From 856ba94f3b3c7e310a3603a3cd79d8a152b8d5b0 Mon Sep 17 00:00:00 2001
From: giles <giles.bradshaw@sigyl.com>
Date: Mon, 23 Feb 2026 20:19:25 +0000
Subject: [PATCH] Exempt AP paths from auth state check

/.well-known/, /users/, /nodeinfo/ now skip the prompt=none
OAuth redirect so ActivityPub endpoints work for unauthenticated
remote servers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 infrastructure/factory.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/factory.py b/infrastructure/factory.py
index 9692ca8..208d2f7 100644
--- a/infrastructure/factory.py
+++ b/infrastructure/factory.py
@@ -159,7 +159,7 @@ def create_base_app(
         async def _check_auth_state():
             from quart import session as qs
             from urllib.parse import quote as _quote
-            if request.path.startswith("/auth/") or request.path.startswith("/static/"):
+            if request.path.startswith(("/auth/", "/static/", "/.well-known/", "/users/", "/nodeinfo/")):
                 return
 
             uid = qs.get("uid")