fix(web): exempt /register from auth guard so bootstrap admin can self-register
The +layout.svelte auth guard only treated /login as public, so any unauthenticated visit to /register bounced to /login?returnTo=%2Fregister. The "Register" link on the login page therefore looped back to itself, making the first-user-becomes-admin bootstrap path (handleRegister + CreateUserFirstAdminRace) unreachable in production. Extracted isPublicRoute() into web/src/lib/auth/publicRoutes.ts so the public-route set has one source of truth and is unit-testable. Test file explicitly comment-tags /register as a #376 regression guard. Closes the last gap in user-mgmt umbrella #376. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,9 @@
|
||||
// Routes that the +layout.svelte auth guard must NOT redirect away from
|
||||
// when the visitor is unauthenticated. Bootstrap-admin self-registration
|
||||
// (#376) requires /register to be reachable without a session — without
|
||||
// /register here, the login page's "Register" link bounces back to /login.
|
||||
const PUBLIC_ROUTES = new Set(['/login', '/register']);
|
||||
|
||||
export function isPublicRoute(pathname: string): boolean {
|
||||
return PUBLIC_ROUTES.has(pathname);
|
||||
}
|
||||
Reference in New Issue
Block a user