I registered a basic security schema with my own validateSecurity.handlers for basic auth. When the user enters the URL in the browser he doesn't get the login prompt because the authentication doesn't return the "WWW-Authenticate" header in the response and just fails with "Authorization header required"

That means i have to work around it by adding this in the global error handler

      if(error.path === '/users/export' && error.status === 401) {
        res.set('WWW-Authenticate', 'Basic realm="ugh"');
      }

Which kinda defeats the purpose of the security handler in the first place :(