Allow unauthenticated requests, mapped to a predefined user entry (#78)

ptallada · sbogaart@pic.es · SilviaSWR · web-flow · commit 43ed4ce606fd · 2025-08-30T18:11:22.000+08:00
* Anonymous user implementation

* Fallback to authenticated requests when accessing protected paths

* Update changelog.en.md

* Change name from anonymous_id to unauthenticated_username

* docs: add documentation for unauthenticated user configuration

* test: add tests for unauthenticated_username support

---------

Co-authored-by: sbogaart@pic.es &lt;sbogaart@pic.es&gt;
Co-authored-by: silviavandenbogaartmarzola &lt;marzolasilvia3@gmail.com&gt;
diff --git a/asgi_webdav/auth.py b/asgi_webdav/auth.py
@@ -550,7 +550,14 @@ def __init__(self, config: Config):
     async def pick_out_user(self, request: DAVRequest) -> tuple[DAVUser | None, str]:
         authorization_header = request.headers.get(b"authorization")
         if authorization_header is None:
-            return None, "miss header: authorization"
+            if not self.config.unauthenticated_username:
+                return None, "miss header: authorization"
+            user = self.user_mapping.get(self.config.unauthenticated_username)
+            if user is None or not user.check_paths_permission([request.path]):
+                return None, "miss header: authorization"
+            else:
+                # Server has the anonymous option able
+                return user, ""
 
         index = authorization_header.find(b" ")
         if index == -1:
diff --git a/asgi_webdav/config.py b/asgi_webdav/config.py
@@ -149,6 +149,7 @@ class Config(JSONWizard):
     account_mapping: list[User] = field(default_factory=list)
     http_basic_auth: HTTPBasicAuth = field(default_factory=HTTPBasicAuth)
     http_digest_auth: HTTPDigestAuth = field(default_factory=HTTPDigestAuth)
+    unauthenticated_username: str | None = None
 
     # provider
     provider_mapping: list[Provider] = field(default_factory=list)
diff --git a/docs/changelog.en.md b/docs/changelog.en.md
@@ -5,6 +5,7 @@
 - feat: new config, HTTPBasicAuth.cache_timeout
 - feat: new config, Compression.enable
 - feat: both support .toml and .json config file
+- feat: allow unauthenticated requests, thanks [PIC](https://www.pic.es)
 
 ## 1.5.0 - 20250628
 
diff --git a/docs/howto/howto-allow-unauthenticated-username.en.md b/docs/howto/howto-allow-unauthenticated-username.en.md
@@ -0,0 +1,23 @@
+# How to Allow Unauthenticated Username
+
+To enable unauthenticated (anonymous) access, update your`json`config file like below:
+
+```json
+{
+  "unauthenticated_username": "nobody",
+  "account_mapping": [
+    {
+      "username": "nobody",
+      "password": "",
+      "permissions": ["+^/public"]
+    }
+  ]
+}
+```
+
+* When `unauthenticated_username` is set, and a user with that name exists in `account_mapping`
+(with an empty password), any request without authentication will be treated as this user.
+* The `permissions` field controls which paths are accessible to unauthenticated users.
+
+Tip: To disable write access, combine with "read_only": true in the corresponding provider mapping.
+
diff --git a/docs/reference/config-file.en.md b/docs/reference/config-file.en.md
@@ -25,6 +25,7 @@ When the file exists, the mapping relationship is defined by the file content.
 
 ```json
 {
+  "unauthenticated_username": "nobody",
   "account_mapping": [
     {
       "username": "username",
@@ -40,6 +41,11 @@ When the file exists, the mapping relationship is defined by the file content.
       "username": "guest",
       "password": "password",
       "permissions": []
+    },
+    {
+      "username": "nobody",
+      "password": "",
+      "permissions": ["+^/public"]
     }
   ],
   "http_basic_auth": {
@@ -75,13 +81,17 @@ When the file exists, the mapping relationship is defined by the file content.
 }
 ```
 
