From 086ac02205a9cb0e439ba54fb479a6a09749802b Mon Sep 17 00:00:00 2001 From: Jeff Emmett Date: Sun, 12 Apr 2026 11:53:45 -0400 Subject: [PATCH] fix(auth): add missing same-origin proxy routes for EncryptID session APIs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The auth proxy only covered /api/auth/*, /api/register/*, /api/account/* but the identity component also calls /api/session/verify, /api/session/refresh, /api/guardians, /api/user/*, /api/device-link/*, /api/recovery/* — all of which were hitting 404 on the rspace server. The session verify 404 was interpreted as "session revoked", clearing localStorage and logging users out on every page load after the 5-minute validation interval. Also fix profile/recovery links in header that opened empty string (same-origin root) instead of auth.rspace.online. Co-Authored-By: Claude Opus 4.6
---
 lib/rspace-header.ts | 4 ++-- server/index.ts | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/rspace-header.ts b/lib/rspace-header.ts
index 3feda39a..f8323cb8 100644
--- a/lib/rspace-header.ts
+++ b/lib/rspace-header.ts
@@ -897,10 +897,10 @@ export function mountHeader(options: HeaderOptions): void {
 onAuthChange?.();
 break;
 case 'profile':
- window.open(ENCRYPTID_URL, '_blank');
+ window.open('https://auth.rspace.online', '_blank');
 break;
 case 'recovery':
- window.open(`${ENCRYPTID_URL}/recover`, '_blank');
+ window.open('https://auth.rspace.online/recover', '_blank');
 break;
 }
 document.getElementById('header-dropdown')?.classList.remove('open');
diff --git a/server/index.ts b/server/index.ts
index 10658af6..1ac023ef 100644
--- a/server/index.ts
+++ b/server/index.ts
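Review bot: In lib/rspace-header.ts, both new `window.open(...)` calls in the `profile` and `recovery` cases use `'_blank'` without `noopener`, so the opened auth page receives a `window.opener` reference to the app tab. Passing the feature string removes that reference: `window.open('https://auth.rspace.online/recover', '_blank', 'noopener');`, and the same for the profile call. The auth origin is now a string literal repeated in two places; a single named constant for the public auth URL would keep non-production deployments from silently opening the production host. The enclosing `switch` in `mountHeader` starts outside the hunk.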
@@ -563,6 +563,12 @@ const proxyToEncryptid = async (c: any) => {
 app.all("/api/auth/*", proxyToEncryptid);
 app.all("/api/register/*", proxyToEncryptid);
 app.all("/api/account/*", proxyToEncryptid);
+app.all("/api/session/*", proxyToEncryptid);
+app.all("/api/guardians/*", proxyToEncryptid);
+app.all("/api/guardians", proxyToEncryptid);
+app.all("/api/user/*", proxyToEncryptid);
+app.all("/api/device-link/*", proxyToEncryptid);
+app.all("/api/recovery/*", proxyToEncryptid);
 
 // ── EncryptID proxy (forward /encryptid/* to encryptid container) ──
 app.all("/encryptid/*", async (c) => {
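Review bot: The six added `app.all(...)` lines forward every HTTP method and every sub-path under `/api/session/`, `/api/user/`, `/api/device-link/` and `/api/recovery/` to EncryptID, which is broader than the specific calls the commit message lists (for example `/api/session/verify` and `/api/session/refresh`). Anything the upstream serves under those prefixes becomes reachable on the rspace origin, and a later local route with the same prefix may be shadowed depending on registration order, so registering only the exact paths and methods the identity component uses would keep the proxy surface reviewable. If the wildcards stay, a comment above the list such as `// Same-origin proxy to EncryptID: every method and sub-path under these prefixes is forwarded; keep in sync with the identity component.` would record that decision. Only `/api/guardians` gets a bare-path registration; whether the other prefixes are ever requested without a trailing segment is not visible here. `proxyToEncryptid` is defined outside the hunk, so which request headers and cookies it forwards upstream cannot be checked from this diff.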