From 759a3b7d2f16632d2d7e81b83e2b2b80558b2e46 Mon Sep 17 00:00:00 2001 From: rcourtman Date: Sun, 19 Oct 2025 08:35:39 +0000 Subject: [PATCH] fix: bypass middleware auth for ssh-config with setup token Added middleware exception for /api/system/ssh-config when a valid setup token is provided, matching the pattern used for verify-temperature-ssh. The middleware was blocking ssh-config requests before they reached the handler, even though the handler had setup token validation logic. --- internal/api/router.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/internal/api/router.go b/internal/api/router.go index a465adf..1a244cb 100644 --- a/internal/api/router.go +++ b/internal/api/router.go @@ -1209,6 +1209,13 @@ func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) { } } + // Allow SSH config endpoint when a setup token is provided + if normalizedPath == "/api/system/ssh-config" && r.configHandlers != nil { + if token := extractSetupToken(req); token != "" && r.configHandlers.ValidateSetupToken(token) { + isPublic = true + } + } + // Auto-register endpoint needs to be public (validates tokens internally) // BUT the tokens must be generated by authenticated users via setup-script-url if normalizedPath == "/api/auto-register" {