At this moment, the authorization code does the following:
if (!spaceServer.auth) {
// Auth disabled in this config, skip
return next();
}
This makes it impossible to only enable SB_AUTH_TOKEN without SB_USER (or the flag --user). So someone could think that the API is protected when it's not since it requires the basic auth enabled.
At this moment, the authorization code does the following:
This makes it impossible to only enable
SB_AUTH_TOKEN
withoutSB_USER
(or the flag--user
). So someone could think that the API is protected when it's not since it requires the basic auth enabled.