Add a configuration option to disable HTTP basic authentication

2022-07-08 17:25:20 +01:00 · 2022-07-08 17:25:20 +01:00 · 0ae438a5c1
commit 0ae438a5c1
parent 0c524b2408
2 changed files with 14 additions and 4 deletions
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@ -52,8 +52,13 @@ class ApiController < ApplicationController
    # handle authenticate pass/fail
    unless current_user
      # no auth, the user does not exist or the password was wrong
-      response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
-      render :plain => errormessage, :status => :unauthorized
+      if Settings.basic_auth_support
+        response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
+        render :plain => errormessage, :status => :unauthorized
+      else
+        render :plain => errormessage, :status => :forbidden
+      end
+
      false
    end
  end
@ -75,11 +80,13 @@ class ApiController < ApplicationController
      report_error t("oauth.permissions.missing"), :forbidden
    elsif current_user
      head :forbidden
-    else
+    elsif Settings.basic_auth_support
      realm = "Web Password"
      errormessage = "Couldn't authenticate you"
      response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
      render :plain => errormessage, :status => :unauthorized
+    else
+      render :plain => errormessage, :status => :forbidden
    end
  end

@ -94,12 +101,13 @@ class ApiController < ApplicationController
  # from the authorize method, but can be called elsewhere if authorisation
  # is optional.
  def setup_user_auth
+    logger.info " setup_user_auth"
    # try and setup using OAuth
    if doorkeeper_token&.accessible?
      self.current_user = User.find(doorkeeper_token.resource_owner_id)
    elsif Authenticator.new(self, [:token]).allow?
      # self.current_user setup by OAuth
-    else
+    elsif Settings.basic_auth_support
      username, passwd = auth_data # parse from headers
      # authenticate per-scheme
      self.current_user = if username.nil?
--- a/config/settings.yml
+++ b/config/settings.yml
@ -73,6 +73,8 @@ attachments_dir: ":rails_root/public/attachments"
 #logstash_path: ""
 # List of memcache servers to use for caching
 #memcache_servers: []
+# Enable HTTP basic authentication support
+basic_auth_support: true
 # Enable legacy OAuth 1.0 support
 oauth_10_support: true
 # URL of Nominatim instance to use for geocoding