From 7f327eb07a96ef953b97f0d2eff69a34c3ec4034 Mon Sep 17 00:00:00 2001
From: Jeff Emmett
Date: Tue, 24 Mar 2026 12:58:21 -0700
Subject: [PATCH] fix: whitelist rvote GET API as public + guard campaign wizard auth client-side

1. Add GET /rvote/api/* to public endpoint whitelist so proposal listings work on private/permissioned spaces without auth.
2. Campaign wizard now checks for auth token before POSTing, showing "Please sign in" instead of a cryptic 401.
Co-Authored-By: Claude Opus 4.6
---
 modules/rsocials/components/folk-campaign-wizard.ts | 6 ++++++
 server/index.ts | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/modules/rsocials/components/folk-campaign-wizard.ts b/modules/rsocials/components/folk-campaign-wizard.ts
index a569bec..658ea81 100644
--- a/modules/rsocials/components/folk-campaign-wizard.ts
+++ b/modules/rsocials/components/folk-campaign-wizard.ts
@@ -170,6 +170,12 @@ export class FolkCampaignWizard extends HTMLElement {
 }
 private async createWizard(): Promise {
+ const token = (window as any).__authToken || localStorage.getItem('auth_token') || '';
+ if (!token) {
+ this._error = 'Please sign in to create a campaign wizard';
+ this.render();
+ return null;
+ }
 try {
 const res = await this.apiFetch('/api/campaign/wizard', {
 method: 'POST',
diff --git a/server/index.ts b/server/index.ts
index 8a2922b..4987d8a 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -2322,7 +2322,8 @@ for (const mod of getAllModules()) {
 || pathname.includes("/rcart/api/payments")
 || pathname.includes("/rcart/pay/")
 || pathname.includes("/rwallet/api/")
- || pathname.includes("/rdesign/api/");
+ || pathname.includes("/rdesign/api/")
+ || (c.req.method === "GET" && pathname.includes("/rvote/api/"));
 if (!isHtmlRequest && !isPublicEndpoint && (vis === "private" || vis === "permissioned")) {
 const token = extractToken(c.req.raw.headers);
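Review bot: The added token check at the top of `createWizard` reads `window.__authToken` and `localStorage` directly, while the request itself still goes through `this.apiFetch`, so the guard and the request can disagree about sign-in state if `apiFetch` sources its credential differently (its body is not visible here). The check tests presence only, so an expired or revoked token still reaches the POST and the 401 path needs to keep a readable message. I would add a comment such as `// UX hint only: the server decides authorization; a present token may still be rejected with 401.` and, if the class already has a token accessor that `apiFetch` relies on, reuse it instead of `(window as any)`. The method body continues past the end of this hunk.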
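Review bot: The new `pathname.includes("/rvote/api/")` clause exempts every GET handler under rvote's API from the token check on private and permissioned spaces, not only proposal listings, and as a substring test it also matches any other path that merely contains that segment. If rvote has GET routes returning individual ballots, voter identities or unpublished proposals (not visible in this hunk), those become readable without authentication on spaces marked private. Consider an explicit allowlist of the read-only routes, anchored to the position in the path where the module name sits, e.g. `|| (c.req.method === "GET" && isPublicRvoteRead(pathname));` where the helper name is only a suggestion. The earlier `includes(...)` entries in the same expression share the substring weakness, and the `isPublicEndpoint` expression starts outside this hunk.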