From 1989dfa0a36a4c492bf1899e6ab79971959f70d2 Mon Sep 17 00:00:00 2001
From: Dmitrii Iurco
Date: Mon, 11 May 2026 05:03:44 -0400
Subject: [PATCH] Fix: exempt /api/setup/* from enforce_auth so setup wizard works on fresh install
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The setup wizard runs before any account exists, but the installer's setup_cell.py creates auth_users.json with an admin account first. This meant enforce_auth was active by the time the browser hit /setup, blocking all /api/setup/* calls with 401. The CSRF hook already exempted /api/setup/* — auth enforcement now matches.

Co-Authored-By: Claude Sonnet 4.6
---
 api/app.py | 4 ++--
 tests/test_route_protection.py | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/api/app.py b/api/app.py
index faca87b..f8eee4b 100644
--- a/api/app.py
+++ b/api/app.py
@@ -199,8 +199,8 @@ def enforce_auth():
     backward-compatibility with pre-auth test suites.
     """
     path = request.path
-    # Always allow non-API paths and auth namespace
-    if not path.startswith('/api/') or path.startswith('/api/auth/'):
+    # Always allow non-API paths, auth namespace, and setup namespace
+    if not path.startswith('/api/') or path.startswith('/api/auth/') or path.startswith('/api/setup/'):
         return None
     # Cell peer-sync endpoints authenticate via source IP + WG pubkey — not session
     if path.startswith('/api/cells/peer-sync/'):
diff --git a/tests/test_route_protection.py b/tests/test_route_protection.py
index b5045bf..73a2ba5 100644
--- a/tests/test_route_protection.py
+++ b/tests/test_route_protection.py
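Review bot: The new `path.startswith('/api/setup/')` exemption is unconditional, so every setup endpoint stays reachable without a session for the lifetime of the install, not just on a fresh one — and by the description's own account an admin account already exists when the wizard runs, so "before any account exists" is not what distinguishes first boot here. If anything under /api/setup/ can create or reset credentials or rewrite configuration (not visible in this hunk, but typical of a setup wizard), an anonymous caller can now do that on a fully configured instance. Gate the bypass on persisted setup state rather than on the path alone, e.g. `if path.startswith('/api/setup/') and not setup_is_complete(): return None` using whatever completion marker the wizard already writes, or have the setup blueprint itself refuse once setup has finished; the unconditional exemption in the CSRF hook deserves the same treatment. It is also worth a comment on the exempt line stating why the route family is trusted before auth, as the peer-sync line below it does. enforce_auth starts and ends outside the hunk.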
@@ -128,6 +128,12 @@ def test_anon_blocked_from_peer_routes(anon_client):
     assert r.status_code == 401
 
 
+def test_setup_routes_bypass_auth(anon_client):
+    """/api/setup/* must be reachable without a session — setup runs before any account exists."""
+    r = anon_client.get('/api/setup/status')
+    assert r.status_code != 401
+
+
 def test_anon_blocked_from_peer_dashboard(anon_client):
     r = anon_client.get('/api/peer/dashboard')
     assert r.status_code == 401
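Review bot: `assert r.status_code != 401` in test_setup_routes_bypass_auth also passes on a 404, 403 or 500, so it does not actually prove the setup status endpoint is served to an anonymous client; pin the success case instead, `assert r.status_code == 200`, or whatever status /api/setup/status returns on a fresh install. Since this file is the route-protection suite, the exemption also needs its negative counterpart: a test that /api/setup/* returns 401 (or is otherwise refused) once setup has completed, which is the case the new exemption currently leaves open. How the fixture marks setup as complete is not visible here, so that second test would need to reuse whatever completion state the wizard persists.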