From 425ea00ba2ee52f47e4974320f903ea438144f20 Mon Sep 17 00:00:00 2001 From: rcourtman Date: Sun, 9 Nov 2025 20:29:41 +0000 Subject: [PATCH] Fix upgrade path when DISABLE_AUTH detected but no credentials exist (fixes #678) Users upgrading from v4.25 (where DISABLE_AUTH actually disabled auth) to v4.27.1 (where DISABLE_AUTH is ignored but triggers a deprecation warning) were stuck in a catch-22: - They had no credentials (old version had auth disabled) - DISABLE_AUTH detection incorrectly required authentication - Setup wizard returned 401, preventing first credential creation - Could not complete setup to create credentials and remove flag Root cause: When DISABLE_AUTH was detected, the code set forceRequested=true which triggered the authentication requirement even when authConfigured=false. Fix: Only require authentication when credentials actually exist. When no auth is configured, allow the bootstrap token flow regardless of whether DISABLE_AUTH is detected. This lets users upgrade from legacy DISABLE_AUTH deployments by using the bootstrap token to create their first credentials, then removing the flag. --- internal/api/security_setup_fix.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/internal/api/security_setup_fix.go b/internal/api/security_setup_fix.go index 5109197..9580d9b 100644 --- a/internal/api/security_setup_fix.go +++ b/internal/api/security_setup_fix.go @@ -148,7 +148,10 @@ func handleQuickSecuritySetupFixed(r *Router) http.HandlerFunc { authorized := recoveryAuthorized - if !authorized && (authConfigured || forceRequested) { + // Only require authentication if credentials are already configured. + // When DISABLE_AUTH is detected but no auth exists (upgrade path from legacy), + // allow bootstrap token flow instead of demanding credentials that don't exist. + if !authorized && authConfigured { wrapped := &responseCapture{ResponseWriter: w} if CheckAuth(r.config, wrapped, req) { authorized = true