From ccaef33a20c03ae2c321926db250912dc8685766 Mon Sep 17 00:00:00 2001
From: Jeff Emmett <jeffemmett@gmail.com>
Date: Mon, 6 Apr 2026 19:00:38 -0400
Subject: [PATCH] fix(rtasks): exempt rtasks API from space auth middleware

The clf space is private, so all API calls were getting 401'd by the
space access middleware before reaching the rtasks routes. Add
/rtasks/api/ to the public endpoint exemption list (like rwallet,
rdesign, rvote already are).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 server/index.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/index.ts b/server/index.ts
index b12741d..66d401c 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -2812,8 +2812,8 @@ for (const mod of getAllModules()) {
 			|| pathname.includes("/rcart/pay/")
 			|| pathname.includes("/rwallet/api/")
 			|| pathname.includes("/rdesign/api/")
-			|| (c.req.method === "GET" && pathname.includes("/rvote/api/"))
-			|| (c.req.method === "POST" && pathname.endsWith("/rtasks/api/clickup/webhook"));
+			|| pathname.includes("/rtasks/api/")
+			|| (c.req.method === "GET" && pathname.includes("/rvote/api/"));
 
 		if (!isHtmlRequest && !isPublicEndpoint && (vis === "private" || vis === "permissioned")) {
 			const token = extractToken(c.req.raw.headers);