From af93daeddc602d52040b157e70b2b9c144167a17 Mon Sep 17 00:00:00 2001
From: Lukas
Date: Sat, 6 Jun 2026 23:08:54 +0200
Subject: [PATCH] fix: allow unresolved page access during setup flow

- Remove premature auth redirect in unresolved.html fetchUnresolved()
- Add /api/setup/ to middleware exempt paths
- Unresolved page now loads without auth token (part of setup flow)
- Only redirect to login on 401 (expired token) or when all folders resolved
---
 src/server/middleware/setup_redirect.py | 1 +
 src/server/web/templates/unresolved.html | 12 +++++-------
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/server/middleware/setup_redirect.py b/src/server/middleware/setup_redirect.py
index b24173e..7958b42 100644
--- a/src/server/middleware/setup_redirect.py
+++ b/src/server/middleware/setup_redirect.py
@@ -37,6 +37,7 @@ class SetupRedirectMiddleware(BaseHTTPMiddleware):
 "/login", # Login page (needs to be accessible after setup)
 "/queue", # Queue page (for initial load)
 "/api/auth/", # All auth endpoints (setup, login, logout, register)
+ "/api/setup/", # Setup API (unresolved folders, etc.)
 "/ws/connect", # WebSocket connection (needed for loading page)
 "/api/queue/", # Queue API endpoints
 "/api/downloads/", # Download API endpoints
diff --git a/src/server/web/templates/unresolved.html b/src/server/web/templates/unresolved.html
index dfd7280..719fbb4 100644
--- a/src/server/web/templates/unresolved.html
+++ b/src/server/web/templates/unresolved.html
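Review bot: The new entry `"/api/setup/"` exempts every route under that prefix from this middleware, while the commit message only needs `/api/setup/unresolved`; the trailing slash suggests prefix matching, though the matching code is outside this hunk. The exemption has no visible condition on setup state, so as far as the hunk shows it keeps applying after setup is complete, and any setup route added later inherits it. I would narrow it to `"/api/setup/unresolved",  # Unresolved-folder listing, needed before the first login` and have the comment say that the handler must enforce its own authorization once setup has finished. The list this line belongs to starts and ends outside the hunk.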
@@ -443,15 +443,13 @@
 // API client helpers
 async function fetchUnresolved() {
+ // Note: /api/setup/unresolved does not require auth
+ // It's accessible during the initial setup flow
 const token = localStorage.getItem('auth_token');
- if (!token) {
- window.location.href = '/login';
- return null;
- }
- const res = await fetch('/api/setup/unresolved', {
- headers: { 'Authorization': `Bearer ${token}` }
- });
+ const headers = token ? { 'Authorization': `Bearer ${token}` } : {};
+ const res = await fetch('/api/setup/unresolved', { headers });
 if (res.status === 401) {
+ // Redirect to login only if we had a token but it expired
 localStorage.removeItem('auth_token');
 window.location.href = '/login';
 return null;
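Review bot: The comment added inside the 401 branch says the redirect happens only when a token was present and had expired, but the condition is still `if (res.status === 401) {`, so a request sent without any token is redirected to /login as well. The comment should describe what the code does, for example `// 401: drop any stored token and send the user to login`. The comment at the top of fetchUnresolved() states that `/api/setup/unresolved` needs no auth, yet nothing in this patch touches the endpoint's own authorization, so that claim cannot be checked from here. If the endpoint really is open, it should answer unauthenticated callers only while setup is incomplete, since it presumably returns folder names from the server. fetchUnresolved() continues past the end of the hunk.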