from django.conf import settings from django.contrib.auth.views import redirect_to_login class AppLoginRequiredMiddleware: """Require a logged-in session for the /app/ HTMX UI. Deliberately scoped to /app/ only: - /api/ uses DRF token auth (its user isn't resolved until the view runs, so a blanket login check here would wrongly reject valid tokens). - /admin/ has its own login. - the login page and /static/ must stay reachable while logged out. """ def __init__(self, get_response): self.get_response = get_response def __call__(self, request): if request.path.startswith("/app/") and not request.user.is_authenticated: return redirect_to_login(request.get_full_path(), settings.LOGIN_URL) return self.get_response(request)