jeffemmett
/
rspace-online
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(rflows): exempt public on-ramp endpoints from space auth middleware 

Space visibility defaults to "private", blocking unauthenticated API calls.
The on-ramp and webhook endpoints are designed for unauthenticated users,
so they need to bypass the space-level auth check.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jeff Emmett 2026-03-23 14:23:44 -07:00
parent f5de97c60c
commit 67f1927eb5
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
server/index.ts
View File

@ -2218,7 +2218,16 @@ for (const mod of getAllModules()) {
const accept = c.req.header("Accept") || "";
const isHtmlRequest = accept.includes("text/html");
if (!isHtmlRequest && (vis === "private" || vis === "permissioned")) {
// Exempt public-facing endpoints that are designed for unauthenticated users
const pathname = new URL(c.req.url).pathname;
const isPublicEndpoint = pathname.endsWith("/api/flows/user-onramp")
|| pathname.endsWith("/api/onramp/config")
|| pathname.endsWith("/api/transak/config")
|| pathname.endsWith("/api/transak/webhook")
|| pathname.endsWith("/api/coinbase/webhook")
|| pathname.endsWith("/api/ramp/webhook");
if (!isHtmlRequest && !isPublicEndpoint && (vis === "private" || vis === "permissioned")) {
const token = extractToken(c.req.raw.headers);
if (!token) {
return c.json({ error: "Authentication required" }, 401);