From 9e24f3346590a903be5545b861bb5b3ec625eb1d Mon Sep 17 00:00:00 2001
From: Sami <sami@dashcaddy.net>
Date: Wed, 1 Apr 2026 01:10:24 -0700
Subject: [PATCH] fix: make /api/config and /api/services/status public
 endpoints

These endpoints must be accessible without TOTP auth for the dashboard
to load site config (TLD, DNS servers, custom logo) and service status
(bulk probe results). Without them, the dashboard shows all services
as OFF and loses custom branding after any session expiry.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 dashcaddy-api/middleware.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dashcaddy-api/middleware.js b/dashcaddy-api/middleware.js
index 132ff10..a6d25c9 100644
--- a/dashcaddy-api/middleware.js
+++ b/dashcaddy-api/middleware.js
@@ -297,6 +297,8 @@ module.exports = function configureMiddleware(app, {
     { path: '/api/themes',            exact: true,  method: 'GET' },
     { path: '/api/license/status',    exact: true,  method: 'GET' },
     { path: '/api/license/feature/',  prefix: true, method: 'GET' },
+    { path: '/api/config',             exact: true,  method: 'GET' },
+    { path: '/api/services/status',    exact: true,  method: 'GET' },
   ];
 
   function isPublicRoute(req) {