allow either one or both to be set for basicAuth

orchestrator/src/client/pages/SettingsPage.tsx

@@ -296,21 +296,21 @@ export const SettingsPage: React.FC = () => {
 
       const envPayload: Partial<UpdateSettingsInput> = {}
 
-      if (dirtyFields.rxresumeEmail) {
+      if (dirtyFields.rxresumeEmail || dirtyFields.rxresumePassword) {
         envPayload.rxresumeEmail = normalizeString(data.rxresumeEmail)
       }
 
-      if (dirtyFields.ukvisajobsEmail) {
+      if (dirtyFields.ukvisajobsEmail || dirtyFields.ukvisajobsPassword) {
         envPayload.ukvisajobsEmail = normalizeString(data.ukvisajobsEmail)
       }
 
       if (data.enableBasicAuth === false) {
         envPayload.basicAuthUser = null
         envPayload.basicAuthPassword = null
-      } else {
-        if (dirtyFields.basicAuthUser) {
-          envPayload.basicAuthUser = normalizeString(data.basicAuthUser)
-        }
+      } else if (dirtyFields.enableBasicAuth || dirtyFields.basicAuthUser || dirtyFields.basicAuthPassword) {
+        // If enabling basic auth or changing either field, ensure we send at least the username
+        // to keep the pair consistent in the backend.
+        envPayload.basicAuthUser = normalizeString(data.basicAuthUser)
 
         if (dirtyFields.basicAuthPassword) {
           const value = normalizePrivateInput(data.basicAuthPassword)

orchestrator/src/server/api/routes/settings.test.ts

@@ -56,4 +56,19 @@ describe.sequential('Settings API routes', () => {
     expect(patchBody.data.rxresumeEmail).toBe('updated@example.com');
     expect(patchBody.data.openrouterApiKeyHint).toBe('upda');
   });
+
+  it('validates basic auth requirements', async () => {
+    const res = await fetch(`${baseUrl}/api/settings`, {
+      method: 'PATCH',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        enableBasicAuth: true,
+        basicAuthUser: '',
+      }),
+    });
+    expect(res.status).toBe(400);
+    const body = await res.json();
+    expect(body.success).toBe(false);
+    expect(body.error).toContain('Username is required');
+  });
 });

orchestrator/src/shared/settings-schema.ts

@@ -33,6 +33,16 @@ export const updateSettingsSchema = z.object({
   ukvisajobsPassword: z.string().trim().max(2000).nullable().optional(),
   webhookSecret: z.string().trim().max(2000).nullable().optional(),
   enableBasicAuth: z.boolean().optional(),
+}).superRefine((data, ctx) => {
+  if (data.enableBasicAuth) {
+    if (!data.basicAuthUser || data.basicAuthUser.trim() === "") {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "Username is required when basic auth is enabled",
+        path: ["basicAuthUser"],
+      });
+    }
+  }
 });
 
 export type UpdateSettingsInput = z.infer<typeof updateSettingsSchema>;