From 1dfa5d807927f74141336a3cebf3f7224c04b4fb Mon Sep 17 00:00:00 2001 From: Jonathan Miller Date: Tue, 2 Jun 2026 08:25:31 -0500 Subject: [PATCH] =?UTF-8?q?SECURITY:=20require=20login=20for=20licenses=20?= =?UTF-8?q?page=20=E2=80=94=20was=20accessible=20anonymously?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The repo licenses route used optSignIn (login optional), allowing anonymous users to view license packages and keys. Changed to reqSignIn to require authentication. Co-Authored-By: Claude Opus 4.6 (1M context) --- routers/web/web.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/routers/web/web.go b/routers/web/web.go index 31d6dbb9bd..5da4e44b9a 100644 --- a/routers/web/web.go +++ b/routers/web/web.go @@ -1540,7 +1540,7 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) { m.Post("/keys/{id}/revoke", repo.LicensesRevokeKey) m.Post("/keys/{id}/renew", repo.LicensesRenewKey) m.Post("/keys/{id}/delete", repo.LicensesDeleteKey) - }, optSignIn, context.RepoAssignment) + }, reqSignIn, context.RepoAssignment) // end "/{username}/{reponame}": licenses m.Group("/{username}/{reponame}", func() { // to maintain compatibility with old attachments -- 2.52.0
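Review bot: The new middleware line `}, reqSignIn, context.RepoAssignment)` only establishes that the caller is logged in, so the three state-changing routes visible just above it (`/keys/{id}/revoke`, `/keys/{id}/renew`, `/keys/{id}/delete`) still have no repository-permission check at the router level. The start of this group and the `repo.Licenses*` handlers are outside the hunk; unless those handlers enforce authorization themselves, any signed-in account that gets through `context.RepoAssignment` may be able to view or change another repository's license keys. If this tree keeps upstream Gitea's `reqRepoAdmin`, consider `}, reqSignIn, context.RepoAssignment, reqRepoAdmin)`, or split the group so that read-only pages and key management get different permission levels. A routing test asserting that anonymous and non-member requests to these paths are rejected would keep the fix from regressing.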