WildDragonLLC/dragonflight
1
0
Fork 0
Code Issues 18 Pull requests 3 Projects Releases Packages Wiki Activity Actions

feat(mam-api): mount requireAuth gate at /api/v1 with auth + cluster carve-outs

Browse source
This commit is contained in:
Zac Gaetano 2026-05-27 14:13:21 -04:00
parent 88c3aa5149
commit 9de4fe9ab9
1 changed files with 12 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
services/mam-api/src/index.js
View file

@ -8,6 +8,7 @@ import os from 'node:os';
import { exec } from 'node:child_process';
import pool from './db/pool.js';
import { errorHandler } from './middleware/errors.js';
import { requireAuth } from './middleware/auth.js';
import { loadS3ConfigFromDb } from './s3/client.js';
// Routes
@ -86,6 +87,17 @@ app.use(session({
// ── Health ────────────────────────────────────────────────────────────────────
app.get('/health', (_req, res) => res.json({ status: 'ok' }));
// ── Auth gate ─────────────────────────────────────────────────────────────────
// Mount once for everything under /api/v1, with an explicit allowlist for
// the three pre-login auth paths and a carve-out for /cluster/* (node-agent
// uses migration 019's token-binding, not user auth). See spec.
const UNAUTH_PATHS = new Set(['/auth/login', '/auth/setup', '/auth/setup-required']);
app.use('/api/v1', (req, res, next) => {
if (UNAUTH_PATHS.has(req.path)) return next();
if (req.path.startsWith('/cluster')) return next(); // node-agent service auth, not user auth
return requireAuth(req, res, next);
});
// ── API Routes ────────────────────────────────────────────────────────────────
app.use('/api/v1/assets', assetsRouter);
app.use('/api/v1/projects', projectsRouter);