From cb63e4743d08712d2988f1125102fc567a69bf7f Mon Sep 17 00:00:00 2001
From: ZGaetano <zgaetano@wilddragon.net>
Date: Mon, 18 May 2026 13:21:37 -0400
Subject: [PATCH] fix: /me returns guest user when AUTH_ENABLED is false so
 auth-guard never fires on dev

---
 services/mam-api/src/routes/auth.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/services/mam-api/src/routes/auth.js b/services/mam-api/src/routes/auth.js
index 8eb9d0b..efbb4f3 100644
--- a/services/mam-api/src/routes/auth.js
+++ b/services/mam-api/src/routes/auth.js
@@ -74,6 +74,12 @@ router.post('/logout', (req, res, next) => {
 // GET /me
 // ---------------------------------------------------------------------------
 router.get('/me', async (req, res) => {
+  // When auth is disabled return a synthetic guest/admin user so the frontend
+  // auth-guard never receives a 401 and never redirects to login.html.
+  if (process.env.AUTH_ENABLED !== 'true') {
+    return res.json({ id: null, username: 'admin', display_name: 'Admin', role: 'admin' });
+  }
+
   if (!req.session || !req.session.userId) {
     return res.status(401).json({ error: 'Not authenticated' });
   }