Commit e8194b7
fix(auth): allow unauthenticated user_id on /feed/for-you (#804)
## Summary
The For You handler (`v1_users_feed_for_you.go`) treats:
- **path `:userId`** as the personalization target
- **query `user_id`** as a viewer hint, used only to decorate response
fields like `has_current_user_reposted` / `has_current_user_saved`
It already calls `tryGetAuthedWallet` (optional), so the handler is fine
with an unauthenticated request — the path `:userId` controls the
personalization SQL, and the access-gated track filter falls through to
"ungated only" when `authedWallet` is empty.
But the global `authMiddleware` returns 403 whenever `user_id` is set
and the request isn't signed:
```go
// auth_middleware.go:351
if myId != 0 && !pkceAuthed && !app.isAuthorizedRequest(c.Context(), myId, wallet) {
return fiber.NewError(fiber.StatusForbidden,
fmt.Sprintf("You are not authorized to make this request authedWallet=%s myId=%d", wallet, myId))
}
```
…so the call dies before reaching the handler. Symptom on the web RC:
For You tab silently empty / 403 in network tab.
## Fix
Exempt the `/feed/for-you` route from that strict check via
`strings.HasSuffix(c.Path(), "/feed/for-you")`. The `myId` is still
resolved (so viewer-relative fields populate when a `user_id` is
supplied) — it's just not gated behind a wallet match.
## What stays the same
- Path `:userId` still controls **what** content is returned — caller
can't impersonate a different user for personalization.
- Access-gated tracks still filtered out when `authedWallet` is empty
(handler's existing `t.access_authorities` predicate).
- All other routes still get the strict 403.
## Test plan
- ✅ New test `TestV1FeedForYou_UnauthenticatedViewerIdAllowed` exercises
the exemption with `skipAuthCheck` OFF (so the real auth path runs).
Passes locally against the test DB.
- ✅ Existing For You tests still pass (`TestV1FeedForYou_Basic`,
`TestV1FeedForYou_RequiresValidUserId`,
`TestV1FeedForYou_ExcludesAlreadySavedTracks`, etc.).
- ✅ `go build ./api/...` / `go vet ./api/...` clean.
- After merge: web RC `/v1/users/{id}/feed/for-you?user_id={id}` should
return 200 instead of 403 — verifiable directly with curl.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent 386ac75
commit e8194b7
2 files changed
Lines changed: 29 additions & 2 deletions
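The gate described in the commit message, reduced to a decision table, as an added example that is not part of the commit or the project's middleware. It models the middleware condition (`myId != 0 && !pkceAuthed && !isAuthorizedRequest(...)`) as a pure function over a constructed `request` struct and compares two exemption policies: the raw-path suffix match the commit uses, and a hypothetical stricter match on the registered route pattern. The `/v1/playlists/...` route in the last case is invented solely to show where the two policies diverge.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed model of the gate in the commit message; not the project's
// fiber middleware. A request carries the raw path, the matched route
// pattern, the viewer id resolved from `user_id` (myId), and the two
// conditions that normally satisfy the strict check.
type request struct {
	path       string
	route      string // registered route pattern, e.g. "/v1/users/:userId/feed/for-you"
	myId       int    // 0 when no user_id was supplied
	pkceAuthed bool
	walletOK   bool // stands in for app.isAuthorizedRequest(ctx, myId, wallet)
}

// exemptBySuffix reproduces the exemption as the commit describes it:
// a suffix match on the raw request path.
func exemptBySuffix(r request) bool {
	return strings.HasSuffix(r.path, "/feed/for-you")
}

// exemptByRoute is the stricter alternative (hypothetical, not in the
// commit): compare the matched route pattern, so only the registered
// for-you route is exempt, whatever other paths happen to end the same way.
func exemptByRoute(r request) bool {
	return r.route == "/v1/users/:userId/feed/for-you"
}

// rejects reports whether the strict 403 fires for r under the given
// exemption policy. When the route is exempt, myId is still resolved by
// the caller; only the wallet-match gate is skipped.
func rejects(r request, exempt func(request) bool) bool {
	if exempt(r) {
		return false
	}
	return r.myId != 0 && !r.pkceAuthed && !r.walletOK
}

func main() {
	cases := []request{
		// unsigned For You request carrying a user_id hint: allowed after the fix
		{path: "/v1/users/7/feed/for-you", route: "/v1/users/:userId/feed/for-you", myId: 7},
		// unsigned request with user_id on another route: still 403
		{path: "/v1/users/7/reposts", route: "/v1/users/:userId/reposts", myId: 7},
		// no user_id at all: never gated, on any route
		{path: "/v1/users/7/reposts", route: "/v1/users/:userId/reposts"},
		// signed and wallet-matched: allowed everywhere
		{path: "/v1/users/7/reposts", route: "/v1/users/:userId/reposts", myId: 7, walletOK: true},
		// hypothetical other route whose path ends in /feed/for-you:
		// the two policies disagree here
		{path: "/v1/playlists/9/feed/for-you", route: "/v1/playlists/:playlistId/feed/for-you", myId: 7},
	}
	for _, r := range cases {
		fmt.Printf("%-32s suffix-policy 403=%-5v route-policy 403=%v\n",
			r.path, rejects(r, exemptBySuffix), rejects(r, exemptByRoute))
	}
}
```

The first four cases behave identically under both policies and match the "What stays the same" list in the commit message; only the last, invented case differs, which is the scope question a reviewer would raise about keying the exemption on a path suffix. In fiber the matched route pattern is available to a handler as `c.Route().Path`, so the stricter policy needs no extra state.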
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| 347 | 347 | | |
| 348 | 348 | | |
| 349 | 349 | | |
| 350 | | - | |
| 351 | | - | |
| | 350 | + | |
| | 351 | + | |
| | 352 | + | |
| | 353 | + | |
| | 354 | + | |
| | 355 | + | |
| | 356 | + | |
| | 357 | + | |
| | 358 | + | |
| | 359 | + | |
| 352 | 360 | | |
| 353 | 361 | | |
| 354 | 362 | | |
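Review bot: the exemption, per the summary, keys on `strings.HasSuffix(c.Path(), "/feed/for-you")`, which is a raw-path suffix match rather than a match on the registered route, so any current or future route whose path ends in `/feed/for-you` would inherit the bypass of the strict 403 check. Consider comparing against the matched route pattern (fiber exposes it as `c.Route().Path`) or a per-route flag so the exemption cannot broaden silently, and keep the existing `fmt.Sprintf` 403 message below the new branch unchanged so log-based detection of denied `user_id` requests on other routes still works.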
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| 148 | 148 | | |
| 149 | 149 | | |
| 150 | 150 | | |
| | 151 | + | |
| | 152 | + | |
| | 153 | + | |
| | 154 | + | |
| | 155 | + | |
| | 156 | + | |
| | 157 | + | |
| | 158 | + | |
| | 159 | + | |
| | 160 | + | |
| | 161 | + | |
| | 162 | + | |
| | 163 | + | |
| | 164 | + | |
| | 165 | + | |
| | 166 | + | |
| | 167 | + | |
| | 168 | + | |
| | 169 | + | |
| 151 | 170 | | |
| 152 | 171 | | |
| 153 | 172 | | |
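Review bot: the new `TestV1FeedForYou_UnauthenticatedViewerIdAllowed` covers only the positive case (unsigned `user_id` on the for-you route returns 200); the test plan lists no negative counterpart. Add a sibling test asserting that an unsigned request with `user_id` on a non-feed route still gets 403, which pins the scope of the exemption, and have the positive test assert that the viewer-relative fields (`has_current_user_reposted` / `has_current_user_saved`) are populated from the supplied `user_id`, since the summary claims `myId` is still resolved and a status-code check alone does not verify that.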