fix: auto whitelist /me endpoint

rrd108 · rrd108 · commit 5453da91c6f2 · 2025-08-26T13:46:49.000+02:00
diff --git a/scripts/test-integration.sh b/scripts/test-integration.sh
@@ -72,14 +72,14 @@ sleep 2
 
 print_status $BLUE "🧪 Running integration tests..."
 
-# Test 1: Protected endpoint should return 401
-print_status $YELLOW "🔐 Testing protected endpoint /api/nuxt-users/me..."
+# Test 1: /me endpoint should require authentication (401 without token)
+print_status $YELLOW "🔐 Testing /me endpoint requires authentication..."
 response=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:3000/api/nuxt-users/me" || echo "000")
 
 if [ "$response" = "401" ]; then
-    print_status $GREEN "✅ Middleware working - protected endpoint returns 401"
+    print_status $GREEN "✅ /me endpoint properly requires authentication (401 without token)"
 else
-    print_status $RED "❌ Middleware NOT working - expected 401, got $response"
+    print_status $RED "❌ /me endpoint should require authentication - expected 401, got $response"
     print_status $RED "   This means server middleware is not properly registered!"
     exit 1
 fi
diff --git a/src/runtime/constants.ts b/src/runtime/constants.ts
@@ -2,4 +2,4 @@
 export const NO_AUTH_PATHS = ['/login', '/reset-password']
 
 // API routes that don't require authentication (will be prefixed with apiBasePath)
-export const NO_AUTH_API_PATHS = ['/session', '/password/forgot', '/password/reset', '/me']
+export const NO_AUTH_API_PATHS = ['/session', '/password/forgot', '/password/reset']
diff --git a/src/runtime/server/middleware/authorization.server.ts b/src/runtime/server/middleware/authorization.server.ts
@@ -69,6 +69,12 @@ export default defineEventHandler(async (event) => {
     }
   }
 
+  // Auto-whitelist /me endpoint for any authenticated user
+  if (event.path === `${base}/me`) {
+    console.log(`[Nuxt Users] server.middleware.auth.global: Auto-whitelisted /me endpoint for authenticated user ${user.id}`)
+    return
+  }
+
   // Check role-based permissions
   if (!hasPermission(user.role, event.path, event.method, options.auth.permissions)) {
     if (event.path.startsWith('/api/')) {
diff --git a/test/unit/authorization.server.middleware.test.ts b/test/unit/authorization.server.middleware.test.ts
@@ -473,5 +473,32 @@ describe('Auth Server Middleware', () => {
       expect(mockCreateError).not.toHaveBeenCalled()
       expect(result).toBeUndefined()
     })
+
+    it('should auto-whitelist /me endpoint for any authenticated user', async () => {
+      const event = { path: '/api/nuxt-users/me', method: 'GET' } as H3Event
+
+      // Mock getCookie to return a valid token
+      mockGetCookie.mockReturnValue('valid-token')
+
+      // Mock getCurrentUserFromToken to return a user with unknown role (not in permissions)
+      const { getCurrentUserFromToken } = await import('../../src/runtime/server/utils')
+      const mockUser = {
+        id: 5,
+        email: 'unknown@example.com',
+        name: 'Unknown Role User',
+        role: 'unknown', // This role is not in permissions but /me should still work
+        created_at: '2024-01-01T00:00:00Z',
+        updated_at: '2024-01-01T00:00:00Z',
+        active: true
+      }
+      vi.mocked(getCurrentUserFromToken).mockResolvedValue(mockUser)
+
+      const result = await serverAuthMiddleware.default(event)
+
+      expect(mockGetCookie).toHaveBeenCalledWith(event, 'auth_token')
+      expect(getCurrentUserFromToken).toHaveBeenCalledWith('valid-token', mockOptions)
+      expect(mockCreateError).not.toHaveBeenCalled()
+      expect(result).toBeUndefined()
+    })
   })
 })

Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,12 @@ export default defineEventHandler(async (event) => {`
`69`	`69`	`}`
`70`	`70`	`}`
`71`	`71`
	`72`	`+ // Auto-whitelist /me endpoint for any authenticated user`
	`73`	+ if (event.path === `${base}/me`) {
	`74`	+ console.log(`[Nuxt Users] server.middleware.auth.global: Auto-whitelisted /me endpoint for authenticated user ${user.id}`)
	`75`	`+ return`
	`76`	`+ }`
	`77`	`+`
`72`	`78`	`// Check role-based permissions`
`73`	`79`	`if (!hasPermission(user.role, event.path, event.method, options.auth.permissions)) {`
`74`	`80`	`if (event.path.startsWith('/api/')) {`