From e5abd22d34863b87de0bdb6ad9b50cf8eb5fac02 Mon Sep 17 00:00:00 2001
From: Malin
Date: Thu, 14 May 2026 20:18:37 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20auth=20loop=20=E2=80=94=20exempt=20only?=
 =?UTF-8?q?=20/login=20and=20/logout,=20not=20entire=20/api/auth/=20prefix?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/beauty_main.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/beauty_main.py b/app/beauty_main.py
index 7ddce33..c425209 100644
--- a/app/beauty_main.py
+++ b/app/beauty_main.py
@@ -123,9 +123,12 @@ app = FastAPI(title="BeautyLeads", lifespan=lifespan)
 # ── Auth middleware ───────────────────────────────────────────────────────────
 class AuthMiddleware(BaseHTTPMiddleware):
-    # Paths that don't require a session
-    _EXEMPT_PREFIXES = ("/api/auth/",)
-    _EXEMPT_EXACT = {"/login.html", "/favicon.ico"}
+    # Only these exact paths skip the session check:
+    # - login (no session yet)
+    # - logout (gracefully accepts expired/missing session)
+    # - login page and favicon
+    _EXEMPT_PREFIXES = ()
+    _EXEMPT_EXACT = {"/api/auth/login", "/api/auth/logout", "/login.html", "/favicon.ico"}
 
     async def dispatch(self, request: Request, call_next):
         path = request.url.path