From 0e1c8e8988a94239b0bd96d676aa29a38b6fa09f Mon Sep 17 00:00:00 2001
From: Lewis Marshall <lewis.marshall@ably.com>
Date: Sun, 9 Jul 2023 22:31:55 +0100
Subject: [PATCH] auth: Add option to allow basic auth for non-TLS requests

We internally often want to use the Go SDK in private environments (e.g.
local development, or within virtual private networks), where we do not
use TLS, but find it convenient to be able to use API keys rather than
tokens.

This commit adds an InsecureAllowBasicAuthWithoutTLS option which
permits the use of an API key when the NoTLS option is also set.

We only require this in the Go SDK, so there is no intention of adding
this option to the feature spec.

Signed-off-by: Lewis Marshall <lewis.marshall@ably.com>
---
 ably/auth.go    |  2 +-
 ably/options.go | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/ably/auth.go b/ably/auth.go
index 1b0dc1b0..56d1a309 100644
--- a/ably/auth.go
+++ b/ably/auth.go
@@ -545,7 +545,7 @@ func detectAuthMethod(opts *clientOptions) (int, error) {
 	if !isKeyValid {
 		return 0, newError(ErrInvalidCredential, errInvalidKey)
 	}
-	if opts.NoTLS {
+	if opts.NoTLS && !opts.InsecureAllowBasicAuthWithoutTLS {
 		return 0, newError(ErrInvalidUseOfBasicAuthOverNonTLSTransport, errInsecureBasicAuth)
 	}
 	return authBasic, nil
diff --git a/ably/options.go b/ably/options.go
index 1bf26783..6c7c8362 100644
--- a/ably/options.go
+++ b/ably/options.go
@@ -408,6 +408,10 @@ type clientOptions struct {
 	// LogHandler controls the log output of the library. This is a function to handle each line of log output.
 	// platform specific (TO3c)
 	LogHandler Logger
+
+	// InsecureAllowBasicAuthWithoutTLS permits an API key to be used even if the connection
+	// will not use TLS, something which would otherwise not be permitted for security reasons.
+	InsecureAllowBasicAuthWithoutTLS bool
 }
 
 func (opts *clientOptions) validate() error {
@@ -1316,6 +1320,14 @@ func WithDial(dial func(protocol string, u *url.URL, timeout time.Duration) (con
 	}
 }
 
+// WithInsecureAllowBasicAuthWithoutTLS permits an API key to be used even if the connection
+// will not use TLS, something which would otherwise not be permitted for security reasons.
+func WithInsecureAllowBasicAuthWithoutTLS() ClientOption {
+	return func(opts *clientOptions) {
+		opts.InsecureAllowBasicAuthWithoutTLS = true
+	}
+}
+
 func applyOptionsWithDefaults(opts ...ClientOption) *clientOptions {
 	to := defaultOptions
 	// No need to set hosts by default