Skip to content

Add missing auth middleware to api-nango and api-subscription routers#3732

Closed
devin-ai-integration[bot] wants to merge 3 commits intomainfrom
devin/1770536148-fix-auth-middleware
Closed

Add missing auth middleware to api-nango and api-subscription routers#3732
devin-ai-integration[bot] wants to merge 3 commits intomainfrom
devin/1770536148-fix-auth-middleware

Conversation

@devin-ai-integration
Copy link
Contributor

@devin-ai-integration devin-ai-integration bot commented Feb 8, 2026
edited
Loading

Add missing auth middleware to api-nango and api-subscription routers

Summary

Fixes two bugs identified by Devin Review on PR #3728: handlers in api-nango and api-subscription were refactored to extract Extension<AuthContext>, but the routers were never updated to apply the require_auth middleware that inserts it. Without this fix, every request to these endpoints returns 500 Internal Server Error ("Missing request extension").

Changes per crate:

  • api-nango: Added supabase_url to IntegrationConfig (breaking signature change to ::new()), added auth: AuthState to AppState, and applied route_layer with require_auth only to /connect-session (not /webhook, which uses its own HMAC signature auth).
  • api-subscription: Added auth: AuthState to AppState, applied route_layer with require_auth to all routes (/can-start-trial, /start-trial).

Follows the same pattern already used in api-calendar/src/routes/mod.rs.

Review & Testing Checklist for Human

  • Cargo.lock contamination: The diff includes three phantom entries (tauri-plugin-cli2, tauri-plugin-db, tauri-plugin-export) that are artifacts from temporary build stubs — these should be reverted/dropped before merging.
  • route_layer ordering in api-nango router: Verify that placing route_layer between the /connect-session and /webhook route definitions correctly applies auth only to /connect-session. In axum, route_layer applies to previously-defined routes, so this should be correct — but worth a quick sanity check.
  • IntegrationConfig::new signature change: Now requires a third &SupabaseEnv argument. Confirm that all call sites (likely in the API server or integration tests that wire up these configs) are updated accordingly.
  • End-to-end test plan: Deploy or run locally and confirm: (1) /connect-session returns 401 without a token and 200 with a valid token, (2) /webhook still works with HMAC auth and does NOT require a Bearer token, (3) /can-start-trial and /start-trial return 401 without a token.

Notes

Open with Devin

yujonglee and others added 2 commits February 8, 2026 15:43
@yujonglee @cursoragent
Refactor auth, calendar, and nango API crates
1951e73 
- Extract shared env config types (SupabaseEnv, NangoEnv) into new api-env crate
- Introduce AuthContext in api-auth middleware, removing duplicated extract_token helpers across crates
- Move calendar routes and nango_http from api-nango to api-calendar where they belong
- Add list_calendars and create_event endpoints to api-calendar
- Replace hardcoded NangoIntegration enum with fluent client.integration().connection() API
- Simplify config constructors to accept env structs directly

Co-authored-by: Cursor <cursoragent@cursor.com>
@devin-ai-integration @yujonglee
Add missing auth middleware to api-nango and api-subscription routers
5af69cb 
Co-Authored-By: yujonglee <yujonglee.dev@gmail.com>
@devin-ai-integration
Copy link
Contributor Author

devin-ai-integration bot commented Feb 8, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@devin-ai-integration @yujonglee
Revert Cargo.lock stub artifacts
961e171 
Co-Authored-By: yujonglee <yujonglee.dev@gmail.com>
devin-ai-integration[bot]
devin-ai-integration bot commented Feb 8, 2026
View reviewed changes
Copy link
Contributor Author

@devin-ai-integration devin-ai-integration bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.

Open in Devin Review

Base automatically changed from refactor/api-auth-calendar-separation to main February 8, 2026 07:52
@yujonglee yujonglee closed this Feb 8, 2026
@yujonglee yujonglee deleted the devin/1770536148-fix-auth-middleware branch February 8, 2026 12:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yujonglee yujonglee Awaiting requested review from yujonglee

Assignees

@yujonglee yujonglee

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@yujonglee