Disable create new notes page when anonymous users read notes (with Traefik middleware)

[ToshY]

I've successfully setup Enclosed with docker compose (great documentation by the way 👍) and Traefik, and after playing around it works like expected.

What I wanted to achieve next is putting Enclosed behind Traefik authentication middleware, so that only authenticated users (from IDP) are able to create notes and that these notes can be read without authentication needed (anonymously).

The problem is however, even when I add bypass middleware for Traefik, anonymous users will still be able to navigate to the page to create new notes (as this doesn't seem to dispatch a new request but more like an URL rewrite; fyi I'm not very familiar with modern web applications). Still, when an anonymous users tries to create a note it will fail subsequently, as it will now create an underlying request to https://notes.example.com/api/notes which gets intercepted by Traefik correctly, resulting in a 302 redirect (to the authentication) and leading to a CORS error in the console.

TLDR

When adding authentication middleware in the reverse proxy, anonymous users are currently not able to create new notes but they are still able to navigate to this page (which I'm trying to prevent).

I'm not sure if this is currently possible with the current version of the application but any bit of help would be appreciated.

---

Setup

/enclosed/
├── .env
└── compose.yaml

.env

###> Image versions ###
ENCLOSED_IMAGE_VERSION="1.6.1"
###< Image versions ###

###> App ###
APP_DOMAIN="example.com"
ENCLOSED_DOMAIN="notes.${APP_DOMAIN}"
###< App ###

compose.yaml

name: enclosed
services:
  enclosed:
    image: ghcr.io/corentinth/enclosed:${ENCLOSED_IMAGE_VERSION:-latest}
    restart: unless-stopped
    environment:
      PORT: ${ENCLOSED_PORT:-8787}
      SERVER_API_ROUTES_TIMEOUT_MS: ${ENCLOSED_SERVER_API_ROUTES_TIMEOUT_MS:-5000}
      SERVER_CORS_ORIGINS: ${ENCLOSED_SERVER_CORS_ORIGINS:-}
      NOTES_MAX_ENCRYPTED_PAYLOAD_LENGTH: ${ENCLOSED_NOTES_MAX_ENCRYPTED_PAYLOAD_LENGTH:-5242880}
      TASK_DELETE_EXPIRED_NOTES_ENABLED: ${ENCLOSED_TASK_DELETE_EXPIRED_NOTES_ENABLED:-true}
      TASK_DELETE_EXPIRED_NOTES_CRON: ${ENCLOSED_TASK_DELETE_EXPIRED_NOTES_CRON:-0 * * * *}
      TASK_DELETE_EXPIRED_NOTES_RUN_ON_STARTUP: ${ENCLOSED_TASK_DELETE_EXPIRED_NOTES_RUN_ON_STARTUP:-true}
      STORAGE_DRIVER_FS_LITE_PATH: ${ENCLOSED_STORAGE_DRIVER_FS_LITE_PATH:-/app/.data}
      STORAGE_DRIVER_CLOUDFLARE_KV_BINDING: ${ENCLOSED_STORAGE_DRIVER_CLOUDFLARE_KV_BINDING:-notes}
      PUBLIC_IS_AUTHENTICATION_REQUIRED: ${ENCLOSED_PUBLIC_IS_AUTHENTICATION_REQUIRED:-false}
    labels:
      traefik.enable: true
      traefik.docker.network: proxy
      traefik.http.routers.enclosed.tls: true
      traefik.http.routers.enclosed.entrypoints: websecure
      traefik.http.routers.enclosed.rule: Host(`${ENCLOSED_DOMAIN:-notes.${APP_DOMAIN}}`)
      traefik.http.routers.enclosed.service: enclosed
      traefik.http.services.enclosed.loadbalancer.server.port: ${ENCLOSED_PORT:-8787}
      traefik.http.routers.enclosed.middlewares: oauth@file
      # Anonymous read
      traefik.http.routers.enclosed-read.tls: true
      traefik.http.routers.enclosed-read.entrypoints: websecure
      traefik.http.routers.enclosed-read.rule: Host(`${ENCLOSED_DOMAIN:-notes.${APP_DOMAIN}}`) && (PathRegexp(`/[a-z0-9]{22}`) || Path(`/api/config`))
      traefik.http.routers.enclosed-read.service: enclosed-read
      traefik.http.services.enclosed-read.loadbalancer.server.port: ${ENCLOSED_PORT:-8787}
    volumes:
      - enclosed_data:${ENCLOSED_STORAGE_DRIVER_FS_LITE_PATH:-/app/.data}
    networks:
      - enclosed
      - proxy

  wait:
    image: waisbrot/wait
    environment:
      TARGETS: enclosed:${ENCLOSED_PORT:-8787}
      TIMEOUT: 30
    networks:
      - enclosed

volumes:
  enclosed_data:
    driver: local

networks:
  enclosed:
    driver: bridge
  proxy:
    external: true

[ToshY]

Is the use case unclear? Or does nobody else has this (or similar) requirement for enclosed?