fix(middleware): remove redirect on stale token so login page can load #50

Merged: eliteprox merged 1 commit into main from jm/fix-stale-login-token on Feb 11, 2026

@eliteprox eliteprox commented Feb 11, 2026

Summary

Fixes a bug where users with a stale or invalid auth token were unable to reach the login page. Middleware redirected them to the dashboard, which would then fail auth and could leave the app stuck. This PR lets the login page load for auth routes regardless of token presence, and validates the token client-side so valid sessions still redirect to the dashboard.

Changes

  • middleware.ts: Removed the redirect that sent users with a token from /login and /register to /dashboard. Auth routes are now allowed through; AuthProvider handles validation and redirects.
  • login/page.tsx: Added a useEffect that redirects authenticated users to /dashboard when AuthProvider confirms a valid session.
  • login/page.tsx: Imported useRouter for the redirect logic.

Type

  • Feature
  • Bug fix
  • Refactor
  • Documentation
  • CI / Tooling
  • Plugin (new or update)
  • Dependencies

Plugin(s) Affected

Checklist

  • Tests pass locally
  • Lint passes (npm run lint)
  • Build succeeds (npm run build)
  • No new lint warnings introduced
  • Breaking changes documented below
  • Database migration included (if Prisma schema changed)

Breaking Changes

None

Screenshots / Recordings

Summary by CodeRabbit

  • Bug Fixes

    • Login page now performs a safe client-side redirect to the dashboard (or a provided return path) when users are already authenticated, preventing unnecessary access to the login form.
  • Chores

    • Removed the automatic server-side redirect that previously blocked authenticated users from visiting auth pages, allowing direct access when needed.

Copilot AI review requested due to automatic review settings February 11, 2026 02:25
vercel Bot commented Feb 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| naap-platform | Ready | Preview, Comment | Feb 11, 2026 9:59pm |

@github-actions github-actions Bot added size/S Small PR (11-50 lines) scope/shell Shell app changes and removed size/S Small PR (11-50 lines) labels Feb 11, 2026
@eliteprox eliteprox requested a review from seanhanca February 11, 2026 02:26
Copilot AI left a comment

Pull request overview

Fixes an auth-flow edge case where a stale/invalid token cookie prevented users from reaching /login by removing middleware-based redirects for auth routes and shifting redirect behavior to the client after session validation.

Changes:

  • Removed middleware redirect that forced any token-bearing request on auth routes to /dashboard.
  • Added client-side redirect on the login page when AuthProvider confirms an authenticated session.
  • Updated login page navigation imports to support the redirect.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| apps/web-next/src/middleware.ts | Stops redirecting auth routes based solely on token presence, allowing login/register pages to load even with stale cookies. |
| apps/web-next/src/app/(auth)/login/page.tsx | Redirects authenticated users away from /login after client-side session validation. |

Comments suppressed due to low confidence (2)

apps/web-next/src/middleware.ts:208

  • The middleware change fixes a regression-prone redirect edge case (stale/invalid token on /login). There isn’t an automated test covering this behavior today; please add a Playwright test that sets a bogus naap_auth_token cookie and verifies /login renders (and does not redirect to /dashboard).
  const response = NextResponse.next();
  response.headers.set('x-request-id', requestId);
  response.headers.set('x-trace-id', traceId);
  return response;

apps/web-next/src/middleware.ts:208

  • After removing the auth-route redirect block, authRoutes is no longer referenced anywhere in this middleware file, which will trigger the configured ESLint @typescript-eslint/no-unused-vars warning. Please remove authRoutes (and update the associated comment) or re-introduce a concrete usage so the list isn’t dead code.
  const response = NextResponse.next();
  response.headers.set('x-request-id', requestId);
  response.headers.set('x-trace-id', traceId);
  return response;

Comment thread apps/web-next/src/app/(auth)/login/page.tsx Outdated
@github-actions github-actions Bot added the size/S Small PR (11-50 lines) label Feb 11, 2026
coderabbitai Bot commented Feb 11, 2026

Walkthrough

Relocates auth redirect logic from server-side middleware to the client-side login page: middleware no longer auto-redirects authenticated users away from auth routes; the login page now performs a client-side redirect to a safe path when auth state indicates the user is authenticated.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Client-side Auth Redirect: apps/web-next/src/app/(auth)/login/page.tsx | Imported useRouter, expanded useAuth usage to include isAuthenticated, added a useEffect that, when not loading and authenticated, computes a safe redirect (query redirect or /dashboard) and calls router.replace. |
| Middleware Auth Check Removal: apps/web-next/src/middleware.ts | Removed the branch that redirected authenticated users away from auth routes (server-side redirect to /dashboard); other middleware behaviors remain unchanged. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Browser
    participant Middleware
    participant LoginPage
    participant AuthProvider
    participant Router
    note over Browser,Middleware: Old flow (before change)
    Browser->>Middleware: Request /login
    Middleware-->>Browser: Detect auth token -> Redirect to /dashboard
    note over Browser,LoginPage,AuthProvider,Router: New flow (after change)
    Browser->>Middleware: Request /login
    Middleware-->>Browser: Serve login page (no auth redirect)
    Browser->>LoginPage: Render
    LoginPage->>AuthProvider: Query auth state (isLoading, isAuthenticated)
    AuthProvider-->>LoginPage: Return auth state
    LoginPage->>Router: router.replace(safeRedirect)
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely describes the main fix: removing middleware redirect logic for stale tokens to allow the login page to load. |


No actionable comments were generated in the recent review. 🎉


coderabbitai Bot previously approved these changes Feb 11, 2026
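
The walkthrough above says the login page computes a safe redirect (the `redirect` query value or /dashboard) before calling router.replace. The following is an added example, not code from this PR or the project, of one way to validate such a value so only same-site paths are followed; `safeRedirectPath`, the constants and the placeholder origin are assumptions.

```typescript
// Added example: validate a post-login redirect target before router.replace().
// All names below are hypothetical and do not come from the PR.
const DEFAULT_REDIRECT = '/dashboard';
const AUTH_ROUTES = ['/login', '/register'];
// Only used as a base for resolving relative paths; never contacted.
const PLACEHOLDER_ORIGIN = 'https://app.invalid';

function safeRedirectPath(
  raw: string | null | undefined,
  fallback: string = DEFAULT_REDIRECT,
): string {
  if (!raw) return fallback;
  // Must be a site-relative path: exactly one leading slash, so "//host"
  // (protocol-relative) and "scheme://host" values are refused.
  if (!raw.startsWith('/') || raw.startsWith('//')) return fallback;
  // URL parsers strip tabs/newlines and treat "\" like "/", which can turn
  // an innocent-looking path into another host. Refuse them outright.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return fallback;
  try {
    const url = new URL(raw, PLACEHOLDER_ORIGIN);
    // Defence in depth: the resolved target must stay on the base origin.
    if (url.origin !== PLACEHOLDER_ORIGIN) return fallback;
    // Compare the normalised path, so "/a/../login" is caught as well.
    // Sending an authenticated user back to an auth route would loop.
    const onAuthRoute = AUTH_ROUTES.some(
      (r) => url.pathname === r || url.pathname.startsWith(r + '/'),
    );
    if (onAuthRoute) return fallback;
    return url.pathname + url.search + url.hash;
  } catch {
    return fallback;
  }
}

// Constructed sample values for the `redirect` query parameter.
const SAMPLES: Array<string | null> = [
  '/settings?tab=keys',
  'https://other.example/',
  '//other.example/x',
  '/\\other.example',
  '/a/../login',
  null,
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', safeRedirectPath(s));
}
```

On the login page this would wrap the query value before the redirect, for example `router.replace(safeRedirectPath(searchParams.get('redirect')))`, assuming the page reads the parameter through Next.js `useSearchParams`.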
Comment thread apps/web-next/src/app/(auth)/login/page.tsx Outdated
@seanhanca seanhanca changed the base branch from develop to main February 11, 2026 21:23
@eliteprox eliteprox dismissed coderabbitai[bot]’s stale review February 11, 2026 21:23

The merge-base changed after approval.

@github-actions github-actions Bot added scope/sdk Plugin SDK changes scope/packages Shared package changes scope/infra Infrastructure changes size/S Small PR (11-50 lines) plugin/capacity-planner Capacity Planner plugin plugin/community Community plugin plugin/plugin-publisher Plugin Publisher plugin size/XL Extra large PR (500+ lines) and removed size/S Small PR (11-50 lines) labels Feb 11, 2026
@github-actions

⚠️ This PR is very large (33568 lines changed). Please split it into smaller, focused PRs if possible.

@github-actions github-actions Bot removed size/XL Extra large PR (500+ lines) scope/sdk Plugin SDK changes scope/packages Shared package changes scope/infra Infrastructure changes plugin/capacity-planner Capacity Planner plugin labels Feb 11, 2026
@github-actions github-actions Bot added size/XL Extra large PR (500+ lines) and removed plugin/community Community plugin plugin/plugin-publisher Plugin Publisher plugin labels Feb 11, 2026
- Modify middleware to prevent redirection for authenticated users accessing auth routes, allowing the login page to load even with a stale token.
- Enhance LoginPage component to redirect authenticated users to the dashboard after successful login, improving user experience and handling valid tokens correctly.