From b297fdd88dadcabeb93f47abea9f24f70b7d4b71 Mon Sep 17 00:00:00 2001 From: Matt Van Horn Date: Mon, 6 Apr 2026 13:01:28 -0700 Subject: [PATCH] fix: allow public access to search API for frontend LiveSearch (#107) * fix: allow public access to search and suggest API endpoints The search and suggest endpoints required search:read permission, blocking unauthenticated visitors from using the LiveSearch component. This is safe because the search query layer defaults to status=published, so public users only see published content. Fixes #104 * fix: add changeset for public search API access Patch bump for emdash - allows public access to search API endpoints. Co-Authored-By: Claude Opus 4.6 (1M context) --------- Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com> Co-authored-by: Matt Kane Co-authored-by: Claude Opus 4.6 (1M context) --- .changeset/public-search-api.md | 5 +++++ packages/core/src/astro/routes/api/search/index.ts | 6 +----- packages/core/src/astro/routes/api/search/suggest.ts | 6 +----- 3 files changed, 7 insertions(+), 10 deletions(-) create mode 100644 .changeset/public-search-api.md diff --git a/.changeset/public-search-api.md b/.changeset/public-search-api.md new file mode 100644 index 0000000..c5eeaaf --- /dev/null +++ b/.changeset/public-search-api.md @@ -0,0 +1,5 @@ +--- +"emdash": patch +--- + +Allows public access to search API for frontend LiveSearch diff --git a/packages/core/src/astro/routes/api/search/index.ts b/packages/core/src/astro/routes/api/search/index.ts index 104bed3..502be30 100644 --- a/packages/core/src/astro/routes/api/search/index.ts +++ b/packages/core/src/astro/routes/api/search/index.ts @@ -6,7 +6,6 @@ import type { APIRoute } from "astro"; -import { requirePerm } from "#api/authorize.js"; import { apiError, apiSuccess, handleError } from "#api/error.js"; import { isParseError, parseQuery } from "#api/parse.js"; import { searchQuery } from "#api/schemas.js"; @@ -24,10 +23,7 @@ export const prerender = false; * - limit: Maximum results (optional, defaults to 20) */ export const GET: APIRoute = async ({ url, locals }) => { - const { emdash, user } = locals; - - const denied = requirePerm(user, "search:read"); - if (denied) return denied; + const { emdash } = locals; if (!emdash?.db) { return apiError("NOT_CONFIGURED", "EmDash not configured", 500); diff --git a/packages/core/src/astro/routes/api/search/suggest.ts b/packages/core/src/astro/routes/api/search/suggest.ts index a212755..4680104 100644 --- a/packages/core/src/astro/routes/api/search/suggest.ts +++ b/packages/core/src/astro/routes/api/search/suggest.ts @@ -6,7 +6,6 @@ import type { APIRoute } from "astro"; -import { requirePerm } from "#api/authorize.js"; import { apiError, apiSuccess, handleError } from "#api/error.js"; import { isParseError, parseQuery } from "#api/parse.js"; import { searchSuggestQuery } from "#api/schemas.js"; @@ -23,10 +22,7 @@ export const prerender = false; * - limit: Maximum suggestions (optional, defaults to 5) */ export const GET: APIRoute = async ({ url, locals }) => { - const { emdash, user } = locals; - - const denied = requirePerm(user, "search:read"); - if (denied) return denied; + const { emdash } = locals; if (!emdash?.db) { return apiError("NOT_CONFIGURED", "EmDash not configured", 500);