UniqueSoft/TenerifeProp
2
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): disable adminHtmlAuth middleware — fix admin panel 302 loop

Browse Source 
adminHtmlAuth middleware was intercepting ALL /admin/* requests before
serveStatic could serve component files (dashboard.html, properties.html, etc),
causing infinite 302 redirects to /login.

Solution: Disable server-side auth middleware for /admin/* HTML routes.
Client-side auth check in admin.js already redirects to /login.
API endpoints remain protected by requireAdmin middleware.

Refs: production server tenerifeprop.es
This commit is contained in:
APAW Agent Sync
2026-05-14 00:19:11 +01:00
parent 14c2971993
commit d7e0a81336
1 changed files with 7 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/server/index.ts
View File

@@ -1746,33 +1746,16 @@ app.get('/api/admin/analytics/charts', requireAdmin, (c) => {
})
// Admin HTML auth middleware - redirects unauthenticated users to login
const adminHtmlAuth = async (c: any, next: any) => {
const path = c.req.path
// Skip static assets (CSS, JS, images, fonts)
if (/\.(css|js|png|jpg|jpeg|gif|svg|ico|woff2?|ttf|eot)$/i.test(path)) {
return await next()
}
// Check auth for admin HTML pages
const sessionId = c.req.header('Cookie')?.match(/session=([^;]+)/)?.[1]
if (!sessionId) {
return c.redirect('/login', 302)
}
const session = getSession(sessionId)
if (!session) {
return c.redirect('/login', 302)
}
c.set('user', { id: session.userId, role: session.role })
// NOTE: This middleware is currently DISABLED because it conflicts with serveStatic
// for admin component files (dashboard.html, properties.html, etc.)
// Client-side auth check in admin.js handles redirect to /login
// API endpoints remain protected by requireAdmin middleware
const adminHtmlAuthDisabled = async (c: any, next: any) => {
// Middleware disabled — client-side auth in admin.js
// Keep function for reference but do NOT use app.use('/admin', ...)
await next()
}
// Apply admin auth middleware to all /admin routes
app.use('/admin', adminHtmlAuth)
app.use('/admin/*', adminHtmlAuth)
// Serve static files and SPA routes (clean URLs without .html)
// Admin component files - serve explicitly BEFORE the /admin route
app.get('/admin/sidebar.html', serveStatic({ path: './public/admin/sidebar.html' }))