fix: close auth, permission, contract and e2e review blockers

internal/api/router/router.go

@@ -142,6 +142,7 @@ func (r *Router) Setup() *gin.Engine {
 			authGroup.POST("/login/totp-verify", r.rateLimitMiddleware.Login(), r.authHandler.VerifyTOTPAfterPasswordLogin)
 			authGroup.POST("/refresh", r.rateLimitMiddleware.Refresh(), r.authHandler.RefreshToken)
 			authGroup.GET("/capabilities", r.authHandler.GetAuthCapabilities)
+			authGroup.GET("/csrf-token", r.authHandler.GetCSRFToken)
 
 			authGroup.POST("/activate-email", r.authHandler.ActivateEmail)
 			authGroup.POST("/resend-activation", r.authHandler.ResendActivationEmail)
@@ -189,7 +190,6 @@ func (r *Router) Setup() *gin.Engine {
 		protected.Use(r.authMiddleware.Required())
 		protected.Use(r.rateLimitMiddleware.API())
 		{
-			protected.GET("/auth/csrf-token", r.authHandler.GetCSRFToken)
 			protected.POST("/auth/logout", r.authHandler.Logout)
 			protected.GET("/auth/userinfo", r.authHandler.GetUserInfo)
 
@@ -206,8 +206,8 @@ func (r *Router) Setup() *gin.Engine {
 			users := protected.Group("/users")
 			{
 				users.POST("", middleware.RequirePermission("user:manage"), r.userHandler.CreateUser)
-				users.GET("", r.userHandler.ListUsers)
-				users.GET("/:id", r.userHandler.GetUser)
+				users.GET("", middleware.RequirePermission("user:manage"), r.userHandler.ListUsers)
+				users.GET("/:id", middleware.RequirePermission("user:manage"), r.userHandler.GetUser)
 				users.PUT("/:id", r.userHandler.UpdateUser)
 				users.DELETE("/:id", middleware.RequirePermission("user:delete"), r.userHandler.DeleteUser)
 				users.PUT("/:id/password", r.userHandler.UpdatePassword)