From cc504d4a861e12863eaf8230a5af2bc1ac0f5490 Mon Sep 17 00:00:00 2001
From: Jeff Emmett <jeffemmett@gmail.com>
Date: Sat, 21 Mar 2026 18:06:36 -0700
Subject: [PATCH] fix(spaces): make DID resolve endpoint public (no auth needed
 for profile data)

The resolve-dids endpoint was returning 401 because unsigned fallback tokens
fail HS256 verification. Since username/displayName is public profile data,
remove auth requirement from the endpoint and client call.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 shared/components/rstack-space-settings.ts | 4 ++--
 src/encryptid/server.ts                    | 5 +----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/shared/components/rstack-space-settings.ts b/shared/components/rstack-space-settings.ts
index a951627..3aa60f7 100644
--- a/shared/components/rstack-space-settings.ts
+++ b/shared/components/rstack-space-settings.ts
@@ -144,11 +144,11 @@ export class RStackSpaceSettings extends HTMLElement {
 
 		// Resolve missing displayNames from EncryptID
 		const unresolvedDids = this._members.filter(m => !m.displayName).map(m => m.did);
-		if (unresolvedDids.length && token) {
+		if (unresolvedDids.length) {
 			try {
 				const res = await fetch("/api/users/resolve-dids", {
 					method: "POST",
-					headers: { "Authorization": `Bearer ${token}`, "Content-Type": "application/json" },
+					headers: { "Content-Type": "application/json" },
 					body: JSON.stringify({ dids: unresolvedDids }),
 				});
 				if (res.ok) {
diff --git a/src/encryptid/server.ts b/src/encryptid/server.ts
index 6ae4c2a..988c1f1 100644
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@@ -3817,11 +3817,8 @@ app.get('/api/users/lookup', async (c) => {
   });
 });
 
-// POST /api/users/resolve-dids — batch-resolve DIDs to usernames
+// POST /api/users/resolve-dids — batch-resolve DIDs/userIds to usernames (public profile data)
 app.post('/api/users/resolve-dids', async (c) => {
-  const claims = await verifyTokenFromRequest(c.req.header('Authorization'));
-  if (!claims) return c.json({ error: 'Authentication required' }, 401);
-
   const body = await c.req.json();
   const dids: string[] = Array.isArray(body.dids) ? body.dids.slice(0, 100) : [];
   if (!dids.length) return c.json({});