From 1dd8627c304cbb2d313b85ac214bb53fb4987be0 Mon Sep 17 00:00:00 2001
From: kovakmedya <egecankomur@gmail.com>
Date: Thu, 21 May 2026 18:46:31 +0300
Subject: [PATCH] fix(middleware): protect jobs/products/finance/connections
 routes

These DLS module routes were added in the previous bootstrap but the auth
middleware's PROTECTED_PREFIXES list still mirrored isletmem's CRM modules,
so /jobs/inbound etc. were returning 200 without a session and exposing the
placeholder shell. Build smoke test caught it; layout-level redirect alone
was not enforcing it for those paths.
---
 src/middleware.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/middleware.ts b/src/middleware.ts
index 5408694..d9e094d 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -16,7 +16,15 @@ const PUBLIC_AUTH_PATHS = [
   "/reset-password",
 ];
 
-const PROTECTED_PREFIXES = ["/dashboard", "/onboarding", "/settings"];
+const PROTECTED_PREFIXES = [
+  "/dashboard",
+  "/onboarding",
+  "/settings",
+  "/jobs",
+  "/products",
+  "/finance",
+  "/connections",
+];
 
 export function middleware(request: NextRequest) {
   const { pathname } = request.nextUrl;