fix(web): /register reachable for bootstrap admin (closes #376) #32
Reference in New Issue
Block a user
Delete Branch "dev"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Production deploy hit a chicken-and-egg bootstrap blocker: the
+layout.svelteauth guard only treated/loginas a public route, so any unauthenticated visit to/registergot bounced to/login?returnTo=%2Fregisterand the "Register" link on the login page looped back to itself. The first-user-becomes-admin path (handleRegister+CreateUserFirstAdminRace) was therefore unreachable without direct DB surgery.This PR adds
/registerto the public-route allowlist and closes the last gap on user-mgmt umbrella #376.Changes
web/src/lib/auth/publicRoutes.ts—isPublicRoute()helper with/login+/registeras the public set. Single source of truth so future auth-guard changes don't require touching+layout.svelte.web/src/routes/+layout.svelte— guard now callsisPublicRoute(path)instead of an inlinepath === '/login'check.web/src/lib/auth/publicRoutes.test.ts— six unit tests, including an explicit comment-tagged regression guard for the/registercase so this can't silently regress.Test plan
publicRoutes.test.tshttps://minstrel.fabledsword.com/registerwhile logged out, register a fresh user, confirmis_admin = trueon first user/registerand confirm the redirect to/still fires (authenticated user shouldn't see the form)Notes
localhost) for the SPA to load at all —crypto.randomUUIDis gated to secure contexts and SvelteKit's client runtime calls it. Operator already movedminstrel.fabledsword.combehind TLS while diagnosing this; documenting here for the next operator.