From 0f956cf23f204e8e13617ee4ab498e1034acb734 Mon Sep 17 00:00:00 2001
From: Matt <matt@letsbe.solutions>
Date: Wed, 4 Feb 2026 00:26:05 +0100
Subject: [PATCH] Fix invitation flow by allowing unauthenticated tRPC requests

The middleware was blocking /api/trpc requests for unauthenticated users,
which prevented the accept-invite page from calling the public
validateInviteToken procedure. tRPC handles its own authentication
via procedure middleware, so the NextAuth middleware should allow
all tRPC requests through.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 src/lib/auth.config.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lib/auth.config.ts b/src/lib/auth.config.ts
index b023041..09f61e2 100644
--- a/src/lib/auth.config.ts
+++ b/src/lib/auth.config.ts
@@ -45,6 +45,7 @@ export const authConfig: NextAuthConfig = {
         '/accept-invite',
         '/apply',
         '/api/auth',
+        '/api/trpc', // tRPC handles its own auth via procedures
       ]
 
       // Check if it's a public path