From aa3f4a1b1ffbd7fec7ac7251beb79633ff74672b Mon Sep 17 00:00:00 2001
From: 0xb00bface <0xboobface@gmail.com>
Date: Sat, 8 May 2021 19:02:20 +0200
Subject: [PATCH] Only enable basic auth, if a HMAC key is configured

---
 server/src/main/java/ctbrec/recorder/server/HttpServer.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/server/src/main/java/ctbrec/recorder/server/HttpServer.java b/server/src/main/java/ctbrec/recorder/server/HttpServer.java
index 725a459e..f17f753b 100644
--- a/server/src/main/java/ctbrec/recorder/server/HttpServer.java
+++ b/server/src/main/java/ctbrec/recorder/server/HttpServer.java
@@ -239,10 +239,12 @@ public class HttpServer {
                 defaultContext.addServlet(holder, staticFileContext);
                 LOG.info("Register static file servlet under {}", defaultContext.getContextPath()+staticFileContext);
 
-                // servlet to retrieve the HMAC secured by basic auth
+                // servlet to retrieve the HMAC (secured by basic auth if an hmac key is set in the config)
                 String username = this.config.getSettings().webinterfaceUsername;
                 String password = this.config.getSettings().webinterfacePassword;
-                basicAuthContext.setSecurityHandler(basicAuth(username, password, "CTB Recorder"));
+                if (config.getSettings().key != null && config.getSettings().key.length > 0) {
+                    basicAuthContext.setSecurityHandler(basicAuth(username, password, "CTB Recorder"));
+                }
                 basicAuthContext.addServlet(new ServletHolder(new HttpServlet() {
                     @Override
                     protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException {