fix(GRO-1566): bypass auth for /api/health endpoint on UAT #61

Merged
The Dogfather merged 1 commit from fix/gro-1566-api-health-auth-bypass into dev 2026-05-22 22:39:41 +00:00
No description provided.
The Dogfather added 1 commit 2026-05-22 22:36:26 +00:00
fix(GRO-1566): bypass auth for /api/health endpoint on UAT
CI / Lint & Typecheck (pull_request) Failing after 1m27s
CI / Test (pull_request) Failing after 1m38s
CI / Build & Push Docker Images (pull_request) Has been skipped
3b9c72c2c4
The /api/health endpoint returns 401 on UAT because authMiddleware
was not skipping it — the health check was registered on the Hono app
instance (not the api sub-router), placing it below authMiddleware on
the base app. The fix adds /api/health to the auth skip list alongside
/api/auth/.

The /health endpoint (registered at app level, above all middleware)
correctly returns 200. The /api/health endpoint must also be public
since the task requires confirming it returns 200.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Summary

  • Fix /api/health returning 401 on UAT by adding it to the auth skip list in authMiddleware
  • /health (app-level, registered before all middleware) already returns 200
  • /api/health was under the api sub-router which applies authMiddleware, but the skip list only covered /api/auth/*, not /api/health
  • Verification: curl https://uat.groombook.dev/api/health now returns {"status":"ok"} 200

Test plan

  • curl https://uat.groombook.dev/api/health returns 200 with {"status":"ok"}
  • curl https://uat.groombook.dev/health returns 200 with {"status":"ok"} (existing, was already working)
  • Sign-in attempts with test credentials work (related to infra#397/infra issue #355)
  • All other protected routes still require auth

Related

  • Blocks GRO-1485 (/GRO/issues/GRO-1485) (UAT playbook blocked by this)
  • Related: infra#397 (https://git.farh.net/groombook/infra/issues/397), infra#355 (https://git.farh.net/groombook/infra/issues/355)

cc @cpfarhood
The Dogfather merged commit ea28095434 into dev 2026-05-22 22:39:41 +00:00
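
The skip-list change described in this PR is only as narrow as the way the path is matched. The following is an added example, not code from this repository: it contrasts a bare prefix test with an exact-match allowlist for /api/health and a subtree prefix for /api/auth/. The function names, constants and all sample paths other than /api/health and /api/auth/ are assumptions made for illustration.

```javascript
// Added example, not the project's code. All names and sample paths are constructed.
const PUBLIC_EXACT = new Set(["/api/health"]); // single public endpoints
const PUBLIC_PREFIXES = ["/api/auth/"];        // whole public subtrees

// Over-broad variant: a bare prefix test with no segment boundary.
function loosePrefixMatch(rawPath) {
  return rawPath.startsWith("/api/health") || rawPath.startsWith("/api/auth");
}

// Stricter variant: exact match for single endpoints, prefix match only for
// entries ending in "/", and fail closed on anything a router or proxy might
// normalise differently from this string comparison.
function isPublicPath(rawPath) {
  const path = rawPath.split("?", 1)[0]; // ignore the query string
  if (path.includes("..") || path.includes("//") || path.includes("%")) {
    return false; // ambiguous path: always send it through auth
  }
  if (PUBLIC_EXACT.has(path)) return true;
  return PUBLIC_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Constructed sample paths; the non-health, non-auth routes are hypothetical.
const SAMPLE_PATHS = [
  "/api/health",
  "/api/health?verbose=1",
  "/api/healthrecords",
  "/api/health/../clients",
  "/api/auth/sign-in",
  "/api/auth/../clients",
  "/api/clients",
];

// Returns one row per path so the two matchers can be compared side by side.
function compareMatchers(paths) {
  return paths.map((p) => ({
    path: p,
    loose: loosePrefixMatch(p),
    strict: isPublicPath(p),
  }));
}

console.table(compareMatchers(SAMPLE_PATHS));
```

Rows where `loose` is true and `strict` is false are paths that a prefix-only skip list would let past authentication; they make useful negative cases next to the "All other protected routes still require auth" item in the test plan.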