From 8226b644ae083f8252c74735c8ade96e695f7de7 Mon Sep 17 00:00:00 2001 From: dswbx Date: Thu, 16 Jan 2025 15:45:29 +0100 Subject: [PATCH] fix double registration of auth middleware on data routes --- app/src/auth/middlewares.ts | 33 ++++++++++++++++-------------- app/src/data/api/DataController.ts | 4 +--- 2 files changed, 19 insertions(+), 18 deletions(-) diff --git a/app/src/auth/middlewares.ts b/app/src/auth/middlewares.ts index 50fd2d4..f36c94b 100644 --- a/app/src/auth/middlewares.ts +++ b/app/src/auth/middlewares.ts @@ -26,25 +26,28 @@ export const auth = (options?: { skip?: (string | RegExp)[]; }) => createMiddleware(async (c, next) => { - // make sure to only register once - if (c.get("auth_registered")) { - throw new Error(`auth middleware already registered for ${getPath(c)}`); - } - c.set("auth_registered", true); - const app = c.get("app"); - const skipped = shouldSkip(c, options?.skip) || !app?.module.auth.enabled; const guard = app?.modules.ctx().guard; const authenticator = app?.module.auth.authenticator; - if (!skipped) { - const resolved = c.get("auth_resolved"); - if (!resolved) { - if (!app.module.auth.enabled) { - guard?.setUserContext(undefined); - } else { - guard?.setUserContext(await authenticator?.resolveAuthFromRequest(c)); - c.set("auth_resolved", true); + let skipped = shouldSkip(c, options?.skip) || !app?.module.auth.enabled; + + // make sure to only register once + if (c.get("auth_registered")) { + skipped = true; + console.warn(`auth middleware already registered for ${getPath(c)}`); + } else { + c.set("auth_registered", true); + + if (!skipped) { + const resolved = c.get("auth_resolved"); + if (!resolved) { + if (!app?.module.auth.enabled) { + guard?.setUserContext(undefined); + } else { + guard?.setUserContext(await authenticator?.resolveAuthFromRequest(c)); + c.set("auth_resolved", true); + } } } } diff --git a/app/src/data/api/DataController.ts b/app/src/data/api/DataController.ts index 497ffa9..6735c7a 100644 
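Review bot: `c.set("auth_registered", true)` runs even when this instance is itself skipped by its `skip` list, so a later `auth()` on the same request with a different or empty `skip` list now only logs a warning and never calls `resolveAuthFromRequest`; before this change that case threw, i.e. it failed closed. If instances can be mounted with differing options, set the flag only when the instance actually handles the request, e.g. move `c.set("auth_registered", true);` inside `if (!skipped) {`, or key the early exit on `auth_resolved` instead. Separately, the inner `if (!app?.module.auth.enabled)` branch is unreachable, because `skipped` is already true whenever auth is disabled, so `guard?.setUserContext(undefined)` never runs there. The middleware body continues past the end of the hunk, so check how the now-mutable `skipped` affects whatever runs after `next()`.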
--- a/app/src/data/api/DataController.ts +++ b/app/src/data/api/DataController.ts @@ -70,7 +70,7 @@ export class DataController extends Controller { override getController() { const { permission, auth } = this.middlewares; - const hono = this.create().use(auth()); + const hono = this.create().use(auth(), permission(SystemPermissions.accessApi)); const definedEntities = this.em.entities.map((e) => e.name); const tbNumber = Type.Transform(Type.String({ pattern: "^[1-9][0-9]{0,}$" })) @@ -85,8 +85,6 @@ export class DataController extends Controller { return func; } - hono.use("*", permission(SystemPermissions.accessApi)); - // info hono.get( "/",
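Review bot: In the first DataController hunk, the order of the two middlewares in `.use(auth(), permission(SystemPermissions.accessApi))` is now load-bearing but undocumented. `permission` presumably consults the guard's user context that `auth()` sets, so swapping them would evaluate the API permission before the user is resolved. A comment above the line would pin this, e.g. `// auth() must stay first: permission() relies on the user context it resolves`. The explicit `"*"` path from the removed `hono.use("*", …)` is dropped too; Hono applies a pathless `use` to every route of the instance, so coverage should be unchanged, but a test hitting a data route without the `accessApi` permission would confirm it. `getController` continues past the end of the hunk.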