From 1930eb37fbe1bbb25a22af252cc334586c2aa84f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20B=C3=B6sche?=
Date: Thu, 8 Jan 2026 20:40:07 +0100
Subject: [PATCH] Fix chi router middleware ordering - move auth middleware to protected routes subrouter
---
go_cloud/internal/http/routes.go | 36 +++++++++++++++++---------------
1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/go_cloud/internal/http/routes.go b/go_cloud/internal/http/routes.go
index ffb5903..a398024 100644
--- a/go_cloud/internal/http/routes.go
+++ b/go_cloud/internal/http/routes.go
@@ -59,25 +59,26 @@ func NewRouter(cfg *config.Config, db *database.DB, jwtManager *jwt.Manager, aut }) }) - // Auth middleware for protected routes - r.Use(middleware.Auth(jwtManager, db)) + // Protected routes (with auth middleware) + r.Route("/", func(r chi.Router) { + r.Use(middleware.Auth(jwtManager, db)) - // Org routes - r.Get("/orgs", func(w http.ResponseWriter, req *http.Request) { - listOrgsHandler(w, req, db, jwtManager) - }) - r.Post("/orgs", func(w http.ResponseWriter, req *http.Request) { - createOrgHandler(w, req, db, auditLogger, jwtManager) - }) - - // Org-scoped routes - r.Route("/orgs/{orgId}", func(r chi.Router) { - r.Use(middleware.Org(db, auditLogger)) - - // File routes - r.With(middleware.Permission(db, auditLogger, permission.FileRead)).Get("/files", func(w http.ResponseWriter, req *http.Request) { - listFilesHandler(w, req) + // Org routes + r.Get("/orgs", func(w http.ResponseWriter, req *http.Request) { + listOrgsHandler(w, req, db, jwtManager) }) + r.Post("/orgs", func(w http.ResponseWriter, req *http.Request) { + createOrgHandler(w, req, db, auditLogger, jwtManager) + }) + + // Org-scoped routes + r.Route("/orgs/{orgId}", func(r chi.Router) { + r.Use(middleware.Org(db, auditLogger)) + + // File routes + r.With(middleware.Permission(db, auditLogger, permission.FileRead)).Get("/files", func(w http.ResponseWriter, req *http.Request) { + listFilesHandler(w, req) + }) r.Route("/files/{fileId}", func(r chi.Router) { r.With(middleware.Permission(db, auditLogger, permission.DocumentView)).Get("/view", func(w http.ResponseWriter, req *http.Request) { viewerHandler(w, req, db, auditLogger) @@ -102,6 +103,7 @@ func NewRouter(cfg *config.Config, db *database.DB, jwtManager *jwt.Manager, aut updateMemberRoleHandler(w, req, db, auditLogger) }) }) + }) // Close protected routes return r }
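Review bot: Wrapping the protected routes in `r.Route("/", ...)` mounts a subrouter at the root, which as far as I know registers a catch-all under `/` on the parent, so any path the public routes above do not match would now pass through `middleware.Auth` before it can 404. If the only goal is to scope the middleware without calling `Use` after routes were registered, `r.Group(func(r chi.Router) { r.Use(middleware.Auth(jwtManager, db)); ... })` does that without mounting anything. Either way, a router test that sends an unauthenticated request to `/orgs` and to a route under `/orgs/{orgId}` and expects a rejection would pin the property this commit is about. NewRouter starts above this hunk and the public routes are not visible here, so the interaction with them is inferred.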
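Review bot: The routes between the two hunks, from `r.Route("/files/{fileId}", ...)` down to the member handlers, are unchanged context, so they keep their old indentation even though they now sit one closure deeper; the `// Close protected routes` comment appears to compensate for that. Running gofmt over routes.go would make the nesting visible and the trailing comment unnecessary. That matters here because indentation is what a reader relies on to judge which routes sit behind `middleware.Auth`, `middleware.Org` and `middleware.Permission`.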