Merge branch 'main' into metrics

server/config.go

@@ -49,7 +49,7 @@ const (
 	DefaultVisitorEmailLimitReplenish           = time.Hour
 	DefaultVisitorAccountCreationLimitBurst     = 3
 	DefaultVisitorAccountCreationLimitReplenish = 24 * time.Hour
-	DefaultVisitorAuthFailureLimitBurst         = 10
+	DefaultVisitorAuthFailureLimitBurst         = 30
 	DefaultVisitorAuthFailureLimitReplenish     = time.Minute
 	DefaultVisitorAttachmentTotalSizeLimit      = 100 * 1024 * 1024 // 100 MB
 	DefaultVisitorAttachmentDailyBandwidthLimit = 500 * 1024 * 1024 // 500 MB

server/server.go

@@ -1642,6 +1642,7 @@ func (s *Server) autorizeTopic(next handleFunc, perm user.Permission) handleFunc
 // maybeAuthenticate reads the "Authorization" header and will try to authenticate the user
 // if it is set.
 //
+//   - If auth-file is not configured, immediately return an IP-based visitor
 //   - If the header is not set or not supported (anything non-Basic and non-Bearer),
 //     an IP-based visitor is returned
 //   - If the header is set, authenticate will be called to check the username/password (Basic auth),
@@ -1653,13 +1654,14 @@ func (s *Server) maybeAuthenticate(r *http.Request) (*visitor, error) {
 	// Read "Authorization" header value, and exit out early if it's not set
 	ip := extractIPAddress(r, s.config.BehindProxy)
 	vip := s.visitor(ip, nil)
+	if s.userManager == nil {
+		return vip, nil
+	}
 	header, err := readAuthHeader(r)
 	if err != nil {
 		return vip, err
 	} else if !supportedAuthHeader(header) {
 		return vip, nil
-	} else if s.userManager == nil {
-		return vip, errHTTPUnauthorized
 	}
 	// If we're trying to auth, check the rate limiter first
 	if !vip.AuthAllowed() {

server/server_test.go

@@ -796,6 +796,7 @@ func TestServer_Auth_Fail_CannotPublish(t *testing.T) {
 
 func TestServer_Auth_Fail_Rate_Limiting(t *testing.T) {
 	c := newTestConfigWithAuthFile(t)
+	c.VisitorAuthFailureLimitBurst = 10
 	s := newTestServer(t, c)
 
 	for i := 0; i < 10; i++ {