From d88419ccfba93ddf8d1abfd190c336cbca1b4ba3 Mon Sep 17 00:00:00 2001
From: Nathan Esquenazi
Date: Fri, 3 Apr 2026 13:11:07 +0000
Subject: [PATCH] fix(auth): redirect to /login when auth is enabled and accessing root '/' and '/index.html' were in PUBLIC_PATHS, so setting a password and refreshing the root URL would show the app blank (JS loaded but all API calls returned 401) instead of redirecting to /login. Root and index.html must be protected paths so the browser gets a 302 -> /login when auth is active and no valid session cookie exists.
---
 api/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api/auth.py b/api/auth.py
index 34eb5e8..2490c4e 100644
--- a/api/auth.py
+++ b/api/auth.py
@@ -14,7 +14,7 @@ from api.config import STATE_DIR, load_settings
 # ── Public paths (no auth required) ─────────────────────────────────────────
 PUBLIC_PATHS = frozenset({
- '/', '/index.html', '/login', '/health', '/favicon.ico',
+ '/login', '/health', '/favicon.ico',
 '/api/auth/login', '/api/auth/status',
 })
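Review bot: Nothing at the `PUBLIC_PATHS` literal records that `/` and `/index.html` are left out on purpose, and the patch touches only api/auth.py, so no test pins the new behaviour; a later edit could re-add the entries and bring back the blank, unauthenticated shell described in the commit message. I would add a comment above the set, `# '/' and '/index.html' are deliberately not public: without a valid session they must get the 302 to /login`, and a test that requests `/` with auth enabled and no session cookie and expects the redirect. The code that checks a request path against this set is outside the hunk, so it is worth confirming there that the lookup uses the parsed path without the query string and that any path not in the set is treated as protected.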