From 47b2713b97ba52b8c914cd98089e52002130675a Mon Sep 17 00:00:00 2001
From: Liefran Satrio Sim
Date: Mon, 11 May 2026 11:09:21 +0700
Subject: [PATCH] fix: add explicit default auth challenge handling to SessionDelegate

Without implementing urlSession(_:didReceive challenge:), URLSession may silently reject server certificates in certain proxy/MITM scenarios (e.g., mitmproxy, Charles Proxy) even when the CA certificate is installed and trusted at the OS level. Adding explicit .performDefaultHandling ensures the system's default trust evaluation is used, which correctly respects user-installed CA certificates. This has no effect on normal (non-proxy) connections.
---
 Sources/EventSource/SessionDelegate.swift | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Sources/EventSource/SessionDelegate.swift b/Sources/EventSource/SessionDelegate.swift
index be55a5a..72de74a 100644
--- a/Sources/EventSource/SessionDelegate.swift
+++ b/Sources/EventSource/SessionDelegate.swift
@@ -46,4 +46,12 @@ final class SessionDelegate: NSObject, URLSessionDataDelegate {
 ) {
 internalStream.continuation.yield(.didReceiveData(data))
 }
+
+ func urlSession(
+ _ session: URLSession,
+ didReceive challenge: URLAuthenticationChallenge,
+ completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+ ) {
+ completionHandler(.performDefaultHandling, nil)
+ }
 }
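Review bot: The added `urlSession(_:didReceive:completionHandler:)` carries no comment saying that it deliberately leaves trust evaluation to the system, and this is the method where a later proxy workaround tends to turn into `.useCredential` with an unevaluated server trust, which would switch certificate validation off. I would put `// Defers session-level challenges to the system's default trust evaluation; do not accept a server trust here without evaluating it.` directly above the method. Apple documents `.performDefaultHandling` as behaving as though the delegate method were not implemented, so the description should record which OS version and proxy setup reproduced the rejection. Implementing the session-level method also means server-trust and client-certificate challenges are no longer forwarded to `urlSession(_:task:didReceive:completionHandler:)`. The class body starts outside the hunk, so I cannot tell whether such a handler exists, but if one does (for pinning, say) it would stop receiving those challenges.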