diff --git a/pact_broker/basic_auth.rb b/pact_broker/basic_auth.rb
index 45b5f829..e7ce4df1 100644
--- a/pact_broker/basic_auth.rb
+++ b/pact_broker/basic_auth.rb
@@ -19,9 +19,14 @@ def initialize(app, write_user_username, write_user_password, read_user_username
 username == @write_user_username && password == @write_user_password
 end
- @app_with_read_auth = Rack::Auth::Basic.new(app, "Restricted area") do |username, password|
- (username == @write_user_username && password == @write_user_password) ||
- (username == @read_user_username && password == @read_user_password)
+ @app_with_read_auth = if read_user_username && read_user_username.size > 0
+ Rack::Auth::Basic.new(app, "Restricted area") do |username, password|
+ (username == @write_user_username && password == @write_user_password) ||
+ (username == @read_user_username && password == @read_user_password)
+ end
+ else
+ puts "WARN: Public read access is enabled as no PACT_BROKER_BASIC_AUTH_READ_ONLY_USERNAME has been set"
+ app
 end
 end
diff --git a/spec/basic_auth_spec.rb b/spec/basic_auth_spec.rb
index d3962899..5f4a1368 100644
--- a/spec/basic_auth_spec.rb
+++ b/spec/basic_auth_spec.rb
@@ -7,7 +7,9 @@
 let(:protected_app) { ->(env) { [200, {}, []]} }
- let(:app) { BasicAuth.new(protected_app, 'write_username', 'write_password', 'read_username', 'read_password', allow_public_access_to_heartbeat) }
+ let(:app) { BasicAuth.new(protected_app, 'write_username', 'write_password', read_username, read_password, allow_public_access_to_heartbeat) }
+ let(:read_username) { 'read_username' }
+ let(:read_password) { 'read_password' }
 let(:allow_public_access_to_heartbeat) { true }
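Review bot: The fail-open path in the new else branch announces itself only with `puts` to stdout, which is easily lost when stdout is redirected or buffered under a process manager, so an operator can end up with unauthenticated read access to every pact without noticing; write the warning to `$stderr` (or the broker's logger, if this class has access to one), and tighten the guard to `if !read_user_username.to_s.empty?` so the nil check is not a separate clause. The credential checks moved into the new block still compare with `==`, which returns on the first mismatching byte; `Rack::Utils.secure_compare(password.to_s, @read_user_password.to_s)` is the constant-time form and the `to_s` keeps a nil password from raising. The message also hard-codes the PACT_BROKER_BASIC_AUTH_READ_ONLY_USERNAME variable name inside a class that only receives plain arguments, so it will go stale if the wiring changes; consider passing the source of the setting in, or wording the message around the constructor argument. `initialize` begins before the hunk.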
@@ -174,20 +176,25 @@
 end
 context "when there is no read only user configured" do
- let(:app) { BasicAuth.new(protected_app, 'write_username', 'write_password', nil, nil, allow_public_access_to_heartbeat) }
+ before do
+ allow($stdout).to receive(:puts)
+ end
+
+ let(:read_username) { '' }
+ let(:read_password) { '' }
 context "with no credentials" do
- it "does not allow GET" do
+ it "allows a GET" do
 get "/"
- expect(last_response.status).to eq 401
+ expect(last_response.status).to eq 200
 end
 end
- context "with credentials" do
- it "does not allow GET" do
+ context "with incorrect credentials" do
+ it "allows a GET" do
 basic_authorize "foo", "bar"
 get "/"
- expect(last_response.status).to eq 401
+ expect(last_response.status).to eq 200
 end
 end
 end
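Review bot: `allow($stdout).to receive(:puts)` in the new before block silences the public-access warning without ever asserting it, so the one signal that the broker has gone fail-open has no test coverage; at least one example here should use `expect($stdout).to receive(:puts).with(/Public read access is enabled/)` instead. The removed `let(:app)` exercised `nil` for the read-only user, while the new lets only cover `''`; since the new condition in basic_auth.rb guards nil separately, a sibling context with `let(:read_username) { nil }` and `let(:read_password) { nil }` would keep that branch tested. The enclosing describe block starts before the hunk.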