Skip to content

fix: refuse to start when --auth is passed instead of silently ignoring it#5

Merged
melvincarvalho merged 1 commit into
mainfrom
fix/auth-option-silently-ignored
Jul 9, 2026
Merged

fix: refuse to start when --auth is passed instead of silently ignoring it#5
melvincarvalho merged 1 commit into
mainfrom
fix/auth-option-silently-ignored

Conversation

@melvincarvalho

Copy link
Copy Markdown
Contributor

Problem

--auth <user:pass> is defined (bin/jsserve.js) and documented (README options table + the WebDAV Alternative example), but options.auth is never read — and the underlying JSS has no basic-auth verification to forward it to. So the README's own use case:

servejss --auth user:pass ~/sync

silently serves PUT/DELETE-enabled files on 0.0.0.0 with no authentication at all, while the user believes the directory is password-protected.

Fix

Fail closed rather than fail open:

  • Passing --auth now exits with a clear error explaining it isn't implemented, and pointing at --read-only and --solid as the working alternatives. Anyone with --auth in a script finds out immediately instead of exposing a writable share.
  • The banner Mode line now says GET/PUT/DELETE enabled (public, no auth) (or (Solid auth) with --solid). This matters because jsserve's stdout filter swallows JSS's own "⚠️ PUBLIC MODE ENABLED" startup warning, so no auth signal ever reached the terminal.
  • README: --auth removed from the options table; the WebDAV example replaced with an honest unauthenticated variant plus a --solid authenticated one, and a note that --auth refuses to start.
  • Dropped the stale (requires #107) comment on --public — that landed upstream.

Verified

  • servejss --auth user:pass <dir> → prints the error, exit code 1, no server started
  • default invocation unaffected: server starts, banner shows the new Mode line, PUT /x.txt → 201
  • --help shows the updated option description

Implementing real basic auth would need either a proxy layer in jsserve or a --basic-auth option upstream in JSS — worth a separate upstream issue if wanted.

…ng it

--auth <user:pass> was defined and documented but options.auth was
never read, and JSS has no basic-auth verification to forward to —
so 'servejss --auth user:pass ~/sync' served PUT/DELETE-enabled files
on 0.0.0.0 with no authentication while the user believed otherwise.

- error out with guidance (--read-only / --solid) when --auth is given
- say 'public, no auth' / 'Solid auth' in the banner Mode line, since
  jsserve's output filter swallows JSS's own PUBLIC MODE warning
- README: drop the --auth options row, replace the WebDAV example with
  honest unauthenticated + --solid variants
- drop stale '(requires #107)' comment; --public landed upstream

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR prevents a dangerous “fail open” scenario by refusing to start the server when --auth user:pass is provided (since basic auth is not actually enforced), and it updates user-facing messaging to make the server’s authentication state explicit.

Changes:

  • Make servejss --auth ... exit with an explicit error instead of silently starting unauthenticated.
  • Update the startup banner “Mode” line to clearly indicate whether the server is public/no-auth vs Solid-auth.
  • Update README to remove the misleading basic-auth example and add an explicit note about --auth refusing to start.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
README.md Removes the misleading --auth usage and adds an explicit note + Solid-authenticated alternative.
bin/jsserve.js Rejects --auth at runtime with an error and clarifies banner output about auth/public mode.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@melvincarvalho melvincarvalho merged commit 653489c into main Jul 9, 2026
1 check passed
@melvincarvalho melvincarvalho deleted the fix/auth-option-silently-ignored branch July 9, 2026 11:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants