From 3448c6febd05863dee510ee77cf347563bbca061 Mon Sep 17 00:00:00 2001
From: Marko Djordjevic
Date: Wed, 18 Feb 2026 23:07:42 +0100
Subject: [PATCH] fix(auth): allow same-origin browser requests through API middleware

---
 src/proxy.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/proxy.ts b/src/proxy.ts
index 68cbe74..f97c340 100644
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -21,6 +21,15 @@ export function proxy(request: NextRequest) {
 const requestApiKey = request.headers.get("X-API-Key");
 
+ // Allow same-origin browser requests (UI -> /api/*) without exposing API_KEY to client JS.
+ // Keep API key auth for non-browser/external clients.
+ const fetchSite = request.headers.get("sec-fetch-site");
+ const isSameOriginBrowserRequest = fetchSite === "same-origin";
+
+ if (isSameOriginBrowserRequest) {
+ return NextResponse.next();
+ }
+
 if (!requestApiKey || requestApiKey !== apiKey) {
 return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 }
 
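Review bot: The early `return NextResponse.next();` behind the `sec-fetch-site === "same-origin"` check lets any caller that supplies that header skip the `X-API-Key` comparison entirely, because the forbidden `Sec-` header prefix is only enforced by browsers and a non-browser HTTP client can send whatever value it likes. Fetch Metadata is a CSRF/isolation signal, not a credential, so as written the branch makes the API key optional for external clients rather than limiting the exemption to the UI, and the comment `// Keep API key auth for non-browser/external clients.` does not hold. A safer shape keeps the `sec-fetch-site` test purely as a CSRF guard and requires a server-verified credential the UI already carries (for example an httpOnly session cookie validated in this middleware) before returning `NextResponse.next()`; if the UI has no session today, issuing it a short-lived per-session token is preferable to exempting it from authentication. Whatever credential is chosen, the rejection path should stay the existing 401 `NextResponse.json` so unauthenticated same-origin requests are logged and denied like any other. The enclosing `proxy` function starts and ends outside the hunk.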