Fix chi router middleware ordering - move auth middleware to protected routes subrouter

go_cloud/internal/http/routes.go

@@ -59,25 +59,26 @@ func NewRouter(cfg *config.Config, db *database.DB, jwtManager *jwt.Manager, aut
 		})
 	})
 
-	// Auth middleware for protected routes
-	r.Use(middleware.Auth(jwtManager, db))
+	// Protected routes (with auth middleware)
+	r.Route("/", func(r chi.Router) {
+		r.Use(middleware.Auth(jwtManager, db))
 
-	// Org routes
-	r.Get("/orgs", func(w http.ResponseWriter, req *http.Request) {
-		listOrgsHandler(w, req, db, jwtManager)
-	})
-	r.Post("/orgs", func(w http.ResponseWriter, req *http.Request) {
-		createOrgHandler(w, req, db, auditLogger, jwtManager)
-	})
-
-	// Org-scoped routes
-	r.Route("/orgs/{orgId}", func(r chi.Router) {
-		r.Use(middleware.Org(db, auditLogger))
-
-		// File routes
-		r.With(middleware.Permission(db, auditLogger, permission.FileRead)).Get("/files", func(w http.ResponseWriter, req *http.Request) {
-			listFilesHandler(w, req)
+		// Org routes
+		r.Get("/orgs", func(w http.ResponseWriter, req *http.Request) {
+			listOrgsHandler(w, req, db, jwtManager)
 		})
+		r.Post("/orgs", func(w http.ResponseWriter, req *http.Request) {
+			createOrgHandler(w, req, db, auditLogger, jwtManager)
+		})
+
+		// Org-scoped routes
+		r.Route("/orgs/{orgId}", func(r chi.Router) {
+			r.Use(middleware.Org(db, auditLogger))
+
+			// File routes
+			r.With(middleware.Permission(db, auditLogger, permission.FileRead)).Get("/files", func(w http.ResponseWriter, req *http.Request) {
+				listFilesHandler(w, req)
+			})
 		r.Route("/files/{fileId}", func(r chi.Router) {
 			r.With(middleware.Permission(db, auditLogger, permission.DocumentView)).Get("/view", func(w http.ResponseWriter, req *http.Request) {
 				viewerHandler(w, req, db, auditLogger)
@@ -102,6 +103,7 @@ func NewRouter(cfg *config.Config, db *database.DB, jwtManager *jwt.Manager, aut
 			updateMemberRoleHandler(w, req, db, auditLogger)
 		})
 	})
+	}) // Close protected routes
 
 	return r
 }