Cleaned up login/logout flows.

frontend/src/App.vue

@@ -22,8 +22,12 @@ import PermissionDeniedView from '@/components/PermissionDeniedView.vue'
 const store = useAuthStore()
 
 onMounted(async () => {
-  // Detect restricted mode: any path not starting with /auth/
-  if (!location.pathname.startsWith('/auth/')) {
+  // Detect restricted mode:
+  // We only allow full functionality on the exact /auth/ (or /auth) path.
+  // Any other path (including /, /foo, /auth/admin, etc.) is treated as restricted
+  // so the app will only show login or permission denied views.
+  const path = location.pathname
+  if (!(path === '/auth/' || path === '/auth')) {
     store.setRestrictedMode(true)
   }
   // Load branding / settings first (non-blocking for auth flow)

frontend/src/components/LoginView.vue

@@ -27,9 +27,9 @@ const handleLogin = async () => {
     await authStore.authenticate()
     authStore.showMessage('Authentication successful!', 'success', 2000)
     if (authStore.restrictedMode) {
-      // In restricted mode after successful auth show permission denied (no profile outside /auth/)
-      authStore.currentView = 'permission-denied'
-    } else if (location.pathname.startsWith('/auth/')) {
+      // Restricted mode: reload so the app re-mounts and selectView() applies (will become permission denied)
+      location.reload()
+    } else if (location.pathname === '/auth/') {
       authStore.currentView = 'profile'
     } else {
       location.reload()

frontend/src/components/PermissionDeniedView.vue

@@ -32,7 +32,6 @@ function back() {
 }
 async function logout() {
   await authStore.logout()
-  authStore.currentView = 'login'
 }
 </script>
 <style scoped>

frontend/src/components/ProfileView.vue

@@ -144,7 +144,6 @@ const deleteCredential = async (credentialId) => {
 
 const logout = async () => {
   await authStore.logout()
-  authStore.currentView = 'login'
 }
 
 const isAdmin = computed(() => !!(authStore.userInfo?.is_global_admin || authStore.userInfo?.is_org_admin))

frontend/src/stores/auth.js

@@ -8,7 +8,7 @@ export const useAuthStore = defineStore('auth', {
     settings: null, // Server provided settings (/auth/settings)
     isLoading: false,
     resetToken: null, // transient reset token
-    restrictedMode: false, // If true, app loaded outside /auth/ and should restrict to login or permission denied
+    restrictedMode: false, // Anywhere other than /auth/: restrict to login or permission denied
 
     // UI State
     currentView: 'login',
@@ -129,12 +129,13 @@ export const useAuthStore = defineStore('auth', {
     },
     async logout() {
       try {
-  await fetch('/auth/api/logout', {method: 'POST'})
+        await fetch('/auth/api/logout', {method: 'POST'})
+        this.userInfo = null
+        if (this.restrictedMode) location.reload()
       } catch (error) {
         console.error('Logout error:', error)
+        this.showMessage(error.message, 'error')
       }
-
-      this.userInfo = null
     },
   }
 })