From 0b47d81c51a4b4200a3130173803a7c0cd66cdef Mon Sep 17 00:00:00 2001
From: Talon <talon@iamtalon.me>
Date: Wed, 13 May 2026 17:03:03 +0200
Subject: [PATCH] Fix: allow static files without auth, only protect /api/*
 routes

---
 src/server/middleware/auth.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/server/middleware/auth.ts b/src/server/middleware/auth.ts
index 82025fe..1db1271 100644
--- a/src/server/middleware/auth.ts
+++ b/src/server/middleware/auth.ts
@@ -4,7 +4,8 @@ const AUTH_USERNAME = process.env.SERVER_USERNAME || 'admin';
 const AUTH_PASSWORD = process.env.SERVER_PASSWORD || 'aidio2024';
 
 export function basicAuth(req: Request, res: Response, next: NextFunction): void {
-  if (req.path === '/api/auth/login' || req.path === '/api/auth/check') {
+  // Allow login/check endpoints and all non-API routes (static files, HTML)
+  if (req.path === '/api/auth/login' || req.path === '/api/auth/check' || !req.path.startsWith('/api/')) {
     next();
     return;
   }