Require access token presence in MainContainer auth gate before route entry

Co-Authored-By: Codex <codex@openai.com>

src/views/MainContainer.vue

@@ -56,23 +56,22 @@ export default {
   async beforeRouteEnter(to, from, next) {
     const loginStore = useLoginStoreInGuard();
     const relativeReturnTo = `${window.location.pathname}${window.location.search}${window.location.hash}`;
+    const hasLoginMarker = Boolean(getCookie("isLuciaLoggedIn"));
+    const hasAccessToken = Boolean(getCookie("luciaToken"));
+    const hasRefreshToken = Boolean(getCookie("luciaRefreshToken"));
 
-    if (!getCookie("isLuciaLoggedIn")) {
+    if (hasLoginMarker && hasAccessToken) {
-      if (getCookie("luciaRefreshToken")) {
+      next();
-        try {
+      return;
-          await loginStore.refreshToken();
+    }
-          loginStore.setIsLoggedIn(true);
+
-          setCookie("isLuciaLoggedIn", "true");
+    if (hasRefreshToken) {
-          next();
+      try {
-        } catch (error) {
+        await loginStore.refreshToken();
-          next({
+        loginStore.setIsLoggedIn(true);
-            path: "/login",
+        setCookie("isLuciaLoggedIn", "true");
-            query: {
+        next();
-              "return-to": btoa(relativeReturnTo),
+      } catch (error) {
-            },
-          });
-        }
-      } else {
         next({
           path: "/login",
           query: {
@@ -81,7 +80,12 @@ export default {
         });
       }
     } else {
-      next();
+      next({
+        path: "/login",
+        query: {
+          "return-to": btoa(relativeReturnTo),
+        },
+      });
     }
   },
   // Remember, Swal modal handling is called before beforeRouteUpdate

tests/views/MainContainerGuard.test.js

@@ -84,14 +84,25 @@ describe("MainContainer beforeRouteEnter", () => {
     );
   });
 
-  it("calls next() when already logged in", async () => {
+  it("calls next() when logged-in marker and access token both exist", async () => {
     document.cookie = "isLuciaLoggedIn=true";
+    document.cookie = "luciaToken=token";
 
     await callGuard();
 
     expect(next).toHaveBeenCalled();
   });
 
+  it("redirects to login when logged-in marker exists without access token", async () => {
+    document.cookie = "isLuciaLoggedIn=true";
+
+    await callGuard();
+
+    expect(next).toHaveBeenCalledWith(
+      expect.objectContaining({ path: "/login" }),
+    );
+  });
+
   it("stores a relative return-to path when redirecting to login", async () => {
     window.history.replaceState(
       {},