Hi Kris, maybe I'm not understanding the issue clearly, but this is the correct behavior: once the autobots resource is protected, you can't retrieve any kind of information before login.
"3.2.1 The WWW-Authenticate Response Header
If a server receives a request for an access-protected object, and an
acceptable Authorization header is not sent, the server responds with
a "401 Unauthorized" status code, and a WWW-Authenticate header as
per the framework defined above, which for the digest scheme is
utilized as follows:"
I was testing it against: corscontroller-abstractj.rhcloud.com and I did the same test with Passport: https://github.com/jaredhanson/passport-http/tree/master/examples/digest and curl -v -X OPTIONS...
Looking at the RFC http://www.ietf.org/rfc/rfc2617.txt
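The behavior in the quoted RFC 2617 section 3.2.1, sketched as an added example that is not part of the original comment or of either server mentioned in it: a protected resource answers any request lacking an acceptable Authorization header, OPTIONS included, with 401 and a Digest challenge. The `handle` function, the nonce store and the realm and credentials (taken from the RFC's own sample exchange) are assumptions for illustration; nonce expiry and nonce-count replay tracking are left out.

```python
import hashlib
import hmac
import re
import secrets

REALM = "testrealm@host.com"            # sample realm from the RFC 2617 example
USERS = {"Mufasa": "Circle Of Life"}    # sample credentials from the RFC 2617 example


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_digest(header):
    """Return the Digest parameters as a dict, or None for any other scheme."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', rest)
    return {key: value.strip('"') for key, value in pairs}


def expected_response(p, method, password):
    """RFC 2617 request-digest for qop=auth with the MD5 algorithm."""
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")


def handle(method, headers, issued_nonces):
    """Hypothetical handler: (status, response headers) for a protected resource."""
    p = parse_digest(headers.get("Authorization", ""))
    try:
        if (p and p["realm"] == REALM and p["nonce"] in issued_nonces
                and p["username"] in USERS):
            want = expected_response(p, method, USERS[p["username"]])
            if hmac.compare_digest(want.encode(), p["response"].encode()):
                return 200, {}
    except KeyError:
        pass  # a missing field means the header is not acceptable
    # No acceptable Authorization header: challenge, whatever the method is.
    nonce = secrets.token_hex(16)
    issued_nonces.add(nonce)
    challenge = f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'
    return 401, {"WWW-Authenticate": challenge}
```

Because the request method is hashed into the response, an Authorization header computed for GET is not acceptable on an OPTIONS request to the same URI.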