how to exclude a specific route from middlewares that wrap that scope

[MrAliSalehi]

the title might not be the best, but TBH I cant think of anything else, forgive me for that

I have this App:

App::new()
            .service(index)
            .service(
                web::scope("/api")
                    .service(login)
                    .service(
                        web::scope("")
                            .service(index)
                            .service(logout)
                            .service(
                                web::scope("/hello")
                                    .service(hello)
                            )
                            .wrap(middlewares::auth::JwtMiddleware)
                    )
            )
            .wrap(Logger::new("%a [%t] - size:%bB, took %D ms : %r %{Referer}i STATUS %s "))
            .app_data(Data::clone(&pool))

which defines a /api scope that contains login, logout and another /hello scope
what Im trying to achieve is that the login shouldn't be processed by JwtMiddleware and also if a user is already logged-in, the login should not be allowed to call.
which is where the problem is, this is how im trying to do it:

#[get("/login/{id}")]
pub async fn login(db: web::Data<PgPool>, user:Path<User>,req:HttpRequest) -> actix_web::Result<impl Responder> {

    if let Some(user) = req.extensions().get::<User>() {
        return Ok(HttpResponse::Ok().json(json!({"message":format!("you are already logged in with {}",user.id)})))
    }

    match db::user::exists(&db, &user.id).await {
        Ok(exist) => {
            if !exist{
                return Ok(HttpResponse::BadRequest().json(json!({"message":"user not found"})));
            }
        }
        Err(_) => {
          return Ok(HttpResponse::InternalServerError().json(json!({"message":"internal error"})));
        }
    };

    let now = Utc::now();
    let claims: TokenClaims = TokenClaims {
        sub: user.id.to_string(),
        exp: (now + Duration::days(365)).timestamp() as usize,
        iat: now.timestamp() as usize,
    };
    let token = encode(&Header::default(), &claims,
                       &EncodingKey::from_secret("some secret".as_bytes()) ).unwrap();


    let cookie = Cookie::build("token", token.to_owned())
        .path("/")
        .max_age(actix_web::cookie::time::Duration::days(365))
        .http_only(true)
        .finish();

    req.extensions_mut().insert::<User>(user.into_inner());

    Ok(
        HttpResponse::Ok()
            .cookie(cookie)
            .json(json!({"status": "success", "token": token}))
    )
}

the JwtMiddleware call:

fn call(&self, req: ServiceRequest) -> Self::Future {
    if let Some(token) = req.cookie("token") {
        match decode::<TokenClaims>(
            token.value(),
            &DecodingKey::from_secret("some secret".as_bytes()),
            &Validation::default(),
        ) {
            Ok(decoded) => {
                let user = User { id: uuid::Uuid::parse_str(decoded.claims.sub.as_str()).unwrap() };

                if req.extensions().contains::<User>() {
                    return Box::pin(async move {
                        Ok(req.into_response(HttpResponse::Ok()
                            .json(json!({"message":format!("you are already logged in with {}",user.id)})))
                            .map_into_boxed_body())
                    });
                }
                req.extensions_mut().insert::<User>(user);

                let fut = self.service.call(req);

                Box::pin(async move {
                    let res = fut.await?;
                    Ok(res.map_into_boxed_body())
                })
            }
            Err(_) => {
                Box::pin(async move {
                    Ok(
                        req.into_response(HttpResponse::Unauthorized().json(json!({"message":"Invalid Token"})))
                            .map_into_boxed_body()
                    )
                })
            }
        }
    } else {
        Box::pin(async move {
            Ok(
                req.into_response(HttpResponse::Unauthorized().json(json!({"message":"You are not logged in"})))
                    .map_into_boxed_body()
            )
        })
    }
}

notice that im inserting the user in extensions as well as cookies, and at the beginning im checking if it already exist then do not proceed, but the check fails and it seems the extension is not storing the user or... IDK.
im not sure if this is even the best practice or not, but it doesn't work anyway..
what could be the problem here?