login fix

server/src/index.ts

@@ -30,7 +30,7 @@ app.use('/api/uploads', express.static(UPLOAD_PATH));
 app.use('/api/projects', requireAuth, projectsRouter);
 app.use('/api/tools', requireAuth, toolsRouter);
 app.use('/api/uploads', requireAuth, uploadsRouter); // handles POST + DELETE only
-app.use('/api/settings', requireAuth, settingsRouter);
+app.use('/api/settings', settingsRouter); // GET is public (branding on login page); PUT/POST require admin (per-method in router)
 app.use('/api/users', usersRouter); // requireAdmin applied inside router
 
 // Serve built React client in production

server/src/routes/settings.ts

@@ -3,6 +3,7 @@ import multer from 'multer';
 import path from 'path';
 import { v4 as uuidv4 } from 'uuid';
 import db, { UPLOAD_PATH } from '../db/schema';
+import { requireAdmin } from '../middleware/auth';
 
 const router = Router();
 
@@ -27,7 +28,7 @@ router.get('/', (_req: Request, res: Response) => {
   res.json(settings);
 });
 
-router.put('/', (req: Request, res: Response) => {
+router.put('/', requireAdmin, (req: Request, res: Response) => {
   const allowed = ['app_title', 'logo_url', 'accent_color', 'company_name'];
   const upsert = db.prepare('INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)');
   const update = db.transaction((body: Record<string, any>) => {
@@ -45,7 +46,7 @@ router.put('/', (req: Request, res: Response) => {
   res.json(settings);
 });
 
-router.post('/logo', logoUpload.single('logo'), (req: Request, res: Response) => {
+router.post('/logo', requireAdmin, logoUpload.single('logo'), (req: Request, res: Response) => {
   if (!req.file) return res.status(400).json({ error: 'No file uploaded' });
   const url = `/api/uploads/${req.file.filename}`;
   db.prepare('INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)').run('logo_url', JSON.stringify(url));