+**Note**: When `unauthenticated_username` is set and a user with that name exists in `account_mapping`
+(typically with an empty password), requests with no authentication will be mapped to that user. Permissions of that user will determine allowed access for unauthenticated clients.
+
 #### logging output
 
 ```text
 INFO: [asgi_webdav.server] ASGI WebDAV Server(v1.3.2) starting...
 INFO: [asgi_webdav.auth] Register Account: username, allow:[''], deny:[]
 INFO: [asgi_webdav.auth] Register Account: litmus, allow:['^/$', '^/litmus'], deny:['^/litmus/other']
 INFO: [asgi_webdav.auth] Register Account: guest, allow:[], deny:[]
+INFO: [asgi_webdav.auth] Register Account: nobody, allow:['^/public'], deny:[]
 INFO: [asgi_webdav.web_dav] Mapping Prefix: / --[ReadOnly]--> file:///data/root
 INFO: [asgi_webdav.web_dav] Mapping Prefix: /provider --[ReadOnly]--> memory:///
 INFO: [asgi_webdav.web_dav] Mapping Prefix: /provider/fs --> file:///tmp
@@ -99,6 +109,7 @@ root object
 
 | Key                      | Use For  | Value Type              | Default Value             |
 | ------------------------ | -------- | ----------------------- | ------------------------- |
+| unauthenticated_username | auth     | `str`                   | `None`                    |
 | account_mapping          | auth     | `list[User]`            | `[]`                      |
 | http_basic_auth          | auth     | `HTTPBasicAuth`         | `HTTPBasicAuth()`         |
 | http_digest_auth         | auth     | `HTTPDigestAuth`        | `HTTPDigestAuth()`        |
@@ -114,6 +125,7 @@ Example
 
 ```text
 {
+    "unauthenticated_username": "nobody",
     "account_mapping": [...],
     "http_digest_auth": {...},
     "provider_mapping": [...],
@@ -141,6 +153,18 @@ Example
 | admin       | bool       | `false`       |
 
 - When the value of `admin` is `true`, the user can access the web page `/_/admin/xxx`
+- If `unauthenticated_username` is set and refers to a user with an empty password, that user will be used for 
+unauthenticated (anonymous) requests.
+
+Example:
+```json
+{
+  "username": "nobody",
+  "password": "",
+  "permissions": ["+^/public"]
+}
+```
+
 
 ### `Permissions` Format/Example
 
diff --git a/tests/test_auth.py b/tests/test_auth.py
@@ -18,6 +18,8 @@
 PASSWORD_HASHLIB = "<hashlib>:sha256:salt:291e247d155354e48fec2b579637782446821935fc96a5a08a0b7885179c408b"
 USERNAME_DIGEST = "user-digest"
 PASSWORD_DIGEST = "<digest>:ASGI-WebDAV:c1d34f1e0f457c4de05b7468d5165567"
+USERNAME_UNAUTHENTICATED = "nobody"
+PASSWORD_UNAUTHENTICATED = ""
 
 INVALID_PASSWORD_FORMAT_USER_1 = "invalid-user-1"
 INVALID_PASSWORD_FORMAT_USER_2 = "invalid-user-2"
@@ -59,6 +61,15 @@
         },
     ],
 }
+UNAUTHENTICATED_DATA = deepcopy(BASIC_AUTHORIZATION_CONFIG_DATA)
+UNAUTHENTICATED_DATA["unauthenticated_username"] = USERNAME_UNAUTHENTICATED
+UNAUTHENTICATED_DATA["account_mapping"].append(
+    {
+        "username": USERNAME_UNAUTHENTICATED,
+        "password": PASSWORD_UNAUTHENTICATED,
+        "permissions": ["+^/$"],
+    }
+)
 
 
 def fake_call():
@@ -232,6 +243,21 @@ async def test_basic_authentication_digest():
     assert response.status_code == 401
 
 
+@pytest.mark.asyncio
+async def test_basic_authentication_unauthenticated():
+    client = ASGITestClient(get_webdav_app(config_object=UNAUTHENTICATED_DATA))
+
+    response = await client.get(
+        "/",
+    )
+    assert response.status_code == 200
+
+    response = await client.get(
+        "t/",
+    )
+    assert response.status_code == 401
+
+
 def test_verify_permission():
     username = USERNAME
     password = PASSWORD
