the events in this document unfold in chronological order. let it be known, I know that webfs has Basic auth. I get to that towards the end.

just start hacking

the thing that drew me into 9front initially is the permacomputing angle. this isn't explicitly an interest of the core plan 9 / 9front community, but it is very closely aligned: 9front is actively hostile towards outside capital influences and avoidant of making itself useful to those interests; and it is "human scale", in that it is small and easy to understand.

the system ships with its own source code, and a script called src(1) which opens the source files of the program supplied as an argument in your preferred text editor. under /dist/9front lives a .git folder, such that binding /dist/9front to / turns the entire system into a git repository, such that any changes you make may be trivially turned into a patch and mailed upstream following the procedure in FQA section 2.5.2:

section 2.5.2 example

% bind -ac /dist/9front /
% cd /sys/src/your/changed/code
% git/diff . > /tmp/mypatch.diff

https://fqa.9front.org/fqa2.html#2.5.2

I have always found hacking on other projects to be intimidating, and I realize I've developed a learned helplessness about it. on 9front, though, there is no excuse not to hack on it.

this brings me to my first issue: I want to download manga from madokami! Madokami uses HTTP basic auth, and visiting in Mothra yielded a 401 with no way to log in. I could use hget and webfs directly by supplying the correct Authorization header, but it would be nice to browse it in Mothra. I thought I'd start by adding Basic auth to Mothra (silly move, we'll get there). opening the sources is just a src(1) invocation away, and then I started reading. I knew I'd need to set some headers in /mnt/webfs/?/ctl, that'd be somewhere where requests are made or where webclone is read. grepping around with the -n flag, plumbing to open relevant source file at the relevant line in the editor, using lookman(1) to find base64 encoding routines in the stdlib ... it did not take very long, one a handful of lines of code, to implement a routine where Mothra would look up an authentication pair in factotum and prepare and authorization header. And it worked!!

screenshot of madokami, authenticated and opened to the shimeji simulation page

then I went to sleep. and it did not take very long for me to start thinking, why the hell would I do this in Mothra, this belongs in webfs, and if I do it in webfs I'll get authentication for free everywhere - hget, feed readers, etc.

so I woke up in the morning and started reading webfs(4). and something I noticed that there was talk of HTTP Basic authentication in the manual, but seemed underdocumented. how did it work? it certainly is doing something with it, but I don't know how. so again, I invoked src(1), visited, grepped around for stuff having to do with authentication and very quickly found an authentication routine in http.c. awesome!

I spent more time reading and understanding the source. whenever a page was fetched, and the server returned a 401 with an authentication challenge, authenticate would be called. and does about what you would expect: it sees a WWW-Authenticate: Basic header, it looks up in factotum any pairs matching the following spec, and re-fetches with the correct Authorization header.

factotum spec used by webfs

proto=pass service=http server=<server> realm=<realm> user? !password?

I was still a bit miffed at why I couldn't get this working, and I was beginning to wonder if it just wasn't fully implemented. I started reading RFC 7617, which defines Basic authentication, looking at the requests going back and forth between my client and madokami in a known working browser outside of 9front, and stepping through the authenticate procedure very carefully.

from RFC 7617

The authentication parameter 'realm' is REQUIRED.

I noticed at this point that madokami was not returning a realm. and webfs was correctly (by the spec) considering the realmless header from madokami to be malformed, and giving up. but it seems to be the case that many other browsers are okay with this. as a result, plenty of webservers out there are returning malformed authentication challenges and nobody cares. so I'll have to deliberately make webfs noncompliant with the spec.

this was relatively straightforward! all I had to do was make the realm parameter optional, and not include it in the factotum lookup if there was no realm. this resulted in the following patch:

patch to support realmless Basic authentication in webfs

and it works great. I can browse madokami from Mothra, and subscribe to its Atom feeds from feedreaders, without any modifications. I don't know if the patch is any good, my C is quite poor and unpracticed at this point, but it works and I pulled it off entirely by consulting the documentation and source code that shipped with my system. that makes me a real happy camper.

2026-06-03