feat: add option to disable authentication #17
sutr90 commented on Feb 22, 2026
- adds option to completely disable the authentication from the application.
- closes Add option to remove native authentication from the app #16
bb03420 to 6257253
Pull request overview
Adds a DISABLE_AUTH option intended for deployments behind an external auth proxy, allowing the app to bypass its built-in authentication and adjust the UI accordingly.
Changes:
- Add backend auth bypass when `DISABLE_AUTH=true` for user/admin verification.
- Inject `DISABLE_AUTH` into the frontend via a placeholder replacement in `index.html`.
- Hide the Users menu entry in the client panel when auth is disabled.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| application/frontend/src/lib/ClientPanel/ClientPanel.svelte | Conditionally hides the Users menu item based on a global DISABLE_AUTH flag. |
| application/frontend/index.html | Adds a script setting window.DISABLE_AUTH via a $DISABLE_AUTH$ placeholder. |
| application/backend/app/routes/routes.go | Adds auth-bypass checks and replaces $DISABLE_AUTH$ in served index.html. |
| application/backend/app/routes/routes_test.go | Minor test adjustments/formatting and DOCKER_HOST fallback update. |
| README.md | Documents the new DISABLE_AUTH env var. |
| .github/workflows/go.yml | Aligns CI Go version with the repo’s Go toolchain version. |
Comments suppressed due to low confidence (2)
README.md:93
- The README text has a couple of grammar/hyphenation issues: “built in” should be “built-in”, and “behave like if” should be “behave as if” (or similar). Adjusting this will make the new env var description clearer.
| DISABLE_AUTH | Option to completely disable built in authentication in the application. When this option is set to `true` the app will behave like if the Administrator is logged in. The option to manage users will be removed. | false | -
application/backend/app/routes/routes.go:68
- New `DISABLE_AUTH` behavior (bypassing `verifyUser`/`verifyAdminUser`) is not covered by tests. Since routes already have unit tests, please add coverage to assert that protected endpoints succeed without a cookie when `DISABLE_AUTH=true`, and still fail when it is unset/false.
```go
func verifyAdminUser(w *http.ResponseWriter, req *http.Request) bool {
	if os.Getenv("DISABLE_AUTH") == "true" {
		return true
	}
	username, err := util.GetUserFromJWT(*req)
	if username != os.Getenv("ADMIN_USERNAME") {
		(*w).WriteHeader(http.StatusForbidden)
		json.NewEncoder(*w).Encode(map[string]string{"error": "Only admin can perform this request"})
		return false
	}
	if err != nil {
		(*w).WriteHeader(http.StatusUnauthorized)
		json.NewEncoder(*w).Encode(map[string]string{"error": err.Error()})
		return false
	}
	return true
}
func verifyUser(w *http.ResponseWriter, req *http.Request) bool {
	if os.Getenv("DISABLE_AUTH") == "true" {
		return true
	}
```
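Review bot: The early `return true` on `DISABLE_AUTH` in `verifyAdminUser` and `verifyUser` treats every request that reaches the backend as the administrator, and nothing in these lines checks that the request arrived through the external auth proxy. Log a clear warning at startup when the flag is set, and document that the backend port must be reachable only from the proxy. Also in `verifyAdminUser`, `err` is tested after the username comparison, so the 401 branch runs only when the returned username already equals `ADMIN_USERNAME`; test `err` first.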
| let localTheme = ""; | ||
| let api = new fetchApi(); | ||
|
|
||
| const showUserMenu = window.DISABLE_AUTH ?? true; |
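Review bot: `showUserMenu` on the added line only changes what the panel renders; with `verifyAdminUser` returning true whenever `DISABLE_AUTH=true`, any user-management route guarded by it still answers direct requests. If user management is meant to be removed in this mode, as the README row says, reject those routes on the backend as well.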
showUserMenu is derived from window.DISABLE_AUTH in a way that inverts the intended behavior: when auth is enabled (DISABLE_AUTH === false), false ?? true evaluates to false and the Users menu is hidden; when auth is disabled it becomes visible. Consider computing this as the inverse of DISABLE_AUTH (defaulting to auth enabled) so the Users menu is hidden only when auth is disabled.
| const showUserMenu = window.DISABLE_AUTH ?? true; | |
| const showUserMenu = !(window.DISABLE_AUTH ?? false); |
| <title>OnLogs</title> | ||
|
|
||
| <script> | ||
| window.DISABLE_AUTH=$DISABLE_AUTH$ ?? false; |
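Review bot: The added `window.DISABLE_AUTH=$DISABLE_AUTH$ ?? false;` line depends on what the backend writes in place of `$DISABLE_AUTH$`, and that replacement is not visible in this hunk. If it inserts the raw environment value, an unset variable leaves `window.DISABLE_AUTH= ?? false;`, which is a syntax error, and any other value lands in the script unescaped. Have the backend emit only the literal `true` or `false`, derived from the same `== "true"` comparison used in `verifyUser`.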
$DISABLE_AUTH$ is not valid JavaScript syntax when this file is served without backend substitution (e.g. during local frontend dev / Vite). As written, the page will error before the app loads. Consider placing the placeholder inside a string and parsing it (or using a build-time env injection) so the script remains valid even when the placeholder is not replaced.
| window.DISABLE_AUTH=$DISABLE_AUTH$ ?? false; | |
| (function () { | |
| const rawDisableAuth = '$DISABLE_AUTH$'; | |
| const value = String(rawDisableAuth).trim().toLowerCase(); | |
| const isDisabled = | |
| value === 'true' || value === '1' || value === 'yes'; | |
| window.DISABLE_AUTH = isDisabled; | |
| })(); |
| stat, _ := file.Stat() | ||
| content, _ := io.ReadAll(file) | ||
|
|
file.Stat() and io.ReadAll(file) errors are ignored. If Stat() fails, stat will be nil and stat.ModTime() will panic; if ReadAll fails, you may serve partial/empty content without signaling an error. Please handle these errors and return an appropriate HTTP status (e.g. 500) instead of proceeding.
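
The placeholder and error-handling comments above can be addressed in one handler, shown here as an added example that is not code from the PR or the project. `serveIndex` and `render` are hypothetical names and the in-memory `index.html` is constructed; only the `$DISABLE_AUTH$` placeholder and the `== "true"` comparison come from the page.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"net/http"
	"net/http/httptest"
	"os"
	"strconv"
	"testing/fstest"
)

// serveIndex is a hypothetical handler (not the project's): it answers 500 on
// Open/Stat/ReadAll errors and writes only the literal true or false for the flag.
func serveIndex(fsys fs.FS) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		f, err := fsys.Open("index.html")
		if err != nil {
			http.Error(w, "index unavailable", http.StatusInternalServerError)
			return
		}
		defer f.Close()
		stat, statErr := f.Stat()
		content, readErr := io.ReadAll(f)
		if statErr != nil || readErr != nil {
			http.Error(w, "index unavailable", http.StatusInternalServerError)
			return
		}
		// Same comparison as verifyUser; the raw env value never reaches the page.
		flag := strconv.FormatBool(os.Getenv("DISABLE_AUTH") == "true")
		content = bytes.ReplaceAll(content, []byte("$DISABLE_AUTH$"), []byte(flag))
		http.ServeContent(w, r, "index.html", stat.ModTime(), bytes.NewReader(content))
	}
}

// render serves a constructed in-memory page stored under name, with DISABLE_AUTH set to env.
func render(env, name string) (int, string) {
	os.Setenv("DISABLE_AUTH", env)
	fsys := fstest.MapFS{name: {Data: []byte("<script>window.DISABLE_AUTH=$DISABLE_AUTH$ ?? false;</script>")}}
	rec := httptest.NewRecorder()
	serveIndex(fsys)(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Code, rec.Body.String()
}

func main() { fmt.Println(render("true", "index.html")) }
```

Because the substituted value is always a valid JavaScript boolean, an unset or malformed `DISABLE_AUTH` leaves the page loadable with authentication treated as enabled.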