
fix(cms): restore auth: false on custom REST endpoints#647

Merged
tataihono merged 1 commit into main from fix/restore-auth-false-custom-endpoints on Apr 3, 2026

Conversation


@tataihono tataihono commented Apr 3, 2026

Summary

Hotfix — PR #646 removed auth: false from custom routes, causing a 404 on /api/language-geo in production. Strapi v5 custom routes without auth: false fall under Users & Permissions, which requires admin-configured roles — not API token auth.

Fix: Created a global api-token-auth middleware that validates the Bearer token against Strapi's hashed API token store. Routes keep auth: false (to bypass U&P) but add the middleware for real auth:

config: {
  auth: false,
  middlewares: ["global::api-token-auth"],
}

Applied to both language-geo and video-coverage endpoints.

How it works

  1. Extracts Authorization: Bearer <token> header
  2. Hashes the token using Strapi's API token service (apiTokenService.hash)
  3. Looks up the hashed token in the admin::api-token table via apiTokenService.getBy
  4. Checks expiration
  5. Returns 401 if any step fails, calls next() if valid

Files

  • NEW: apps/cms/src/middlewares/api-token-auth.ts — global middleware
  • MODIFIED: apps/cms/src/api/language-geo/routes/language-geo.ts — adds middleware
  • MODIFIED: apps/cms/src/api/video-coverage/routes/video-coverage.ts — adds middleware

Testing

  • CMS typechecks clean
  • Linting passes
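The five-step check described above, written out as an added example that is not the PR's own middleware: a Strapi v5 style middleware factory in TypeScript. `ApiTokenService` stands in for the `hash` and `getBy` methods of the `admin::api-token` service, `inMemoryTokenService` is a constructed stand-in for the hashed token store (HMAC-SHA512 keyed with a salt, assumed to mirror Strapi's hashing), and `probe` is a test helper; all three are assumptions, not Strapi APIs.

```typescript
import { createHmac } from "node:crypto";
export interface ApiTokenRecord { id: number; name: string; expiresAt: string | null }
// Only the two admin::api-token service methods the PR description names (assumed shape).
export interface ApiTokenService {
  hash(accessKey: string): string;
  getBy(params: { accessKey: string }): Promise<ApiTokenRecord | null>;
}
// Minimal Koa-like context; Strapi's real ctx carries more fields.
export interface Ctx {
  request: { header: Record<string, string | undefined> };
  state: Record<string, unknown>;
  status: number;
  body?: unknown;
}

// One generic 401 for every failure, so the response does not reveal which step rejected the token.
const reject = (ctx: Ctx, reason: string): void => {
  ctx.status = 401;
  ctx.body = { error: { status: 401, name: "UnauthorizedError", message: reason } };
};

// Middleware factory; a real Strapi version would resolve strapi.service("admin::api-token") itself.
export const apiTokenAuth = (tokens: ApiTokenService) =>
  async (ctx: Ctx, next: () => Promise<void>): Promise<void> => {
    const token = /^Bearer\s+(\S+)$/i.exec(ctx.request.header.authorization ?? "")?.[1]; // step 1
    if (!token) return reject(ctx, "Missing or malformed Authorization header");
    // Steps 2-3: hash the presented token and look the hash up; the plaintext is never compared or stored.
    const record = await tokens.getBy({ accessKey: tokens.hash(token) });
    if (!record) return reject(ctx, "Unknown API token");
    // Step 4: a null expiresAt means a non-expiring token.
    if (record.expiresAt !== null && Date.parse(record.expiresAt) <= Date.now())
      return reject(ctx, "API token expired");
    ctx.state.apiToken = record; // step 5: let downstream handlers see which token authenticated the call
    await next();
  };

// Constructed stand-in for the hashed token store: HMAC-SHA512 keyed with a salt (assumed to mirror Strapi).
export const inMemoryTokenService = (salt: string, seeds: Array<[string, ApiTokenRecord]>): ApiTokenService => {
  const hash = (k: string): string => createHmac("sha512", salt).update(k).digest("hex");
  const store = new Map(seeds.map(([plain, rec]): [string, ApiTokenRecord] => [hash(plain), rec]));
  return { hash, getBy: async ({ accessKey }) => store.get(accessKey) ?? null };
};
// Test helper: run the middleware against one Authorization header and report the outcome.
export const probe = async (mw: ReturnType<typeof apiTokenAuth>, authorization?: string) => {
  const ctx: Ctx = { request: { header: { authorization } }, state: {}, status: 404 };
  let reachedHandler = false;
  await mw(ctx, async () => { reachedHandler = true; ctx.status = 200; });
  return { status: ctx.status, reachedHandler };
};
```

Because the route keeps `auth: false`, this middleware is the only gate on the endpoint, so a missing, unknown or expired token must all end in the same 401 before `next()` is reached.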


railway-app bot commented Apr 3, 2026

🚅 Deployed to the forge-pr-647 environment in forge

Service: @forge/cms, Status: Success, Updated (UTC): Apr 3, 2026 at 8:37 am
2 services not affected by this PR
  • @forge/web
  • @forge/manager

@railway-app railway-app bot temporarily deployed to forge / forge-pr-647 April 3, 2026 08:21 Destroyed

Strapi v5 custom routes with auth: false bypass all auth, but removing
auth: false enables Users & Permissions (which needs admin-configured
roles, not API tokens) — causing 404s.

Solution: keep auth: false to bypass U&P, add a global api-token-auth
middleware that validates the Bearer token against Strapi's hashed API
token store. Applied to both language-geo and video-coverage endpoints.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@tataihono tataihono force-pushed the fix/restore-auth-false-custom-endpoints branch from 2cc466f to 4dc9839 Compare April 3, 2026 08:34
@railway-app railway-app bot temporarily deployed to forge / forge-pr-647 April 3, 2026 08:34 Destroyed
@tataihono tataihono merged commit 4bb9477 into main Apr 3, 2026
29 checks passed
@tataihono tataihono deleted the fix/restore-auth-false-custom-endpoints branch April 3, 2026 08:38