pguzman/squares_game
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix guest signup not showing payment info after purchase

Browse Source 
/api/settings was missing from the middleware public routes allowlist,
causing unauthenticated (guest) requests to be blocked before reaching
the route handler. The error was silently caught, leaving settings null
and hiding the amount owed, payment methods, and payment instructions.
Logged-in users were unaffected as their session token passed middleware.

Also update CLAUDE.md to reflect the WebSocket userId-based auth change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Philip
2026-02-18 08:26:42 -08:00
parent b4e89ea9ee
commit d4c82867d4
3 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.claude/settings.local.json
+6 -1
View File
@@ -19,7 +19,12 @@
"Bash(iptables:*)",
"Bash(npx tsc:*)",
"Bash(npx prisma generate:*)",
"Bash(timeout 3 node:*)"
"Bash(timeout 3 node:*)",
"Bash(git commit:*)",
"Bash(git config:*)",
"Bash(git remote add:*)",
"Bash(git push:*)",
"Bash(git remote set-url:*)"
]
}
}
CLAUDE.md
+1 -1
View File
@@ -64,7 +64,7 @@ Next.js runs behind a custom HTTP server that also handles WebSocket upgrades. T
- **Production standalone mode**: Monkey-patches `http.createServer` to intercept the HTTP server that Next.js's `startServer()` creates, injecting WebSocket upgrade handling for `/ws/chat` before Next.js registers its own upgrade handler. Reads the embedded `nextConfig` from `server.standalone.js` (saved during Docker build) and sets `__NEXT_PRIVATE_STANDALONE_CONFIG` env var so Next.js skips webpack loading.
The server also runs:
- Chat message broadcasting with blacklist filtering and JWT token decoding for user identity
- Chat message broadcasting with blacklist filtering; user identity resolved by looking up `userId` (sent from client session) in the DB — the NextAuth session cookie is HttpOnly so the JWT cannot be read client-side
- `squares:changed``squares:refresh` broadcast for real-time grid updates
- Payment reminder scheduler (15-minute interval) that checks unconfirmed squares approaching grace period deadline
src/middleware.ts
+1
View File
@@ -36,6 +36,7 @@ export default withAuth(
pathname.startsWith('/api/auth') ||
pathname.startsWith('/api/setup') ||
pathname.startsWith('/api/squares') ||
pathname.startsWith('/api/settings') ||
pathname.startsWith('/api/users') ||
pathname.startsWith('/_next') ||
pathname.startsWith('/images')