From dce9c96442695d5861abb9b5a62f5ef8c8c72d86 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Thu, 14 May 2026 08:29:10 +0000 Subject: [PATCH] fix(GRO-1211): skip auth middleware for /api/webhooks/* routes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The telnyx webhook handler at /api/webhooks/telnyx/messaging was returning 401 for all requests including those with valid signatures. This was caused by the authMiddleware being applied to all /api/* routes via api.use("*", authMiddleware) after the webhook route was registered at the app level. authMiddleware already skips /api/auth/ paths; adding the same skip for /api/webhooks/* fixes the issue — webhook endpoints use their own signature validation and do not require Better-Auth session auth. Root cause: authMiddleware was applied to webhook routes that were registered at the app level before the api sub-app middleware, but the skip condition only covered /api/auth/, not /api/webhooks/. Co-Authored-By: Claude Opus 4.7 --- apps/api/src/middleware/auth.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/api/src/middleware/auth.ts b/apps/api/src/middleware/auth.ts index 906f505..198f55b 100644 --- a/apps/api/src/middleware/auth.ts +++ b/apps/api/src/middleware/auth.ts @@ -23,7 +23,8 @@ if (process.env.AUTH_DISABLED === "true") { } export const authMiddleware: MiddlewareHandler = async (c, next) => { - if (c.req.path.startsWith("/api/auth/")) { + const path = c.req.path; + if (path.startsWith("/api/auth/") || path.startsWith("/api/webhooks/")) { await next(); return; }