OAuth unlink routes missing isAuthenticated middleware.

[Piyushrathoree]

p5.js version

No response

What is your operating system?

None

Web browser and version

No response

Actual Behavior

The DELETE /auth/github and DELETE /auth/google routes in

server/routes/user.routes.ts
do not use the isAuthenticated middleware. Every other account-management route in the same file uses it (PUT /account, POST /account/api-keys, PUT /cookie-consent, PUT /preferences).

Without the middleware, unauthenticated requests receive a 404 status from the controller's inline guard instead of the standard 401.
The JSDoc for both handlers in authManagement.ts even notes Authenticated: false -- TODO: update to true?.

Expected Behavior

Both routes should use isAuthenticated middleware, returning 401 for unauthenticated requests — consistent with every other account route.

Steps to reproduce

Steps:

1. Start the dev server with npm start
2. Without logging in, send DELETE /auth/github (e.g. via curl)
3. Observe: response is 404 with "You must be logged in..."
4. Expected: response should be 401 (from isAuthenticated middleware)

Relevant code:

// server/routes/user.routes.ts lines 48-51
// DELETE /auth/github
router.delete('/auth/github', UserController.unlinkGithub);        // ← missing isAuthenticated
// DELETE /auth/google
router.delete('/auth/google', UserController.unlinkGoogle);        // ← missing isAuthenticated

// Compare with adjacent route (line 47):
router.put('/account', isAuthenticated, UserController.updateSettings);  // ← has it

[Piyushrathoree]

@raclim please check this issue and please confirm it. I'm ready with a PR please assign me as well.

[saurabh24thakur]

I've verified this in server/routes/user.routes.ts. The JSDoc in authManagement.ts actually already has a TODO to fix this, so it's definitely a missing piece.

My Proposed Plan:

Add Middleware: Insert the isAuthenticated check to the Google and GitHub unlink routes.

Update Tests: Refactor the unit tests to expect a 401 Unauthorized status instead of the current 404.

I have experience with Node.js/Express and secure authentication flows, so I can ensure this fix is consistent with the rest of the app. If the author isn't already working on it, I'd love to take this up??

[Piyushrathoree]

I've verified this in server/routes/user.routes.ts. The JSDoc in authManagement.ts actually already has a TODO to fix this, so it's definitely a missing piece.

My Proposed Plan:

Add Middleware: Insert the isAuthenticated check to the Google and GitHub unlink routes.

Update Tests: Refactor the unit tests to expect a 401 Unauthorized status instead of the current 404.

I have experience with Node.js/Express and secure authentication flows, so I can ensure this fix is consistent with the rest of the app. If the author isn't already working on it, I'd love to take this up??

hello, @saurabh24thakur I already solved the issue I'm just waiting for the maintainer's approval to raise a PR.