From af2fc47c8381c97a126e8c2ab85e8d0649e1f1c7 Mon Sep 17 00:00:00 2001
From: Joshua Smith <jbsmith7741@gmail.com>
Date: Fri, 12 Jun 2026 18:48:11 -0600
Subject: [PATCH 1/2] fix(server): remove auth from proceed-db-migration
 endpoint

  * Auth tables may not exist when migration is pending, causing a bootstrap deadlock
  * Restores pre-auth-hardening behavior for the idempotent migration endpoint

Signed-off-by: Joshua Smith <jbsmith7741@gmail.com>
---
 backend/server/api/api.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/backend/server/api/api.go b/backend/server/api/api.go
index 82f80ff30a6..01415801260 100644
--- a/backend/server/api/api.go
+++ b/backend/server/api/api.go
@@ -127,8 +127,9 @@ func SetupApiServer(router *gin.Engine) {
 	router.UseRawPath = true
 	// router.UnescapePathValues = false
 
-	// Endpoint to proceed database migration (now requires authentication)
-	router.GET("/proceed-db-migration", auth.RequireAuth(), func(ctx *gin.Context) {
+	// Endpoint to proceed database migration — must be unauthenticated because
+	// auth tables may not exist yet when migration is pending.
+	router.GET("/proceed-db-migration", func(ctx *gin.Context) {
 		// Execute database migration
 		errors.Must(services.ExecuteMigration())
 		// Return success response

From fac1253041fd8668970ecf90bf8fc30536016702 Mon Sep 17 00:00:00 2001
From: Joshua Smith <jbsmith7741@gmail.com>
Date: Tue, 16 Jun 2026 12:54:58 -0600
Subject: [PATCH 2/2] fix(server): add proceed-db-migration to publicPaths

Signed-off-by: Joshua Smith <jbsmith7741@gmail.com>
---
 backend/server/api/api.go             |  2 +-
 backend/server/api/auth/middleware.go | 19 ++++++++++---------
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/backend/server/api/api.go b/backend/server/api/api.go
index 01415801260..b0dfd74dd94 100644
--- a/backend/server/api/api.go
+++ b/backend/server/api/api.go
@@ -127,7 +127,7 @@ func SetupApiServer(router *gin.Engine) {
 	router.UseRawPath = true
 	// router.UnescapePathValues = false
 
-	// Endpoint to proceed database migration — must be unauthenticated because
+	// Endpoint to proceed database migration — listed in auth.publicPaths because
 	// auth tables may not exist yet when migration is pending.
 	router.GET("/proceed-db-migration", func(ctx *gin.Context) {
 		// Execute database migration
diff --git a/backend/server/api/auth/middleware.go b/backend/server/api/auth/middleware.go
index b668de032f6..231f4d5460c 100644
--- a/backend/server/api/auth/middleware.go
+++ b/backend/server/api/auth/middleware.go
@@ -34,15 +34,16 @@ import (
 // and clear its session even when the cookie has lapsed; both handlers
 // short-circuit gracefully when no user is set.
 var publicPaths = map[string]struct{}{
-	"/ping":      {},
-	"/ready":     {},
-	"/health":    {},
-	"/version":   {},
-	PathMethods:  {},
-	PathLogin:    {},
-	PathCallback: {},
-	PathLogout:   {},
-	PathUserInfo: {},
+	"/ping":                 {},
+	"/ready":                {},
+	"/health":               {},
+	"/version":              {},
+	"/proceed-db-migration": {},
+	PathMethods:             {},
+	PathLogin:               {},
+	PathCallback:            {},
+	PathLogout:              {},
+	PathUserInfo:            {},
 }
 
 func OIDCAuthentication() gin.HandlerFunc { return defaultService.OIDCAuthentication() }