Bug
The legacy username/password login endpoint (`/auth/login`) is intended to be restricted to requests with specific headers (`server: Netlify` and `access-control-expose-headers` containing `x-trigger-jwt`) so that only FairCopy Cloud 1/2 can authenticate this way post-Clerk migration. However, the header check is not enforced on the login endpoint — any request with valid pre-Clerk credentials succeeds regardless of headers.
The `export_variables` route correctly enforces the header check, so the guard logic exists but wasn't applied to login.
Test Results (staging)

| Test | Expected | Actual |
| --- | --- | --- |
| POST `/auth/login` with magic headers + valid creds | 200 | 200 |
| GET `/core_data/projects/:id/export_variables` with token + magic headers | 200 | 200 |
| GET `/core_data/projects/:id/export_variables` with token, no magic headers | 401 | 401 |
| POST `/auth/login` without magic headers + valid creds | 401 | 200 |
Expected Behavior
POST `/auth/login` should return 401 when the request does not include the required FairCopy headers, even if the username/password are valid.
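Added illustration of the expected behaviour (example code, not FairCopy Cloud's own implementation): one shared header guard is applied to both the legacy login route and `export_variables`, so the check runs before any credential lookup and cannot be forgotten on one route. The credentials, tokens, route functions and the replay of the four staging cases are all constructed for this example.

```python
"""Shared FairCopy header guard applied to both routes.

Example code written for this issue, not the project's implementation.
Users, tokens and the route functions below are constructed assumptions.
"""
import hmac

REQUIRED_SERVER = "netlify"            # compared case-insensitively
REQUIRED_EXPOSED_HEADER = "x-trigger-jwt"

# Constructed sample data (hypothetical, for the example only).
USERS = {"alice": "correct-horse"}      # username -> password
TOKENS = {"tok-alice": "alice"}         # bearer token -> username


def _normalize(headers):
    """Lower-case header names so the check is case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def has_faircopy_headers(headers):
    """True only when both 'magic' request headers are present and well-formed."""
    h = _normalize(headers)
    if h.get("server", "").strip().lower() != REQUIRED_SERVER:
        return False
    # access-control-expose-headers is a comma-separated list; match a whole token.
    exposed = [t.strip().lower() for t in h.get("access-control-expose-headers", "").split(",")]
    return REQUIRED_EXPOSED_HEADER in exposed


def faircopy_only(handler):
    """Decorator: reject with 401 before the handler (and any credential check) runs."""
    def wrapped(headers, *args, **kwargs):
        if not has_faircopy_headers(headers):
            return 401, {"error": "unauthorized"}
        return handler(headers, *args, **kwargs)
    return wrapped


@faircopy_only
def login(headers, username, password):
    """POST /auth/login: legacy username/password login, now header-gated."""
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return 401, {"error": "unauthorized"}
    return 200, {"token": "tok-" + username}


@faircopy_only
def export_variables(headers, project_id, token):
    """GET /core_data/projects/:id/export_variables: token-gated and header-gated."""
    if TOKENS.get(token) is None:
        return 401, {"error": "unauthorized"}
    return 200, {"project": project_id, "variables": {}}


# Constructed request headers matching the issue's description of the magic headers.
MAGIC = {"Server": "Netlify", "Access-Control-Expose-Headers": "Content-Length, X-Trigger-JWT"}


def run_staging_table():
    """Replay the four cases from the issue's table; returns the status codes in order."""
    return [
        login(MAGIC, "alice", "correct-horse")[0],            # expected 200
        export_variables(MAGIC, "p1", "tok-alice")[0],        # expected 200
        export_variables({}, "p1", "tok-alice")[0],           # expected 401
        login({}, "alice", "correct-horse")[0],               # expected 401
    ]


if __name__ == "__main__":
    print(run_staging_table())  # [200, 200, 401, 401]
```

With the guard as a decorator that runs before the handler body, the fourth case returns 401 even though the credentials are valid, which is the column the issue's last table row should read once fixed; putting the check in one place also means the header matching (case-insensitive names, whole-token match inside the comma-separated list) stays identical on both routes.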
Note
Fixing this will also exclude programmatic API clients that currently authenticate with username/password. See #584 for a feature to reestablish programmatic access through a supported mechanism.