From b052c3f8d87865eec9f533b335e9b681b9f32659 Mon Sep 17 00:00:00 2001
From: Abel Luck <abel@guardianproject.info>
Date: Thu, 26 Feb 2026 16:22:35 +0100
Subject: [PATCH] allow public access to / and /index.html

---
 flake.nix              |  2 +-
 nix-cache/src/index.ts | 20 ++++++++++++--------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/flake.nix b/flake.nix
index 9bd48f5..a3e2267 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,7 +14,7 @@
       packages = forAllSystems (pkgs: {
         nix-cache = pkgs.buildNpmPackage {
           pname = "nix-cache";
-          version = "0.1.2";
+          version = "0.1.3";
           src = ./nix-cache;
           npmDepsHash = "sha256-bIujU7pZa1ExCZOMOoxsTeLDSF1GuPN/oMSgiMhY/04=";
           buildPhase = ''
diff --git a/nix-cache/src/index.ts b/nix-cache/src/index.ts
index 3335de4..b4f6e94 100644
--- a/nix-cache/src/index.ts
+++ b/nix-cache/src/index.ts
@@ -91,18 +91,22 @@ export default {
 			return Response.redirect(url.toString(), 301);
 		}
 
-		const authenticated = await authenticate(request, env);
-		if (!authenticated) {
-			return new Response('Unauthorized', {
-				status: 401,
-				headers: { 'WWW-Authenticate': 'Bearer realm="nix-cache"' },
-			});
-		}
-
 		if (url.pathname === '/') {
 			url.pathname = '/index.html';
 		}
 
+		const isPublic = url.pathname === '/index.html';
+
+		if (!isPublic) {
+			const authenticated = await authenticate(request, env);
+			if (!authenticated) {
+				return new Response('Unauthorized', {
+					status: 401,
+					headers: { 'WWW-Authenticate': 'Bearer realm="nix-cache"' },
+				});
+			}
+		}
+
 		const cache = caches.default;
 		let response = await cache.match(request);
 		let range: Range | undefined;