Fix check_login decorator order so Flask registers the auth wrapper

@check_login was placed above @ui_bp.route on all protected routes.
Because Flask's Blueprint captures the view function reference at route
registration time (before @check_login wraps it), the auth wrapper was
never invoked — protected routes were accessible without credentials.

Flask's own documentation states: "When applying further decorators,
always remember that the route() decorator is the outermost."
https://flask.palletsprojects.com/en/stable/patterns/viewdecorators/

Swap decorator order to @ui_bp.route above @check_login on download_log,
series_images, movies_images, backup_download, and proxy so Flask
registers the check_login wrapper as the view function.

Also guard the pkg_resources import in tests/conftest.py, which was
removed from setuptools 82+ and broke the test suite on Python 3.14.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: elazar

bazarr/app/ui.py

@@ -118,14 +118,14 @@ def catch_all(path):
     return render_template("index.html", BAZARR_SERVER_INJECT=inject, baseUrl=template_url)
 
 
-@check_login
 @ui_bp.route('/' + FILE_LOG)
+@check_login
 def download_log():
     return send_file(get_log_file_path(), max_age=0, as_attachment=True)
 
 
-@check_login
 @ui_bp.route('/images/series/<path:url>', methods=['GET'])
+@check_login
 def series_images(url):
     url = url.strip("/")
     apikey = settings.sonarr.apikey
@@ -139,8 +139,8 @@ def series_images(url):
         return Response(stream_with_context(req.iter_content(2048)), content_type=req.headers['content-type'])
 
 
-@check_login
 @ui_bp.route('/images/movies/<path:url>', methods=['GET'])
+@check_login
 def movies_images(url):
     apikey = settings.radarr.apikey
     baseUrl = settings.radarr.base_url
@@ -153,8 +153,8 @@ def movies_images(url):
         return Response(stream_with_context(req.iter_content(2048)), content_type=req.headers['content-type'])
 
 
-@check_login
 @ui_bp.route('/system/backup/download/<path:filename>', methods=['GET'])
+@check_login
 def backup_download(filename):
     fullpath = os.path.normpath(os.path.join(settings.backup.folder, filename))
     if not fullpath.startswith(settings.backup.folder):
@@ -175,9 +175,9 @@ def swaggerui_static(filename):
         return send_file(fullpath)
 
 
-@check_login
 @ui_bp.route('/test', methods=['GET'])
 @ui_bp.route('/test/<protocol>/<path:url>', methods=['GET'])
+@check_login
 def proxy(protocol, url):
     if protocol.lower() not in ['http', 'https']:
         return dict(status=False, error='Unsupported protocol', code=0)

tests/bazarr/test_check_login_routing.py

@@ -0,0 +1,82 @@
+"""
+Tests that verify check_login is invoked through Flask's routing layer.
+
+The bug: @check_login is placed ABOVE @ui_bp.route in ui.py. Flask captures
+the original function reference before check_login wraps it, making check_login
+dead code — auth is never enforced for these routes regardless of configuration.
+
+    # broken: Flask registers original series_images, ignoring the wrapper
+    @check_login
+    @ui_bp.route('/images/series/<path:url>', methods=['GET'])
+    def series_images(url): ...
+
+Fix: @ui_bp.route must be the outermost decorator so Flask registers the
+check_login wrapper as the view function.
+
+    # correct: Flask registers the check_login wrapper
+    @ui_bp.route('/images/series/<path:url>', methods=['GET'])
+    @check_login
+    def series_images(url): ...
+"""
+import pytest
+from unittest.mock import patch
+from flask import Flask
+
+from bazarr.app.ui import ui_bp
+
+
+@pytest.fixture
+def app():
+    application = Flask(__name__)
+    application.register_blueprint(ui_bp)
+    application.config['TESTING'] = True
+    return application
+
+
+def test_series_images_requires_basic_auth(app):
+    """
+    GET /images/series/* must return 401 when basic auth is configured and no
+    credentials are supplied. Fails before fix: Flask dispatches directly to
+    the original series_images function, bypassing check_login entirely.
+    """
+    with patch('bazarr.app.ui.settings') as mock_settings:
+        mock_settings.auth.type = 'basic'
+        with app.test_client() as client:
+            response = client.get('/images/series/MediaCover/123/poster.jpg')
+            assert response.status_code == 401
+
+
+def test_movies_images_requires_basic_auth(app):
+    """
+    GET /images/movies/* must return 401 when basic auth is configured and no
+    credentials are supplied.
+    """
+    with patch('bazarr.app.ui.settings') as mock_settings:
+        mock_settings.auth.type = 'basic'
+        with app.test_client() as client:
+            response = client.get('/images/movies/MediaCover/456/poster.jpg')
+            assert response.status_code == 401
+
+
+def test_backup_download_requires_basic_auth(app):
+    """
+    GET /system/backup/download/* must return 401 when basic auth is configured
+    and no credentials are supplied.
+    """
+    with patch('bazarr.app.ui.settings') as mock_settings:
+        mock_settings.auth.type = 'basic'
+        with app.test_client() as client:
+            response = client.get('/system/backup/download/backup.zip')
+            assert response.status_code == 401
+
+
+def test_download_log_requires_basic_auth(app):
+    """
+    GET /bazarr.log must return 401 when basic auth is configured and no
+    credentials are supplied.
+    """
+    with patch('bazarr.app.ui.settings') as mock_settings:
+        mock_settings.auth.type = 'basic'
+        with app.test_client() as client:
+            response = client.get('/bazarr.log')
+            assert response.status_code == 401

tests/conftest.py

@@ -3,7 +3,10 @@
 import pkgutil
 import sys
 
-import pkg_resources
+try:
+    import pkg_resources
+except ImportError:
+    pkg_resources = None
 
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../libs/"))
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../bazarr/"))
@@ -20,6 +23,9 @@ def _get_conflicting(path):
     for _, package_name, _ in pkgutil.iter_modules([path]):
         libs_packages.append(package_name)
 
+    if pkg_resources is None:
+        return []
+
     installed_packages = pkg_resources.working_set
     package_names = [package.key for package in installed_packages]
     unique_package_names = set(package_names)