From 308691fcd6817bb07acbc4a80c5f2ea02717f66e Mon Sep 17 00:00:00 2001
From: "Aaron K. Clark" <akclark@thenetwerk.net>
Date: Tue, 19 May 2026 07:57:44 -0500
Subject: [PATCH] chore(auth): drop dead `attachOk` guard in resolveAuth

Cleanup follow-up to #162, which removed the outer try/catch in
attachAuth. Since attachAuth no longer has any 500-emitting path (its
internal callees swallow infrastructure errors into sentinels and
always invoke next()), the `attachOk` boolean was guaranteed true
after the awaited Promise resolved.

The dead `if (!attachOk) return;` line and its stale
"attachAuth already sent a 500" comment misled readers into thinking
resolveAuth still had a divergent error path. Drop both. Behavior
unchanged.

All 688 tests still pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 app/middleware/auth.js | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/app/middleware/auth.js b/app/middleware/auth.js
index 5845490..ae42a4e 100644
--- a/app/middleware/auth.js
+++ b/app/middleware/auth.js
@@ -326,11 +326,9 @@ function requireAuth(req, res, next) {
  * out of the strict 403 (like /v1/whoami).
  */
 async function resolveAuth(req, res, next) {
-    let attachOk = false;
     await new Promise((resolve) => {
-        attachAuth(req, res, () => { attachOk = true; resolve(); });
+        attachAuth(req, res, () => resolve());
     });
-    if (!attachOk) return; // attachAuth already sent a 500
     return requireAuth(req, res, next);
 }