From 93a3aabf7d725513a59d0cef928295abac3c5f5c Mon Sep 17 00:00:00 2001
From: Andrej Mickov
Date: Mon, 2 Mar 2026 23:51:46 +0100
Subject: [PATCH] allow signed admin routes before S3 policy resolution
---
 auth/service.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/auth/service.go b/auth/service.go
index f5ed690..9672cd7 100644
--- a/auth/service.go
+++ b/auth/service.go
@@ -187,6 +187,17 @@ func (s *Service) AuthenticateRequest(r *http.Request) (RequestContext, error) {
 if input.Presigned {
 authType = "sigv4-presign"
 }
+
+ // Admin API authorization is enforced in admin handlers (bootstrap-only).
+ // We still require valid SigV4 credentials here, but skip S3 action policy checks.
+ if strings.HasPrefix(r.URL.Path, "/_admin/") {
+ return RequestContext{
+ Authenticated: true,
+ AccessKeyID: identity.AccessKeyID,
+ AuthType: authType,
+ }, nil
+ }
+
 return RequestContext{
 Authenticated: true,
 AccessKeyID: identity.AccessKeyID,
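Review bot: The new early return keys the policy bypass on `strings.HasPrefix(r.URL.Path, "/_admin/")` over the raw request path, so a path with dot segments can take this branch while the router (if it normalises paths, which this hunk does not show) dispatches it to an S3 handler with no action policy evaluated. Matching on the cleaned path closes that gap: `if strings.HasPrefix(path.Clean(r.URL.Path)+"/", "/_admin/") {` (needs the `path` import). The branch also runs after `authType` may have been set to `"sigv4-presign"`, so presigned URLs are accepted for admin routes; if admin calls should never be shareable links, reject `input.Presigned` here. As far as the hunk shows, the returned RequestContext carries nothing that marks the policy check as skipped, so every handler under `/_admin/` has to do its own bootstrap check; a test that a valid non-bootstrap key is refused on each admin route would pin that down. AuthenticateRequest starts and ends outside the hunk.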