fix: bypass middleware auth for ssh-config with setup token

Added middleware exception for /api/system/ssh-config when a valid setup
token is provided, matching the pattern used for verify-temperature-ssh.

The middleware was blocking ssh-config requests before they reached the
handler, even though the handler had setup token validation logic.
This commit is contained in:
rcourtman 2025-10-19 08:35:39 +00:00
parent 4b1d0013c0
commit 759a3b7d2f

View file

@ -1209,6 +1209,13 @@ func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
}
}
// Allow SSH config endpoint when a setup token is provided
if normalizedPath == "/api/system/ssh-config" && r.configHandlers != nil {
if token := extractSetupToken(req); token != "" && r.configHandlers.ValidateSetupToken(token) {
isPublic = true
}
}
// Auto-register endpoint needs to be public (validates tokens internally)
// BUT the tokens must be generated by authenticated users via setup-script-url
if normalizedPath == "/api/auto-register" {