CSRF in combination with basic auth breaks UI

[Fatal705]

Bug summary

When enabling CSRF (by PREFECT_SERVER_CSRF_PROTECTION_ENABLED) and basic auth (by PREFECT_API_AUTH_STRING) on the server, the UI no longer shows any information. After disabling CSRF protection everything works as expected.

It seems this is due to not sending the Authorization header for CSRF requests (/api/csrf-token. In the browser console these requests show up as 401 unauthorized.

Version info

Version:             3.1.8
API version:         0.8.4
Python version:      3.12.8
Git commit:          53a83ebc
Built:               Tue, Dec 17, 2024 10:20 AM
OS/Arch:             linux/x86_64
Profile:             ephemeral
Server type:         server
Pydantic version:    2.10.3

Additional context

No response

[cicdw]

Thank you for the bug report @Fatal705 and for identifying the potential issue; I'm looking into why the auth string isn't respected for that call right now and should have a fix soon.