If any of the ListenAndServe functions are called with an empty token, token authentication is disabled globally for all listeners.
In addition, a minor timing side channel was present, potentially allowing attackers who have very low latency and can make a large number of requests to recover the token.
github.com/nanobox-io/golang-nanoauth
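
Both flaws side by side with a hardened check, as an added example that is not code from the golang-nanoauth module. `weakCheck`, `Verifier`, `NewVerifier`, `ErrEmptyToken` and the sample token are hypothetical names and values chosen for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrEmptyToken is returned instead of silently disabling authentication.
var ErrEmptyToken = errors.New("auth: empty token, refusing to serve")

// weakCheck is a hypothetical model of the flawed pattern, not the module's
// code: an empty configured token turns the check off, and == can stop at
// the first differing byte, so response time tracks the matching prefix.
func weakCheck(configured, supplied string) bool {
	if configured == "" {
		return true // every request is accepted
	}
	return configured == supplied
}

// Verifier stores only a fixed-length digest of the configured token.
type Verifier struct{ digest [sha256.Size]byte }

// NewVerifier fails closed: no token means no listener, not an open one.
func NewVerifier(configured string) (*Verifier, error) {
	if configured == "" {
		return nil, ErrEmptyToken
	}
	return &Verifier{digest: sha256.Sum256([]byte(configured))}, nil
}

// Check hashes the supplied value so both inputs have equal length, then
// compares them in time independent of where they differ.
func (v *Verifier) Check(supplied string) bool {
	d := sha256.Sum256([]byte(supplied))
	return subtle.ConstantTimeCompare(v.digest[:], d[:]) == 1
}

func main() {
	const token = "constructed-sample-token" // constructed value
	fmt.Println("weak, empty config:", weakCheck("", "anything"))
	_, err := NewVerifier("")
	fmt.Println("hardened, empty config:", err)
	v, _ := NewVerifier(token)
	fmt.Println("good:", v.Check(token), "bad:", v.Check("constructed-sample-tokeX"))
}
```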