poprawki

app.py

@@ -104,7 +104,7 @@ def serve_js(filename):
     response.cache_control.no_cache = True
     response.cache_control.no_store = True
     response.cache_control.must_revalidate = True
-    response.expires = 0
+    #response.expires = 0
     response.pragma = 'no-cache'
     response.headers.pop('Content-Disposition', None)
     response.headers.pop('Etag', None)
@@ -183,9 +183,21 @@ def inject_has_authorized_cookie():
 def require_system_password():
     if 'authorized' not in request.cookies \
        and request.endpoint != 'system_auth' \
-       and not request.endpoint.startswith('static') \
        and not request.endpoint.startswith('login') \
        and request.endpoint != 'favicon':
+        # specjalny wyjątek dla statycznych, ale sprawdzany ręcznie niżej
+        if request.endpoint == 'static_bp.serve_js':
+            # tu sprawdzamy czy to JS, który ma być chroniony
+            protected_js = ["live.js", "list_guest.js", "hide_list.js", "socket_reconnect.js"]
+            requested_file = request.view_args.get("filename", "")
+            if requested_file in protected_js:
+                return redirect(url_for('system_auth', next=request.url))
+            else:
+                return  # pozwól na inne pliki statyczne
+
+        if request.endpoint.startswith('static_bp.'):
+            return  # np. CSS, favicon, inne — pozwól
+
         if request.path == '/':
             return redirect(url_for('system_auth'))
         else: