From bec7f91566ffcaf7e187e2df39a3fdd7f5b59520 Mon Sep 17 00:00:00 2001
From: "groombook-ci[bot]" <ci@groombook.bot>
Date: Sat, 28 Mar 2026 14:27:56 +0000
Subject: [PATCH] fix(auth): skip auth middleware for Better-Auth's own routes

The auth middleware was intercepting /api/auth/** requests (OAuth
callbacks, session management) and returning 401 before Better-Auth
could process them. This prevented login when AUTH_DISABLED=false.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/middleware/auth.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/apps/api/src/middleware/auth.ts b/apps/api/src/middleware/auth.ts
index 66ec3d4..dbdbb1f 100644
--- a/apps/api/src/middleware/auth.ts
+++ b/apps/api/src/middleware/auth.ts
@@ -23,6 +23,12 @@ if (process.env.AUTH_DISABLED === "true") {
 }
 
 export const authMiddleware: MiddlewareHandler = async (c, next) => {
+  // Better-Auth's own routes handle their own auth (OAuth callbacks, session mgmt)
+  if (c.req.path.startsWith("/api/auth/")) {
+    await next();
+    return;
+  }
+
   if (process.env.AUTH_DISABLED === "true") {
     const devUserId = c.req.header("X-Dev-User-Id");
     const sub = devUserId ?? "dev-user";