From 739982d8a7597b467d4d4a197165ad2d071c950a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Fri, 7 Nov 2025 12:14:46 +0100
Subject: [PATCH] feat: remove HTTP Basic Auth from Kit stack services
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Removed authentication middleware from Vert and Paint services:
- Removed basicauth middleware labels from vert service
- Removed basicauth middleware labels from paint service
- Updated middleware chains to exclude auth
- Updated CLAUDE.md to reflect public access

All Kit stack services (landing, vert, paint) are now publicly
accessible without authentication as they are client-side tools
that don't require protection.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 CLAUDE.md        | 3 +--
 kit/compose.yaml | 6 ++----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index 792de0e..1b6d721 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -269,13 +269,12 @@ VERT universal file format converter:
 - No file size limits
 - Privacy-focused: all conversions happen in the browser
 - No persistent data storage required
-- Protected by HTTP Basic Auth (credentials in `.env`)
+- Publicly accessible (no authentication required)
 
 **Configuration**:
 - **PUB_HOSTNAME**: `vert.kit.pivoine.art` (public hostname)
 - **PUB_ENV**: `production` (environment mode)
 - **PUB_DISABLE_ALL_EXTERNAL_REQUESTS**: `true` (privacy mode)
-- **AUTH_USERS**: Shared HTTP Basic Auth credentials (htpasswd format in `.env`)
 
 **Usage**:
 Access https://vert.kit.pivoine.art and drag/drop files to convert between formats. All processing happens in your browser using WebAssembly - no data is uploaded to the server.
diff --git a/kit/compose.yaml b/kit/compose.yaml
index 6adcfa8..a1bd24a 100644
--- a/kit/compose.yaml
+++ b/kit/compose.yaml
@@ -45,9 +45,8 @@ services:
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web-secure.rule=Host(`${KIT_VERT_TRAEFIK_HOST}`)'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web-secure.tls.certresolver=resolver'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web-secure.entrypoints=web-secure'
-      - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-vert-auth.basicauth.users=${AUTH_USERS}'
       - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-vert-compress.compress=true'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web-secure.middlewares=${KIT_COMPOSE_PROJECT_NAME}-vert-auth,${KIT_COMPOSE_PROJECT_NAME}-vert-compress,security-headers@file'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-vert-web-secure.middlewares=${KIT_COMPOSE_PROJECT_NAME}-vert-compress,security-headers@file'
       # Service
       - 'traefik.http.services.${KIT_COMPOSE_PROJECT_NAME}-vert.loadbalancer.server.port=80'
       - 'traefik.docker.network=${NETWORK_NAME}'
@@ -74,9 +73,8 @@ services:
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web-secure.rule=Host(`${KIT_PAINT_TRAEFIK_HOST}`)'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web-secure.tls.certresolver=resolver'
       - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web-secure.entrypoints=web-secure'
-      - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-paint-auth.basicauth.users=${AUTH_USERS}'
       - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-paint-compress.compress=true'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web-secure.middlewares=${KIT_COMPOSE_PROJECT_NAME}-paint-auth,${KIT_COMPOSE_PROJECT_NAME}-paint-compress,security-headers@file'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-paint-web-secure.middlewares=${KIT_COMPOSE_PROJECT_NAME}-paint-compress,security-headers@file'
       # Service
       - 'traefik.http.services.${KIT_COMPOSE_PROJECT_NAME}-paint.loadbalancer.server.port=80'
       - 'traefik.docker.network=${NETWORK_NAME}'