groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
840675e89e059504f1e2d458eb614df56a0cf15c
api/src/middleware/auth.ts
T
Flea Flicker 3b9c72c2c4
CI / Lint & Typecheck (pull_request) Failing after 1m27s
Details
CI / Test (pull_request) Failing after 1m38s
Details
CI / Build & Push Docker Images (pull_request) Has been skipped
Details
fix(GRO-1566): bypass auth for /api/health endpoint on UAT 
The /api/health endpoint returns 401 on UAT because authMiddleware
was not skipping it — the health check was registered on the Hono app
instance (not the api sub-router), placing it below authMiddleware on
the base app. The fix adds /api/health to the auth skip list alongside
/api/auth/.

The /health endpoint (registered at app level, above all middleware)
correctly returns 200. The /api/health endpoint must also be public
since the task requires confirming it returns 200.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-22 22:36:15 +00:00

62 lines
1.5 KiB
TypeScript
Raw Blame History

import type { MiddlewareHandler } from "hono";
import { getAuth } from "../lib/auth.js";
export interface AuthUser {
id: string;
email: string;
name: string;
}
// Guard: refuse to start with AUTH_DISABLED in production.
if (process.env.AUTH_DISABLED === "true") {
if (process.env.NODE_ENV === "production") {
console.error(
"[FATAL] AUTH_DISABLED=true is not allowed in production. " +
"Remove AUTH_DISABLED from your environment and configure Better-Auth."
);
process.exit(1);
}
console.warn(
"[WARNING] AUTH_DISABLED=true — authentication is bypassed. " +
"Do NOT use this in production."
);
}
export const authMiddleware: MiddlewareHandler = async (c, next) => {
if (c.req.path.startsWith("/api/auth/") || c.req.path === "/api/health") {
await next();
return;
}
if (process.env.AUTH_DISABLED === "true") {
const devUserId = c.req.header("X-Dev-User-Id");
const sub = devUserId ?? "dev-user";
c.set("jwtPayload", { sub } as { sub: string });
await next();
return;
}
let auth;
try {
auth = getAuth();
} catch {
return c.json({ error: "Authentication not configured" }, 503);
}
const session = await auth.api.getSession({
headers: c.req.raw.headers,
});
if (!session) {
return c.json({ error: "Unauthorized" }, 401);
}
// Set jwtPayload with sub = Better-Auth user ID for backward compat with resolveStaffMiddleware
c.set("jwtPayload", {
sub: session.user.id,
email: session.user.email,
name: session.user.name,
});
await next();
};
Reference in New Issue View Git Blame Copy Permalink