Fix demo mode to allow authentication endpoints

Demo mode now permits login/logout and OIDC authentication endpoints
while still blocking all modification requests. This allows demo
instances to require authentication while remaining read-only.

Authentication endpoints are read-only operations that verify
credentials and issue session tokens without modifying any state.
All POST/PUT/DELETE/PATCH operations remain blocked.
This commit is contained in:
rcourtman 2025-11-06 13:48:28 +00:00
parent aea9586145
commit a9d2209edd

View file

@ -32,6 +32,20 @@ func DemoModeMiddleware(cfg *config.Config, next http.Handler) http.Handler {
return
}
// Allow authentication endpoints (login is read-only - verifies credentials)
authPaths := []string{
"/api/login",
"/api/oidc/login",
"/api/oidc/callback",
"/api/logout",
}
for _, path := range authPaths {
if r.URL.Path == path {
next.ServeHTTP(w, r)
return
}
}
// Block all modification requests (POST, PUT, DELETE, PATCH)
log.Warn().
Str("method", r.Method).