From a9d2209edd7eccaf08ee230af8f6d78bdfa21328 Mon Sep 17 00:00:00 2001 From: rcourtman Date: Thu, 6 Nov 2025 13:48:28 +0000 Subject: [PATCH] Fix demo mode to allow authentication endpoints Demo mode now permits login/logout and OIDC authentication endpoints while still blocking all modification requests. This allows demo instances to require authentication while remaining read-only. Authentication endpoints are read-only operations that verify credentials and issue session tokens without modifying any state. All POST/PUT/DELETE/PATCH operations remain blocked. --- internal/api/demo_middleware.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/internal/api/demo_middleware.go b/internal/api/demo_middleware.go index 1b23e74..7709809 100644 --- a/internal/api/demo_middleware.go +++ b/internal/api/demo_middleware.go @@ -32,6 +32,20 @@ func DemoModeMiddleware(cfg *config.Config, next http.Handler) http.Handler { return } + // Allow authentication endpoints (login is read-only - verifies credentials) + authPaths := []string{ + "/api/login", + "/api/oidc/login", + "/api/oidc/callback", + "/api/logout", + } + for _, path := range authPaths { + if r.URL.Path == path { + next.ServeHTTP(w, r) + return + } + } + // Block all modification requests (POST, PUT, DELETE, PATCH) log.Warn(). Str("method", r.Method).