From 2bdb1010f8920df5188ba1410a6d3952e2c78e50 Mon Sep 17 00:00:00 2001
From: Marcel Raddatz
Date: Thu, 2 Apr 2026 13:55:03 +0200
Subject: [PATCH] fix(auth): bypass auth guard for static assets and favicon
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prevents redirect loop when backend is down — login page CSS/JS would otherwise be redirected to /login.

Co-Authored-By: Claude Sonnet 4.6
---
 frontend/src/hooks.server.test.ts | 9 +++++++++
 frontend/src/hooks.server.ts | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/frontend/src/hooks.server.test.ts b/frontend/src/hooks.server.test.ts
index f56eadd..d1b16b6 100644
--- a/frontend/src/hooks.server.test.ts
+++ b/frontend/src/hooks.server.test.ts
@@ -39,6 +39,15 @@ describe('auth guard (hooks.server.ts handle)', () => {
 expect(resolve).toHaveBeenCalledWith(event);
 });

+ it.each(['/_app/immutable/chunks/app.js', '/favicon.ico'])(
+ 'allows static asset %s without auth',
+ async (path) => {
+ const { event, resolve } = createEvent(path);
+ await handle({ event, resolve });
+ expect(resolve).toHaveBeenCalledWith(event);
+ }
+ );
+
 it('redirects unauthenticated requests on protected routes', async () => {
 const { event, resolve } = createEvent('/planner');
 try {
diff --git a/frontend/src/hooks.server.ts b/frontend/src/hooks.server.ts
index 4a690a1..6579fbc 100644
--- a/frontend/src/hooks.server.ts
+++ b/frontend/src/hooks.server.ts
@@ -4,7 +4,12 @@ import { apiClient } from '$lib/server/api';

 const PUBLIC_ROUTES = ['/login', '/register', '/invite'];

+const STATIC_PREFIXES = ['/_app/', '/favicon'];
+
 function isPublicRoute(pathname: string): boolean {
+ if (STATIC_PREFIXES.some((prefix) => pathname.startsWith(prefix))) {
+ return true;
+ }
 return PUBLIC_ROUTES.some((route) => pathname === route || pathname.startsWith(route + '/'));
 }
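Review bot: The added `it.each` case asserts only paths that are meant to pass, so it stays green however broadly the guard exempts paths beginning with `/favicon` or `/_app/`. A negative case beside it would pin the boundary, for example `it.each(['/faviconx'])` (a constructed path) expecting the same redirect as the `/planner` test that follows. The enclosing `describe` block starts and ends outside this hunk.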
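Review bot: The `'/favicon'` entry in `STATIC_PREFIXES` is matched with a bare `startsWith`, so any pathname that merely begins with those characters skips the auth guard, whereas the `PUBLIC_ROUTES` check on the last line of `isPublicRoute` requires an exact match or a following `/`. Matching the file exactly keeps the exemption to what the commit message describes: `if (pathname === '/favicon.ico' || pathname.startsWith('/_app/immutable/')) return true;`. Narrowing `/_app/` to `/_app/immutable/` should be confirmed against the build output, since SvelteKit can serve more than hashed assets under the app directory (remote functions, if the project enables them, are routed under `/_app/remote/`). A one-line comment above `STATIC_PREFIXES`, such as `// Prefix-matched and served without authentication: list only build-asset paths here.`, would help the next editor.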