From 4c80e9aa3c62a24b07037de034daa4145fa8ee38 Mon Sep 17 00:00:00 2001
From: Jean-Luc Makiola <business@jeanlucmakiola.de>
Date: Mon, 13 Apr 2026 20:34:13 +0200
Subject: [PATCH] fix: allow unauthenticated access to /items/* with setup
 context

Items accessed via ?setup= or ?share= query params are now treated as
public routes, preventing the auth redirect to /login.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/client/routes/__root.tsx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/client/routes/__root.tsx b/src/client/routes/__root.tsx
index 3ca7970..7f8eed4 100644
--- a/src/client/routes/__root.tsx
+++ b/src/client/routes/__root.tsx
@@ -126,13 +126,16 @@ function RootLayout() {
 	const currentThreadId = threadMatch ? Number(threadMatch.threadId) : null;
 
 	// Allow public routes through without auth
+	const searchParams = new URLSearchParams(location.search);
 	const isPublicRoute =
 		location.pathname === "/" ||
 		location.pathname.startsWith("/users/") ||
 		location.pathname.startsWith("/global-items") ||
 		location.pathname === "/setups" ||
 		location.pathname.startsWith("/setups/") ||
-		location.pathname === "/login";
+		location.pathname === "/login" ||
+		(location.pathname.startsWith("/items/") &&
+			(searchParams.has("setup") || searchParams.has("share")));
 
 	// FAB visibility: show on all authenticated, non-public routes
 	const isSetupsPage = !!matchRoute({ to: "/setups", fuzzy: true });