From 413b5709422d8869c9d7f93571407517d55c22ef Mon Sep 17 00:00:00 2001
From: Garry Tan <garrytan@gmail.com>
Date: Sat, 4 Apr 2026 21:22:56 -0700
Subject: [PATCH] fix: make cookie picker auth mandatory (H2)

Remove the conditional if(authToken) guard that skipped auth when
authToken was undefined. Now all cookie picker data/action routes
reject unauthenticated requests. Closes H2 from security audit #783.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 browse/src/cookie-picker-routes.ts | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/browse/src/cookie-picker-routes.ts b/browse/src/cookie-picker-routes.ts
index f36a6660..6b8499a0 100644
--- a/browse/src/cookie-picker-routes.ts
+++ b/browse/src/cookie-picker-routes.ts
@@ -81,14 +81,13 @@ export async function handleCookiePickerRoute(
     }
 
     // ─── Auth gate: all data/action routes below require Bearer token ───
-    if (authToken) {
-      const authHeader = req.headers.get('authorization');
-      if (!authHeader || authHeader !== `Bearer ${authToken}`) {
-        return new Response(JSON.stringify({ error: 'Unauthorized' }), {
-          status: 401,
-          headers: { 'Content-Type': 'application/json' },
-        });
-      }
+    // Auth is mandatory — if authToken is undefined, reject all requests
+    const authHeader = req.headers.get('authorization');
+    if (!authToken || !authHeader || authHeader !== `Bearer ${authToken}`) {
+      return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+        status: 401,
+        headers: { 'Content-Type': 'application/json' },
+      });
     }
 
     // GET /cookie-picker/browsers — list installed browsers