From d32ba7cadd0c95877898ee984b90765c8c34cc8c Mon Sep 17 00:00:00 2001
From: Louis Lam
Date: Thu, 24 Mar 2022 18:02:34 +0800
Subject: [PATCH] Fix #1318, basic auth is completely disabled if the auth is disabled

---
 server/auth.js | 52 ++++++++++++++++++++++++++++++--------------------
 1 file changed, 31 insertions(+), 21 deletions(-)

diff --git a/server/auth.js b/server/auth.js
index c476ea1e3..5d3597cca 100644
--- a/server/auth.js
+++ b/server/auth.js
@@ -31,31 +31,41 @@ exports.login = async function (username, password) {
 };

 function myAuthorizer(username, password, callback) {
- setting("disableAuth").then((result) => {
- if (result) {
- callback(null, true);
- } else {
- // Login Rate Limit
- loginRateLimiter.pass(null, 0).then((pass) => {
- if (pass) {
- exports.login(username, password).then((user) => {
- callback(null, user != null);
+ // Login Rate Limit
+ loginRateLimiter.pass(null, 0).then((pass) => {
+ if (pass) {
+ exports.login(username, password).then((user) => {
+ callback(null, user != null);

- if (user == null) {
- loginRateLimiter.removeTokens(1);
- }
- });
- } else {
- callback(null, false);
+ if (user == null) {
+ loginRateLimiter.removeTokens(1);
 }
 });
-
+ } else {
+ callback(null, false);
 }
 });
 }

-exports.basicAuth = basicAuth({
- authorizer: myAuthorizer,
- authorizeAsync: true,
- challenge: true,
-});
+/**
+ * If disabled auth, it does not call `next`.
+ */
+exports.checkBasicAuth = async (req, res, next) => {
+
+};
+
+exports.basicAuth = async function (req, res, next) {
+ const middleware = basicAuth({
+ authorizer: myAuthorizer,
+ authorizeAsync: true,
+ challenge: true,
+ });
+
+ const disabledAuth = await setting("disableAuth");
+
+ if (!disabledAuth) {
+ middleware(req, res, next);
+ } else {
+ next();
+ }
+};
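Review bot: `exports.basicAuth` awaits `setting("disableAuth")` with no error handling, so if that lookup rejects, the middleware neither calls `next` nor sends a response; assuming this runs under Express 4, the request would hang and the rejection would go unhandled. Catching the failure and forwarding it with `next(error)` makes the route fail closed with a defined error response. The `basicAuth({...})` instance is also rebuilt on every request and could be created once at module scope. Separately, `exports.checkBasicAuth` is an empty handler that never calls `next` or ends the response, and its comment does not say what it is meant to do, so mounting it as written would stall every request; it should be completed or removed.

```javascript
// Built once at module load rather than on every request.
const basicAuthMiddleware = basicAuth({
    // … unchanged: authorizer, authorizeAsync, challenge options …
});

exports.basicAuth = async function (req, res, next) {
    let disabledAuth;
    try {
        disabledAuth = await setting("disableAuth");
    } catch (error) {
        // Fail closed: a failed settings lookup must not fall through to next().
        next(error);
        return;
    }

    // … unchanged: if (!disabledAuth) branch, now calling basicAuthMiddleware …
};
```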