@@ -21,6 +21,7 @@ import {
2121 health ,
2222 models ,
2323 settings ,
24+ providers ,
2425 deployments ,
2526 installation ,
2627 oauth ,
@@ -130,19 +131,24 @@ app.use('*', async (c, next) => {
130131// Auth Middleware
131132// ============================================================================
132133
133- // Routes that don't require authentication
134- // Keep this list minimal — only routes needed before login
135- const PUBLIC_ROUTES = [
136- '/api/cluster/status' ,
137- '/api/settings' , // Settings is public (read-only auth config needed by frontend)
138- '/api/oauth' , // OAuth routes must be public for initial authentication
139- ] ;
140-
141- // Public routes that must match exactly (no sub-path matching)
134+ // Routes that don't require authentication. Keep this list minimal — only
135+ // routes needed before login, and avoid prefix-whitelisting provider detail
136+ // endpoints because they include install metadata and chart values.
142137const PUBLIC_ROUTES_EXACT = [
143138 '/api/health' ,
144139 '/api/health/' ,
145140 '/api/health/version' ,
141+ '/api/cluster/status' ,
142+ '/api/settings' ,
143+ '/api/settings/' ,
144+ '/api/settings/providers' ,
145+ '/api/settings/providers/' ,
146+ '/api/providers' ,
147+ '/api/providers/' ,
148+ ] ;
149+
150+ const PUBLIC_ROUTE_PREFIXES = [
151+ '/api/oauth' , // OAuth routes must be public for initial authentication
146152] ;
147153
148154// Auth middleware for protected API routes
@@ -158,8 +164,8 @@ app.use('/api/*', async (c, next) => {
158164 return next ( ) ;
159165 }
160166
161- // Skip auth for prefix-match public routes (cluster/status, settings, oauth)
162- if ( PUBLIC_ROUTES . some ( route => path === route || path . startsWith ( route + '/' ) ) ) {
167+ // Skip auth for prefix-match public routes (OAuth callback/token flow).
168+ if ( PUBLIC_ROUTE_PREFIXES . some ( route => path === route || path . startsWith ( route + '/' ) ) ) {
163169 return next ( ) ;
164170 }
165171
@@ -200,6 +206,7 @@ app.route('/api/health', health);
200206app . route ( '/api/cluster' , health ) ;
201207app . route ( '/api/models' , models ) ;
202208app . route ( '/api/settings' , settings ) ;
209+ app . route ( '/api/providers' , providers ) ;
203210app . route ( '/api/deployments' , deployments ) ;
204211app . route ( '/api/installation' , installation ) ;
205212app . route ( '/api/oauth' , oauth ) ;
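Review bot: The entries added to `PUBLIC_ROUTES_EXACT` in the second hunk (`/api/settings`, `/api/settings/providers`, `/api/providers` and their trailing-slash forms) are matched on path only, so the auth skip would apply to every HTTP method on those paths, not just the reads the frontend needs before login. If the `settings` or `providers` routers define a write handler on their root path (not visible here), it would be reachable without authentication. Consider gating the bypass on the method, e.g. `if (c.req.method === 'GET' && PUBLIC_ROUTES_EXACT.includes(path)) return next();`, assuming the exact-match check just above the third hunk has that shape; it sits outside the visible lines. The old per-entry comment explaining why settings is public was dropped, so a short comment on the new entries such as `// pre-login read only: auth config and provider list` would keep the rationale next to the list.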