From 2a7d22e1c8ab682a69529476cdadc9692b144de0 Mon Sep 17 00:00:00 2001
From: Jake Kasper
Date: Thu, 21 Aug 2025 11:03:18 -0500
Subject: [PATCH] update auth

---
 backend/src/routes/auth.js | 5 +++--
 frontend/src/services/api.js | 5 ++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/backend/src/routes/auth.js b/backend/src/routes/auth.js
index 3c4d52c..82f6795 100644
--- a/backend/src/routes/auth.js
+++ b/backend/src/routes/auth.js
@@ -7,6 +7,7 @@ const pool = require('../config/database');
 const { validateRequest } = require('../utils/validation');
 const { registerSchema, loginSchema, changePasswordSchema } = require('../utils/validation');
 const { AppError } = require('../middleware/errorHandler');
+const { authenticateToken } = require('../middleware/auth');
 
 const router = express.Router();
 
@@ -231,7 +232,7 @@ router.get('/authentik/callback',
 // @route POST /api/auth/change-password
 // @desc Change user password
 // @access Private
-router.post('/change-password', validateRequest(changePasswordSchema), async (req, res, next) => {
+router.post('/change-password', authenticateToken, validateRequest(changePasswordSchema), async (req, res, next) => {
 try {
 const { currentPassword, newPassword } = req.body;
 const userId = req.user.id;
@@ -305,7 +306,7 @@ router.post('/forgot-password', async (req, res, next) => {
 // @route GET /api/auth/me
 // @desc Get current user info
 // @access Private
-router.get('/me', async (req, res, next) => {
+router.get('/me', authenticateToken, async (req, res, next) => {
 try {
 const userResult = await pool.query(
 'SELECT id, email, first_name, last_name, role, created_at FROM users WHERE id = $1',
diff --git a/frontend/src/services/api.js b/frontend/src/services/api.js
index 1f259ce..a93dd58 100644
--- a/frontend/src/services/api.js
+++ b/frontend/src/services/api.js
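Review bot: The `// @access Private` annotations on /change-password and /me were already present before this commit while both routes ran with no authentication middleware, so the comment alone was never enforcing anything; now that `authenticateToken` is wired in on both, add a regression test asserting that an unauthenticated POST /api/auth/change-password and GET /api/auth/me return 401, so the gap cannot silently reopen. Placing `authenticateToken` ahead of `validateRequest(changePasswordSchema)` is the right order: unauthenticated requests are rejected before their body is inspected. Whether `authenticateToken` populates `req.user` with an `id`, which the change-password handler reads on the next line, is not visible here and is a contract of `../middleware/auth` worth confirming. Both handler bodies continue past the end of their hunks.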
@@ -35,7 +35,10 @@ apiClient.interceptors.response.use(
 if (error.response?.status === 401) {
 // Unauthorized - clear token and redirect to login
 localStorage.removeItem('authToken');
- window.location.href = '/login';
+ // Use React Router navigation instead of hard redirect
+ if (window.location.pathname !== '/login' && window.location.pathname !== '/register') {
+ window.location.href = '/login';
+ }
 } else if (error.response?.status === 403) {
 // Forbidden
 toast.error('You do not have permission to perform this action');
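Review bot: The added comment `// Use React Router navigation instead of hard redirect` does not describe the code beneath it, which still performs a hard redirect through `window.location.href = '/login'`; the new `if` only suppresses that redirect when the page is already on /login or /register. Reword it to match the behavior, e.g. `// Hard redirect to /login unless already on an auth page, so a 401 from the login/register request itself does not loop`. The exact comparison on `window.location.pathname` will not match a trailing-slash variant such as `/login/`, which is probably harmless if the router normalizes paths but is worth a quick check. The enclosing interceptor error handler begins and ends outside this hunk.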