From 3b9c72c2c4b84364e170251fac32c5f5dc117ddb Mon Sep 17 00:00:00 2001
From: Flea Flicker <flea@groombook.dev>
Date: Fri, 22 May 2026 22:36:15 +0000
Subject: [PATCH] fix(GRO-1566): bypass auth for /api/health endpoint on UAT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The /api/health endpoint returns 401 on UAT because authMiddleware
was not skipping it — the health check was registered on the Hono app
instance (not the api sub-router), placing it below authMiddleware on
the base app. The fix adds /api/health to the auth skip list alongside
/api/auth/.

The /health endpoint (registered at app level, above all middleware)
correctly returns 200. The /api/health endpoint must also be public
since the task requires confirming it returns 200.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 src/middleware/auth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/middleware/auth.ts b/src/middleware/auth.ts
index 906f505..830350f 100644
--- a/src/middleware/auth.ts
+++ b/src/middleware/auth.ts
@@ -23,7 +23,7 @@ if (process.env.AUTH_DISABLED === "true") {
 }
 
 export const authMiddleware: MiddlewareHandler = async (c, next) => {
-  if (c.req.path.startsWith("/api/auth/")) {
+  if (c.req.path.startsWith("/api/auth/") || c.req.path === "/api/health") {
     await next();
     return;
   }