fix installer script

internal/httpapp/auth_middleware.go

@@ -18,7 +18,7 @@ const (
 func (a *App) authMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Skip auth for public endpoints (includes web UI pages and read-only GET endpoints)
-		if a.isPublicEndpoint(r.URL.Path) {
+		if a.isPublicEndpoint(r.URL.Path, r.Method) {
 			next.ServeHTTP(w, r)
 			return
 		}
@@ -98,7 +98,9 @@ func (a *App) requireRole(allowedRoles ...models.Role) func(http.Handler) http.H
 }
 
 // isPublicEndpoint checks if an endpoint is public (no auth required)
-func (a *App) isPublicEndpoint(path string) bool {
+// It validates both path and HTTP method to prevent unauthenticated mutations
+func (a *App) isPublicEndpoint(path, method string) bool {
+	// Always public paths (any method)
 	publicPaths := []string{
 		"/healthz",
 		"/health",
@@ -126,13 +128,14 @@ func (a *App) isPublicEndpoint(path string) bool {
 		}
 	}
 
-	// Static files are public
+	// Static files are public (any method)
 	if strings.HasPrefix(path, "/static/") {
 		return true
 	}
 
-	// Make read-only GET endpoints public for web UI (but require auth for mutations)
-	// This allows the UI to display data without login, but operations require auth
+	// Read-only GET endpoints are public for web UI (but require auth for mutations)
+	// SECURITY: Only GET requests are allowed without authentication
+	// POST, PUT, DELETE, PATCH require authentication
 	publicReadOnlyPaths := []string{
 		"/api/v1/dashboard",         // Dashboard data
 		"/api/v1/disks",             // List disks
@@ -149,7 +152,9 @@ func (a *App) isPublicEndpoint(path string) bool {
 
 	for _, publicPath := range publicReadOnlyPaths {
 		if path == publicPath {
-			return true
+			// Only allow GET requests without authentication
+			// All mutation methods (POST, PUT, DELETE, PATCH) require authentication
+			return method == http.MethodGet
 		}
 	}