From 533bcd9b3f704c73fda6e404403ae1e5f567bb09 Mon Sep 17 00:00:00 2001
From: Nix
Date: Sun, 22 Mar 2026 02:22:20 +0530
Subject: [PATCH] fix(security): enforce access gate on all routes, not just /api/ (#42)
Co-authored-by: ThankNIXlater <267577058+ThankNIXlater@users.noreply.github.com>
---
 server/access-gate.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/server/access-gate.js b/server/access-gate.js
index ddf4fef..cd8e529 100644
--- a/server/access-gate.js
+++ b/server/access-gate.js
@@ -28,8 +28,8 @@ function createAccessGate(options) {
 const handleHttp = (req, res) => {
 if (!enabled) return false;
- if (String(req.url || "/").startsWith("/api/")) {
- if (!isAuthorized(req)) {
+ if (!isAuthorized(req)) {
+ if (String(req.url || "/").startsWith("/api/")) {
 res.statusCode = 401;
 res.setHeader("Content-Type", "application/json");
 res.end(
@@ -37,10 +37,13 @@ function createAccessGate(options) {
 error: "Studio access token required. Send the configured Studio access cookie and retry.",
 })
 );
- return true;
+ } else {
+ res.statusCode = 401;
+ res.setHeader("Content-Type", "text/plain");
+ res.end("Studio access token required. Set the studio_access cookie to access this page.");
 }
+ return true;
 }
-
 return false;
 };
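Review bot: Once `if (!isAuthorized(req)) {` is the outer test, every request reaching `handleHttp` with the gate enabled is refused, and nothing in this hunk exempts a route through which a browser could first obtain the access cookie. If such a bootstrap step exists it lies outside the hunk; confirm it runs before this check, otherwise a fresh browser gets 401 on every page. The diffstat shows only `server/access-gate.js` changed, so this security fix lands without a regression test. A test asserting that an unauthenticated non-API request gets status 401 and that `handleHttp` returns `true` would keep the bypass from silently returning. `handleHttp` begins in this hunk and ends in the next one.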
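Review bot: The new plain-text branch hard-codes the cookie name `studio_access` in a response sent to unauthenticated clients, while the JSON branch above it refers to "the configured Studio access cookie". If the name is taken from `options` (not visible here), the text can be wrong for a customised deployment, and it tells an anonymous caller more than it needs to. Neutral wording avoids both: `res.end("Studio access token required.");`. As a style point, `res.statusCode = 401;` is now set in both branches and could be hoisted to sit directly under `if (!isAuthorized(req)) {`.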