mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-17 03:32:32 -06:00
POST /api/provision was a second pairing endpoint that paired a device by code but, unlike POST /api/provision/pair, did NOT assign a workspace, enforce checkDeviceLimit, or emit device:paired / dashboard:device-added - a silently-diverging duplicate that no client ever called. It now returns 410 Gone and points callers at /pair, so /api/provision/pair is the single, fully-protected pairing endpoint.

The mount stays in the JWT-only partition, so a Bearer st_ token still gets 401 (requireAuth) before the 410.

Closes #90

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
18 lines
943 B
JavaScript
```javascript
const express = require('express');
const router = express.Router();

// #90: the bare POST /api/provision was a vestigial SECOND pairing endpoint. It paired a
// device by pairing code but - unlike POST /api/provision/pair (server.js) - did NOT
// assign the device to a workspace, did NOT enforce checkDeviceLimit, and did NOT emit
// device:paired / dashboard:device-added. A silently-diverging duplicate of /pair that
// no client ever called (verified). Consolidated to /pair (the single, fully-protected
// pairing endpoint); this path now returns 410 Gone and points callers at the right one.
//
// The mount stays in the JWT-only partition (config/api-surface.js), so a Bearer st_
// token still gets 401 from requireAuth before ever reaching this handler.
router.post('/', (req, res) => {
  res.status(410).json({ error: 'This endpoint has been removed. Pair a device with POST /api/provision/pair.' });
});

module.exports = router;
```
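A regression check for the ordering the commit message describes (401 from the auth gate before the 410 tombstone), as an added example that is not part of the repository. `requireAuthStub` and `dispatch` are hypothetical stand-ins: the stub assumes API tokens are recognised by their `st_` prefix and treats any other bearer value as a valid JWT, and all token values are constructed.

```javascript
// Added example: hypothetical stand-ins, not ScreenTinker's own middleware.

// Stand-in for requireAuth in the JWT-only partition (assumption: API tokens are
// recognised by the "st_" prefix; any other non-empty bearer value counts as a JWT).
function requireAuthStub(req, res, next) {
  const m = /^Bearer (.+)$/.exec(req.headers.authorization || '');
  if (!m || m[1].startsWith('st_')) {
    return res.status(401).json({ error: 'Unauthorized' });
  }
  next();
}

// Same behaviour as the tombstone handler on this page.
function goneHandler(req, res) {
  res.status(410).json({ error: 'This endpoint has been removed. Pair a device with POST /api/provision/pair.' });
}

// Minimal synchronous middleware runner with an Express-like res object.
// Records which handlers ran so the test can prove the tombstone was never reached.
function dispatch(chain, headers) {
  const out = { status: 200, body: null, reached: [] };
  const req = { method: 'POST', headers };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  let i = 0;
  const next = () => {
    const fn = chain[i++];
    if (!fn) return;
    out.reached.push(fn.name);
    fn(req, res, next);
  };
  next();
  return out;
}

// Constructed requests: API token, JWT session, and no credentials at all.
const chain = [requireAuthStub, goneHandler];
const cases = {
  apiToken: dispatch(chain, { authorization: 'Bearer st_constructed_token' }),
  jwt: dispatch(chain, { authorization: 'Bearer constructed.jwt.value' }),
  anonymous: dispatch(chain, {}),
};
for (const [name, r] of Object.entries(cases)) {
  console.log(name, r.status, r.reached.join(' -> '));
}
```

If the mount were ever moved out of the JWT-only partition, the `apiToken` case would start returning 410, which is the drift this check is meant to catch.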