groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(GRO-778): exempt /dev-session from validatePortalSession middleware

Browse Source 
Route ordering: /dev-session is registered after portalRouter.use("/*")
so it is NOT subject to the validatePortalSession/portalAudit middleware
chain — this is correct Hono behaviour since use() only applies to routes
registered after it.

The /dev-session POST endpoint creates the impersonation session and
cannot have a valid X-Impersonation-Session-Id header at call time.
Without this exemption, POST /api/portal/dev-session returns 401 before
the handler runs, breaking all portal pages when AUTH_DISABLED=true.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Test User
2026-04-17 17:56:31 +00:00
parent 8e1e51be59
commit b980e4177c
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/api/src/routes/portal.ts
+3 -1
View File
@@ -9,7 +9,9 @@ import type { PortalEnv } from "../middleware/portalSession.js";
export const portalRouter = new Hono<PortalEnv>();
// Apply middleware to all portal routes
// Apply middleware to all portal routes — NOTE: /dev-session is registered BEFORE this line
// so it is NOT subject to validatePortalSession/portalAudit (this is intentional: the endpoint
// creates the impersonation session and has no X-Impersonation-Session-Id header yet).
portalRouter.use("/*", validatePortalSession, portalAudit);
// ─── GET routes ──────────────────────────────────────────────────────────────