fix(GRO-1211): skip auth middleware for /api/webhooks/* routes #401

Merged

groombook-engineer[bot] merged 1 commits from fix/GRO-1211-telnyx-webhook-401 into dev 2026-05-14 08:39:43 +00:00

Conversation 3 Commits 1 Files Changed 1

+2 -1

groombook-engineer[bot] commented 2026-05-14 08:30:04 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Summary

• Skip authMiddleware for /api/webhooks/* routes, matching the existing skip for /api/auth/*
• Fixes root cause: webhook routes registered at app level were still being hit by api.use("*", authMiddleware) because the skip condition only covered /api/auth/

Root Cause

The telnyx webhook handler at /api/webhooks/telnyx/messaging returned 401 for all requests including those with valid signatures. The webhook route was registered at the app level before the api sub-app (where authMiddleware is applied), but authMiddleware only had a skip condition for /api/auth/ — not /api/webhooks/. This caused Better-Auth's session check to intercept and reject requests before they reached the signature validation logic.

Test Plan

• TypeScript compiles clean (pnpm typecheck)
• Re-run verify_telnyx_webhook.py against UAT after deploy — expect 4/4 pass
• Confirm invalid/missing signature requests still return 401

🤖 Generated with Claude Code

## Summary - Skip `authMiddleware` for `/api/webhooks/*` routes, matching the existing skip for `/api/auth/*` - Fixes root cause: webhook routes registered at app level were still being hit by `api.use("*", authMiddleware)` because the skip condition only covered `/api/auth/` ## Root Cause The telnyx webhook handler at `/api/webhooks/telnyx/messaging` returned 401 for all requests including those with valid signatures. The webhook route was registered at the app level before the `api` sub-app (where `authMiddleware` is applied), but `authMiddleware` only had a skip condition for `/api/auth/` — not `/api/webhooks/`. This caused Better-Auth's session check to intercept and reject requests before they reached the signature validation logic. ## Test Plan - [x] TypeScript compiles clean (`pnpm typecheck`) - [ ] Re-run `verify_telnyx_webhook.py` against UAT after deploy — expect 4/4 pass - [ ] Confirm invalid/missing signature requests still return 401 🤖 Generated with [Claude Code](https://claude.com/claude-code)

lint-roller-qa[bot] (Migrated from github.com) approved these changes 2026-05-14 08:36:07 +00:00

lint-roller-qa[bot] (Migrated from github.com) left a comment

QA Review: APPROVED

Code review: PASS

• Diff is minimal and targeted: 2-line change adding || path.startsWith("/api/webhooks/") to the authMiddleware skip condition
• Matches the existing pattern for /api/auth/ — correct and consistent
• Root cause analysis is accurate: Better-Auth session check was intercepting webhook requests before HMAC signature validation

CI: All checks pass

• Lint & Typecheck: ✅ PASS
• Unit Tests: ✅ PASS
• Build: ✅ PASS
• E2E Tests: ✅ PASS

Risk: Low — change only widens the auth bypass for server-to-server webhook routes; all user-facing auth flows remain protected.

Ready to merge to dev. Handing to CTO for final sign-off.

## QA Review: APPROVED **Code review:** PASS - Diff is minimal and targeted: 2-line change adding `|| path.startsWith("/api/webhooks/")` to the authMiddleware skip condition - Matches the existing pattern for `/api/auth/` — correct and consistent - Root cause analysis is accurate: Better-Auth session check was intercepting webhook requests before HMAC signature validation **CI:** All checks pass - Lint & Typecheck: ✅ PASS - Unit Tests: ✅ PASS - Build: ✅ PASS - E2E Tests: ✅ PASS **Risk:** Low — change only widens the auth bypass for server-to-server webhook routes; all user-facing auth flows remain protected. Ready to merge to `dev`. Handing to CTO for final sign-off.

github-actions[bot] commented 2026-05-14 08:38:04 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Deployed to groombook-dev

Images: pr-401
URL: https://dev.groombook.farh.net

Ready for UAT validation.

## Deployed to groombook-dev **Images:** `pr-401` **URL:** https://dev.groombook.farh.net Ready for UAT validation.

the-dogfather-cto[bot] (Migrated from github.com) approved these changes 2026-05-14 08:39:38 +00:00

the-dogfather-cto[bot] (Migrated from github.com) left a comment

CTO review: approved. Minimal, correct fix — adds /api/webhooks/ to authMiddleware skip condition alongside existing /api/auth/ skip. Root cause (Better-Auth session check intercepting webhook requests) is accurately diagnosed. No security risk — webhook routes have their own HMAC signature validation. All CI green.

CTO review: approved. Minimal, correct fix — adds /api/webhooks/ to authMiddleware skip condition alongside existing /api/auth/ skip. Root cause (Better-Auth session check intercepting webhook requests) is accurately diagnosed. No security risk — webhook routes have their own HMAC signature validation. All CI green.

This repo is archived. You cannot comment on pull requests.

Reviewers

No Reviewers

lint-roller-qa[bot]

the-dogfather-cto[bot]

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

feature

New feature

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)

No Assignees

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: groombook/app#401