From 069c20ad43d998e03d61b3fbe9047ce71d6b1221 Mon Sep 17 00:00:00 2001
From: ZGaetano
Date: Fri, 15 May 2026 23:40:10 -0400
Subject: [PATCH] fix(auth+bugs): optional auth bypass, login routes, conform column name, panel metadata fields, login page: auth.js
---
 services/mam-api/src/middleware/auth.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/services/mam-api/src/middleware/auth.js b/services/mam-api/src/middleware/auth.js
index 17cf85a..4711ddd 100644
--- a/services/mam-api/src/middleware/auth.js
+++ b/services/mam-api/src/middleware/auth.js
@@ -1,4 +1,16 @@
+/**
+ * Authentication middleware.
+ *
+ * When AUTH_ENABLED=true in the environment, every protected route requires
+ * an active session (set by POST /api/v1/auth/login).
+ *
+ * When AUTH_ENABLED is unset or any other value, the middleware is a no-op
+ * so the stack can be deployed and tested without setting up users first.
+ * Set AUTH_ENABLED=true in production after running POST /api/v1/auth/setup
+ * to create the first admin account.
+ */
 export const requireAuth = (req, res, next) => {
+ if (process.env.AUTH_ENABLED !== 'true') return next();
 if (!req.session || !req.session.userId) {
 return res.status(401).json({ error: 'Unauthorized' });
 }
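Review bot: The guard added as the first statement of `requireAuth` fails open. Any AUTH_ENABLED value other than the exact string 'true' (unset, `TRUE`, `1`, a trailing space, a misspelled variable name) makes every protected route skip the session check, and nothing is logged to show that authentication is off. I would invert the default so the bypass needs an explicit opt-out and cannot take effect in a production build, for example `if (process.env.AUTH_ENABLED === 'false' && process.env.NODE_ENV !== 'production') return next();`, and update the header comment to match. A one-time startup warning whenever the bypass is active would also make a misconfigured deployment visible in logs. The body of `requireAuth` continues past the end of this hunk, so the rest of the session handling is not visible here.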