From b45f84d62b100670f1b006401dc2896756340508 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 2 Jul 2026 14:19:45 -0400 Subject: [PATCH] The dashboard middleware was treating /dashboard/api/v1/* as protected dashboard pages, so even the login request: /dashboard/api/v1/auth/employee/login was getting 307 redirected to /dashboard/sign-in. That meant sign-in could never set/read the employee_session cookie, and every dashboard page kept bouncing back to sign-in. --- apps/dashboard/src/middleware.test.ts | 9 +++++++++ apps/dashboard/src/middleware.ts | 1 + 2 files changed, 10 insertions(+) diff --git a/apps/dashboard/src/middleware.test.ts b/apps/dashboard/src/middleware.test.ts index cc9960e..3228429 100644 --- a/apps/dashboard/src/middleware.test.ts +++ b/apps/dashboard/src/middleware.test.ts @@ -122,4 +122,13 @@ describe('dashboard middleware', () => { expect(response).toEqual({ kind: 'next' }) expect(nextServer.next).toHaveBeenCalledTimes(1) }) + + it('allows dashboard API requests through so auth endpoints can set and read cookies', async () => { + const { default: middleware } = await loadMiddleware() + + const response = middleware(request('https://workspace.example.com/dashboard/api/v1/auth/employee/login') as never) + + expect(response).toEqual({ kind: 'next' }) + expect(nextServer.redirect).not.toHaveBeenCalled() + }) }) diff --git a/apps/dashboard/src/middleware.ts b/apps/dashboard/src/middleware.ts index 5f28032..fb18c80 100644 --- a/apps/dashboard/src/middleware.ts +++ b/apps/dashboard/src/middleware.ts @@ -67,6 +67,7 @@ function isInternalHost(host: string | null): boolean { function isProtectedRoute(req: NextRequest) { const pathname = toDashboardAppPath(req.nextUrl.pathname) + if (pathname === '/api' || pathname.startsWith('/api/') || pathname === '/trpc' || pathname.startsWith('/trpc/')) return false if (['/sign-in', '/sign-up', '/forgot-password', '/reset-password', '/onboarding', '/verify-email'].some((p) => pathname === p || pathname.startsWith(p + '/'))) return false return pathname === '/' || (pathname.startsWith('/') && !pathname.startsWith('/_next')) }