@beastmode-develeap/beastmode 0.1.323 → 0.1.324

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -7647,10 +7647,19 @@ async function startServer(options = {}) {
7647
7647
  }
7648
7648
  }
7649
7649
  }
7650
- if (UI_PASSWORD && !isAuthExempt(method, url) && !isAuthenticated(req)) {
7651
- res.writeHead(302, { Location: "/auth/login" });
7652
- res.end();
7653
- return;
7650
+ if (UI_PASSWORD) {
7651
+ if (!isAuthExempt(method, url) && !isAuthenticated(req)) {
7652
+ res.writeHead(302, { Location: "/auth/login" });
7653
+ res.end();
7654
+ return;
7655
+ }
7656
+ } else if (!ALLOW_NO_AUTH) {
7657
+ if (url.startsWith("/api/") && !isAuthExempt(method, url)) {
7658
+ sendJson(res, 403, {
7659
+ error: "Board API authentication is not configured. Set BEASTMODE_UI_PASSWORD, or set BEASTMODE_ALLOW_NO_AUTH=true to explicitly allow unauthenticated access."
7660
+ });
7661
+ return;
7662
+ }
7654
7663
  }
7655
7664
  if (url === "/auth/login" && method === "GET") {
7656
7665
  if (!UI_PASSWORD || isAuthenticated(req)) {
@@ -7920,7 +7929,7 @@ async function startServer(options = {}) {
7920
7929
  });
7921
7930
  });
7922
7931
  }
7923
- var _boardWsProxy, __filename, __dirname, INACTIVITY_TIMEOUT_MS, UI_PASSWORD, AUTH_COOKIE_NAME, AUTH_COOKIE_MAX_AGE, LOGIN_PAGE;
7932
+ var _boardWsProxy, __filename, __dirname, INACTIVITY_TIMEOUT_MS, UI_PASSWORD, ALLOW_NO_AUTH, AUTH_COOKIE_NAME, AUTH_COOKIE_MAX_AGE, LOGIN_PAGE;
7924
7933
  var init_server = __esm({
7925
7934
  "src/cli/ui/server.ts"() {
7926
7935
  "use strict";
@@ -7932,6 +7941,7 @@ var init_server = __esm({
7932
7941
  __dirname = dirname6(__filename);
7933
7942
  INACTIVITY_TIMEOUT_MS = 30 * 60 * 1e3;
7934
7943
  UI_PASSWORD = process.env.BEASTMODE_UI_PASSWORD || "";
7944
+ ALLOW_NO_AUTH = /^(1|true|yes)$/i.test(process.env.BEASTMODE_ALLOW_NO_AUTH || "");
7935
7945
  AUTH_COOKIE_NAME = "bm_session";
7936
7946
  AUTH_COOKIE_MAX_AGE = 86400;
7937
7947
  LOGIN_PAGE = `<!DOCTYPE html>