This is an automated email from the ASF dual-hosted git repository.

Startrekzky pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-devlake.git


The following commit(s) were added to refs/heads/main by this push:
     new ad202276a feat: require authentication for /proceed-db-migration 
endpoint if auth was enabled (#8893)
ad202276a is described below

commit ad202276ab04c5b545fb0c5515c667b8d97ca61a
Author: Klesh Wong <[email protected]>
AuthorDate: Sat May 30 19:34:08 2026 +0800

    feat: require authentication for /proceed-db-migration endpoint if auth was 
enabled (#8893)
    
    * feat: require authentication for /proceed-db-migration endpoint if auth 
was enabled
    
    * fix: linting
    
    * fix: disable codespell due to it is blocked by asf runner
    
    ---------
    
    Co-authored-by: Klesh Wong <[email protected]>
---
 ...espell.yml => codespell.yml.action-blocked-by-asf} |  0
 backend/server/api/api.go                             |  4 ++--
 backend/server/api/auth/middleware.go                 | 19 +++++++++----------
 backend/test/helper/client.go                         |  1 +
 4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/codespell.yml 
b/.github/workflows/codespell.yml.action-blocked-by-asf
similarity index 100%
rename from .github/workflows/codespell.yml
rename to .github/workflows/codespell.yml.action-blocked-by-asf
diff --git a/backend/server/api/api.go b/backend/server/api/api.go
index cd66b765a..82f80ff30 100644
--- a/backend/server/api/api.go
+++ b/backend/server/api/api.go
@@ -127,8 +127,8 @@ func SetupApiServer(router *gin.Engine) {
        router.UseRawPath = true
        // router.UnescapePathValues = false
 
-       // Endpoint to proceed database migration
-       router.GET("/proceed-db-migration", func(ctx *gin.Context) {
+       // Endpoint to proceed database migration (now requires authentication)
+       router.GET("/proceed-db-migration", auth.RequireAuth(), func(ctx 
*gin.Context) {
                // Execute database migration
                errors.Must(services.ExecuteMigration())
                // Return success response
diff --git a/backend/server/api/auth/middleware.go 
b/backend/server/api/auth/middleware.go
index 231f4d546..b668de032 100644
--- a/backend/server/api/auth/middleware.go
+++ b/backend/server/api/auth/middleware.go
@@ -34,16 +34,15 @@ import (
 // and clear its session even when the cookie has lapsed; both handlers
 // short-circuit gracefully when no user is set.
 var publicPaths = map[string]struct{}{
-       "/ping":                 {},
-       "/ready":                {},
-       "/health":               {},
-       "/version":              {},
-       "/proceed-db-migration": {},
-       PathMethods:             {},
-       PathLogin:               {},
-       PathCallback:            {},
-       PathLogout:              {},
-       PathUserInfo:            {},
+       "/ping":      {},
+       "/ready":     {},
+       "/health":    {},
+       "/version":   {},
+       PathMethods:  {},
+       PathLogin:    {},
+       PathCallback: {},
+       PathLogout:   {},
+       PathUserInfo: {},
 }
 
 func OIDCAuthentication() gin.HandlerFunc { return 
defaultService.OIDCAuthentication() }
diff --git a/backend/test/helper/client.go b/backend/test/helper/client.go
index c3855f589..8e39d6f5b 100644
--- a/backend/test/helper/client.go
+++ b/backend/test/helper/client.go
@@ -180,6 +180,7 @@ func ConnectLocalServer(t *testing.T, clientConfig 
*LocalClientConfig) *DevlakeC
                                api.CreateAndRunApiServer()
                        })
                }()
+               // NOTE: /proceed-db-migration now requires authentication. If 
AUTH_ENABLED=true, this test must provide credentials.
                req, err2 := http.NewRequest(http.MethodGet, 
fmt.Sprintf("%s/proceed-db-migration", addr), nil)
                require.NoError(t, err2)
                d.forceSendHttpRequest(100, req, func(err errors.Error) bool {

Reply via email to