Require access token presence in MainContainer auth gate before route entry

Co-Authored-By: Codex <codex@openai.com>

src/views/MainContainer.vue

@@ -56,9 +56,16 @@ export default {
   async beforeRouteEnter(to, from, next) {
     const loginStore = useLoginStoreInGuard();
     const relativeReturnTo = `${window.location.pathname}${window.location.search}${window.location.hash}`;
+    const hasLoginMarker = Boolean(getCookie("isLuciaLoggedIn"));
+    const hasAccessToken = Boolean(getCookie("luciaToken"));
+    const hasRefreshToken = Boolean(getCookie("luciaRefreshToken"));
 
-    if (!getCookie("isLuciaLoggedIn")) {
-      if (getCookie("luciaRefreshToken")) {
+    if (hasLoginMarker && hasAccessToken) {
+      next();
+      return;
+    }
+
+    if (hasRefreshToken) {
       try {
         await loginStore.refreshToken();
         loginStore.setIsLoggedIn(true);
@@ -80,9 +87,6 @@ export default {
         },
       });
     }
-    } else {
-      next();
-    }
   },
   // Remember, Swal modal handling is called before beforeRouteUpdate
   beforeRouteUpdate(to, from, next) {

tests/views/MainContainerGuard.test.js

@@ -84,14 +84,25 @@ describe("MainContainer beforeRouteEnter", () => {
     );
   });
 
-  it("calls next() when already logged in", async () => {
+  it("calls next() when logged-in marker and access token both exist", async () => {
     document.cookie = "isLuciaLoggedIn=true";
+    document.cookie = "luciaToken=token";
 
     await callGuard();
 
     expect(next).toHaveBeenCalled();
   });
 
+  it("redirects to login when logged-in marker exists without access token", async () => {
+    document.cookie = "isLuciaLoggedIn=true";
+
+    await callGuard();
+
+    expect(next).toHaveBeenCalledWith(
+      expect.objectContaining({ path: "/login" }),
+    );
+  });
+
   it("stores a relative return-to path when redirecting to login", async () => {
     window.history.replaceState(
       {},