🛂 Skip 401 for root config OIDC, return empty instead

Author: lissy93

services/app.js

@@ -170,6 +170,9 @@ function getAuthMiddleware(authConfig, oidcSettings) {
 const initialAuthConfig = loadAuthConfig();
 const oidcSettings = loadOidcSettings(initialAuthConfig);
 const protectConfig = getAuthMiddleware(initialAuthConfig, oidcSettings);
+const bootstrapAuth = oidcSettings
+  ? createOidcMiddleware(oidcSettings, { permissive: true })
+  : protectConfig;
 
 /* True when any auth method is configured. Used to keep zero-auth deployments
    open (their original behaviour) while closing the gate for everyone else. */
@@ -279,7 +282,7 @@ const app = express()
   }))
   // Middleware to serve any .yml files in USER_DATA_DIR with optional protection
   // Note: returns stripped version if auth configured but not yet authenticated
-  .get('/*.yml', protectConfig, (req, res) => {
+  .get('/*.yml', bootstrapAuth, (req, res) => {
     const ymlFile = req.path.split('/').pop();
     const filePath = path.resolve(rootDir, process.env.USER_DATA_DIR || 'user-data', ymlFile);
     if (authIsConfigured) {
@@ -295,6 +298,10 @@ const app = express()
         printWarning(`Failed to read or parse ${ymlFile}`, e);
         return safeEnd(res, errBody('Could not read config'), 500);
       }
+      // Not authenticated, not main conf.yml
+      if (!req.auth && !guestAccessOn) {
+        return res.status(401).json({ success: false, message: 'Unauthorized' });
+      }
     }
     res.sendFile(filePath, (err) => {
       if (err) safeEnd(res, errBody(`Could not read ${ymlFile}`), 404);

services/auth-oidc.js

@@ -103,12 +103,13 @@ function deriveIsAdmin(claims, settings) {
   return false;
 }
 
-/* Connect middleware factory. Verifies Bearer id_token; sets req.auth on success. */
-function createOidcMiddleware(settings) {
+/* Connect middleware factory. Verifies Bearer id_token; sets req.auth on success
+ * If `permissive: true`, falls through on verification failure instead of 401 */
+function createOidcMiddleware(settings, { permissive = false } = {}) {
   return async (req, res, next) => {
     const header = req.headers.authorization || '';
     const match = header.match(/^Bearer\s+(.+)$/i);
-    if (!match) return next(); // Permissive: no token attached, let downstream gates decide
+    if (!match) return next(); // No token attached, let downstream gates decide
     const token = match[1].trim();
     if (!token) return next();
 
@@ -127,6 +128,7 @@ function createOidcMiddleware(settings) {
       return next();
     } catch (e) {
       console.warn('[auth-oidc] token verification failed:', e.message || e); // eslint-disable-line no-console
+      if (permissive) return next();
       return res.status(401).json({
         success: false,
         message: 'Unauthorized - Invalid or expired token',

tests/server/conf-strip.test.js

@@ -60,16 +60,31 @@ describe('OIDC strip behaviour for /conf.yml', () => {
     expect(res.headers['vary']).toContain('Authorization');
   });
 
-  it('does not strip non-root yml files', async () => {
+  it('requires valid auth for non-root yml files', async () => {
     const res = await request(app).get('/sub.yml');
-    expect(res.status).toBe(200);
-    expect(res.text).toContain('Sub');
+    expect(res.status).toBe(401);
+  });
+
+  it('also rejects sub-yml requests with invalid Bearer', async () => {
+    const res = await request(app)
+      .get('/sub.yml')
+      .set('Authorization', 'Bearer not-a-real-token');
+    expect(res.status).toBe(401);
   });
 
-  it('rejects invalid Bearer tokens with 401 from the OIDC middleware', async () => {
+  it('falls through to bootstrap on conf.yml when Bearer fails to verify', async () => {
     const res = await request(app)
       .get('/conf.yml')
       .set('Authorization', 'Bearer not-a-real-token');
+    expect(res.status).toBe(200);
+    const body = yamlLoad(res.text);
+    expect(body._bootstrap.authenticated).toBe(false);
+  });
+
+  it('strict middleware still rejects invalid Bearer on protected API routes', async () => {
+    const res = await request(app)
+      .get('/status-check')
+      .set('Authorization', 'Bearer not-a-real-token');
     expect(res.status).toBe(401);
   });
 });