From d4c82867d428f783944468663e7265712d60d4e6 Mon Sep 17 00:00:00 2001
From: Philip
Date: Wed, 18 Feb 2026 08:26:42 -0800
Subject: [PATCH] Fix guest signup not showing payment info after purchase

/api/settings was missing from the middleware public routes allowlist, causing unauthenticated (guest) requests to be blocked before reaching the route handler. The error was silently caught, leaving settings null and hiding the amount owed, payment methods, and payment instructions. Logged-in users were unaffected as their session token passed middleware. Also update CLAUDE.md to reflect the WebSocket userId-based auth change.

Co-Authored-By: Claude Sonnet 4.6
---
 .claude/settings.local.json | 7 ++++++-
 CLAUDE.md | 2 +-
 src/middleware.ts | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index 3a791c2..3070d9e 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -19,7 +19,12 @@
 "Bash(iptables:*)",
 "Bash(npx tsc:*)",
 "Bash(npx prisma generate:*)",
- "Bash(timeout 3 node:*)"
+ "Bash(timeout 3 node:*)",
+ "Bash(git commit:*)",
+ "Bash(git config:*)",
+ "Bash(git remote add:*)",
+ "Bash(git push:*)",
+ "Bash(git remote set-url:*)"
 ]
 }
 }
diff --git a/CLAUDE.md b/CLAUDE.md
index c3418cd..95ce198 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
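Review bot: The five new `Bash(git …:*)` entries let the agent commit, rewrite `git config` (author identity, credential helper, hooks path), add or repoint remotes, and push, all without a confirmation prompt, which together amounts to unattended write access to any remote the agent chooses and is a code-exfiltration and supply-chain risk. The dangerous pairing is `"Bash(git push:*)"` with `"Bash(git remote add:*)"` / `"Bash(git remote set-url:*)"`; scoping push to a fixed destination, e.g. `"Bash(git push origin:*)"`, and leaving the remote and config commands to per-use approval keeps the commit workflow while removing the arbitrary-destination case. Note also that `.claude/settings.local.json` is the per-machine override file and is normally gitignored, yet the `index` line shows it is tracked here, so these permissions apply to everyone who clones the repository. The pre-existing `"Bash(iptables:*)"` entry in the same list suggests the allowlist is already broad and may deserve a pass of its own.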
@@ -64,7 +64,7 @@ Next.js runs behind a custom HTTP server that also handles WebSocket upgrades. T
 - **Production standalone mode**: Monkey-patches `http.createServer` to intercept the HTTP server that Next.js's `startServer()` creates, injecting WebSocket upgrade handling for `/ws/chat` before Next.js registers its own upgrade handler. Reads the embedded `nextConfig` from `server.standalone.js` (saved during Docker build) and sets `__NEXT_PRIVATE_STANDALONE_CONFIG` env var so Next.js skips webpack loading.
 The server also runs:
-- Chat message broadcasting with blacklist filtering and JWT token decoding for user identity
+- Chat message broadcasting with blacklist filtering; user identity resolved by looking up `userId` (sent from client session) in the DB — the NextAuth session cookie is HttpOnly so the JWT cannot be read client-side
 - `squares:changed` → `squares:refresh` broadcast for real-time grid updates
 - Payment reminder scheduler (15-minute interval) that checks unconfirmed squares approaching grace period deadline
diff --git a/src/middleware.ts b/src/middleware.ts
index 82c4e05..b789607 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -36,6 +36,7 @@ export default withAuth(
 pathname.startsWith('/api/auth') ||
 pathname.startsWith('/api/setup') ||
 pathname.startsWith('/api/squares') ||
+ pathname.startsWith('/api/settings') ||
 pathname.startsWith('/api/users') ||
 pathname.startsWith('/_next') ||
 pathname.startsWith('/images')
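Review bot: The added `pathname.startsWith('/api/settings')` exempts every HTTP method under that prefix from the middleware auth check, not only the GET the guest signup page needs, so any PUT/POST/DELETE handler for settings (payment instructions, amounts) now depends entirely on its own session check, which this commit does not show. If `req` is in scope in this callback, the narrower form `(pathname.startsWith('/api/settings') && req.method === 'GET') ||` keeps mutating requests behind auth; otherwise confirm the route handler rejects non-GET calls without a session. Because the response is now served to unauthenticated callers, the handler should return only the public subset (amount owed, payment methods, instructions) rather than the full settings record. Separately, the CLAUDE.md text in the same commit says the WebSocket server resolves identity from a client-sent `userId`, which any client can forge; presumably the upgrade handler should validate the NextAuth session cookie server-side instead, and that is worth confirming. The `withAuth(` call and the callback this condition belongs to begin and end outside this hunk.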