From fe1f9fafbd3f93726a5bd4b676463dd162411abb Mon Sep 17 00:00:00 2001 From: Cohee <18619528+Cohee1207@users.noreply.github.com> Date: Wed, 9 Oct 2024 10:43:52 +0300 Subject: [PATCH] [bug] Don't allow per user auth with accounts disabled --- server.js | 4 +++- src/middleware/basicAuth.js | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/server.js b/server.js index d39092765..99c8c44d3 100644 --- a/server.js +++ b/server.js @@ -758,7 +758,9 @@ const postSetupTasks = async function (v6Failed, v4Failed) { } if (basicAuthMode) { - if (!perUserBasicAuth) { + if (perUserBasicAuth && !enableAccounts) { + console.error(color.red('Per-user basic authentication is enabled, but user accounts are disabled. This configuration may be insecure.')); + } else if (!perUserBasicAuth) { const basicAuthUser = getConfigValue('basicAuthUser', {}); if (!basicAuthUser?.username || !basicAuthUser?.password) { console.warn(color.yellow('Basic Authentication is enabled, but username or password is not set or empty!')); diff --git a/src/middleware/basicAuth.js b/src/middleware/basicAuth.js index b18db1209..be7a153eb 100644 --- a/src/middleware/basicAuth.js +++ b/src/middleware/basicAuth.js @@ -7,6 +7,7 @@ const { getConfig, getConfigValue } = require('../util.js'); const storage = require('node-persist'); const PER_USER_BASIC_AUTH = getConfigValue('perUserBasicAuth', false); +const ENABLE_ACCOUNTS = getConfigValue('enableUserAccounts', false); const unauthorizedResponse = (res) => { res.set('WWW-Authenticate', 'Basic realm="SillyTavern", charset="UTF-8"'); 
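Review bot: The new `perUserBasicAuth && !enableAccounts` branch only logs and then skips the `basicAuthUser` validation that the `else if` performs, yet with accounts disabled the middleware in src/middleware/basicAuth.js now falls back to exactly those static credentials, so an unset `basicAuthUser.username`/`password` goes unreported in the one configuration where it matters most. Run the validation in both cases by closing the error branch and replacing `} else if (!perUserBasicAuth) {` with `}` followed by `if (!perUserBasicAuth || !enableAccounts) {`. The message should also state what actually happens, e.g. `'Per-user basic authentication is enabled, but user accounts are disabled. Falling back to the basicAuthUser credentials.'`, since "may be insecure" does not tell the operator which credentials will be enforced. Where `enableAccounts` is defined is not visible in this hunk; it is assumed to track the same `enableUserAccounts` setting the middleware reads, which is worth confirming. postSetupTasks begins and ends outside the hunk.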
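Review bot: `ENABLE_ACCOUNTS` is a second, independent read of the accounts setting at module load, parallel to the `enableAccounts` that server.js checks, and nothing ties the two together, so if they are sourced differently the startup diagnostic and the middleware's behaviour can disagree. A short comment would tell the next reader why the constant exists: `// Per-user basic auth needs user accounts to look up handles; without them the middleware falls back to the static basicAuthUser credentials.` Consider exposing one accessor for the effective per-user mode and calling it from both server.js and this middleware. Whether server.js reads the same `enableUserAccounts` key cannot be confirmed from this diff.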
@@ -27,13 +28,14 @@ const basicAuthMiddleware = async function (request, response, callback) { return unauthorizedResponse(response); } + const usePerUserAuth = PER_USER_BASIC_AUTH && ENABLE_ACCOUNTS; const [username, password] = Buffer.from(credentials, 'base64') .toString('utf8') .split(':'); - if (!PER_USER_BASIC_AUTH && username === config.basicAuthUser.username && password === config.basicAuthUser.password) { + if (!usePerUserAuth && username === config.basicAuthUser.username && password === config.basicAuthUser.password) { return callback(); - } else if (PER_USER_BASIC_AUTH) { + } else if (usePerUserAuth) { const userHandles = await getAllUserHandles(); for (const userHandle of userHandles) { if (username === userHandle) {
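Review bot: In the static-credentials branch that `usePerUserAuth` now routes into, the comparison `password === config.basicAuthUser.password` is reached with `password` equal to `undefined` whenever the decoded header holds no ':' (the destructuring of `.split(':')` yields one element), and an unset configured password is likewise `undefined`, so the missing-config case the server.js warning is meant to catch is also the case where this comparison succeeds; if `config.basicAuthUser` is absent altogether the property access throws inside the middleware instead. Reject credentials that do not decode to two non-empty strings before any comparison, and compare the secret with `crypto.timingSafeEqual` rather than `===` so the check is constant-time (this needs `const crypto = require('node:crypto');` alongside the other requires at the top of the file). `split(':')` with two-element destructuring also discards anything after a second ':', so a password containing ':' can never match; splitting at the first ':' only, as the Basic scheme defines, fixes that. The rewritten lines are below; the per-user handle loop continues outside the hunk and is unchanged.
```javascript
// Constant-time comparison of a supplied secret against the configured one;
// an unset or empty configured secret never matches.
const secretsMatch = (given, expected) => {
    if (typeof given !== 'string' || typeof expected !== 'string' || expected === '') {
        return false;
    }
    const a = Buffer.from(given, 'utf8');
    const b = Buffer.from(expected, 'utf8');
    return a.length === b.length && crypto.timingSafeEqual(a, b);
};

// … unchanged: unauthorizedResponse, start of basicAuthMiddleware, header parsing …
    const usePerUserAuth = PER_USER_BASIC_AUTH && ENABLE_ACCOUNTS;
    const decoded = Buffer.from(credentials, 'base64').toString('utf8');
    const separator = decoded.indexOf(':');
    // Basic credentials are "user:pass" split at the first ':'; anything else is malformed.
    if (separator <= 0) {
        return unauthorizedResponse(response);
    }
    const username = decoded.slice(0, separator);
    const password = decoded.slice(separator + 1);

    if (!usePerUserAuth
        && username === config.basicAuthUser?.username
        && secretsMatch(password, config.basicAuthUser?.password)) {
        return callback();
    } else if (usePerUserAuth) {
        // … unchanged: per-user handle lookup …
```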