fix(auth): blank login page — allow Vite /assets/ bundles during login

[knep]

Symptom

With authentication enabled (e.g. htpasswd), login.html renders blank. Browser console shows:

Failed to load module script: Expected a JavaScript-or-Wasm module script but the
server responded with a MIME type of "text/html".
Refused to apply style from '.../assets/css-*.css' because its MIME type ('text/html') ...

The login page's own bundles are being 302-redirected to login.html?next=/assets/... instead of served.

Root cause

is_allowed_during_login() (which exempts login-page resources from auth) still whitelists the old webpack paths — /js/login.js, /css/login.css, /img/... — that the Vite build no longer produces. Vite emits the login page's JS/CSS/fonts as hashed, often shared chunks under /assets/, none of which match the whitelist → they require auth → redirect to login → blank page.

This is a leftover from the Vite migration and only surfaces when auth is on (so it was invisible in the auth-disabled dev config).

Fix

Allow /assets/ during login. These are static client bundles (no secrets, no protected data); the app stays unusable without the authenticated API, and index.html / admin.html still require auth and redirect to login.

Verification

• Reproduced locally with an htpasswd config: before, /assets/login-*.js → 302→login (blank); after, → 200 and the credentials form renders (verified with Playwright: hasForm: true, hasUserInput: true, container populated; no module-load errors).
• pytest src/tests/ — 1744 passed (added /assets/* cases to web_auth_utils_test.py; admin.html still correctly prohibited).

Note

Backend-only change; not a regression of the recent dark-mode login work (the dark-mode toggle itself renders fine once the bundles load).

🤖 Generated with Claude Code

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!