Only trigger the password-protection on the live site and not on local development servers

namibmap / IPPR

2 stars 1 forks source link

Only trigger the password-protection on the live site and not on local development servers #88

Open missfunmi opened 8 years ago

missfunmi commented 8 years ago

This is code review feedback from #83 which @nsetru worked on. I've opened a new issue here so that we don't lose track of it:

... I've just got the latest code and tried to run it locally but then I got prompted for the login credentials. So I disabled the password authentication locally in server.js and it worked fine.

Could we maybe pass an environment flag when the server starts up and use that to determine whether to enable or disable auth? So for example, when environment = "dev" (or "local"), don't require auth, but when environment = "live" (or "production"), then require auth.

See the process.env documentation and this example. Or we could also just store the environment flag in the secret.js file like we do with the Google Analytics code since @lbewlay is using a different file on the live server. See commits on #63 for more details.

nsetru commented 8 years ago

@missfunmi

Could we maybe pass an environment flag when the server starts up and use that to determine > whether to enable or disable auth? So for example, when environment = "dev" (or "local"), don't > require auth, but when environment = "live" (or "production"), then require auth.

I thought, what we need is exactly opposite of what you have mentioned there. The reason we have authentication in place is to not have public access to the dev site - as per data protection act and considering it is still under development. Once the website is live - then we don't need any authentication as the data is available for public access anyways.

Let me know if above makes sense.

missfunmi commented 8 years ago

Yes I see what you mean @nsetru, but for dev I was referring to local development. i.e. when you & I are running the server locally on our computers, we shouldn't need to specify a password. But for the staging site that @lbewlay currently has running, it makes sense to enable passwords there (until the site is actually deployed to the public).

You & I (and other developers) can of course simply comment out the password-prompting code while working locally, but that could lead to accidentally committing the commented out code (therefore getting rid of the password-protection) if people are not careful. Do you see what I mean?

nsetru commented 8 years ago

@missfunmi Yes - I get your point. I will look into it.