From 5c98f1c71796a9e73ef39d945528be6f0bf2ab80 Mon Sep 17 00:00:00 2001
From: CREDO23 <thierrybakera12@gmail.com>
Date: Tue, 24 Mar 2026 16:25:13 +0200
Subject: [PATCH] add ZERO_MUTATE_URL and no-op mutate endpoint for zero-cache
 auth passthrough

---
 docker/.env.example                        | 11 +++++++++--
 docker/docker-compose.dev.yml              |  1 +
 docker/docker-compose.yml                  |  1 +
 surfsense_web/app/api/zero/mutate/route.ts |  5 +++++
 4 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 surfsense_web/app/api/zero/mutate/route.ts

diff --git a/docker/.env.example b/docker/.env.example
index 716405f8e..766f92dcc 100644
--- a/docker/.env.example
+++ b/docker/.env.example
@@ -85,13 +85,20 @@ EMBEDDING_MODEL=sentence-transformers/all-MiniLM-L6-v2
 # ZERO_CVR_DB=postgresql://surfsense:surfsense@db:5432/surfsense
 # ZERO_CHANGE_DB=postgresql://surfsense:surfsense@db:5432/surfsense
 
-# URL where zero-cache sends queries for resolution (server-to-server).
-# Default: http://frontend:3000/api/zero/query (Docker service networking).
+# ZERO_QUERY_URL: where zero-cache forwards query requests for resolution.
+# ZERO_MUTATE_URL: required by zero-cache when auth tokens are used, even though
+#   SurfSense does not use Zero mutators. Setting both URLs tells zero-cache to
+#   skip its own JWT verification and let the app endpoints handle auth instead.
+#   The mutate endpoint is a no-op that returns an empty response.
+# Default: Docker service networking (http://frontend:3000/api/zero/...).
 # Override when running the frontend outside Docker:
 #   ZERO_QUERY_URL=http://host.docker.internal:3000/api/zero/query
+#   ZERO_MUTATE_URL=http://host.docker.internal:3000/api/zero/mutate
 # Override for custom domain:
 #   ZERO_QUERY_URL=https://app.yourdomain.com/api/zero/query
+#   ZERO_MUTATE_URL=https://app.yourdomain.com/api/zero/mutate
 # ZERO_QUERY_URL=http://frontend:3000/api/zero/query
+# ZERO_MUTATE_URL=http://frontend:3000/api/zero/mutate
 
 # ------------------------------------------------------------------------------
 # Database (defaults work out of the box, change for security)
diff --git a/docker/docker-compose.dev.yml b/docker/docker-compose.dev.yml
index e6cb3fd1d..564ecd772 100644
--- a/docker/docker-compose.dev.yml
+++ b/docker/docker-compose.dev.yml
@@ -185,6 +185,7 @@ services:
       - ZERO_REPLICA_FILE=/data/zero.db
       - ZERO_ADMIN_PASSWORD=${ZERO_ADMIN_PASSWORD:-surfsense-zero-admin}
       - ZERO_QUERY_URL=${ZERO_QUERY_URL:-http://frontend:3000/api/zero/query}
+      - ZERO_MUTATE_URL=${ZERO_MUTATE_URL:-http://frontend:3000/api/zero/mutate}
     volumes:
       - zero_cache_data:/data
     restart: unless-stopped
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 9b9993c7f..b03efdd2f 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -171,6 +171,7 @@ services:
       ZERO_REPLICA_FILE: /data/zero.db
       ZERO_ADMIN_PASSWORD: ${ZERO_ADMIN_PASSWORD:-surfsense-zero-admin}
       ZERO_QUERY_URL: ${ZERO_QUERY_URL:-http://frontend:3000/api/zero/query}
+      ZERO_MUTATE_URL: ${ZERO_MUTATE_URL:-http://frontend:3000/api/zero/mutate}
     volumes:
       - zero_cache_data:/data
     restart: unless-stopped
diff --git a/surfsense_web/app/api/zero/mutate/route.ts b/surfsense_web/app/api/zero/mutate/route.ts
new file mode 100644
index 000000000..0076e1ae8
--- /dev/null
+++ b/surfsense_web/app/api/zero/mutate/route.ts
@@ -0,0 +1,5 @@
+import { NextResponse } from "next/server";
+
+export async function POST() {
+	return NextResponse.json([]);
+}