fix(spaces): make DID resolve endpoint public (no auth needed for profile data)

The resolve-dids endpoint was returning 401 because unsigned fallback tokens fail HS256 verification. Since username/displayName is public profile data, remove auth requirement from the endpoint and client call. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-21 18:06:36 -07:00 · 2026-03-21 18:06:36 -07:00 · cc504d4a86
parent 21236ccd15
commit cc504d4a86
2 changed files with 3 additions and 6 deletions
--- a/shared/components/rstack-space-settings.ts
+++ b/shared/components/rstack-space-settings.ts
@ -144,11 +144,11 @@ export class RStackSpaceSettings extends HTMLElement {

 		// Resolve missing displayNames from EncryptID
 		const unresolvedDids = this._members.filter(m => !m.displayName).map(m => m.did);
-		if (unresolvedDids.length && token) {
+		if (unresolvedDids.length) {
 			try {
 				const res = await fetch("/api/users/resolve-dids", {
 					method: "POST",
-					headers: { "Authorization": `Bearer ${token}`, "Content-Type": "application/json" },
+					headers: { "Content-Type": "application/json" },
 					body: JSON.stringify({ dids: unresolvedDids }),
 				});
 				if (res.ok) {
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@ -3817,11 +3817,8 @@ app.get('/api/users/lookup', async (c) => {
  });
 });

-// POST /api/users/resolve-dids — batch-resolve DIDs to usernames
+// POST /api/users/resolve-dids — batch-resolve DIDs/userIds to usernames (public profile data)
 app.post('/api/users/resolve-dids', async (c) => {
-  const claims = await verifyTokenFromRequest(c.req.header('Authorization'));
-  if (!claims) return c.json({ error: 'Authentication required' }, 401);
-
  const body = await c.req.json();
  const dids: string[] = Array.isArray(body.dids) ? body.dids.slice(0, 100) : [];
  if (!dids.length) return c.json({});