Make private projects not accessible if auth is not configured

2 files changed, 5 insertions, 3 deletions

diff --git a/acceptance_test.go b/acceptance_test.go
index 31f4e3e5..23abad5d 100644
--- a/acceptance_test.go
+++ b/acceptance_test.go
@@ -576,7 +576,7 @@ func TestKnownHostInReverseProxySetupReturns200(t *testing.T) {
 	}
 }
 
-func TestWhenAuthIsDisabledPrivateIsAccessible(t *testing.T) {
+func TestWhenAuthIsDisabledPrivateIsNotAccessible(t *testing.T) {
 	skipUnlessEnabled(t)
 	teardown := RunPagesProcess(t, *pagesBinary, listeners, "", "")
 	defer teardown()
@@ -585,7 +585,7 @@ func TestWhenAuthIsDisabledPrivateIsAccessible(t *testing.T) {
 
 	require.NoError(t, err)
 	rsp.Body.Close()
-	assert.Equal(t, http.StatusOK, rsp.StatusCode)
+	assert.Equal(t, http.StatusInternalServerError, rsp.StatusCode)
 }
 
 func TestWhenAuthIsEnabledPrivateWillRedirectToAuthorize(t *testing.T) {
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index f8524405..8b0396d4 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -427,7 +427,9 @@ func (a *Auth) CheckAuthenticationWithoutProject(w http.ResponseWriter, r *http.
 func (a *Auth) CheckAuthentication(w http.ResponseWriter, r *http.Request, projectID uint64) bool {
 
 	if a == nil {
-		return false
+		log.Debug("Authentication is not configured")
+		httperrors.Serve500(w)
+		return true
 	}
 
 	session, err := a.checkSession(w, r)