From b0c15d64647abdc257d8642fe918acae72cc9e1d Mon Sep 17 00:00:00 2001
From: Usman Baig <mubaig@pm.me>
Date: Wed, 25 Feb 2026 21:15:09 +0100
Subject: [PATCH] Fix: allow script.js to load without auth for embedded sites
 (Shopify) - Add /script.js to PUBLIC_ROUTES in middleware - Fixes 307
 redirect to /login when tracking script loads from third-party sites

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 middleware.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/middleware.ts b/middleware.ts
index 9ab1a7c..80eb554 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -12,6 +12,7 @@ const PUBLIC_ROUTES = new Set([
   '/faq',
   '/changelog',
   '/installation',
+  '/script.js', // * Tracking script – must load without auth for embedded sites (Shopify, etc.)
 ])
 
 const PUBLIC_PREFIXES = [