fix(middleware): allow public access to search API at middleware layer (#424)

PR #107 removed the handler-level `requirePerm()` check from the search
endpoints, but the auth middleware still returned 401 before the handlers
ran because `/_emdash/api/search` was not in `PUBLIC_API_EXACT`. The
handler-level changes therefore never executed for anonymous callers,
and the shipped `LiveSearch` component (which fetches without credentials)
silently showed "No results found" on every query.

This change adds `/_emdash/api/search` to `PUBLIC_API_EXACT` so the
middleware lets anonymous GET requests reach the handler. The query
layer already hardcodes `status='published'`, so anonymous callers
still only see published content. Admin endpoints (`/enable`, `/rebuild`,
`/stats`, and `/suggest`) remain authenticated because they are not in
the set.

The existing E2E test `"search endpoint requires authentication"` asserted
the buggy behavior and is replaced with two new tests: one verifying
public access to `/_emdash/api/search`, and one verifying that `/stats`
and `/enable` remain gated.

Closes #104. Follows up on #107.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Matt Kane <mkane@cloudflare.com>

Author: 3 people

.changeset/public-search-middleware.md

@@ -0,0 +1,5 @@
+---
+"emdash": patch
+---
+
+Fixes public access to the search API (#104). The auth middleware blocked `/_emdash/api/search` before the handler ran, so #107's handler-level change never took effect for anonymous callers. Adds the endpoint to `PUBLIC_API_EXACT` so the shipped `LiveSearch` component works on public sites without credentials. Admin endpoints (`/search/enable`, `/search/rebuild`, `/search/stats`, `/search/suggest`) remain authenticated.

e2e/tests/search.spec.ts

@@ -186,11 +186,26 @@ test.describe("Search", () => {
 	});
 
 	test.describe("Search API", () => {
-		test("search endpoint requires authentication", async ({ serverInfo }) => {
-			// Request without auth token
+		test("search endpoint is publicly accessible", async ({ serverInfo }) => {
+			// The LiveSearch component is shipped for public-site use and calls this
+			// endpoint without credentials. The query layer hardcodes status='published',
+			// so anonymous callers can only see published content.
 			const res = await fetch(`${serverInfo.baseUrl}/_emdash/api/search?q=test`);
-			// Should be 401 or 403
-			expect([401, 403]).toContain(res.status);
+			expect(res.status).toBe(200);
+		});
+
+		test("search admin endpoints still require authentication", async ({ serverInfo }) => {
+			// Admin-only: enable, rebuild, stats must stay gated even though the
+			// read endpoint is public.
+			const stats = await fetch(`${serverInfo.baseUrl}/_emdash/api/search/stats`);
+			expect([401, 403]).toContain(stats.status);
+
+			const enable = await fetch(`${serverInfo.baseUrl}/_emdash/api/search/enable`, {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({ collection: "posts" }),
+			});
+			expect([401, 403]).toContain(enable.status);
 		});
 
 		test("search endpoint requires a query parameter", async ({ serverInfo }) => {

packages/core/src/astro/middleware/auth.ts

@@ -109,6 +109,10 @@ const PUBLIC_API_EXACT = new Set([
 	"/_emdash/api/auth/passkey/verify",
 	"/_emdash/api/oauth/token",
 	"/_emdash/api/snapshot",
+	// Public site search — read-only. The query layer hardcodes status='published'
+	// so unauthenticated callers only see published content. Admin endpoints
+	// (/enable, /rebuild, /stats) remain private because they're not in this set.
+	"/_emdash/api/search",
 ]);
 
 function isPublicEmDashRoute(pathname: string): boolean {