Fix upgrade path when DISABLE_AUTH detected but no credentials exist (fixes #678)
Users upgrading from v4.25 (where DISABLE_AUTH actually disabled auth) to v4.27.1 (where DISABLE_AUTH is ignored but triggers a deprecation warning) were stuck in a catch-22: - They had no credentials (old version had auth disabled) - DISABLE_AUTH detection incorrectly required authentication - Setup wizard returned 401, preventing first credential creation - Could not complete setup to create credentials and remove flag Root cause: When DISABLE_AUTH was detected, the code set forceRequested=true which triggered the authentication requirement even when authConfigured=false. Fix: Only require authentication when credentials actually exist. When no auth is configured, allow the bootstrap token flow regardless of whether DISABLE_AUTH is detected. This lets users upgrade from legacy DISABLE_AUTH deployments by using the bootstrap token to create their first credentials, then removing the flag.
This commit is contained in:
parent
078248770e
commit
425ea00ba2
1 changed files with 4 additions and 1 deletions
|
|
@ -148,7 +148,10 @@ func handleQuickSecuritySetupFixed(r *Router) http.HandlerFunc {
|
|||
|
||||
authorized := recoveryAuthorized
|
||||
|
||||
if !authorized && (authConfigured || forceRequested) {
|
||||
// Only require authentication if credentials are already configured.
|
||||
// When DISABLE_AUTH is detected but no auth exists (upgrade path from legacy),
|
||||
// allow bootstrap token flow instead of demanding credentials that don't exist.
|
||||
if !authorized && authConfigured {
|
||||
wrapped := &responseCapture{ResponseWriter: w}
|
||||
if CheckAuth(r.config, wrapped, req) {
|
||||
authorized = true
|
||||
|
|
|
|||
Loading…
Reference in a new issue