From d1c5234a03ab0e0f201fd32a93e33495c68fd8cf Mon Sep 17 00:00:00 2001
From: BOHA <boha@boha.cz>
Date: Tue, 28 Apr 2026 11:52:24 +0200
Subject: [PATCH] fix: allow logo endpoint without auth for <img> tag loading
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Logo images are loaded via <img src> which doesn't carry auth cookies
reliably during login transitions. Changed from requireAuth to
optionalAuth — logos are not sensitive data.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 src/routes/admin/company-settings.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/routes/admin/company-settings.ts b/src/routes/admin/company-settings.ts
index 0257dbc..1fabcce 100644
--- a/src/routes/admin/company-settings.ts
+++ b/src/routes/admin/company-settings.ts
@@ -1,6 +1,10 @@
 import { FastifyInstance } from "fastify";
 import prisma from "../../config/database";
-import { requireAuth, requirePermission } from "../../middleware/auth";
+import {
+  requireAuth,
+  requirePermission,
+  optionalAuth,
+} from "../../middleware/auth";
 import { logAudit } from "../../services/audit";
 import { success, error } from "../../utils/response";
 import multipart from "@fastify/multipart";
@@ -60,7 +64,7 @@ export default async function companySettingsRoutes(
   await fastify.register(multipart, { limits: { fileSize: 5 * 1024 * 1024 } });
 
   // GET /api/admin/company-settings/logo?variant=light|dark
-  fastify.get("/logo", { preHandler: requireAuth }, async (request, reply) => {
+  fastify.get("/logo", { preHandler: optionalAuth }, async (request, reply) => {
     const query = request.query as Record<string, string>;
     const variant = query.variant === "dark" ? "dark" : "light";
     const column = variant === "dark" ? "logo_data_dark" : "logo_data";