From 46bd8aaef1d11d895aaf6b3a8d7ef2bb8302cff2 Mon Sep 17 00:00:00 2001
From: Matt Ciaccio
Date: Wed, 22 Apr 2026 17:22:53 +0200
Subject: [PATCH] fix: allow /portal and /api/portal paths without CRM session

The portal has its own JWT-based auth (withPortalAuth). The CRM middleware was redirecting /portal/login and /api/portal/auth/request to /login, breaking the magic-link flow for unauthenticated clients.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 src/middleware.ts | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/middleware.ts b/src/middleware.ts
index 3657667..82211a6 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -12,6 +12,8 @@ const PUBLIC_PATHS: string[] = [
 '/api/public/',
 '/api/health',
 '/scan',
+ '/portal/',
+ '/api/portal/',
 ];

 function isPublicPath(pathname: string): boolean {
@@ -35,10 +37,7 @@ export function middleware(request: NextRequest): NextResponse {
 if (!sessionToken?.value) {
 if (isApiRoute(pathname)) {
 // API routes return 401 JSON — never redirect
- return NextResponse.json(
- { error: 'Authentication required' },
- { status: 401 },
- );
+ return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
 }

 // Page routes redirect to /login, preserving the intended destination
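Review bot: The two entries added to `PUBLIC_PATHS` in the first hunk, `'/portal/'` and `'/api/portal/'`, exempt whole prefixes from the CRM session check rather than only the two pre-auth endpoints the description names (`/portal/login` and `/api/portal/auth/request`). After this change a handler under `/api/portal/` is protected only if it applies `withPortalAuth` itself, so a route added later without it would be served with no credentials at all. Consider listing just the endpoints that must work before login, or keep the prefixes and add a comment above them such as `// portal routes skip the CRM session check; every handler must enforce withPortalAuth`, backed by a test that calls each portal API route without a token and expects 401. The body of `isPublicPath` is outside the hunk, so how the entries are matched (prefix or exact, and whether a bare `/portal` is covered) cannot be confirmed from here.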