Problem
apps/web/src/middleware.ts exports NextAuth middleware for nearly every route except API/static/image/favicon (apps/web/src/middleware.ts lines 1-5). The auth config points sign-in to /auth/signin, but that route is not present in the current app.
This can create a broken first-run experience where protected routing sends users to a missing sign-in page, or future public pages become protected unintentionally.
Suggested fix
Define an explicit route access policy:
- keep /, /auth/signin, and other public pages public
- protect dashboard/module/private app routes
- add the actual sign-in page or remove the custom sign-in override until it exists
Acceptance criteria
- Public routes remain accessible without a session.
- Protected routes redirect to a real sign-in page.
- Missing /auth/signin behavior is resolved.
- Route matcher includes a short comment explaining the policy.
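One way to express the route access policy suggested above as testable pure functions (an added example, not the project's own code). The protected prefixes `/dashboard` and `/modules`, the skipped prefixes, and all function names are assumptions; only `/` and `/auth/signin` come from the issue.

```typescript
// Added example: explicit route policy for the middleware, independent of NextAuth.
type Access = "skip" | "public" | "protected" | "unclassified";
type Decision = { action: "next" } | { action: "redirect"; location: string };

const SIGN_IN_PATH = "/auth/signin"; // must exist as a real page and stay public
const PUBLIC_EXACT = ["/", SIGN_IN_PATH];
const PROTECTED_PREFIXES = ["/dashboard", "/modules"]; // assumed route names
const SKIP_PREFIXES = ["/api", "/_next/static", "/_next/image", "/favicon.ico"]; // assumed

// Match whole path segments so "/dashboard-docs" is not treated as "/dashboard".
function underPrefix(path: string, prefix: string): boolean {
  return path === prefix || path.slice(0, prefix.length + 1) === prefix + "/";
}

// Strip trailing slashes so "/auth/signin/" and "/auth/signin" classify the same.
function normalize(pathname: string): string {
  const p = pathname.replace(/\/+$/, "");
  return p === "" ? "/" : p;
}

function classify(pathname: string): Access {
  const path = normalize(pathname);
  if (SKIP_PREFIXES.some((p) => underPrefix(path, p))) return "skip";
  if (PUBLIC_EXACT.some((p) => p === path)) return "public";
  if (PROTECTED_PREFIXES.some((p) => underPrefix(path, p))) return "protected";
  return "unclassified";
}

// Unclassified paths fail closed (session required); the sign-in page itself
// is public, so an anonymous user is never redirected in a loop.
function decide(pathname: string, hasSession: boolean): Decision {
  const access = classify(pathname);
  if (access === "skip" || access === "public" || hasSession) return { action: "next" };
  const callback = encodeURIComponent(pathname);
  return { action: "redirect", location: `${SIGN_IN_PATH}?callbackUrl=${callback}` };
}

// For a CI check: routes the app ships that the policy does not mention, so a
// new public page is flagged instead of silently becoming protected.
function unclassifiedRoutes(appRoutes: string[]): string[] {
  return appRoutes.filter((r) => classify(r) === "unclassified");
}
```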