knep · knep · Jun 25, 2026 · Jun 25, 2026
diff --git a/src/tests/web/web_auth_utils_test.py b/src/tests/web/web_auth_utils_test.py
@@ -45,7 +45,12 @@ class LoginResourcesTest(TestCase):
         ('/fonts/roboto-latin-400.60fa3c06.woff'),
         ('/fonts/roboto-latin-400.479970ff.woff2'),
         ('/fonts/roboto-latin-500.020c97dc.woff2'),
-        ('/fonts/roboto-latin-500.87284894.woff')
+        ('/fonts/roboto-latin-500.87284894.woff'),
+        # Vite-built hashed bundles served from /assets/ (used by the login page)
+        ('/assets/login-jEjOHyEw.js'),
+        ('/assets/css-Bn4Yn0er.css'),
+        ('/assets/theme-C3Leg-oT.css'),
+        ('/assets/MaterialIcons-Regular-Bnsxcfr1.woff')
     ])
     def test_is_allowed_during_login_when_allowed(self, resource):
         request_handler = mock_request_handler(method='GET')

diff --git a/src/web/web_auth_utils.py b/src/web/web_auth_utils.py
@@ -117,6 +117,13 @@ def is_allowed_during_login(request_path, login_url, request_handler):
                        '/img/titleBackground_login.jpg',
                        '/img/gitlab-icon-rgb.png']
 
+    # Vite emits the bundled JS/CSS/fonts/images (used by the login page too,
+    # often as hashed and shared chunks) under /assets/. These are static client
+    # resources with no protected data, and the app stays unusable without the
+    # authenticated API, so they must be reachable to render the login page.
+    if request_path.startswith('/assets/'):
+        return True
+
     return (request_path in login_resources) or (request_path.startswith('/theme/'))