Authorization middleware #10

Closed
opened 2026-06-12 20:27:21 +00:00 by james · 0 comments
Owner

Centralize the rule: every endpoint except /api/health and the auth callbacks requires a valid session.

Scope

  • A Next.js middleware (or equivalent route guard) that:
    • Allows /api/health and the auth callback routes through unauthenticated.
    • Rejects every other request without a valid session with a 401.
  • Tests assert the policy: an unauthenticated request to a random /api/* route returns 401.
  • The default for any new route is "requires auth" — adding a public route must be an explicit opt-in, not a default.

Acceptance criteria

  • Unauthenticated /api/anything-else returns 401.
  • Unauthenticated /api/health returns 200.
  • Adding a public route requires an explicit allowlist entry; this is documented.

Part of epic #1. Depends on #7.

Centralize the rule: every endpoint except `/api/health` and the auth callbacks requires a valid session. ## Scope - A Next.js middleware (or equivalent route guard) that: - Allows `/api/health` and the auth callback routes through unauthenticated. - Rejects every other request without a valid session with a 401. - Tests assert the policy: an unauthenticated request to a random `/api/*` route returns 401. - The default for **any new route** is "requires auth" — adding a public route must be an explicit opt-in, not a default. ## Acceptance criteria - [ ] Unauthenticated `/api/anything-else` returns 401. - [ ] Unauthenticated `/api/health` returns 200. - [ ] Adding a public route requires an explicit allowlist entry; this is documented. Part of epic #1. Depends on #7.
james closed this issue 2026-06-13 14:49:38 +00:00
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
james/carol#10
No description provided.