s0wlz (Matthias Puchstein)
08cb668bab
All checks were successful
Release / release (push) Successful in 7m12s
The admin layout guard rendered only a "Redirecting to login..." placeholder for the /admin/login child route, trapping every unauthenticated visitor. Exempt the login route from the auth gate so the form renders correctly. Also wire the new POST /api/auth/refresh endpoint (from the dual-token migration) into both auth.init() and the api request() 401 handler, so sessions survive the 15-minute access-token lifetime without a hard logout. Adds a Playwright regression test asserting the login form is visible in a clean (no-cookie) browser context.