Context
The finance tracker at /finance was redirecting unauthenticated users to WordPress wp-admin instead of the app login page. Header links appeared to go through wp-admin because the middleware auth redirect was missing the /finance basePath prefix.
Root Cause
The middleware used new URL("/login", req.url) which constructs an absolute URL at /login, ignoring Next.js basePath. When deployed at /finance, this sent users to pezant.ca/login, which WordPress caught and redirected to wp-login.php.
Fix
Changed to req.nextUrl.clone() with .pathname = "/login", which respects the configured basePath and correctly redirects to /finance/login.
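The root cause and fix above, reproduced with the standard URL class so it runs in plain Node; this is an added example, not the project's middleware. The function names are hypothetical, basePathLoginRedirect is a hand-written stand-in for what req.nextUrl.clone() does inside Next.js, and staysInBasePath is an added check suitable for a unit test.

```javascript
// Added example: constructed model of the redirect logic, no Next.js required.
// BASE_PATH matches the page; all function names are hypothetical.
const BASE_PATH = "/finance";

// "Before": an absolute path resolved against the request URL replaces the
// whole path, so the /finance prefix is lost.
function rawLoginRedirect(requestUrl) {
  return new URL("/login", requestUrl);
}

// Stand-in for req.nextUrl.clone() + pathname = "/login": NextURL re-applies
// the configured basePath when it serializes; here the prefix is added by hand.
function basePathLoginRedirect(requestUrl, basePath = BASE_PATH) {
  const url = new URL(requestUrl);
  url.pathname = `${basePath}/login`;
  return url;
}

// Guard: the redirect target must stay on the same origin and inside basePath.
// Matching on a path-segment boundary keeps "/finance-old/login" from passing
// as "/finance". An empty basePath (local dev) accepts any same-origin path.
function staysInBasePath(target, requestUrl, basePath = BASE_PATH) {
  const t = new URL(target, requestUrl);
  const sameOrigin = t.origin === new URL(requestUrl).origin;
  const inScope =
    basePath === "" ||
    t.pathname === basePath ||
    t.pathname.startsWith(basePath + "/");
  return sameOrigin && inScope;
}

// Constructed request URL for the deployed app.
const request = "https://pezant.ca/finance/dashboard";
for (const redirect of [rawLoginRedirect, basePathLoginRedirect]) {
  const target = redirect(request);
  const verdict = staysInBasePath(target, request) ? "ok" : "ESCAPES basePath";
  console.log(`${redirect.name} -> ${target.href} (${verdict})`);
}
```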
Deploy Script
During the fix deployment, rsync --delete overwrote the VM production .env (DATABASE_URL on port 5432) with the local dev config (port 15432), breaking the DB connection. Created scripts/deploy.sh that standardizes the deploy flow with --exclude='.env', .env integrity checks, PM2 restart, and health verification with retries.
Decisions
- req.nextUrl.clone() over hardcoded path – works in both local dev (no basePath) and production (/finance)
- Deploy script over documented manual steps – eliminates forgot-a-step errors entirely
- Config via .deploy.env – gitignored file keeps sensitive hostnames out of public repo
Commits
- 6b4b9cc – Fix middleware redirect missing basePath
- 3cf493d – Add deploy script with .env protection and health verification
- 52b20a3 – Update context.md and progress.md
Key Learning
Next.js middleware redirects behind a basePath must always use req.nextUrl methods, never raw new URL(). The latter ignores basePath and produces bare paths that fall through to whatever else handles the domain root.