Postgres

innungsapp/apps/admin/middleware.ts

@@ -4,6 +4,7 @@ import type { NextRequest } from 'next/server'
 const PUBLIC_PREFIXES = [
   '/login',
   '/api/auth',
+  '/api/health',
   '/api/trpc/stellen.listPublic',
   '/api/setup',
   '/registrierung',
@@ -11,6 +12,7 @@ const PUBLIC_PREFIXES = [
   '/datenschutz',
 ]
 const PUBLIC_EXACT_PATHS = ['/']
+const TENANT_SHARED_PATHS = ['/login', '/api', '/superadmin', '/registrierung', '/impressum', '/datenschutz', '/passwort-aendern']
 
 // Reserved subdomains that shouldn't be treated as tenant slugs
 const RESERVED_SUBDOMAINS = [
@@ -40,6 +42,19 @@ export function middleware(request: NextRequest) {
     }
   }
 
+  // Normalize stale tenant-prefixed shared paths like /test/login to /login
+  // before auth checks, otherwise callbackUrl can get stuck on /test/login.
+  if (slug) {
+    for (const sharedPath of TENANT_SHARED_PATHS) {
+      const prefixedPath = `/${slug}${sharedPath}`
+      if (pathname === prefixedPath || pathname.startsWith(`${prefixedPath}/`)) {
+        const canonicalUrl = request.nextUrl.clone()
+        canonicalUrl.pathname = pathname.replace(prefixedPath, sharedPath)
+        return NextResponse.redirect(canonicalUrl)
+      }
+    }
+  }
+
   // Allow static files from /public
   const isStaticFile = pathname.includes('.') && !pathname.startsWith('/api')
   const isPublic =
@@ -62,8 +77,7 @@ export function middleware(request: NextRequest) {
   if (slug) {
     // Paths that should not be rewritten into the slug folder
     // because they are shared across the entire app
-    const SHARED_PATHS = ['/login', '/api', '/superadmin', '/registrierung', '/impressum', '/datenschutz', '/passwort-aendern']
-    const isSharedPath = SHARED_PATHS.some((p) => pathname.startsWith(p)) ||
+    const isSharedPath = TENANT_SHARED_PATHS.some((p) => pathname.startsWith(p)) ||
                          pathname.startsWith('/_next') ||
                          /\.(png|jpg|jpeg|gif|svg|webp|ico|txt|xml)$/i.test(pathname)