security: Router.Route ignores AuthUser — relies on middleware for enforcement

[cristim]

In internal/api/router.go (Route method, ~line 213-231), the per-route Auth level is only checked when it equals AuthAdmin. Routes declared as Auth: AuthUser (e.g., /api/auth/logout, /api/api-keys, /api/federation/iac, and now /api/commitment-options from #54) fall through the if-block with no router-level auth check.

Currently these endpoints are still protected by validateSecurity → authenticate in handler.go, but that's an indirect safety net. A future refactor that reorders middleware, or a new route that bypasses validateSecurity, would silently expose every AuthUser endpoint.

Fix direction

• Add an else if route.Auth == AuthUser branch in Router.Route that returns 401 when no valid session is present, independent of middleware ordering.
• Update the AuthLevel doc comment at router.go:23 to accurately describe what enforcement happens where.

Surfaced during review of #54. Not blocking that PR.

[cristim]

P1 security: Router.Route silently skips auth enforcement for AuthUser-level routes — a future middleware reordering or bypass would expose every AuthUser endpoint. The fix is an else if route.Auth == AuthUser branch with a 401 return, fully independent of middleware. Effort is xs (single-digit LOC), but the security blast radius is all authenticated endpoints. Should be addressed this sprint before any middleware refactor touches router.go. (triage agent wave1-A)

[cristim]

Verification — fix landed

Original concern

Router.Route only enforced auth when the matched route had Auth == AuthAdmin. Routes declared as Auth: AuthUser (e.g. /api/auth/logout, /api/api-keys, /api/federation/iac) fell through the dispatch with no router-level check, leaving the validateSecurity → authenticate middleware as the single line of defence.

What PR #84 did

Replaced the AuthAdmin-only if in Router.Route with a switch route.Auth { ... } covering all three levels. Added a new requireAuth helper in middleware.go that wraps h.authenticate and returns a 401 ClientError on rejection. Updated the AuthLevel doc comments to spell out where each level is enforced. Added unit tests in router_authuser_test.go pinning the new behaviour.

Code state today (on feat/multicloud-web-frontend)

• internal/api/router.go:240-251 — switch route.Auth dispatches AuthAdmin → requireAdmin, AuthUser → requireAuth, AuthPublic → no-op. Doc block at lines 234-243 explains the defence-in-depth model.
• internal/api/middleware.go:212-227 — requireAuth helper present, returns NewClientError(401, "authentication required") when h.authenticate rejects.
• internal/api/router_authuser_test.go — test file landed and pins: rejects with no credentials, rejects with invalid bearer, accepts valid non-admin user session, AuthPublic still dispatches without credentials.

Recommendation

Close. The defence-in-depth router-level check is in place, doc comments are tightened, and regression tests pin the behaviour.