From 0ae438a5c19dbda947ceb5834ae7052ce7b941cd Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Fri, 8 Jul 2022 17:25:20 +0100
Subject: [PATCH] Add a configuration option to disable HTTP basic
 authentication

---
 app/controllers/api_controller.rb | 16 ++++++++++++----
 config/settings.yml               |  2 ++
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 83a35e15f..a8067a493 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -52,8 +52,13 @@ class ApiController < ApplicationController
     # handle authenticate pass/fail
     unless current_user
       # no auth, the user does not exist or the password was wrong
-      response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
-      render :plain => errormessage, :status => :unauthorized
+      if Settings.basic_auth_support
+        response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
+        render :plain => errormessage, :status => :unauthorized
+      else
+        render :plain => errormessage, :status => :forbidden
+      end
+
       false
     end
   end
@@ -75,11 +80,13 @@ class ApiController < ApplicationController
       report_error t("oauth.permissions.missing"), :forbidden
     elsif current_user
       head :forbidden
-    else
+    elsif Settings.basic_auth_support
       realm = "Web Password"
       errormessage = "Couldn't authenticate you"
       response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
       render :plain => errormessage, :status => :unauthorized
+    else
+      render :plain => errormessage, :status => :forbidden
     end
   end
 
@@ -94,12 +101,13 @@ class ApiController < ApplicationController
   # from the authorize method, but can be called elsewhere if authorisation
   # is optional.
   def setup_user_auth
+    logger.info " setup_user_auth"
     # try and setup using OAuth
     if doorkeeper_token&.accessible?
       self.current_user = User.find(doorkeeper_token.resource_owner_id)
     elsif Authenticator.new(self, [:token]).allow?
       # self.current_user setup by OAuth
-    else
+    elsif Settings.basic_auth_support
       username, passwd = auth_data # parse from headers
       # authenticate per-scheme
       self.current_user = if username.nil?
diff --git a/config/settings.yml b/config/settings.yml
index e8db6f818..0e73d2b02 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -73,6 +73,8 @@ attachments_dir: ":rails_root/public/attachments"
 #logstash_path: ""
 # List of memcache servers to use for caching
 #memcache_servers: []
+# Enable HTTP basic authentication support
+basic_auth_support: true
 # Enable legacy OAuth 1.0 support
 oauth_10_support: true
 # URL of Nominatim instance to use for geocoding
-- 
2.45.1