From a0a069c5250e6885e071e49032e1f756b0dee295 Mon Sep 17 00:00:00 2001
From: alvis
Date: Mon, 11 May 2026 11:12:16 +0000
Subject: [PATCH] fix(admin): break redirect loop on /forbidden for non-admin users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The middleware was redirecting non-admins to /forbidden but /forbidden wasn't excluded from the matcher, so the middleware ran again on that page, saw a non-admin, and redirected again — infinite loop. Added /forbidden to the pass-through list alongside /login.
Co-Authored-By: Claude Sonnet 4.6
---
 apps/admin/src/middleware.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/admin/src/middleware.ts b/apps/admin/src/middleware.ts
index f21cf3f..67a3114 100644
--- a/apps/admin/src/middleware.ts
+++ b/apps/admin/src/middleware.ts
@@ -4,8 +4,8 @@ import type { NextRequest } from 'next/server';
 export async function middleware(req: NextRequest) {
 const { pathname } = req.nextUrl;
- // Pass through the login page and API calls
- if (pathname.startsWith('/login') || pathname.startsWith('/api/')) {
+ // Pass through the login page, forbidden page, and API calls
+ if (pathname.startsWith('/login') || pathname.startsWith('/forbidden') || pathname.startsWith('/api/')) {
 return NextResponse.next();
 }
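Review bot: The new `pathname.startsWith('/forbidden')` clause exempts every path that merely begins with that string from the admin check, not just the forbidden page, so a route added later under a name with that prefix would skip authorization without anyone noticing. Since this allowlist is the admin app's authorization boundary, match the page exactly, e.g. `pathname === '/forbidden' || pathname.startsWith('/forbidden/')`, or only `pathname === '/forbidden'` if the page has no sub-routes. The existing `/login` clause has the same prefix looseness and could be tightened in the same change. The `/api/` pass-through is unchanged here, but it presumably means each API handler must enforce admin rights itself; a comment next to the condition saying so would help. The rest of `middleware` lies outside the hunk, so I could not check how the non-admin redirect itself is decided.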