allow disabling authentication for server version, closes #1132

config-sample.ini

@@ -2,6 +2,9 @@
 # Instance name can be used to distinguish between different instances
 instanceName=
 
+# set to true to allow using Trilium without authentication (makes sense for server build only, desktop build doesn't need password)
+noAuthentication=false
+
 # Disable automatically generating desktop icon
 # noDesktopIcon=true
 

src/services/auth.js

@@ -6,12 +6,15 @@ const sqlInit = require('./sql_init');
 const utils = require('./utils');
 const passwordEncryptionService = require('./password_encryption');
 const optionService = require('./options');
+const config = require('./config');
+
+const noAuthentication = config.General && config.General.noAuthentication === true;
 
 function checkAuth(req, res, next) {
     if (!sqlInit.isDbInitialized()) {
         res.redirect("setup");
     }
-    else if (!req.session.loggedIn && !utils.isElectron()) {
+    else if (!req.session.loggedIn && !utils.isElectron() && !noAuthentication) {
         res.redirect("login");
     }
     else {
@@ -22,7 +25,7 @@ function checkAuth(req, res, next) {
 // for electron things which need network stuff
 // currently we're doing that for file upload because handling form data seems to be difficult
 function checkApiAuthOrElectron(req, res, next) {
-    if (!req.session.loggedIn && !utils.isElectron()) {
+    if (!req.session.loggedIn && !utils.isElectron() && !noAuthentication) {
         reject(req, res, "Not authorized");
     }
     else {
@@ -31,7 +34,7 @@ function checkApiAuthOrElectron(req, res, next) {
 }
 
 function checkApiAuth(req, res, next) {
-    if (!req.session.loggedIn) {
+    if (!req.session.loggedIn && !noAuthentication) {
         reject(req, res, "Not authorized");
     }
     else {

src/services/ws.js

@@ -3,6 +3,7 @@ const utils = require('./utils');
 const log = require('./log');
 const sql = require('./sql');
 const cls = require('./cls');
+const config = require('./config');
 const syncMutexService = require('./sync_mutex');
 const protectedSessionService = require('./protected_session');
 
@@ -12,7 +13,9 @@ function init(httpServer, sessionParser) {
     webSocketServer = new WebSocket.Server({
         verifyClient: (info, done) => {
             sessionParser(info.req, {}, () => {
-                const allowed = utils.isElectron() || info.req.session.loggedIn;
+                const allowed = utils.isElectron()
+                    || info.req.session.loggedIn
+                    || (config.General && config.General.noAuthentication);
 
                 if (!allowed) {
                     log.error("WebSocket connection not allowed because session is neither electron nor logged in.");