From 8cc2c50fed49aad993b1e5faa885eb03fcba6fa3 Mon Sep 17 00:00:00 2001
From: quinn
Date: Fri, 15 May 2026 18:22:37 -0700
Subject: [PATCH] merge batch 7: TODO marker for /my/* auth model divergence (ssoRequired vs serviceTokenAuth)

---
 src/server/src/app/server.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/server/src/app/server.ts b/src/server/src/app/server.ts
index 4ffb2a8..1871ef3 100644
--- a/src/server/src/app/server.ts
+++ b/src/server/src/app/server.ts
@@ -100,6 +100,11 @@ export async function createApp() {
 return deviceTokenAuth(config.SERVICE_TOKEN)(c, next);
 })
 .route('/client', clientSurface)
+ // TODO(merge-conflict): plum gates /my/* with `ssoRequired(SSO_VALIDATE_URL, SERVICE_TOKEN)`
+ // (cookie/SSO session against an external validator); apricot gates it with
+ // `serviceTokenAuth(SERVICE_TOKEN)` (single shared bearer token). These are
+ // production auth models for the dashboard — pick one before deploy.
+ // Currently using apricot's simpler service-token mode.
 .use('/my/*', corsMiddleware('same-origin'))
 .use('/my/*', rateLimitMiddleware('my'))
 .use('/my/*', serviceTokenAuth(config.SERVICE_TOKEN))
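Review bot: The TODO above the `/my/*` middleware records the open choice but not what the interim `serviceTokenAuth(config.SERVICE_TOKEN)` mode costs, and nothing except the comment enforces "pick one before deploy". The context line `deviceTokenAuth(config.SERVICE_TOKEN)` just above passes the same secret, so if that middleware guards a device-facing route (its registration is outside the hunk), one leaked token would presumably open the dashboard as well, with no per-user identity or per-user revocation. I would add `// SECURITY: shared SERVICE_TOKEN gives /my/* no per-user identity; the same secret is passed to deviceTokenAuth above.` to the comment and give the marker a tracking reference, e.g. `// TODO(<owner>, <issue-id>): ...`, so the decision blocks release instead of living only in source. createApp's body starts and ends outside the hunk.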