Merge fix branch 'mai/knuth/phase-3j-pwa' (static-allowlist for PWA install)

2026-05-15 19:34:34 +02:00
parent a57f9162b8 d49a05b1f4
commit 037d41565c
1 changed files with 8 additions and 0 deletions
--- a/web/auth.go
+++ b/web/auth.go
@@ -95,6 +95,14 @@ func authMiddleware(cfg AuthConfig, logger *slog.Logger, next http.Handler) http
 			next.ServeHTTP(w, r)
 			return
 		}
+		// /static/* must be reachable pre-auth so the PWA install flow works
+		// on the login page (browser fetches the manifest + icon BEFORE the
+		// user signs in, so the "Add to Home Screen" affordance can render).
+		// These are non-sensitive embedded assets — no leakage risk.
+		if strings.HasPrefix(r.URL.Path, "/static/") {
+			next.ServeHTTP(w, r)
+			return
+		}

 		access := tokenFromBearer(r)
 		if access == "" {