From 8b0c06582a1c3d8a8117bb9f82bb003ac3033e8f Mon Sep 17 00:00:00 2001
From: David Santamaria
Date: Sun, 31 May 2026 10:41:31 +0200
Subject: [PATCH] fix: make /search public to stop spurious 401s
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The item-name typeahead fires on every keystroke and was hitting the auth-guarded /search route with the cached Google ID token, which is short-lived (~1h) and not refreshed — so once it expired, search 401'd. External-catalog search (Open Library / TMDB / iTunes) exposes no private data and the TMDB key stays server-side regardless, so authentication added no protection here — only failure modes. Drop the auth middleware from the /search group.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 internal/server/sever.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/internal/server/sever.go b/internal/server/sever.go
index eb25b8c..9127721 100755
--- a/internal/server/sever.go
+++ b/internal/server/sever.go
@@ -97,8 +97,10 @@ func (server *Server) registerUserRoutes() *Server {
 }

 func (server *Server) registerSearchRoutes() *Server {
+ // Public: searching external catalogs (Open Library / TMDB / iTunes) exposes
+ // no private data, and the typeahead fires on every keystroke — gating it
+ // behind the short-lived Google ID token just produced spurious 401s.
 searchGroup := server.router.Group("/search")
- searchGroup.Use(middleware.TokenAuthMiddleware(server.googleClientID))
 {
 searchGroup.GET("/", server.searchAPI.Search)
 }
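Review bot: With the `searchGroup.Use(...)` line removed, `GET /search/` in `registerSearchRoutes` is reachable by any client, and nothing in this hunk puts a per-client rate limit in place of the token check. The handler is not visible here, but per the commit message it queries Open Library, TMDB and iTunes with a server-side TMDB key, so the token was presumably the only thing bounding who can spend that key's quota and the server's outbound connections; confidentiality of the results is not the only property the middleware provided. I would register a throttle on the group before the route, e.g. `searchGroup.Use(<per-IP rate-limit middleware>)` (placeholder; no such middleware is visible in this file), and have the handler cap query length and cache upstream responses. The new comment should record that constraint rather than the history of the 401s, e.g. `// Unauthenticated: each request can trigger upstream calls billed to the server-side TMDB key; keep this group rate-limited.` The expired-ID-token problem described in the commit message presumably still affects any other group that keeps `TokenAuthMiddleware`, so the client-side refresh is worth fixing separately.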