From adb5d144a04cff1e02c8fad4d032e3d11f10e353 Mon Sep 17 00:00:00 2001
From: jerick <jerick.oates@proton.me>
Date: Mon, 20 Apr 2026 16:49:01 -0400
Subject: [PATCH] fix: allow unauthenticated access to /login to prevent
 redirect loop

Unauthenticated requests to /login were hitting the auth gate and
redirecting back to /login?callbackUrl=/login, causing a loop.
Let the login page render for unauthenticated users; only redirect
away from /login when the user is already logged in.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/middleware.ts | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/middleware.ts b/src/middleware.ts
index bf12286..f2a9f02 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -84,11 +84,15 @@ export default auth((req) => {
     if (pathname.startsWith('/api/')) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const loginUrl = siteUrl(req, '/login')
-    loginUrl.searchParams.set('callbackUrl', pathname)
-    return NextResponse.redirect(loginUrl)
+    if (pathname !== '/login') {
+      const loginUrl = siteUrl(req, '/login')
+      loginUrl.searchParams.set('callbackUrl', pathname)
+      return NextResponse.redirect(loginUrl)
+    }
+    return NextResponse.next()
   }
 
+  // Logged-in users hitting /login get sent to the dashboard
   if (pathname === '/login') {
     return NextResponse.redirect(siteUrl(req, '/dashboard'))
   }