This is an automated email from the ASF dual-hosted git repository.

rbstp pushed a commit to branch auth-disabled
in repository https://gitbox.apache.org/repos/asf/devlake.git

commit ac4f2c3228bdaa9166093ea1e8107472e3292ac8
Author: Richard Boisvert <[email protected]>
AuthorDate: Tue Jun 23 19:14:18 2026 -0400

    fix(authentication): feature should be disabled by default
    
    Contrary to what the PR for the feature mentioned, the setting was 
enabled by default, instead of disabled.
    
    Follow up to https://github.com/apache/devlake/pull/8854
---
 backend/helpers/oidchelper/config.go      | 4 ++--
 backend/helpers/oidchelper/config_test.go | 7 ++++---
 env.example                               | 8 ++++----
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/backend/helpers/oidchelper/config.go 
b/backend/helpers/oidchelper/config.go
index 477e80591..a23606df1 100644
--- a/backend/helpers/oidchelper/config.go
+++ b/backend/helpers/oidchelper/config.go
@@ -88,11 +88,11 @@ func (c *Config) ProviderNames() []string {
 }
 
 // LoadConfig reads auth env vars via Viper and validates required fields.
-// AUTH_ENABLED defaults to true unless it is explicitly set to false.
+// AUTH_ENABLED defaults to false unless it is explicitly set to true.
 func LoadConfig(basicRes context.BasicRes) (*Config, error) {
        cfg := basicRes.GetConfigReader()
 
-       authEnabled := true
+       authEnabled := false
        if cfg.IsSet("AUTH_ENABLED") {
                authEnabled = cfg.GetBool("AUTH_ENABLED")
        }
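Review bot: Starting from `authEnabled := false` means a deployment that never sets AUTH_ENABLED comes up without authentication, and nothing in this hunk makes that visible to the operator. Since the switch now fails open, LoadConfig should emit a startup warning whenever the resolved value is false, so an omitted or misspelled variable shows up in the logs instead of being discovered later. The doc comment could also state the consequence, e.g. `// When AUTH_ENABLED is unset or false, authentication is not enforced.` The rest of LoadConfig is outside the hunk, so an existing warning further down cannot be ruled out.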
diff --git a/backend/helpers/oidchelper/config_test.go 
b/backend/helpers/oidchelper/config_test.go
index cc1d75f2c..3fe92a118 100644
--- a/backend/helpers/oidchelper/config_test.go
+++ b/backend/helpers/oidchelper/config_test.go
@@ -105,15 +105,15 @@ func (b basicResStub) ReplaceLogger(log.Logger) 
corectx.BasicRes {
 }
 func (b basicResStub) GetDal() dal.Dal { return nil }
 
-func TestLoadConfigDefaultsAuthEnabled(t *testing.T) {
+func TestLoadConfigDefaultsAuthDisabled(t *testing.T) {
        v := viper.New()
 
        cfg, err := LoadConfig(basicResStub{cfg: v})
        if err != nil {
                t.Fatalf("LoadConfig returned error: %v", err)
        }
-       if !cfg.AuthEnabled {
-               t.Fatal("AuthEnabled should default to true when AUTH_ENABLED 
is unset")
+       if cfg.AuthEnabled {
+               t.Fatal("AuthEnabled should default to false when AUTH_ENABLED 
is unset")
        }
        if cfg.OIDCEnabled {
                t.Fatal("OIDCEnabled should default to false")
@@ -125,6 +125,7 @@ func TestLoadConfigDefaultsAuthEnabled(t *testing.T) {
 
 func TestLoadConfigRequiresSessionSecretForOIDC(t *testing.T) {
        v := viper.New()
+       v.Set("AUTH_ENABLED", true)
        v.Set("OIDC_ENABLED", true)
 
        if _, err := LoadConfig(basicResStub{cfg: v}); err == nil {
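Review bot: Having to add `v.Set("AUTH_ENABLED", true)` here suggests that OIDC_ENABLED=true on its own no longer reaches the session-secret validation, i.e. the OIDC settings are probably skipped when the master switch is off. That combination (OIDC turned on, AUTH_ENABLED left unset) is an easy misconfiguration after this default flip, and it would leave the instance unauthenticated while the operator believes login is enforced. A test should pin the intended behaviour for it, and returning an error from LoadConfig in that case looks safer than silently ignoring OIDC_ENABLED. The test body continues past the end of the hunk.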
diff --git a/env.example b/env.example
index 6141f2497..7d6991550 100755
--- a/env.example
+++ b/env.example
@@ -97,10 +97,10 @@ 
ENABLE_SUBTASKS_BY_DEFAULT="jira:collectIssueChangelogs:true,jira:extractIssueCh
 ##########################
 # OIDC / Authentication
 ##########################
-# Master switch. Auth is enabled by default; set false only for isolated local
-# development. When enabled without OIDC, DevLake accepts API keys for /rest/*
-# and can trust X-Forwarded-User from an upstream proxy.
-AUTH_ENABLED=true
+# Master switch. Auth is disabled by default; set true to require
+# authentication. When enabled without OIDC, DevLake accepts API keys for
+# /rest/* and can trust X-Forwarded-User from an upstream proxy.
+AUTH_ENABLED=false
 
 # OIDC user login. Requires AUTH_ENABLED=true.
 OIDC_ENABLED=false
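Review bot: The new comment says how to turn authentication on but not what running with the default means: with `AUTH_ENABLED=false` requests are presumably served without any credential check, which matters because this file is often copied unchanged into a deployment. I would add `# With AUTH_ENABLED=false no authentication is enforced; keep the instance on a trusted network only.` The X-Forwarded-User sentence also deserves its caveat, `# Trust X-Forwarded-User only when the backend is reachable solely through a proxy that overwrites that header.`, since a directly reachable backend would otherwise accept a client-supplied value.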
