fix(phase 3j auth): allow /static/* through auth middleware for PWA install

The manifest + icons + sw.js need to be reachable pre-auth so the iOS
'Add to Home Screen' flow can fetch the manifest from the /login page
(the browser fetches install metadata BEFORE the user signs in). Static
assets are embedded, non-sensitive, no leakage risk.
mAi
2026-05-15 19:34:27 +02:00
parent 1d5db0fe7b
commit d49a05b1f4


@@ -95,6 +95,14 @@ func authMiddleware(cfg AuthConfig, logger *slog.Logger, next http.Handler) http
next.ServeHTTP(w, r)
return
}
// /static/* must be reachable pre-auth so the PWA install flow works
// on the login page (browser fetches the manifest + icon BEFORE the
// user signs in, so the "Add to Home Screen" affordance can render).
// These are non-sensitive embedded assets — no leakage risk.
if strings.HasPrefix(r.URL.Path, "/static/") {
next.ServeHTTP(w, r)
return
}
access := tokenFromBearer(r)
if access == "" {
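Review bot: The bypass added at `strings.HasPrefix(r.URL.Path, "/static/")` exempts every HTTP method and every path under the prefix from authentication, which is wider than the manifest, icons and sw.js that the commit message names. It also tests the raw `r.URL.Path`, so a non-canonical path containing `..` segments is exempted before anything has normalised it; whether `next` cleans the path before routing is not visible in this hunk, and if it does not, the middleware and the router could disagree about which resource is being served. I would tighten the condition to `if (r.Method == http.MethodGet || r.Method == http.MethodHead) && path.Clean(r.URL.Path) == r.URL.Path && strings.HasPrefix(r.URL.Path, "/static/") {` (this needs the `path` import), or match an explicit allow-list of the install assets instead of a prefix. The comment should also record the invariant this relies on, for example `// Invariant: nothing user- or tenant-specific may ever be served from /static/; it is unauthenticated.` The body of authMiddleware starts and ends outside the hunk, so the earlier bypass branch and the token handling below were not reviewed.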