// Routes that the +layout.svelte auth guard must NOT redirect away from // when the visitor is unauthenticated. Bootstrap-admin self-registration // (#376) requires /register to be reachable without a session — without // /register here, the login page's "Register" link bounces back to /login. // // Drift #558: /forgot-password and /reset-password/ were missing // from this set. The email-link reset flow is by definition entered // without a session — a signed-out user clicking their reset link was // being bounced to /login, breaking account recovery. const PUBLIC_ROUTES = new Set(['/login', '/register', '/forgot-password']); const PUBLIC_PREFIXES = ['/reset-password/']; export function isPublicRoute(pathname: string): boolean { if (PUBLIC_ROUTES.has(pathname)) return true; return PUBLIC_PREFIXES.some((p) => pathname.startsWith(p)); }