Lack of auth providers doesn't show errors in the UI #1456

Open
paskal opened this issue Jul 31, 2022 · 10 comments

@paskal
Collaborator

paskal commented Jul 31, 2022

Here is what one would see by running Remark42 like `./remark42.darwin-arm64 server --secret=12345 --url=http://127.0.0.1:8080`:

image

Let's name it "Read-only mode" and write some helping text like "No authentication methods are set up, the comments are in the read-only mode".

@akellbl4
Collaborator

akellbl4 commented Aug 1, 2022

Why would somebody run a comment system without auth providers at all?
Should the backend throw an error if no providers were configured?

@paskal
Collaborator Author

paskal commented Aug 1, 2022

Frontend behaviour currently is not helpful for someone trying to set up Remark42 for the first time. I would insist on showing some proper message about the lack of providers in that case.

@akellbl4
Collaborator

akellbl4 commented Aug 1, 2022

It is not friendly because in my opinion Remark42 shouldn't be started without providers and backend should provide info about it in any possible form. Responsibility of backend configuration and errors shouldn't be shifted to frontend.

I have this position because we don't have a requirement for starting an instance without providers and it makes no sense to me. Why would we need it?

@umputun
Owner

umputun commented Aug 1, 2022

I think it does make sense to run the backend-only without any auth providers if basic auth mode is turned on. This is useful at least for development and also for some internal tests/operation one may want to do without setting up the proper auth.

@akellbl4
Collaborator

akellbl4 commented Aug 1, 2022

@umputun if it's backend-only then why would we need an error on frontend?
How is basic auth working and what does the frontend have to do with it?

@umputun
Owner

umputun commented Aug 1, 2022

Frontend has nothing to do with this. From the frontend POV such configuration is invalid (or at least incomplete), but if a user runs it this way for whatever testing they did, and forgot to enable auth providers - frontend may help that poor user a little bit. Probably, logging WARN to backend log is a more appropriate place technically (i.e. "WARN no auth backend enabled", or smth like this) but this won't prevent users from doing it anyway and asking after this "why no auth working?"

@akellbl4
Collaborator

akellbl4 commented Aug 1, 2022

Backend-only mode probably means that FE shouldn't be exposed at all. I think it should have a specific option and an error/warning won't appear in BE logs in this case.

@paskal
Collaborator Author

paskal commented Aug 1, 2022

The backend doesn't fail in such a scenario as it's a valid case to run it in such a scenario. However, the front is broken in that case and doesn't help the user understand what is wrong. Some error message in case there are zero providers should be displayed.

@umputun
Owner

umputun commented Aug 1, 2022

> Backend-only mode probably means that FE shouldn't be exposed at all. I think it should have a specific option and an error/warning won't appear in BE logs in this case.

In fact, this is not really a backend-only mode, sorry for confusion as I called it like this. Without any auth frontend is usable for read-only, just limited. I do see how someone may want to run the backend without auth (for whatever reason) and would like to have the frontend. For instance, some testing or export or import, smth like this.

This is a strange mode for sure, but still a valid one.

@akellbl4
Collaborator

> In fact, this is not really a backend-only mode, sorry for confusion as I called it like this. Without any auth frontend is usable for read-only, just limited. I do see how someone may want to run the backend without auth (for whatever reason) and would like to have the frontend. For instance, some testing or export or import, smth like this.
> This is a strange mode for sure, but still a valid one.

I don't think we need to make an effort in order to support any type of special UI in such case. If somebody is doing this, it should be expected.

The best we can do is add an error in the console and enforce read-only mode in the UI.
