From cf1b735a4b3055dc6283ddfce6465cdbcd407af2 Mon Sep 17 00:00:00 2001 From: "Rodrigo Rodriguez (Pragmatismo)" Date: Sat, 10 Jan 2026 17:30:35 -0300 Subject: [PATCH] fix(auth): align auth middleware anonymous paths with RBAC config - Remove broad /api/auth anonymous path that was matching /api/auth/me - Add specific anonymous paths: /api/auth/login, /api/auth/refresh, /api/auth/bootstrap - Remove /api/auth/logout, /api/auth/2fa/* from anonymous (require auth) - Fix /api/auth/me returning 401 for authenticated users The issue was auth middleware treating /api/auth/me as anonymous due to prefix matching on /api/auth, while RBAC correctly required authentication. --- botserver | 2 +- botui | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/botserver b/botserver index 9b1a012..2811272 160000 --- a/botserver +++ b/botserver @@ -1 +1 @@ -Subproject commit 9b1a01221efb80813159be59cafe15c7e885b167 +Subproject commit 2811272e072b2d18963b95ff717726a6796ea00b diff --git a/botui b/botui index 7bb230b..c6fc530 160000 --- a/botui +++ b/botui @@ -1 +1 @@ -Subproject commit 7bb230b59c290a09d6564b52e5af4d94c4a4116e +Subproject commit c6fc5306c6706032c038042d49aa0aef789dfb67
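Review bot: In the botserver hunk, the only visible change is the gitlink moving from 9b1a012 to 2811272, so none of the anonymous-path changes listed in the commit message can be checked from this patch. Please name the botserver commit(s) that carry the middleware change in the message, and confirm there whether the new entries (/api/auth/login, /api/auth/refresh, /api/auth/bootstrap) are compared exactly or still by prefix, since the message attributes the /api/auth/me bug to prefix matching on /api/auth. A regression test in botserver that requests /api/auth/me, /api/auth/logout and the /api/auth/2fa/* routes both with and without credentials would keep the middleware list and the RBAC config from drifting apart again.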
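Review bot: In the botui hunk, the submodule pointer moves from 7bb230b to c6fc530, but the commit message describes only server-side auth middleware changes and says nothing about botui. Either state in the message what the botui bump brings in and why it belongs with this fix, or move it to its own commit so the auth fix can be reverted or backported on its own.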