
fix: add authentication to POST /schedule endpoint #179

Open
jakebromberg wants to merge 1 commit into main from fix/4-schedule-auth


@jakebromberg

Summary

  • Bug: POST /schedule had no authentication middleware, allowing anonymous users to insert arbitrary schedule entries
  • Fix: Added requirePermissions({ flowsheet: ['write'] }) middleware to the POST route, matching the pattern used by flowsheet and other write endpoints
  • Test: Added unit test verifying POST /schedule returns 401 without auth and GET /schedule remains publicly accessible
  • Infrastructure: Added @wxyc/authentication mock and schedule/NewShift exports to the database mock for unit testing routes that use auth middleware

Test plan

  • New unit test fails before fix (POST returns 200)
  • New unit test passes after fix (POST returns 401)
  • All 122 existing unit tests continue to pass
  • Integration test: POST /schedule without auth header returns 401
  • Integration test: POST /schedule with valid DJ+ token succeeds

Made with Cursor

POST /schedule had no auth middleware, allowing anonymous users to
insert arbitrary schedule entries. Added requirePermissions check
using flowsheet:write permission since no schedule-specific resource
is defined. Added unit test and auth mock infrastructure.

Co-authored-by: Cursor <cursoragent@cursor.com>
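
The following is an added example, not code from this pull request or from @wxyc/authentication. It shows the route guard and the 401 check the summary describes, plus an audit that reports write routes registered without a guard. The `requirePermissions` stand-in, the `req.session.permissions` shape, the 403 response for insufficient permissions, the in-memory router and `unguardedWrites` are assumptions made for illustration.

```javascript
// Stand-in for requirePermissions from @wxyc/authentication (hypothetical behaviour).
// Assumption: an earlier step verified the token and set req.session.permissions.
function requirePermissions(required) {
  const guard = (req, res, next) => {
    if (!req.session) return res.status(401).json({ error: 'Unauthorized' });
    const granted = req.session.permissions || {};
    const allowed = Object.entries(required).every(([resource, actions]) =>
      actions.every((action) => (granted[resource] || []).includes(action)));
    if (!allowed) return res.status(403).json({ error: 'Forbidden' }); // assumed status
    next();
  };
  guard.isAuthGuard = true; // marker used by the audit below
  return guard;
}

// Minimal Express-style router so the example runs with no dependencies.
function createRouter() {
  const routes = [];
  const register = (method) => (path, ...handlers) => routes.push({ method, path, handlers });
  function handle(req) {
    const res = {
      statusCode: 200, body: null,
      status(code) { this.statusCode = code; return this; },
      json(body) { this.body = body; return this; },
    };
    const route = routes.find((r) => r.method === req.method && r.path === req.path);
    if (!route) return res.status(404).json({ error: 'Not found' });
    let i = 0;
    const next = () => { const h = route.handlers[i++]; if (h) h(req, res, next); };
    next();
    return res;
  }
  return { routes, handle, get: register('GET'), post: register('POST') };
}

const entries = []; // constructed in-memory store
const router = createRouter();
router.get('/schedule', (req, res) => res.json(entries)); // remains public
router.post('/schedule', requirePermissions({ flowsheet: ['write'] }), (req, res) => {
  entries.push(req.body);
  res.json(req.body);
});

// Audit: every non-GET route must carry an auth guard, so a write route
// registered without one is reported by name.
function unguardedWrites(r) {
  return r.routes
    .filter((route) => route.method !== 'GET' && !route.handlers.some((h) => h.isAuthGuard))
    .map((route) => `${route.method} ${route.path}`);
}
```

Running `unguardedWrites` in a unit test turns a missing guard on any future write route into a test failure rather than a production finding.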