From 937de9d0587aab722e55a08df5ccc2dfd9383f4a Mon Sep 17 00:00:00 2001
From: Vernon Stinebaker
Date: Tue, 5 May 2026 15:00:57 +0800
Subject: [PATCH] fix(auth): protect bare api root path
---
 src/auth.zig | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/auth.zig b/src/auth.zig
index 6275210..071429e 100644
--- a/src/auth.zig
+++ b/src/auth.zig
@@ -30,6 +30,7 @@ pub fn extractBearerToken(raw_request: []const u8) ?[]const u8 {
 /// Public paths: GET /health and any path not starting with /api/.
 pub fn isPublicPath(path: []const u8) bool {
 if (std.mem.eql(u8, path, "/health")) return true;
+ if (std.mem.eql(u8, path, "/api")) return false;
 if (!std.mem.startsWith(u8, path, "/api/")) return true;
 return false;
 }
@@ -79,3 +80,7 @@ test "isPublicPath returns true for static paths like /index.html" {
 test "isPublicPath returns false for /api/status" {
 try std.testing.expect(isPublicPath("/api/status") == false);
 }
+
+test "isPublicPath returns false for bare /api" {
+ try std.testing.expect(isPublicPath("/api") == false);
+}
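Review bot: The added exact-match line in `isPublicPath` protects only the literal string `/api`, while the function still classifies every other non-`/api/` input as public, so the result depends on `path` being normalized before the call. Nothing in this hunk shows whether the query string, duplicate slashes or letter case are stripped by the caller; if they are not, a request target such as `/api?x` would still be treated as public and skip the token check. The doc comment above the function is also stale now that bare `/api` is protected. I would record both points there, e.g. `/// Public paths: GET /health and any path other than /api or under /api/. Expects a normalized path with the query string removed.`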
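Review bot: The new test pins only the exact string `/api`, so the boundary of the added check is left untested. A companion assertion such as `try std.testing.expect(isPublicPath("/apidocs") == true);` would confirm the check was not widened into a prefix match, and `try std.testing.expect(isPublicPath("/api/") == false);` would pin the trailing-slash form. If the caller is expected to strip query strings before calling `isPublicPath`, a test at that call site would document the assumption.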