92caf6b44d2a66bf52d2e41961355a325d9d16fb
max
  Mon Jun 25 02:49:37 2018 -0700
making http auth mandatory, after a link wait

diff --git src/hg/lib/wikiLink.c src/hg/lib/wikiLink.c
index 33f27e0..dbfcd69 100644
--- src/hg/lib/wikiLink.c
+++ src/hg/lib/wikiLink.c
@@ -361,36 +361,32 @@
 int wordCount = chopString(tokenPlain, ":", words, ArraySize(words));
 if (wordCount!=2)
     errAbort("wikiLink/basicAuthUser: got illegal basic auth token");
 char *user = words[0];
 
 return user;
 }
 
 char *wikiLinkUserName()
 /* Return the user name specified in cookies from the browser, or NULL if 
  * the user doesn't appear to be logged in. */
 {
 if (loginUseBasicAuth())
     {
     char *token = getHttpBasicToken();
-    //XX The following should be uncommented for security reasons
-    //if (!token) 
-        //printTokenErrorAndExit();
-    // May 2017: Allowing normal login even when HTTP Basic is enabled. This may be insecure. 
-    // Keeping it insecure pending Jim's/Clay's approval, for backwards compatibility.
-    if (token) 
+    if (!token) 
+        printTokenErrorAndExit();
     return basicAuthUser(token);
     }
 
 if (loginSystemEnabled())
     {
     if (! alreadyAuthenticated)
         loginValidateCookies();
     if (authenticated)
         return cloneString(getLoginUserName());
     }
 else if (wikiLinkEnabled())
     {
     char *wikiUserName = findCookieData(wikiLinkUserNameCookie());
     char *wikiLoggedIn = findCookieData(wikiLinkLoggedInCookie());
     if (isNotEmpty(wikiLoggedIn) && isNotEmpty(wikiUserName))