diff --git a/README.md b/README.md
index 8ff6f88a..20a8e00e 100644
--- a/README.md
+++ b/README.md
@@ -73,9 +73,9 @@ yarn binary ${vscodeVersion} ${codeServerVersion} # Or you can package it into a
 ## Security
 ### Authentication
-To enable built-in password authentication use `code-server --auth password`. By
-default it will use a randomly generated password but you can set the
-`$PASSWORD` environment variable to use your own.
+By default `code-server` enables password authentication using a randomly
+generated password. You can set the `PASSWORD` environment variable to use your
+own instead or use `--auth none` to disable password authentication.
 Do not expose `code-server` to the open internet without some form of
 authentication.
diff --git a/src/node/cli.ts b/src/node/cli.ts
index bd3c1da6..d65397f5 100644
--- a/src/node/cli.ts
+++ b/src/node/cli.ts
@@ -86,7 +86,7 @@ const startVscode = async (): Promise => {
 const args = getArgs();
 const extra = args["_"] || [];
 const options = {
- auth: args.auth,
+ auth: args.auth || AuthType.Password,
 basePath: args["base-path"],
 cert: args.cert,
 certKey: args["cert-key"],
@@ -95,9 +95,9 @@ const startVscode = async (): Promise => {
 password: process.env.PASSWORD,
 };
- if (options.auth && enumToArray(AuthType).filter((t) => t === options.auth).length === 0) {
+ if (enumToArray(AuthType).filter((t) => t === options.auth).length === 0) {
 throw new Error(`'${options.auth}' is not a valid authentication type.`);
- } else if (options.auth && !options.password) {
+ } else if (options.auth === "password" && !options.password) {
 options.password = await generatePassword();
 }
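Review bot: The new branch in the `@@ -95,9` hunk of src/node/cli.ts compares `options.auth` with the string literal `"password"`, while the `@@ -86,7` hunk just above already uses the enum member for the default. Writing `} else if (options.auth === AuthType.Password && !options.password) {` keeps the decision to generate a password tied to the enum, so a later change to the enum value cannot silently leave password mode without a password. The same literal appears in the `@@ -125,10` hunk of this file and in the src/node/server.ts hunks. startVscode's body starts and ends outside these hunks.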
@@ -125,10 +125,13 @@ const startVscode = async (): Promise => {
 ]);
 logger.info(`Server listening on ${serverAddress}`);
- if (options.auth && !process.env.PASSWORD) {
+ if (options.auth === "password" && !process.env.PASSWORD) {
 logger.info(` - Password is ${options.password}`);
- logger.info(" - To use your own password, set the PASSWORD environment variable");
- } else if (options.auth) {
+ logger.info(" - To use your own password, set the PASSWORD environment variable");
+ if (!args.auth) {
+ logger.info(" - To disable use `--auth none`");
+ }
+ } else if (options.auth === "password") {
 logger.info(" - Using custom password for authentication");
 } else {
 logger.info(" - No authentication");
diff --git a/src/node/server.ts b/src/node/server.ts
index 21384580..0e96556d 100644
--- a/src/node/server.ts
+++ b/src/node/server.ts
@@ -110,7 +110,7 @@ export class HttpError extends Error {
 }
 export interface ServerOptions {
- readonly auth?: AuthType;
+ readonly auth: AuthType;
 readonly basePath?: string;
 readonly connectionToken?: string;
 readonly cert?: string;
@@ -133,7 +133,7 @@ export abstract class Server {
 public constructor(options: ServerOptions) {
 this.options = {
- host: options.auth && options.cert ? "0.0.0.0" : "localhost",
+ host: options.auth === "password" && options.cert ? "0.0.0.0" : "localhost",
 ...options,
 basePath: options.basePath ? options.basePath.replace(/\/+$/, "") : "",
 };
@@ -269,7 +269,7 @@ export abstract class Server {
 base = path.normalize(base);
 requestPath = path.normalize(requestPath || "/index.html");
- if (base !== "/login" || !this.options.auth || requestPath !== "/index.html") {
+ if (base !== "/login" || this.options.auth !== "password" || requestPath !== "/index.html") {
 this.ensureGet(request);
 }
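Review bot: With password authentication now the default, the unchanged `logger.info` call in the `@@ -125,10` hunk of src/node/cli.ts that prints `options.password` runs on every start that does not set `PASSWORD`, so the generated credential goes to whatever sink the logger writes to. Nothing in the hunk marks that output as sensitive; a comment above the call such as `// The generated password is printed at startup; treat captured log output as a secret.` would make it explicit, and the README's Authentication section could say the same. Whether the logger also writes to a file or forwards its output is not visible here and should be confirmed. startVscode's body starts and ends outside the hunk.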
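Review bot: The `host` default in the `@@ -133,7` hunk of src/node/server.ts now resolves to `"0.0.0.0"` whenever a certificate is supplied and no `host` option overrides it, because cli.ts defaults `auth` to password; before this commit a run with a certificate and no `--auth` stayed on `localhost`. That widens the listening surface for existing invocations, and the README hunk does not mention it. A comment above the line, for example `// Listen on all interfaces only when both password auth and TLS are enabled; everything else stays on loopback.`, plus a sentence in the README would make the change visible to operators. The constructor's body ends outside the hunk.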
@@ -300,7 +300,7 @@ export abstract class Server {
 response.cache = true;
 return response;
 case "/login":
- if (!this.options.auth || requestPath !== "/index.html") {
+ if (this.options.auth !== "password" || requestPath !== "/index.html") {
 throw new HttpError("Not found", HttpCode.NotFound);
 }
 return this.tryLogin(request);
@@ -421,7 +421,7 @@ export abstract class Server {
 }
 private authenticate(request: http.IncomingMessage, payload?: LoginPayload): boolean {
- if (!this.options.auth) {
+ if (this.options.auth !== "password") {
 return true;
 }
 const safeCompare = localRequire("safe-compare/index");
diff --git a/src/node/util.ts b/src/node/util.ts
index f4a8cb14..078fe0ef 100644
--- a/src/node/util.ts
+++ b/src/node/util.ts
@@ -14,6 +14,7 @@ import { mkdirp } from "vs/base/node/pfs";
 export enum AuthType {
 Password = "password",
+ None = "none",
 }
 export enum FormatType {
@@ -127,7 +128,7 @@ export const enumToArray = (t: any): string[] => {
 export const buildAllowedMessage = (t: any): string => {
 const values = enumToArray(t);
- return `Allowed value${values.length === 1 ? " is" : "s are"} ${values.map((t) => `'${t}'`).join(",")}`;
+ return `Allowed value${values.length === 1 ? " is" : "s are"} ${values.map((t) => `'${t}'`).join(", ")}`;
 };
 /**
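Review bot: The guard in the `@@ -421,7` hunk of src/node/server.ts, `if (this.options.auth !== "password") { return true; }`, treats every auth type other than password as already authenticated, so any member added to `AuthType` later would skip the check unless this line is revisited. Matching only the explicit opt-out, `if (this.options.auth === AuthType.None) { return true; }`, lets unknown types fall through to the password comparison and fail closed. This assumes `AuthType` is imported as a value in server.ts, which the hunk does not show. authenticate's body continues outside the hunk.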