From d8df6ed43927881b566f8b5bf72de7dc9ddb65e6 Mon Sep 17 00:00:00 2001
From: rathahin <ratha.hin@asiacell.com>
Date: Tue, 31 Oct 2023 16:45:36 +0300
Subject: [PATCH] Ensure that when exclusion is not configured, access to the
 entire global site is permitted, with only the inclusion criteria taking
 effect.

---
 src/runtime/server/middleware/basicAuth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/runtime/server/middleware/basicAuth.ts b/src/runtime/server/middleware/basicAuth.ts
index 10b23b93..6274065c 100644
--- a/src/runtime/server/middleware/basicAuth.ts
+++ b/src/runtime/server/middleware/basicAuth.ts
@@ -24,7 +24,7 @@ export default defineEventHandler((event) => {
   const basicAuthConfig = securityConfig.basicAuth
 
   // Check for exclusion paths
-  const excludePaths = basicAuthConfig?.exclude || []
+  const excludePaths = basicAuthConfig?.exclude || ['/']
   const isPathExcluded = excludePaths.some(el => event.path?.startsWith(el))
 
   // Check for inclusion paths