fix: refuse to start when --auth is passed instead of silently ignoring it#5
Merged
Merged
Conversation
…ng it --auth <user:pass> was defined and documented but options.auth was never read, and JSS has no basic-auth verification to forward to — so 'servejss --auth user:pass ~/sync' served PUT/DELETE-enabled files on 0.0.0.0 with no authentication while the user believed otherwise. - error out with guidance (--read-only / --solid) when --auth is given - say 'public, no auth' / 'Solid auth' in the banner Mode line, since jsserve's output filter swallows JSS's own PUBLIC MODE warning - README: drop the --auth options row, replace the WebDAV example with honest unauthenticated + --solid variants - drop stale '(requires #107)' comment; --public landed upstream
There was a problem hiding this comment.
Pull request overview
This PR prevents a dangerous “fail open” scenario by refusing to start the server when --auth user:pass is provided (since basic auth is not actually enforced), and it updates user-facing messaging to make the server’s authentication state explicit.
Changes:
- Make
servejss --auth ...exit with an explicit error instead of silently starting unauthenticated. - Update the startup banner “Mode” line to clearly indicate whether the server is public/no-auth vs Solid-auth.
- Update README to remove the misleading basic-auth example and add an explicit note about
--authrefusing to start.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| README.md | Removes the misleading --auth usage and adds an explicit note + Solid-authenticated alternative. |
| bin/jsserve.js | Rejects --auth at runtime with an error and clarifies banner output about auth/public mode. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
--auth <user:pass>is defined (bin/jsserve.js) and documented (README options table + the WebDAV Alternative example), butoptions.authis never read — and the underlying JSS has no basic-auth verification to forward it to. So the README's own use case:servejss --auth user:pass ~/syncsilently serves PUT/DELETE-enabled files on 0.0.0.0 with no authentication at all, while the user believes the directory is password-protected.
Fix
Fail closed rather than fail open:
--authnow exits with a clear error explaining it isn't implemented, and pointing at--read-onlyand--solidas the working alternatives. Anyone with--authin a script finds out immediately instead of exposing a writable share.GET/PUT/DELETE enabled (public, no auth)(or(Solid auth)with--solid). This matters because jsserve's stdout filter swallows JSS's own "--authremoved from the options table; the WebDAV example replaced with an honest unauthenticated variant plus a--solidauthenticated one, and a note that--authrefuses to start.(requires #107)comment on--public— that landed upstream.Verified
servejss --auth user:pass <dir>→ prints the error, exit code 1, no server startedPUT /x.txt→ 201--helpshows the updated option descriptionImplementing real basic auth would need either a proxy layer in jsserve or a
--basic-authoption upstream in JSS — worth a separate upstream issue if wanted.