From 724c0e16ba4441ac44cd1819ff994c43c56f17ac Mon Sep 17 00:00:00 2001
From: Jeff Emmett <jeffemmett@gmail.com>
Date: Tue, 24 Mar 2026 11:39:39 -0700
Subject: [PATCH] fix(auth): redirect logged-out visitors from private spaces
 to module landing

Non-demo space dashboards now redirect logged-out visitors to
rspace.online/ instead of showing another user's rApp grid. Private
space module pages redirect to rspace.online/{moduleId} instead of
showing the sign-in gate overlay.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 server/landing.ts | 19 ++++++++++++-------
 server/shell.ts   |  8 +++++++-
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/server/landing.ts b/server/landing.ts
index 96574a1..9b1401f 100644
--- a/server/landing.ts
+++ b/server/landing.ts
@@ -340,15 +340,20 @@ export function renderSpaceDashboard(space: string, modules: ModuleInfo[]): stri
     document.querySelector('rstack-app-switcher')?.setModules(${moduleListJSON});
 
     // Logged-in users: redirect to rSpace canvas instead of showing the grid
+    // Non-demo spaces: redirect logged-out visitors to the main domain landing
     try {
       var raw = localStorage.getItem('encryptid_session');
-      if (raw) {
-        var session = JSON.parse(raw);
-        if (session?.accessToken) {
-          var dest = window.__rspaceNavUrl
-            ? window.__rspaceNavUrl('${escapeAttr(space)}', 'rspace')
-            : '/${escapeAttr(space)}/rspace';
-          window.location.replace(dest);
+      var loggedIn = raw && JSON.parse(raw)?.accessToken;
+      if (loggedIn) {
+        var dest = window.__rspaceNavUrl
+          ? window.__rspaceNavUrl('${escapeAttr(space)}', 'rspace')
+          : '/${escapeAttr(space)}/rspace';
+        window.location.replace(dest);
+      } else if ('${escapeAttr(space)}' !== 'demo') {
+        // Don't show other users' space dashboards to logged-out visitors
+        var host = window.location.host.split(':')[0];
+        if (host.endsWith('.rspace.online') || host === 'rspace.online') {
+          window.location.replace('https://rspace.online/');
         }
       }
     } catch(e) {}
diff --git a/server/shell.ts b/server/shell.ts
index de58189..3892309 100644
--- a/server/shell.ts
+++ b/server/shell.ts
@@ -636,8 +636,14 @@ export function renderShell(opts: ShellOptions): string {
         return;
       }
 
-      // Private spaces: need session + membership check
+      // Private spaces: redirect logged-out visitors to the module landing page
       if (!hasToken) {
+        var host = window.location.host.split(':')[0];
+        if (host.endsWith('.rspace.online') || host === 'rspace.online') {
+          var modId = document.body.getAttribute('data-module-id') || 'rspace';
+          window.location.replace('https://rspace.online/' + modId);
+          return;
+        }
         showGate('sign-in');
         return;
       }