From 92e26aafcbf5c734ed73aede2e263baeba14fbfd Mon Sep 17 00:00:00 2001
From: ScreenTinker
Date: Mon, 11 May 2026 23:17:28 -0500
Subject: [PATCH] fix(server): mount activityLogger middleware before workspace routes so POST/PUT/DELETE actually get logged - pre-existing bug, the middleware was a no-op for every API route because route mounts came first in server.js (L305 routes vs L368 middleware). Zero double-log risk: the one inline logActivity caller at routes/auth.js:452 is on /api/auth which mounts before the new middleware position. activity_log row growth will pick up significantly going forward (pruneActivityLog 90-day retention already handles the bound). Surfaced by Phase 2.2 migration discipline.
---
 server/server.js | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/server/server.js b/server/server.js
index b2a55bf..8b3bb4c 100644
--- a/server/server.js
+++ b/server/server.js
@@ -302,6 +302,16 @@ app.get('/api/content/:id/thumbnail', (req, res) => {
 // yet (they still filter by user_id); 2.2 will migrate them one route at a time.
 const { requireAuth } = require('./middleware/auth');
 const { resolveTenancy } = require('./lib/tenancy');
+
+// activityLogger wraps res.json on every subsequent route to auto-log
+// successful POST/PUT/DELETE mutations. Mount it BEFORE the workspace routes
+// (this fix corrects a pre-existing bug where it was mounted after them and
+// silently never fired). Auth / subscription / stripe routes are already
+// mounted above and stay opt-out from the auto-logger (login has its own
+// inline writers; payment webhooks don't belong in activity_log).
+const { activityLogger } = require('./services/activity');
+app.use(activityLogger);
+
 app.use('/api/devices', requireAuth, resolveTenancy, require('./routes/devices'));
 app.use('/api/content', requireAuth, resolveTenancy, require('./routes/content'));
 app.use('/api/folders', requireAuth, resolveTenancy, require('./routes/folders'));
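Review bot: `app.use(activityLogger)` is now entered before the per-route `requireAuth` and `resolveTenancy` on the workspace mounts directly below it, so (assuming those two are what populate the user and workspace on the request) neither is set yet when the logger starts. The audit rows are attributed correctly only if the logger reads those fields inside its wrapped `res.json`, at response time; `services/activity` is not part of this patch, so that should be confirmed. I would state the contract in the new comment, e.g. `// Runs before requireAuth/resolveTenancy: actor and workspace must be read inside the wrapped res.json, not on entry.` Because the original misplacement went unnoticed, a regression test that sends one POST to a workspace route and asserts an activity_log row with the expected user would stop the mount order from breaking silently again.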
@@ -363,9 +373,8 @@ app.get('/api/version', (req, res) => {
 // Public status page
 app.use('/api/status', require('./routes/status'));
 
-// Activity logging middleware (after auth, before routes respond)
-const { activityLogger } = require('./services/activity');
-app.use(activityLogger);
+// Activity logging middleware now mounted earlier (just before the workspace
+// route block) - leaving this comment here as a breadcrumb for the move.
 
 // APK version check endpoint (public, used by devices to check for updates)
 app.get('/api/update/check', (req, res) => {
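Review bot: The two added comment lines record the history of the move rather than anything about the code at this position; that belongs in the commit message, and the breadcrumb will go stale. If a marker is wanted here, a statement of current behaviour helps someone auditing which routes are logged, for example `// activityLogger is mounted above the workspace route block, so it also applies to the public routes below.` The logger is mounted without a path, so the public routes in this part of the file are downstream of it, and any POST/PUT/DELETE they accept would now be logged for unauthenticated callers. How the actor is recorded in that case depends on `services/activity`, which this patch does not show.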