fix: add auth guards to providers, update, and health API (#61)

[pablopunk]

Closes #61

What

Adds authentication checks to 10 action handlers and 1 API route that were callable without authentication due to Astro middleware deliberately skipping auth for /_actions/ and /api/.

Changes

• New: src/server/auth/requireUser.ts — shared typed auth guard (requireUser(context) → User) extracted from 3 duplicate ensureAuthenticated copies
• providers.ts: Guards all 6 handlers (list, connect, disconnect, startOauth, finishOauth, getAvailableModelsForUser) — auth checked before cache, OpenCode API, or OAuth calls
• update.ts: Guards all 3 handlers (checkForUpdate, pull, restart) — auth checked before Docker operations
• health.ts: Adds requireAuth(cookies) → returns 401 before any DB queries leak queue/project/infrastructure data
• mcps.ts: Migrated from local ensureAuthenticated to shared requireUser (no behavior change)

Impact

• Unauthenticated callers now receive UNAUTHORIZED (actions) / 401 (API) instead of accessing provider credentials, OAuth flows, Docker operations, and infrastructure health
• Authenticated flows unchanged — same handler logic after the auth guard
• auth.ts and setup.ts intentionally untouched (public login/first-run setup)

Validation

• pnpm exec biome check passes on all changed files
• git diff --check passes (no whitespace errors)
• No regressions in handler return shapes or error codes

Summary by CodeRabbit

• Security
  • MCP server management features now require user authentication
  • Provider connection and management operations now require user authentication
  • System update and restart operations now require user authentication
  • System health API endpoint now requires user authentication

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8ca9bc32-358c-435c-86d1-896af0493189

📥 Commits

Reviewing files that changed from the base of the PR and between 98cf4a1 and 063c846.

📒 Files selected for processing (5)

• src/actions/mcps.ts
• src/actions/providers.ts
• src/actions/update.ts
• src/pages/api/system/health.ts
• src/server/auth/requireUser.ts

---

Walkthrough

A new shared requireUser(context) helper is introduced in src/server/auth/requireUser.ts. It reads context.locals.user and throws an UNAUTHORIZED ActionError when no user is present. This helper is then applied across three action files: mcps.ts replaces its local ensureAuthenticated function with the shared helper; providers.ts adds requireUser calls to all six action handlers (list, connect, disconnect, startOauth, finishOauth, getAvailableModelsForUser) and also lifts the inline cachedAction wrappers for list and getAvailableModelsForUser to module-level constants; update.ts adds requireUser to checkForUpdate, pull, and restart. The GET handler in src/pages/api/system/health.ts is gated with an existing requireAuth(cookies) early-return check.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding authentication guards to providers, update actions, and health API endpoint as required by issue #61.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from issue #61: auth guards added to 6 handlers in providers.ts, 3 in update.ts, health API protected with requireAuth, and a shared requireUser helper created for future extensibility.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #61 requirements. The PR protects the specified handlers (providers, update, health), creates the recommended shared helper, migrates mcps.ts to use it, and avoids intentionally public endpoints (auth.ts, setup.ts).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
doce-dev-www	Ready	Preview, Comment	Jun 17, 2026 1:29pm