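// isExemptPath reports whether path may skip the global authentication check.
//
// A path is exempt when any of the following holds:
//   - it starts with "/api/auth/";
//   - it starts with "/api/node/" and is exactly "/api/node/register" or ends
//     in "/heartbeat", "/drain" or "/deregister";
//   - it starts with one of the non-empty prefixes in appConfig.PathWithoutAuth.
//
// A nil appConfig is treated as having no configured exemptions. Matching is
// done on the string exactly as passed in; this function does not clean or
// decode it.
func isExemptPath(path string, appConfig *config.ApplicationConfig) bool {
	// Auth endpoints are always public.
	if strings.HasPrefix(path, "/api/auth/") {
		return true
	}

	// Node self-service endpoints are authenticated by a registration token
	// rather than by global auth, so only the known actions are exempted.
	//
	// NOTE(review): the suffix checks accept any number of segments between
	// "/api/node/" and the action, which is wider than "specific known
	// endpoints". If the routes are shaped like /api/node/<id>/<action>
	// (not visible here; confirm against the router), match exactly that
	// shape. Also confirm the caller passes a normalised path, so that "." or
	// ".." segments cannot satisfy the exemption for a different handler.
	if strings.HasPrefix(path, "/api/node/") {
		switch {
		case path == "/api/node/register",
			strings.HasSuffix(path, "/heartbeat"),
			strings.HasSuffix(path, "/drain"),
			strings.HasSuffix(path, "/deregister"):
			return true
		}
	}

	// Without a config there are no operator-defined exemptions; fail closed
	// instead of dereferencing a nil pointer.
	if appConfig == nil {
		return false
	}

	// Operator-configured exempt prefixes.
	for _, p := range appConfig.PathWithoutAuth {
		// An empty entry is a prefix of every path and would switch
		// authentication off for the whole application, so it is ignored.
		if p == "" {
			continue
		}
		// NOTE(review): this is a raw string prefix match, so an entry
		// without a trailing slash also exempts sibling paths that merely
		// share the prefix. Consider matching on a segment boundary.
		if strings.HasPrefix(path, p) {
			return true
		}
	}

	return false
}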
| 576 | |
| 577 | // isAPIPath returns true for paths that always require authentication. |
| 578 | func isAPIPath(path string) bool { |