fix(backend): remove authentication bypass configuration

davidebriani · davidebriani · commit 3adf2a1e02d1 · 2026-02-04T16:21:56.000+01:00
- Remove 'DISABLE_TENANT_AUTHENTICATION' and 'DISABLE_ADMIN_AUTHENTICATION' support
- Hardens authentication by removing runtime checks that could bypass auth pipelines
- Removes associated configuration definitions in Edgehog.Config

Signed-off-by: Davide Briani &lt;davide.briani@secomind.com&gt;
diff --git a/backend/lib/edgehog/config.ex b/backend/lib/edgehog/config.ex
@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2022-2023 SECO Mind Srl
+# Copyright 2022-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -30,14 +30,6 @@ defmodule Edgehog.Config do
   alias Edgehog.Geolocation
   alias Edgehog.Geolocation.Providers.GoogleGeocoding
 
-  @envdoc """
-  Disables admin authentication. CHANGING IT TO TRUE IS GENERALLY A REALLY BAD IDEA IN A PRODUCTION ENVIRONMENT, IF YOU DON'T KNOW WHAT YOU ARE DOING.
-  """
-  app_env :disable_admin_authentication, :edgehog, :disable_admin_authentication,
-    os_env: "DISABLE_ADMIN_AUTHENTICATION",
-    type: :boolean,
-    default: false
-
   @envdoc "The Admin API JWT public key."
   app_env :admin_jwk, :edgehog, :admin_jwk,
     os_env: "ADMIN_JWT_PUBLIC_KEY_PATH",
@@ -67,14 +59,6 @@ defmodule Edgehog.Config do
     type: :boolean,
     default: false
 
-  @envdoc """
-  Disables tenant authentication. CHANGING IT TO TRUE IS GENERALLY A REALLY BAD IDEA IN A PRODUCTION ENVIRONMENT, IF YOU DON'T KNOW WHAT YOU ARE DOING.
-  """
-  app_env :disable_tenant_authentication, :edgehog, :disable_tenant_authentication,
-    os_env: "DISABLE_TENANT_AUTHENTICATION",
-    type: :boolean,
-    default: false
-
   @envdoc "The API key for the ipbase.com geolocation provider."
   app_env :ipbase_api_key, :edgehog, :ipbase_api_key,
     os_env: "IPBASE_API_KEY",
@@ -112,11 +96,7 @@ defmodule Edgehog.Config do
     type: GeocodingProviders,
     default: [GoogleGeocoding]
 
-  @doc """
-  Returns true if admin authentication is disabled.
-  """
-  @spec admin_authentication_disabled?() :: boolean()
-  def admin_authentication_disabled?, do: disable_admin_authentication!()
+
 
   @doc """
   Returns true if edgehog should use an ssl connection with the database.
@@ -179,11 +159,7 @@ defmodule Edgehog.Config do
       else: false
   end
 
-  @doc """
-  Returns true if tenant authentication is disabled.
-  """
-  @spec tenant_authentication_disabled?() :: boolean()
-  def tenant_authentication_disabled?, do: disable_tenant_authentication!()
+
 
   @doc """
   Returns the list of geolocation modules to use.
@@ -215,11 +191,7 @@ defmodule Edgehog.Config do
   """
   @spec validate_admin_authentication!() :: :ok | no_return()
   def validate_admin_authentication! do
-    if admin_authentication_disabled?() do
-      :ok
-    else
-      admin_jwk!()
-      :ok
-    end
+    admin_jwk!()
+    :ok
   end
 end
diff --git a/backend/lib/edgehog_web/admin_api/auth/auth.ex b/backend/lib/edgehog_web/admin_api/auth/auth.ex
@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2023 SECO Mind Srl
+# Copyright 2023-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,16 +20,14 @@
 
 defmodule EdgehogWeb.AdminAPI.Auth do
   @moduledoc false
-  alias Edgehog.Config
   alias EdgehogWeb.AdminAPI.Auth.Pipeline
 
   def init(opts) do
     Pipeline.init(opts)
   end
 
   def call(conn, opts) do
-    if Config.admin_authentication_disabled?() ||
-         conn.path_info == ["admin-api", "v1", "open_api"] do
+    if conn.path_info == ["admin-api", "v1", "open_api"] do
       conn
     else
       Pipeline.call(conn, opts)
diff --git a/backend/lib/edgehog_web/auth.ex b/backend/lib/edgehog_web/auth.ex
@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2022-2023 SECO Mind Srl
+# Copyright 2022-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,20 +20,13 @@
 
 defmodule EdgehogWeb.Auth do
   @moduledoc false
-  alias Edgehog.Config
   alias EdgehogWeb.Auth.Pipeline
 
   def init(opts) do
     Pipeline.init(opts)
   end
 
   def call(conn, opts) do
-    if Config.tenant_authentication_disabled?() do
-      # TODO: when we add Authz this path will probably have to
-      # put some type of all-access Authz in the GraphQL context
-      conn
-    else
-      Pipeline.call(conn, opts)
-    end
+    Pipeline.call(conn, opts)
   end
 end
