frontend: require login to access Publish page and hide Publish link when logged out; use stored token for uploads\n\nbackend: add ALLOW_ANON_READ env toggle (default false) to require auth for reads\n\nCo-authored-by: openhands <openhands@all-hands.dev>

2026-04-24 13:54:59 +00:00 · 2026-01-09 01:35:56 +00:00
parent 64c79bb28e
commit ae0ccca59c
3 changed files with 29 additions and 8 deletions
--- a/backend/app.py
+++ b/backend/app.py
@@ -44,6 +44,8 @@ BLOB_DIR = DATA_DIR / "blobs"
 META_DIR = DATA_DIR / "meta"
 ROCKSDB_DIR = DATA_DIR / "rocksdb"
 JWT_SECRET = os.environ.get("JWT_SECRET", "dev-secret-key")
+# Control whether anonymous reads are allowed. Default: False (auth required for reads)
+ALLOW_ANON_READ = os.environ.get("ALLOW_ANON_READ", "false").lower() == "true"

 # Initialize storage
 BLOB_DIR.mkdir(parents=True, exist_ok=True)
@@ -97,8 +99,8 @@ def require_scopes(required_scopes: list) -> Optional[Dict[str, Any]]:
    """Check if request has required scopes."""
    auth_header = request.headers.get("Authorization", "")
    if not auth_header.startswith("Bearer "):
-        # For MVP, allow unauthenticated read access
-        if "read" in required_scopes:
+        # Allow unauthenticated read access only if explicitly enabled
+        if "read" in required_scopes and ALLOW_ANON_READ:
            return {"sub": "anonymous", "scopes": ["read"]}
        raise RepositoryError("Missing authorization", 401, "UNAUTHORIZED")