Redirect unauthenticated browser requests to login page

- AuthMiddleware now detects browser vs API requests
- Browser requests (Accept: text/html) redirect to /session/begin
- API requests (Accept: application/json or XMLHttpRequest) return JSON 401
- Add docker:test:reset npm script for quick database reset

Author: DawoudIO

package.json

@@ -41,6 +41,7 @@
         "docker:dev:stop": "docker compose -f docker/docker-compose.yaml --profile dev stop",
         "docker:test": "cp docker/Config.php src/Include/Config.php && docker compose -f docker/docker-compose.yaml --profile test up -d",
         "docker:test:down": "docker compose -f docker/docker-compose.yaml --profile test down -v",
+        "docker:test:reset": "docker compose -f docker/docker-compose.yaml --profile ci down -v && docker compose -f docker/docker-compose.yaml -f docker/docker-compose.gh-actions.yaml --profile ci up -d --build",
         "docker:test:login:db": "docker compose -f docker/docker-compose.yaml --profile test exec database bash",
         "docker:test:login:web": "docker compose -f docker/docker-compose.yaml --profile test exec webserver-test bash",
         "docker:test:logs": "docker compose -f docker/docker-compose.yaml --profile test logs -f --tail=10",

src/ChurchCRM/Slim/Middleware/AuthMiddleware.php

@@ -4,6 +4,7 @@
 
 use ChurchCRM\Authentication\AuthenticationManager;
 use ChurchCRM\Authentication\Requests\APITokenAuthenticationRequest;
+use ChurchCRM\dto\SystemURLs;
 use ChurchCRM\Utils\LoggerUtils;
 use Laminas\Diactoros\Response;
 use Psr\Http\Message\ServerRequestInterface;
@@ -50,6 +51,12 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
                     'path' => $request->getUri()->getPath(),
                     'method' => $request->getMethod()
                 ]);
+
+                // Check if this is a browser request - redirect to login instead of JSON error
+                if ($this->isBrowserRequest($request)) {
+                    return $this->redirectToLogin();
+                }
+
                 $response = new Response();
                 $errorBody = json_encode(['error' => gettext('No logged in user'), 'code' => 401]);
                 $response->getBody()->write($errorBody);
@@ -69,4 +76,49 @@ private function isPath(ServerRequestInterface $request, string $pathPart): bool
 
         return false;
     }
+
+    /**
+     * Check if request is from a browser (expects HTML) vs API client (expects JSON)
+     */
+    private function isBrowserRequest(ServerRequestInterface $request): bool
+    {
+        $path = $request->getUri()->getPath();
+
+        // API routes should always return JSON
+        if (str_contains($path, '/api/')) {
+            return false;
+        }
+
+        // Check Accept header - browsers typically send text/html
+        $acceptHeader = $request->getHeaderLine('Accept');
+        if (!empty($acceptHeader)) {
+            // If client explicitly wants JSON, it's an API request
+            if (str_contains($acceptHeader, 'application/json') && !str_contains($acceptHeader, 'text/html')) {
+                return false;
+            }
+            // If client accepts HTML, treat as browser
+            if (str_contains($acceptHeader, 'text/html')) {
+                return true;
+            }
+        }
+
+        // Check X-Requested-With header (AJAX requests)
+        if ($request->getHeaderLine('X-Requested-With') === 'XMLHttpRequest') {
+            return false;
+        }
+
+        // Default to browser for non-API routes
+        return true;
+    }
+
+    /**
+     * Redirect to the login page
+     */
+    private function redirectToLogin(): ResponseInterface
+    {
+        $response = new Response();
+        $redirectUrl = SystemURLs::getRootPath() . '/session/begin';
+
+        return $response->withStatus(302)->withHeader('Location', $redirectUrl);
+    }
 }