fix(authentication): feature should be disabled by default

rbstp · rbstp · commit acdffa69dee8 · 2026-06-23T19:15:26.000-04:00
Contrary to what the PR for the feature mentioned, the setting was enabled by default, instead of disabled. Follow up to #8854
diff --git a/backend/helpers/oidchelper/config.go b/backend/helpers/oidchelper/config.go
@@ -88,11 +88,11 @@ func (c *Config) ProviderNames() []string {
 }
 
 // LoadConfig reads auth env vars via Viper and validates required fields.
-// AUTH_ENABLED defaults to true unless it is explicitly set to false.
+// AUTH_ENABLED defaults to false unless it is explicitly set to true.
 func LoadConfig(basicRes context.BasicRes) (*Config, error) {
 	cfg := basicRes.GetConfigReader()
 
-	authEnabled := true
+	authEnabled := false
 	if cfg.IsSet("AUTH_ENABLED") {
 		authEnabled = cfg.GetBool("AUTH_ENABLED")
 	}
diff --git a/backend/helpers/oidchelper/config_test.go b/backend/helpers/oidchelper/config_test.go
@@ -105,15 +105,15 @@ func (b basicResStub) ReplaceLogger(log.Logger) corectx.BasicRes {
 }
 func (b basicResStub) GetDal() dal.Dal { return nil }
 
-func TestLoadConfigDefaultsAuthEnabled(t *testing.T) {
+func TestLoadConfigDefaultsAuthDisabled(t *testing.T) {
 	v := viper.New()
 
 	cfg, err := LoadConfig(basicResStub{cfg: v})
 	if err != nil {
 		t.Fatalf("LoadConfig returned error: %v", err)
 	}
-	if !cfg.AuthEnabled {
-		t.Fatal("AuthEnabled should default to true when AUTH_ENABLED is unset")
+	if cfg.AuthEnabled {
+		t.Fatal("AuthEnabled should default to false when AUTH_ENABLED is unset")
 	}
 	if cfg.OIDCEnabled {
 		t.Fatal("OIDCEnabled should default to false")
@@ -125,6 +125,7 @@ func TestLoadConfigDefaultsAuthEnabled(t *testing.T) {
 
 func TestLoadConfigRequiresSessionSecretForOIDC(t *testing.T) {
 	v := viper.New()
+	v.Set("AUTH_ENABLED", true)
 	v.Set("OIDC_ENABLED", true)
 
 	if _, err := LoadConfig(basicResStub{cfg: v}); err == nil {
diff --git a/env.example b/env.example
@@ -97,10 +97,10 @@ ENABLE_SUBTASKS_BY_DEFAULT="jira:collectIssueChangelogs:true,jira:extractIssueCh
 ##########################
 # OIDC / Authentication
 ##########################
-# Master switch. Auth is enabled by default; set false only for isolated local
-# development. When enabled without OIDC, DevLake accepts API keys for /rest/*
-# and can trust X-Forwarded-User from an upstream proxy.
-AUTH_ENABLED=true
+# Master switch. Auth is disabled by default; set true to require
+# authentication. When enabled without OIDC, DevLake accepts API keys for
+# /rest/* and can trust X-Forwarded-User from an upstream proxy.
+AUTH_ENABLED=false
 
 # OIDC user login. Requires AUTH_ENABLED=true.
 OIDC_ENABLED=false

Original file line number	Diff line number	Diff line change
`@@ -88,11 +88,11 @@ func (c *Config) ProviderNames() []string {`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`// LoadConfig reads auth env vars via Viper and validates required fields.`
`91`		`-// AUTH_ENABLED defaults to true unless it is explicitly set to false.`
	`91`	`+// AUTH_ENABLED defaults to false unless it is explicitly set to true.`
`92`	`92`	`func LoadConfig(basicRes context.BasicRes) (*Config, error) {`
`93`	`93`	`cfg := basicRes.GetConfigReader()`
`94`	`94`
`95`		`- authEnabled := true`
	`95`	`+ authEnabled := false`
`96`	`96`	`if cfg.IsSet("AUTH_ENABLED") {`
`97`	`97`	`authEnabled = cfg.GetBool("AUTH_ENABLED")`
`98`	`98`	`}`