fix: auth loop — exempt only /login and /logout, not entire /api/auth/ prefix

2026-05-14 20:18:37 +02:00
parent efbee1540c
commit e5abd22d34
1 changed files with 6 additions and 3 deletions
--- a/app/beauty_main.py
+++ b/app/beauty_main.py
@@ -123,9 +123,12 @@ app = FastAPI(title="BeautyLeads", lifespan=lifespan)
 # ── Auth middleware ───────────────────────────────────────────────────────────

 class AuthMiddleware(BaseHTTPMiddleware):
-    # Paths that don't require a session
-    _EXEMPT_PREFIXES = ("/api/auth/",)
-    _EXEMPT_EXACT    = {"/login.html", "/favicon.ico"}
+    # Only these exact paths skip the session check:
+    # - login (no session yet)
+    # - logout (gracefully accepts expired/missing session)
+    # - login page and favicon
+    _EXEMPT_PREFIXES = ()
+    _EXEMPT_EXACT    = {"/api/auth/login", "/api/auth/logout", "/login.html", "/favicon.ico"}

    async def dispatch(self, request: Request, call_next):
        path = request.url.path