From f57e5a19a543b1619dc7f5f52a40955adecf17bf Mon Sep 17 00:00:00 2001
From: Alexander Bocken <alexander@bocken.org>
Date: Fri, 20 Mar 2026 06:52:57 +0100
Subject: [PATCH] fitness: require authentication for all fitness routes

---
 src/hooks.server.ts | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/hooks.server.ts b/src/hooks.server.ts
index 7593fbd..ca8f849 100644
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -55,6 +55,19 @@ async function authorization({ event, resolve }: Parameters<Handle>[0]) {
 		}
 	}
 
+	// Protect fitness routes and API endpoints
+	if (event.url.pathname.startsWith('/fitness') || event.url.pathname.startsWith('/api/fitness')) {
+		if (!session) {
+			if (event.url.pathname.startsWith('/api/fitness')) {
+				error(401, {
+					message: 'Authentication required.'
+				});
+			}
+			const callbackUrl = encodeURIComponent(event.url.pathname + event.url.search);
+			redirect(303, `/login?callbackUrl=${callbackUrl}`);
+		}
+	}
+
 	// If the request is still here, just proceed as normally
 	return resolve(event);
 }