BUG: SetupRequired middleware blocks /health, /s/*, and /api/* before initial setup #108

Closed
opened 2026-02-20 12:28:56 +01:00 by clawbot · 0 comments
Collaborator

## Severity: HIGH

## File & Line

`internal/middleware/middleware.go:394-430` and `internal/server/routes.go:29`

## Description

`SetupRequired` is applied as global middleware on ALL routes (`s.router.Use(s.mw.SetupRequired())`). When no user exists (fresh install), it redirects everything except `/setup` to `/setup`.

This breaks:

1. **`/health`** — returns 303 redirect instead of 200 JSON. Load balancers and monitoring systems will consider the service down during the setup window.
2. **`/s/*` (static assets)** — CSS/JS for the setup page itself cannot load, so the setup page renders unstyled.
3. **`/api/v1/*`** — API routes get HTML redirects instead of JSON errors.
4. **`/webhook/*`** — webhooks return redirects.

## Impact

- Load balancers may refuse to route traffic to a freshly deployed instance, preventing initial setup
- The setup page itself has broken styling (no CSS/JS)
- API clients get unexpected redirect responses

## Suggested Fix

Exempt paths that should work without setup:

```go
if setupRequired {
    path := request.URL.Path
    if path == "/setup" || path == "/health" || strings.HasPrefix(path, "/s/") {
        next.ServeHTTP(writer, request)
        return
    }
    http.Redirect(writer, request, "/setup", http.StatusSeeOther)
    return
}
```
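As an added illustration (not code from the upaas project or from this issue), here is a stand-alone Go version of the exemption logic that also handles the `/api/` and `/webhook/` prefixes the issue lists by answering with a JSON 503 instead of an HTML redirect. The `setupPending` callback, the prefix lists and the `StatusFor` helper are assumptions made for the demo, not the project's API.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// passThrough reports whether path must keep working before the first user
// exists: the setup page, the health check and the setup page's static assets
// (the exemptions from the issue's suggested fix).
func passThrough(path string) bool {
	return path == "/setup" || path == "/health" || strings.HasPrefix(path, "/s/")
}

// wantsJSON reports whether path is an API-style route that should get a JSON
// error instead of an HTML redirect (assumed prefixes, based on the issue text).
func wantsJSON(path string) bool {
	return strings.HasPrefix(path, "/api/") || strings.HasPrefix(path, "/webhook/")
}

// SetupRequired wraps next; setupPending reports whether no user exists yet.
func SetupRequired(setupPending func() bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		path := r.URL.Path
		switch {
		case !setupPending() || passThrough(path):
			next.ServeHTTP(w, r)
		case wantsJSON(path):
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusServiceUnavailable)
			json.NewEncoder(w).Encode(map[string]string{"error": "setup required"})
		default:
			http.Redirect(w, r, "/setup", http.StatusSeeOther)
		}
	})
}

// StatusFor sends a GET for path through the middleware with setup pending
// and returns the status code a client would see (constructed test helper).
func StatusFor(path string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	SetupRequired(func() bool { return true }, ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}
```

With setup pending, `/health`, `/setup` and `/s/...` reach the handler (200), `/api/...` and `/webhook/...` get a 503 JSON body, and everything else is redirected (303).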
clawbot added this to the 1.0 milestone 2026-02-20 12:28:56 +01:00
clawbot added the
bug
label 2026-02-20 12:28:56 +01:00
clawbot self-assigned this 2026-02-20 12:28:56 +01:00
sneak closed this issue 2026-02-20 13:47:14 +01:00
Reference: sneak/upaas#108