remove auth disabled support (#1013)

packages/server/src/config.ts

@@ -16,7 +16,6 @@ import { homedir } from 'os'
  * - UPLOAD_DIR: Upload directory override. Default: join(HERMES_WEB_UI_HOME, 'upload').
  *
  * Auth:
- * - AUTH_DISABLED: Set to 1 or true to disable Web UI auth.
  * - AUTH_TOKEN: Explicit bearer token. If unset, Web UI stores an auto-generated token under HERMES_WEB_UI_HOME.
  *
  * Runtime behavior:

packages/server/src/controllers/auth.ts

@@ -99,7 +99,7 @@ export async function login(ctx: Context) {
     token = await issueUserJwt(user)
   } catch (err: any) {
     ctx.status = 500
-    ctx.body = { error: err?.message || 'Auth is disabled on this server' }
+    ctx.body = { error: err?.message || 'Failed to issue login token' }
     return
   }
 

packages/server/src/middleware/user-auth.ts

@@ -60,7 +60,7 @@ function safeEqual(a: string, b: string): boolean {
   }
 }
 
-async function getJwtSecret(): Promise<string | null> {
+async function getJwtSecret(): Promise<string> {
   return process.env.AUTH_JWT_SECRET || await getToken()
 }
 
@@ -78,7 +78,7 @@ const SERVER_TOKEN_MEDIA_PATHS = new Set([
 async function allowServerTokenForMedia(ctx: Context, token: string): Promise<boolean> {
   if (!token || !SERVER_TOKEN_MEDIA_PATHS.has(ctx.path)) return false
   const serverToken = await getToken()
-  if (!serverToken || token !== serverToken) return false
+  if (token !== serverToken) return false
   ctx.state.serverTokenAuth = true
   return true
 }
@@ -128,7 +128,6 @@ export function verifyUserJwt(token: string, secret: string, now = Date.now()):
 
 export async function issueUserJwt(user: Pick<UserRecord, 'id' | 'username' | 'role'>): Promise<string> {
   const secret = await getJwtSecret()
-  if (!secret) throw new Error('Auth is disabled on this server')
   return signUserJwt(user, secret)
 }
 
@@ -146,7 +145,6 @@ export function toAuthenticatedUser(user: Pick<UserRecord, 'id' | 'username' | '
 
 export async function authenticateUserToken(token: string): Promise<AuthenticatedUser | null> {
   const secret = await getJwtSecret()
-  if (!secret) return null
 
   const payload = token ? verifyUserJwt(token, secret) : null
   if (!payload) return null
@@ -157,7 +155,8 @@ export async function authenticateUserToken(token: string): Promise<Authenticate
 }
 
 export async function isAuthEnabled(): Promise<boolean> {
-  return !!await getJwtSecret()
+  await getJwtSecret()
+  return true
 }
 
 export async function requireUserJwt(ctx: Context, next: Next): Promise<void> {
@@ -167,11 +166,6 @@ export async function requireUserJwt(ctx: Context, next: Next): Promise<void> {
   }
 
   const secret = await getJwtSecret()
-  if (!secret) {
-    await next()
-    return
-  }
-
   const token = requestToken(ctx)
   const payload = token ? verifyUserJwt(token, secret) : null
   if (!payload) {

packages/server/src/services/auth.ts

@@ -12,13 +12,9 @@ function generateToken(): string {
 }
 
 /**
- * Get or create the auth token. Returns null if auth is disabled.
+ * Get or create the auth token.
  */
-export async function getToken(): Promise<string | null> {
-  if (process.env.AUTH_DISABLED === '1' || process.env.AUTH_DISABLED === 'true') {
-    return null
-  }
-
+export async function getToken(): Promise<string> {
   if (process.env.AUTH_TOKEN) {
     return process.env.AUTH_TOKEN
   }
@@ -45,11 +41,6 @@ export async function getToken(): Promise<string | null> {
  */
 export function requireAuth(token: string | null) {
   return async (ctx: any, next: () => Promise<void>) => {
-    if (!token) {
-      await next()
-      return
-    }
-
     const auth = ctx.headers.authorization || ''
     const provided = auth.startsWith('Bearer ')
       ? auth.slice(7)