middleware passage for webhook paths

middleware.ts

@@ -6,21 +6,21 @@ import { NextResponse, NextRequest } from "next/server";
  * Everything else is considered protected (including most /api/*).
  */
  const PUBLIC_PAGES = new Set<string>([
-     "/",                // ← splash page is public
+     "/",                // splash page is public
      "/auth/sign-in",
      "/auth/sign-up",
  ]);
 
  /**
   * API paths that are explicitly allowed without auth.
-  * Keep this list tiny. If you don't need any public APIs, leave it empty.
+  * Keep this list tiny; add broad /api/webhooks to allow ALL webhook endpoints.
   */
  const PUBLIC_API_PREFIXES: string[] = [
      "/api/auth",                 // login/refresh/callback endpoints
-// 🔹 Allow the file server endpoints (read-only)
-"/api/files/list",
+"/api/files/list",           // read-only file endpoints
 "/api/files/raw",
 "/api/files/download",
+"/api/webhooks",             // ← allow ALL webhooks (e.g. /api/webhooks/kofi, /api/webhooks/*)
  ];
 
  /** Directus base (used to remotely validate the token after restarts). */
@@ -87,6 +87,12 @@ import { NextResponse, NextRequest } from "next/server";
      const url = req.nextUrl.clone();
      const { pathname } = url;
 
+     // ── -1) Always allow ALL webhook endpoints (no mapping, no gating, no redirects)
+     //      This lets external providers (Ko-fi, Patreon, etc.) POST without auth.
+     if (pathname === "/api/webhooks" || pathname.startsWith("/api/webhooks/")) {
+         return NextResponse.next();
+     }
+
      // ── 0) Root must never redirect (no mapping, no gating).
      if (pathname === "/") return NextResponse.next();
 
@@ -205,6 +211,7 @@ import { NextResponse, NextRequest } from "next/server";
      return false;
  }
 
+ // Match all except the usual static assets; webhooks are handled above.
  export const config = {
      matcher: ["/((?!_next/static|_next/image|favicon.ico|robots.txt|sitemap.xml|images|static).*)"],
  };