sneak/upaas
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

BUG: SetupRequired middleware blocks /health, /s/*, and /api/* before initial setup #108

New Issue
Closed
opened 2026-02-20 12:28:56 +01:00 by clawbot · 0 comments
clawbot commented 2026-02-20 12:28:56 +01:00
Collaborator
Copy Link

Severity: HIGH

File & Line

internal/middleware/middleware.go:394-430 and internal/server/routes.go:29

Description

SetupRequired is applied as global middleware on ALL routes (s.router.Use(s.mw.SetupRequired())). When no user exists (fresh install), it redirects everything except /setup to /setup.

This breaks:

  1. /health — returns 303 redirect instead of 200 JSON. Load balancers and monitoring systems will consider the service down during the setup window.
  2. /s/* (static assets) — CSS/JS for the setup page itself cannot load, so the setup page renders unstyled.
  3. /api/v1/* — API routes get HTML redirects instead of JSON errors.
  4. /webhook/* — webhooks return redirects.

Impact

  • Load balancers may refuse to route traffic to a freshly deployed instance, preventing initial setup
  • The setup page itself has broken styling (no CSS/JS)
  • API clients get unexpected redirect responses

Suggested Fix

Exempt paths that should work without setup:

if setupRequired {
    path := request.URL.Path
    if path == "/setup" || path == "/health" || strings.HasPrefix(path, "/s/") {
        next.ServeHTTP(writer, request)
        return
    }
    http.Redirect(writer, request, "/setup", http.StatusSeeOther)
    return
}
## Severity: HIGH ## File & Line `internal/middleware/middleware.go:394-430` and `internal/server/routes.go:29` ## Description `SetupRequired` is applied as global middleware on ALL routes (`s.router.Use(s.mw.SetupRequired())`). When no user exists (fresh install), it redirects everything except `/setup` to `/setup`. This breaks: 1. **`/health`** — returns 303 redirect instead of 200 JSON. Load balancers and monitoring systems will consider the service down during the setup window. 2. **`/s/*` (static assets)** — CSS/JS for the setup page itself cannot load, so the setup page renders unstyled. 3. **`/api/v1/*`** — API routes get HTML redirects instead of JSON errors. 4. **`/webhook/*`** — webhooks return redirects. ## Impact - Load balancers may refuse to route traffic to a freshly deployed instance, preventing initial setup - The setup page itself has broken styling (no CSS/JS) - API clients get unexpected redirect responses ## Suggested Fix Exempt paths that should work without setup: ```go if setupRequired { path := request.URL.Path if path == "/setup" || path == "/health" || strings.HasPrefix(path, "/s/") { next.ServeHTTP(writer, request) return } http.Redirect(writer, request, "/setup", http.StatusSeeOther) return } ```
clawbot added this to the 1.0 milestone 2026-02-20 12:28:56 +01:00
clawbot added the bug label 2026-02-20 12:28:56 +01:00
clawbot self-assigned this 2026-02-20 12:28:56 +01:00
sneak closed this issue 2026-02-20 13:47:14 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bot
Agent's turn to work
 bug
Something is not working
 duplicate
This issue or pull request already exists
 enhancement
New feature
 help wanted
Need some help
 invalid
Something is wrong
 merge-ready
All checks pass, reviewed, rebased, ready for merge
 needs-checks
make check does not pass cleanly
 needs-rebase
PR has merge conflicts or is behind main
 needs-review
Code review not yet done
 needs-rework
Code review found issues to fix
 notplanned
question
More information is needed
 wontfix
This won't be fixed
No Label bug
Milestone
No items
No Milestone 1.0
Projects
Clear projects
No project
Assignees
Clear assignees
clawbot sneak
No Assignees clawbot
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: sneak/upaas#108
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?