Machine auth escape hatch does not gate login endpoint by header check #585
Description
Bug
The legacy username/password login endpoint (/auth/login) is intended to be restricted to requests with specific headers (server: Netlify and access-control-expose-headers containing x-trigger-jwt) so that only FairCopy Cloud 1/2 can authenticate this way post-Clerk migration. However, the header check is not enforced on the login endpoint — any request with valid pre-Clerk credentials succeeds regardless of headers.
The export_variables route correctly enforces the header check, so the guard logic exists but wasn't applied to login.
Test Results (staging)
| Test | Expected | Actual |
|---|---|---|
| POST /auth/login with magic headers + valid creds | 200 | 200 |
| GET /core_data/projects/:id/export_variables with token + magic headers | 200 | 200 |
| GET /core_data/projects/:id/export_variables with token, no magic headers | 401 | 401 |
| POST /auth/login without magic headers + valid creds | 401 | 200 |
Expected Behavior
POST /auth/login should return 401 when the request does not include the required FairCopy headers, even if the username/password are valid.
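As an added illustration (not code from the FairCopy repository, and framework-agnostic rather than tied to its routing layer), the following sketch shows the shape of the fix described above: one shared header predicate, evaluated before credentials are examined, applied to both the login and export_variables routes. The header names come from this issue; the function names, the request hash shape, and the stand-in credential check are assumptions. The matrix at the bottom replays the four staging cases from the table and should produce the "Expected" column once login is gated.

```ruby
# Added example: a single header guard shared by both legacy endpoints,
# plus a table-driven run of the four staging cases above.
# Function names and the request/header hash shape are assumptions.

REQUIRED_SERVER = "netlify"
REQUIRED_EXPOSED_HEADER = "x-trigger-jwt"

# HTTP header names are case-insensitive, so normalise before looking up.
def normalize_headers(headers)
  headers.each_with_object({}) { |(k, v), h| h[k.to_s.downcase] = v.to_s }
end

# The guard: true only when both FairCopy headers are present.
# access-control-expose-headers is a comma-separated list, so it is split
# and compared case-insensitively rather than matched as a whole string.
def faircopy_headers_present?(headers)
  h = normalize_headers(headers)
  server_ok = h["server"].to_s.strip.casecmp?(REQUIRED_SERVER)
  exposed = h["access-control-expose-headers"].to_s.split(",").map { |s| s.strip.downcase }
  server_ok && exposed.include?(REQUIRED_EXPOSED_HEADER)
end

# Constructed stand-in for credential verification; a real implementation
# compares against a stored password hash. Only the ordering matters here.
VALID_CREDS = { "alice" => "correct-horse" }.freeze

def credentials_valid?(username, password)
  VALID_CREDS[username] == password
end

# Login as the issue says it should behave: the header guard runs first,
# so a request without the headers gets 401 even with valid credentials.
def login(headers:, username:, password:)
  return 401 unless faircopy_headers_present?(headers)
  return 401 unless credentials_valid?(username, password)
  200
end

# export_variables already enforces the guard; same predicate, same outcome.
def export_variables(headers:, token_valid:)
  return 401 unless faircopy_headers_present?(headers)
  return 401 unless token_valid
  200
end

# Replay the four staging cases from the table. Header values below are
# constructed sample input; returns the status each route would produce.
def run_staging_matrix
  magic = { "Server" => "Netlify",
            "Access-Control-Expose-Headers" => "Content-Type, x-trigger-jwt" }
  none  = { "Content-Type" => "application/json" }
  {
    login_with_headers:     login(headers: magic, username: "alice", password: "correct-horse"),
    export_with_headers:    export_variables(headers: magic, token_valid: true),
    export_without_headers: export_variables(headers: none, token_valid: true),
    login_without_headers:  login(headers: none, username: "alice", password: "correct-horse"),
  }
end

if __FILE__ == $PROGRAM_NAME
  run_staging_matrix.each { |route, status| puts "#{route}: #{status}" }
end
```

Keeping the predicate in one place is the point: when the guard is inlined per route it is easy to add a new route (or keep an old one) without it, which is exactly the gap the staging results show. The guard tests only header presence, so it is a coarse routing restriction rather than a credential; it belongs in front of the credential check, not in place of it.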
Note
Fixing this will also exclude programmatic API clients that currently authenticate with username/password. See #584 for a feature to reestablish programmatic access through a supported mechanism.