Fix upgrade path when DISABLE_AUTH detected but no credentials exist (fixes #678)

Users upgrading from v4.25 (where DISABLE_AUTH actually disabled auth) to
v4.27.1 (where DISABLE_AUTH is ignored but triggers a deprecation warning)
were stuck in a catch-22:

- They had no credentials (old version had auth disabled)
- DISABLE_AUTH detection incorrectly required authentication
- Setup wizard returned 401, preventing first credential creation
- Could not complete setup to create credentials and remove flag

Root cause: When DISABLE_AUTH was detected, the code set forceRequested=true
which triggered the authentication requirement even when authConfigured=false.

Fix: Only require authentication when credentials actually exist. When no
auth is configured, allow the bootstrap token flow regardless of whether
DISABLE_AUTH is detected.

This lets users upgrade from legacy DISABLE_AUTH deployments by using the
bootstrap token to create their first credentials, then removing the flag.
This commit is contained in:
rcourtman 2025-11-09 20:29:41 +00:00
parent 078248770e
commit 425ea00ba2

View file

@ -148,7 +148,10 @@ func handleQuickSecuritySetupFixed(r *Router) http.HandlerFunc {
authorized := recoveryAuthorized
if !authorized && (authConfigured || forceRequested) {
// Only require authentication if credentials are already configured.
// When DISABLE_AUTH is detected but no auth exists (upgrade path from legacy),
// allow bootstrap token flow instead of demanding credentials that don't exist.
if !authorized && authConfigured {
wrapped := &responseCapture{ResponseWriter: w}
if CheckAuth(r.config, wrapped, req) {
authorized = true