From acdffa69dee85eb6a097e01eda585dcf6669991e Mon Sep 17 00:00:00 2001
From: Richard Boisvert
Date: Tue, 23 Jun 2026 19:15:26 -0400
Subject: [PATCH] fix(authentication): feature should be disabled by default

Contrary to what the PR for the feature mentioned, the setting was enabled by default, instead of disabled.

Follow up to https://github.com/apache/devlake/pull/8854
---
 backend/helpers/oidchelper/config.go      | 4 ++--
 backend/helpers/oidchelper/config_test.go | 7 ++++---
 env.example                               | 8 ++++----
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/backend/helpers/oidchelper/config.go b/backend/helpers/oidchelper/config.go
index 477e80591de..a23606df1d4 100644
--- a/backend/helpers/oidchelper/config.go
+++ b/backend/helpers/oidchelper/config.go
@@ -88,11 +88,11 @@ func (c *Config) ProviderNames() []string {
 }
 
 // LoadConfig reads auth env vars via Viper and validates required fields.
-// AUTH_ENABLED defaults to true unless it is explicitly set to false.
+// AUTH_ENABLED defaults to false unless it is explicitly set to true.
 func LoadConfig(basicRes context.BasicRes) (*Config, error) {
 	cfg := basicRes.GetConfigReader()
-	authEnabled := true
+	authEnabled := false
 	if cfg.IsSet("AUTH_ENABLED") {
 		authEnabled = cfg.GetBool("AUTH_ENABLED")
 	}
diff --git a/backend/helpers/oidchelper/config_test.go b/backend/helpers/oidchelper/config_test.go
index cc1d75f2cde..3fe92a1187a 100644
--- a/backend/helpers/oidchelper/config_test.go
+++ b/backend/helpers/oidchelper/config_test.go
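Review bot: With `authEnabled := false` as the new default, a deployment that never sets AUTH_ENABLED now runs with authentication off and nothing in the code surfaces that; the only mention is the doc comment. Because the previous default was true, an environment that relied on the default loses authentication silently on upgrade, so LoadConfig should at least emit a warning when the switch resolves to false (through whatever logger basicRes exposes), and the comment could say so: `// AUTH_ENABLED defaults to false; a disabled switch is logged so an unintended open deployment is visible.` The change to TestLoadConfigRequiresSessionSecretForOIDC in config_test.go also implies OIDC_ENABLED=true with AUTH_ENABLED unset no longer fails validation; a guard such as `if cfg.GetBool("OIDC_ENABLED") && !authEnabled { return nil, fmt.Errorf("OIDC_ENABLED=true requires AUTH_ENABLED=true") }` (in whatever error form the function already uses) would turn that misconfiguration into a startup error instead of an unauthenticated API. LoadConfig's body continues past the end of the hunk, so the existing validation there may already cover part of this.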
@@ -105,15 +105,15 @@ func (b basicResStub) ReplaceLogger(log.Logger) corectx.BasicRes {
 }
 func (b basicResStub) GetDal() dal.Dal { return nil }
 
-func TestLoadConfigDefaultsAuthEnabled(t *testing.T) {
+func TestLoadConfigDefaultsAuthDisabled(t *testing.T) {
 	v := viper.New()
 	cfg, err := LoadConfig(basicResStub{cfg: v})
 	if err != nil {
 		t.Fatalf("LoadConfig returned error: %v", err)
 	}
-	if !cfg.AuthEnabled {
-		t.Fatal("AuthEnabled should default to true when AUTH_ENABLED is unset")
+	if cfg.AuthEnabled {
+		t.Fatal("AuthEnabled should default to false when AUTH_ENABLED is unset")
 	}
 	if cfg.OIDCEnabled {
 		t.Fatal("OIDCEnabled should default to false")
@@ -125,6 +125,7 @@ func TestLoadConfigDefaultsAuthEnabled(t *testing.T) {
 
 func TestLoadConfigRequiresSessionSecretForOIDC(t *testing.T) {
 	v := viper.New()
+	v.Set("AUTH_ENABLED", true)
 	v.Set("OIDC_ENABLED", true)
 
 	if _, err := LoadConfig(basicResStub{cfg: v}); err == nil {
diff --git a/env.example b/env.example
index 6141f24978b..7d69915505a 100755
--- a/env.example
+++ b/env.example
@@ -97,10 +97,10 @@ ENABLE_SUBTASKS_BY_DEFAULT="jira:collectIssueChangelogs:true,jira:extractIssueCh
 ##########################
 # OIDC / Authentication
 ##########################
-# Master switch. Auth is enabled by default; set false only for isolated local
-# development. When enabled without OIDC, DevLake accepts API keys for /rest/*
-# and can trust X-Forwarded-User from an upstream proxy.
-AUTH_ENABLED=true
+# Master switch. Auth is disabled by default; set true to require
+# authentication. When enabled without OIDC, DevLake accepts API keys for
+# /rest/* and can trust X-Forwarded-User from an upstream proxy.
+AUTH_ENABLED=false
 
 # OIDC user login. Requires AUTH_ENABLED=true.
 OIDC_ENABLED=false
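Review bot: Adding `v.Set("AUTH_ENABLED", true)` keeps TestLoadConfigRequiresSessionSecretForOIDC meaningful, but it also leaves the combination OIDC_ENABLED=true with AUTH_ENABLED unset untested, and the new default makes that combination reachable; if it is meant to be rejected, a sibling test asserting LoadConfig returns an error for it would pin that, and if it is meant to be ignored, a test asserting `cfg.OIDCEnabled` is false would document it. The renamed TestLoadConfigDefaultsAuthDisabled in the first hunk only checks the unset case; an explicit `v.Set("AUTH_ENABLED", true)` case asserting `cfg.AuthEnabled` is true would cover the opt-in path as well. Both test bodies continue outside their hunks.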