fix(auth): allow /lunch/pick public access for accountless external attendees
All checks were successful
Build and Push Docker Image / build (push) Successful in 7m30s
All checks were successful
Build and Push Docker Image / build (push) Successful in 7m30s
The external dish-picker page is reached via a signed token by attendees who
have no account. The middleware authorized() callback redirected any non
allowlisted path to /login, which is a dead end for accountless users — so the
picker shipped in 8d4f0ba was unreachable in prod (307 → /login). Add
/lunch/pick to publicPaths; data stays gated by token verification in tRPC.
Adds a regression test asserting the path is public and a protected path is not.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
@@ -58,6 +58,7 @@ export const authConfig: NextAuthConfig = {
|
||||
'/forgot-password',
|
||||
'/reset-password',
|
||||
'/apply',
|
||||
'/lunch/pick', // external attendees pick a dish via signed token (no account)
|
||||
'/api/auth',
|
||||
'/api/trpc', // tRPC handles its own auth via procedures
|
||||
]
|
||||
|
||||
Reference in New Issue
Block a user