Removal of default API passwords (#2422)

GitOrigin-RevId: d831adcf2fb8bec8792dda624c255474480bb897

services/web/app.js

@@ -35,6 +35,11 @@ const port = Settings.port || Settings.internal.web.port || 3000
 const host = Settings.internal.web.host || 'localhost'
 if (!module.parent) {
   // Called directly
+
+  // We want to make sure that we provided a password through the environment.
+  if (!process.env['WEB_API_USER'] || !process.env['WEB_API_PASSWORD']) {
+    throw new Error('No API user and password provided')
+  }
   Server.server.listen(port, host, function() {
     logger.info(`web starting up, listening on ${host}:${port}`)
     logger.info(`${require('http').globalAgent.maxSockets} sockets enabled`)

services/web/config/settings.defaults.coffee

@@ -8,9 +8,10 @@ minutes = 60 * seconds
 
 # These credentials are used for authenticating api requests
 # between services that may need to go over public channels
-httpAuthUser = process.env['WEB_API_USER'] or "sharelatex"
+httpAuthUser = process.env['WEB_API_USER']
-httpAuthPass = process.env['WEB_API_PASSWORD'] or "password"
+httpAuthPass = process.env['WEB_API_PASSWORD']
 httpAuthUsers = {}
+if httpAuthUser and httpAuthPass
 	httpAuthUsers[httpAuthUser] = httpAuthPass
 
 sessionSecret = process.env['SESSION_SECRET'] or "secret-please-change"

services/web/test/acceptance/config/settings.test.coffee

@@ -3,10 +3,20 @@ v1Api =
 	user: 'overleaf'
 	pass: 'password'
 
+httpAuthUser = "sharelatex"
+httpAuthPass = "password"
+httpAuthUsers = {}
+httpAuthUsers[httpAuthUser] = httpAuthPass
+
 module.exports =
 	enableSubscriptions: true
 
+	httpAuthUsers: httpAuthUsers
+
 	apis:
+		web:
+			user: httpAuthUser
+			pass: httpAuthPass
 		v1:
 			url: v1Api.url
 			user: v1Api.user