From 98e5dbc8986c824c85ee8a358eb018dfbfc321e8 Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Wed, 25 Feb 2026 01:47:48 +0100
Subject: [PATCH] fix: require auth for geoip-status endpoint

Remove /api/geoip-status from the middleware public routes allowlist so
unauthenticated requests are rejected before reaching the route handler.
The route handler already has requireUser() for defense-in-depth.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 proxy.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/proxy.ts b/proxy.ts
index 2874ad58..8ef6ced9 100644
--- a/proxy.ts
+++ b/proxy.ts
@@ -18,7 +18,6 @@ export default auth((req) => {
     pathname === "/login" ||
     pathname.startsWith("/api/auth") ||
     pathname === "/api/health" ||
-    pathname === "/api/geoip-status" ||
     pathname === "/api/instances/sync"
   ) {
     return NextResponse.next();