From 8217bae067db29382bdb6369e2a91cb23761139d Mon Sep 17 00:00:00 2001
From: u1 <u1@rv32i.pl>
Date: Tue, 6 Jan 2026 13:27:33 +0100
Subject: [PATCH] feat(auth): allow disabling built-in basic auth

---
 README.md                    |  2 ++
 services/frontend/server.mjs | 27 +++++++++++++++++----------
 2 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 2dac11e..5c8cde6 100644
--- a/README.md
+++ b/README.md
@@ -18,3 +18,5 @@ npm run dev
 docker build -t trade-frontend .
 docker run --rm -p 8081:8081 trade-frontend
 ```
+
+Jeśli auth jest realizowany przed aplikacją (np. Traefik `basicAuth`), ustaw `BASIC_AUTH_MODE=off`, żeby wyłączyć wbudowany basic auth w serwerze.
diff --git a/services/frontend/server.mjs b/services/frontend/server.mjs
index 22c4f90..449ce1a 100644
--- a/services/frontend/server.mjs
+++ b/services/frontend/server.mjs
@@ -15,6 +15,10 @@ const STATIC_DIR = process.env.STATIC_DIR || '/srv';
 const BASIC_AUTH_FILE = process.env.BASIC_AUTH_FILE || '/tokens/frontend.json';
 const API_READ_TOKEN_FILE = process.env.API_READ_TOKEN_FILE || '/tokens/read.json';
 const API_UPSTREAM = process.env.API_UPSTREAM || process.env.API_URL || 'http://api:8787';
+const BASIC_AUTH_MODE = String(process.env.BASIC_AUTH_MODE || 'on')
+  .trim()
+  .toLowerCase();
+const BASIC_AUTH_ENABLED = !['off', 'false', '0', 'disabled', 'none'].includes(BASIC_AUTH_MODE);
 
 function readJson(filePath) {
   const raw = fs.readFileSync(filePath, 'utf8');
@@ -226,17 +230,19 @@ function handler(req, res) {
     return;
   }
 
-  let creds;
-  try {
-    creds = loadBasicAuth();
-  } catch (e) {
-    send(res, 500, { 'content-type': 'text/plain; charset=utf-8' }, String(e?.message || e));
-    return;
-  }
+  if (BASIC_AUTH_ENABLED) {
+    let creds;
+    try {
+      creds = loadBasicAuth();
+    } catch (e) {
+      send(res, 500, { 'content-type': 'text/plain; charset=utf-8' }, String(e?.message || e));
+      return;
+    }
 
-  if (!isAuthorized(req, creds)) {
-    basicAuthRequired(res);
-    return;
+    if (!isAuthorized(req, creds)) {
+      basicAuthRequired(res);
+      return;
+    }
   }
 
   if (req.url?.startsWith('/api') && (req.url === '/api' || req.url.startsWith('/api/'))) {
@@ -264,6 +270,7 @@ server.listen(PORT, () => {
         staticDir: STATIC_DIR,
         apiUpstream: API_UPSTREAM,
         basicAuthFile: BASIC_AUTH_FILE,
+        basicAuthMode: BASIC_AUTH_MODE,
         apiReadTokenFile: API_READ_TOKEN_FILE,
       },
       null,