Fix: exempt /api/setup/* from enforce_auth so setup wizard works on fresh install
The setup wizard runs before any account exists, but the installer's setup_cell.py creates auth_users.json with an admin account first. This meant enforce_auth was active by the time the browser hit /setup, blocking all /api/setup/* calls with 401. The CSRF hook already exempted /api/setup/* — auth enforcement now matches. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+2
-2
@@ -199,8 +199,8 @@ def enforce_auth():
|
||||
backward-compatibility with pre-auth test suites.
|
||||
"""
|
||||
path = request.path
|
||||
# Always allow non-API paths and auth namespace
|
||||
if not path.startswith('/api/') or path.startswith('/api/auth/'):
|
||||
# Always allow non-API paths, auth namespace, and setup namespace
|
||||
if not path.startswith('/api/') or path.startswith('/api/auth/') or path.startswith('/api/setup/'):
|
||||
return None
|
||||
# Cell peer-sync endpoints authenticate via source IP + WG pubkey — not session
|
||||
if path.startswith('/api/cells/peer-sync/'):
|
||||
|
||||
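Review bot: The new `path.startswith('/api/setup/')` exemption is unconditional, so `/api/setup/*` stays reachable without a session after the wizard has finished — and since the description says the CSRF hook already skips this prefix, those routes now carry neither check; whether that is safe depends on the setup handlers, which are not visible here. The description also notes the installer creates an admin account before the wizard runs, so the routes only need to be anonymous until setup is marked complete, not forever. Either gate the bypass on setup not yet being complete, e.g. `if path.startswith('/api/setup/') and not <setup-complete check>: return None`, or have each setup handler refuse once setup is done, and add a comment on the new line stating which of the two holds. enforce_auth starts and ends outside this hunk.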
@@ -128,6 +128,12 @@ def test_anon_blocked_from_peer_routes(anon_client):
|
||||
assert r.status_code == 401
|
||||
|
||||
|
||||
def test_setup_routes_bypass_auth(anon_client):
|
||||
"""/api/setup/* must be reachable without a session — setup runs before any account exists."""
|
||||
r = anon_client.get('/api/setup/status')
|
||||
assert r.status_code != 401
|
||||
|
||||
|
||||
def test_anon_blocked_from_peer_dashboard(anon_client):
|
||||
r = anon_client.get('/api/peer/dashboard')
|
||||
assert r.status_code == 401
|
||||
|
||||
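Review bot: `assert r.status_code != 401` in test_setup_routes_bypass_auth also passes on 404 or 500, so the test would not notice if `/api/setup/status` were missing or broken; pin the expected code, `assert r.status_code == 200`, or at least `assert r.status_code < 400` if the status body varies across fixtures. There is also no negative case: nothing here checks that `/api/setup/*` is rejected once setup has completed, which is the property that keeps the exemption from becoming a permanent unauthenticated surface — add one alongside it, using whatever fixture marks setup as finished, asserting 401 or 403. Whether the anon_client fixture starts with setup complete or not is not visible in this hunk, so the new test's precondition should be stated in its docstring.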