feat: add anonymous read mode (NORA_AUTH_ANONYMOUS_READ)

When auth is enabled with anonymous_read=true, GET/HEAD requests are allowed without credentials (pull/download), while write operations (PUT/POST/DELETE/PATCH) still require authentication. Use case: public demo registries, read-only mirrors. Config: NORA_AUTH_ANONYMOUS_READ=true or auth.anonymous_read=true
2026-04-12 16:10:31 +00:00 · 2026-03-20 22:48:41 +00:00
parent 9709471485
commit 8fc741c8db
2 changed files with 47 additions and 0 deletions
--- a/nora-registry/src/auth.rs
+++ b/nora-registry/src/auth.rs
@@ -94,6 +94,16 @@ pub async fn auth_middleware(
        return next.run(request).await;
    }

+    // Allow anonymous read if configured
+    let is_read_method = matches!(
+        *request.method(),
+        axum::http::Method::GET | axum::http::Method::HEAD
+    );
+    if state.config.auth.anonymous_read && is_read_method {
+        // Read requests allowed without auth
+        return next.run(request).await;
+    }
+
    // Extract Authorization header
    let auth_header = request
        .headers()