update auth

backend/src/routes/auth.js

@@ -7,6 +7,7 @@ const pool = require('../config/database');
 const { validateRequest } = require('../utils/validation');
 const { registerSchema, loginSchema, changePasswordSchema } = require('../utils/validation');
 const { AppError } = require('../middleware/errorHandler');
+const { authenticateToken } = require('../middleware/auth');
 
 const router = express.Router();
 
@@ -231,7 +232,7 @@ router.get('/authentik/callback',
 // @route   POST /api/auth/change-password
 // @desc    Change user password
 // @access  Private
-router.post('/change-password', validateRequest(changePasswordSchema), async (req, res, next) => {
+router.post('/change-password', authenticateToken, validateRequest(changePasswordSchema), async (req, res, next) => {
   try {
     const { currentPassword, newPassword } = req.body;
     const userId = req.user.id;
@@ -305,7 +306,7 @@ router.post('/forgot-password', async (req, res, next) => {
 // @route   GET /api/auth/me
 // @desc    Get current user info
 // @access  Private
-router.get('/me', async (req, res, next) => {
+router.get('/me', authenticateToken, async (req, res, next) => {
   try {
     const userResult = await pool.query(
       'SELECT id, email, first_name, last_name, role, created_at FROM users WHERE id = $1',

frontend/src/services/api.js

@@ -35,7 +35,10 @@ apiClient.interceptors.response.use(
     if (error.response?.status === 401) {
       // Unauthorized - clear token and redirect to login
       localStorage.removeItem('authToken');
-      window.location.href = '/login';
+      // Use React Router navigation instead of hard redirect
+      if (window.location.pathname !== '/login' && window.location.pathname !== '/register') {
+        window.location.href = '/login';
+      }
     } else if (error.response?.status === 403) {
       // Forbidden
       toast.error('You do not have permission to perform this action');