feat: require authentication for /proceed-db-migration endpoint if auth was enabled (#8893)

klesh · Klesh Wong · web-flow · commit ad202276ab04 · 2026-05-30T19:34:08.000+08:00
* feat: require authentication for /proceed-db-migration endpoint if auth was enabled

* fix: linting

* fix: disable codespell due to it is blocked by asf runner

---------

Co-authored-by: Klesh Wong &lt;kleshwong@gmail.com&gt;
diff --git a/.github/workflows/codespell.yml.action-blocked-by-asf b/.github/workflows/codespell.yml.action-blocked-by-asf
diff --git a/backend/server/api/api.go b/backend/server/api/api.go
@@ -127,8 +127,8 @@ func SetupApiServer(router *gin.Engine) {
 	router.UseRawPath = true
 	// router.UnescapePathValues = false
 
-	// Endpoint to proceed database migration
-	router.GET("/proceed-db-migration", func(ctx *gin.Context) {
+	// Endpoint to proceed database migration (now requires authentication)
+	router.GET("/proceed-db-migration", auth.RequireAuth(), func(ctx *gin.Context) {
 		// Execute database migration
 		errors.Must(services.ExecuteMigration())
 		// Return success response
diff --git a/backend/server/api/auth/middleware.go b/backend/server/api/auth/middleware.go
@@ -34,16 +34,15 @@ import (
 // and clear its session even when the cookie has lapsed; both handlers
 // short-circuit gracefully when no user is set.
 var publicPaths = map[string]struct{}{
-	"/ping":                 {},
-	"/ready":                {},
-	"/health":               {},
-	"/version":              {},
-	"/proceed-db-migration": {},
-	PathMethods:             {},
-	PathLogin:               {},
-	PathCallback:            {},
-	PathLogout:              {},
-	PathUserInfo:            {},
+	"/ping":      {},
+	"/ready":     {},
+	"/health":    {},
+	"/version":   {},
+	PathMethods:  {},
+	PathLogin:    {},
+	PathCallback: {},
+	PathLogout:   {},
+	PathUserInfo: {},
 }
 
 func OIDCAuthentication() gin.HandlerFunc { return defaultService.OIDCAuthentication() }
diff --git a/backend/test/helper/client.go b/backend/test/helper/client.go
@@ -180,6 +180,7 @@ func ConnectLocalServer(t *testing.T, clientConfig *LocalClientConfig) *DevlakeC
 				api.CreateAndRunApiServer()
 			})
 		}()
+		// NOTE: /proceed-db-migration now requires authentication. If AUTH_ENABLED=true, this test must provide credentials.
 		req, err2 := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/proceed-db-migration", addr), nil)
 		require.NoError(t, err2)
 		d.forceSendHttpRequest(100, req, func(err errors.Error) bool {
