Make public settings endpoint accessible without authentication #23

Merged
Copilot merged 3 commits from copilot/update-category-dropdown-visibility into main 2025-11-21 07:26:45 -06:00
Copilot commented 2025-11-20 20:37:25 -06:00 (Migrated from github.com)

The show_sort_dropdown admin setting only affected authenticated users because the /api/settings/public/:key endpoint required authentication. Non-logged-in users viewing public pages couldn't fetch the setting, causing the sort dropdown to always display.

Changes

Backend (routes/settings.js)

  • Remove authenticateToken middleware from /public/:key endpoint
  • Setting remains whitelisted for security

Frontend (utils/api.js)

  • Create separate publicApi axios instance without auth interceptor
  • Route settings.getPublic() through publicApi

Documentation (pages/SettingsPage.jsx)

  • Clarify display settings affect all users including non-authenticated

Before/After

// Before: Required authentication, blocking non-logged-in users
router.get('/public/:key', authenticateToken, async (req, res) => { ... });

// After: Publicly accessible while maintaining whitelist security
router.get('/public/:key', async (req, res) => { ... });

Admins can now control sort dropdown visibility for all users including non-logged-in visitors.

Original prompt

The checkmark for Admins to control the category dropdown showing should also control whether a non-logged-in user should see it as well



SluberskiHomeLab (Migrated from github.com) reviewed 2025-11-20 20:37:25 -06:00