From cdfba02b0359dec69925562e1a134612cf4ee31e Mon Sep 17 00:00:00 2001
From: Jeff Emmett
Date: Mon, 23 Mar 2026 14:30:55 -0700
Subject: [PATCH] fix(rcart): exempt payment endpoints from private space access gate

Payment creation, QR codes, and pay pages should be accessible to any authenticated user regardless of space visibility, since the payment goes to the creator's wallet. The route handlers enforce their own auth.

Co-Authored-By: Claude Opus 4.6
---
 server/index.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server/index.ts b/server/index.ts
index 31b2ff3..f39250c 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -2225,7 +2225,9 @@ for (const mod of getAllModules()) {
 || pathname.endsWith("/api/transak/config")
 || pathname.endsWith("/api/transak/webhook")
 || pathname.endsWith("/api/coinbase/webhook")
- || pathname.endsWith("/api/ramp/webhook");
+ || pathname.endsWith("/api/ramp/webhook")
+ || pathname.includes("/rcart/api/payments")
+ || pathname.includes("/rcart/pay/");
 if (!isHtmlRequest && !isPublicEndpoint && (vis === "private" || vis === "permissioned")) {
 const token = extractToken(c.req.raw.headers);
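Review bot: The two added `pathname.includes(...)` clauses match their substring anywhere in the path, so any request whose URL contains `/rcart/pay/` or `/rcart/api/payments` skips the private/permissioned gate, not only the intended payment routes; the neighbouring exemptions use `endsWith` on one fixed path each. Because `isPublicEndpoint` short-circuits the `extractToken` check in the `if` that follows, unauthenticated requests also pass this gate, so the commit message's "any authenticated user" holds only if every rcart payment handler (list, read and update as well as create) verifies the token itself, which this hunk does not show. Consider anchoring the match to the route position, e.g. `|| /^\/[^/]+\/rcart\/(api\/payments|pay)(\/|$)/.test(pathname)` (this assumes paths of the form `/<space>/rcart/...`; adjust to the real layout), and adding a comment such as `// gate skipped here: rcart payment handlers must authenticate on their own`. The enclosing `for` loop body starts and ends outside the hunk.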