fix(rcart): exempt payment endpoints from private space access gate

Payment creation, QR codes, and pay pages should be accessible to any authenticated user regardless of space visibility, since the payment goes to the creator's wallet. The route handlers enforce their own auth. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-23 14:30:55 -07:00 · 2026-03-23 14:30:55 -07:00 · cdfba02b03
parent 67f1927eb5
commit cdfba02b03
1 changed files with 3 additions and 1 deletions
--- a/server/index.ts
+++ b/server/index.ts
@ -2225,7 +2225,9 @@ for (const mod of getAllModules()) {
 			|| pathname.endsWith("/api/transak/config")
 			|| pathname.endsWith("/api/transak/webhook")
 			|| pathname.endsWith("/api/coinbase/webhook")
-			|| pathname.endsWith("/api/ramp/webhook");
+			|| pathname.endsWith("/api/ramp/webhook")
+			|| pathname.includes("/rcart/api/payments")
+			|| pathname.includes("/rcart/pay/");

 		if (!isHtmlRequest && !isPublicEndpoint && (vis === "private" || vis === "permissioned")) {
 			const token = extractToken(c.req.raw.headers);