From b3d175fedcbc446a5f32e94e43004651619c773e Mon Sep 17 00:00:00 2001
From: achingbrain
Date: Fri, 27 Jun 2025 23:29:24 +0200
Subject: [PATCH 1/3] fix: require auth when set
Default to requiring auth so behaviour aligns with types.
---
 packages/http/src/routes/peer-id-auth.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/packages/http/src/routes/peer-id-auth.ts b/packages/http/src/routes/peer-id-auth.ts
index c9e01d2..d5ad8ce 100644
--- a/packages/http/src/routes/peer-id-auth.ts
+++ b/packages/http/src/routes/peer-id-auth.ts
@@ -26,6 +26,8 @@ interface PeerIdAuthInit {
 /**
 * If true, and the client has not initiated the HTTP PeerId Auth handshake,
 * have the server do it.
+ *
+ * @default true
 */
 requireAuth?: boolean
 }
@@ -41,7 +43,7 @@ export class PeerIdAuth {
 this.components = components
 this.log = components.logger.forComponent('libp2p:http:server-peer-id-auth')
 this.tokenTTL = init.tokenTTL ?? DEFAULT_AUTH_TOKEN_TTL
- this.requireAuth = init.requireAuth ?? false
+ this.requireAuth = init.requireAuth ?? true
 this.verifyHostname = init.verifyHostname ?? (() => true)
 }
@@ -52,7 +54,7 @@ export class PeerIdAuth {
 }
 if (authHeader == null || authHeader === '') {
- if (this.requireAuth) {
+ if (this.requireAuth !== false) {
 return this.returnChallenge(hostname)
 }
From b122b6ae5fc638a39b1f4f33fdf3327dd5c70c6a Mon Sep 17 00:00:00 2001
From: achingbrain
Date: Fri, 27 Jun 2025 23:46:22 +0200
Subject: [PATCH 2/3] chore: fix browsers
---
 packages/http/src/routes/peer-id-auth.ts | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/packages/http/src/routes/peer-id-auth.ts b/packages/http/src/routes/peer-id-auth.ts
index d5ad8ce..4dbbe29 100644
--- a/packages/http/src/routes/peer-id-auth.ts
+++ b/packages/http/src/routes/peer-id-auth.ts
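Review bot: In the `@@ -41,7 +43,7 @@` hunk of patch 1/3, the switch of the `requireAuth` default from `false` to `true` is not pinned by any test; the diffstat lists only `peer-id-auth.ts`. Every caller that omitted `requireAuth` now gets a challenge where it previously got `{ status: 200 }`, so a test that builds `PeerIdAuth` without the option and sends no `Authorization` header would keep the fail-closed default from regressing, and the behaviour change deserves an upgrade note. Because `this.requireAuth` is always a boolean after the `??`, the `!== false` comparison in the `@@ -52,7 +54,7 @@` hunk behaves like the old truthiness check; a comment such as `// auth is enforced unless explicitly disabled` would record the intent. Both enclosing functions start outside their hunks.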
@@ -47,14 +47,16 @@ export class PeerIdAuth {
 this.verifyHostname = init.verifyHostname ?? (() => true)
 }
- public async authenticateRequest (hostname: string, authHeader?: string | null): Promise {
+ public async authenticateRequest (hostname: string, method: string, authHeader?: string | null): Promise {
 if (!(await this.verifyHostname(hostname))) {
 this.log.error('hostname verification failed')
 return { status: 400 }
 }
 if (authHeader == null || authHeader === '') {
- if (this.requireAuth !== false) {
+ // OPTIONS is used by preflight request - cannot enforce auth on it as
+ // browsers throw "failed to fetch" errors
+ if (method != 'OPTIONS' && this.requireAuth !== false) {
 return this.returnChallenge(hostname)
 }
@@ -282,7 +284,7 @@ export function authenticatedRoute (handler: OptionallyAuthenticatedEndpoint | A
 const next = initializeRoute(handler, components)
 return async (req: Request): Promise => {
- const authResult = await auth.authenticateRequest(readHostname(req), req.headers.get('Authorization'))
+ const authResult = await auth.authenticateRequest(readHostname(req), req.method, req.headers.get('Authorization'))
 return authenticate(req, authResult, handlerMethods, next)
 }
@@ -324,7 +326,7 @@ export function authenticatedWebSocketRoute (handler: OptionallyAuthenticatedWeb
 // TODO: we should have a way of doing this before the websocket upgrade
 // has been negotiated
- auth.authenticateRequest(readHostname(ws), readProtocol(ws))
+ auth.authenticateRequest(readHostname(ws), '', readProtocol(ws))
 .then(authResult => {
 next.handler(ws, authResult.peer)
 })
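Review bot: The `method != 'OPTIONS'` exemption in `authenticateRequest` (the `@@ -47,14 +47,16 @@` hunk) lets every OPTIONS request that has no `Authorization` header skip the challenge and return `{ status: 200 }` with no peer, not only CORS preflights; patch 3/3 keeps the same condition as `method === 'OPTIONS'`. A preflight also carries `Access-Control-Request-Method`, so the exemption could be narrowed at the route level where `req` is in scope, e.g. `req.method === 'OPTIONS' && req.headers.has('Access-Control-Request-Method')`. `authenticate` is not visible here, so it should be confirmed that it never dispatches such a peer-less OPTIONS result to a handler registered as an authenticated endpoint. The body of `authenticateRequest` continues past the hunk.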
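Review bot: In the `@@ -324,7 +326,7 @@` hunk of `authenticatedWebSocketRoute`, the visible `.then` callback hands `authResult.peer` to `next.handler` without looking at `authResult.status`. With auth now required by default and `''` never matching the OPTIONS exemption, a socket that presents no token presumably gets a challenge result here, so unless a check exists outside the hunk the handler is still invoked with an undefined peer. A guard on the status (or on `authResult.peer == null` for routes that require auth) before the handler call would make this path fail closed, which also fits the existing TODO about authenticating before the upgrade. The empty string passed as `method` is a sentinel and deserves a comment such as `// no HTTP method after the upgrade; '' never matches the OPTIONS exemption`. The enclosing function starts and ends outside the hunk.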
@@ -334,7 +336,7 @@ export function authenticatedWebSocketRoute (handler: OptionallyAuthenticatedWeb
 }
 return async (req: Request): Promise => {
- const authResult = await auth.authenticateRequest(readHostname(req), readAuthorization(req) ?? readSecWebSocketProtocol(req))
+ const authResult = await auth.authenticateRequest(readHostname(req), req.method, readAuthorization(req) ?? readSecWebSocketProtocol(req))
 return authenticate(req, authResult, handlerMethods, {
 ...next,
From 72b72c3ace5a7f5c6473a484b680029e8b36441b Mon Sep 17 00:00:00 2001
From: achingbrain
Date: Fri, 27 Jun 2025 23:47:35 +0200
Subject: [PATCH 3/3] chore: readbility
---
 packages/http/src/routes/peer-id-auth.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/http/src/routes/peer-id-auth.ts b/packages/http/src/routes/peer-id-auth.ts
index 4dbbe29..d5451c5 100644
--- a/packages/http/src/routes/peer-id-auth.ts
+++ b/packages/http/src/routes/peer-id-auth.ts
@@ -56,11 +56,11 @@ export class PeerIdAuth {
 if (authHeader == null || authHeader === '') {
 // OPTIONS is used by preflight request - cannot enforce auth on it as
 // browsers throw "failed to fetch" errors
- if (method != 'OPTIONS' && this.requireAuth !== false) {
- return this.returnChallenge(hostname)
+ if (method === 'OPTIONS' || this.requireAuth === false) {
+ return { status: 200 }
 }
- return { status: 200 }
+ return this.returnChallenge(hostname)
 }
 try {