fix(security): enforce access gate on all routes, not just /api/ (#42)

Co-authored-by: ThankNIXlater <267577058+ThankNIXlater@users.noreply.github.com>
2026-03-22 02:22:20 +05:30
parent 6b5895dcfe
commit 533bcd9b3f
1 changed files with 7 additions and 4 deletions
@@ -28,8 +28,8 @@ function createAccessGate(options) {

  const handleHttp = (req, res) => {
    if (!enabled) return false;
-    if (String(req.url || "/").startsWith("/api/")) {
-      if (!isAuthorized(req)) {
+    if (!isAuthorized(req)) {
+      if (String(req.url || "/").startsWith("/api/")) {
        res.statusCode = 401;
        res.setHeader("Content-Type", "application/json");
        res.end(
@@ -37,10 +37,13 @@ function createAccessGate(options) {
            error: "Studio access token required. Send the configured Studio access cookie and retry.",
          })
        );
-        return true;
+      } else {
+        res.statusCode = 401;
+        res.setHeader("Content-Type", "text/plain");
+        res.end("Studio access token required. Set the studio_access cookie to access this page.");
      }
+      return true;
    }
-
    return false;
  };