cloud: Fix forward_auth to use handle_response for unauthorized redirect

- Use handle_response inside forward_auth instead of handle_errors
- Remove redundant /rest/rpc/auth_gate route (handled by /rest/*)
- Remove redundant (error_handlers) snippet from site blocks

Author: jhf

cloud/Caddyfile.example

@@ -53,7 +53,12 @@
 	handle /pgadmin* {
 		forward_auth localhost:{args[0]} {
 			uri /rpc/auth_gate
-			copy_headers Cookie
+
+			# Handle unauthorized - redirect to login
+			@unauthorized status 401
+			handle_response @unauthorized {
+				redir /?login=required&redirect={uri} 302
+			}
 		}
 		reverse_proxy localhost:{$PGADMIN_PORT:5050} {
 			header_up Host {host}
@@ -73,26 +78,12 @@
 		reverse_proxy localhost:{args[1]}
 	}
 
-	# Auth gate endpoint (for pgAdmin forward_auth)
-	handle /rest/rpc/auth_gate {
-		reverse_proxy localhost:{args[1]}
-	}
-
 	# Next.js application (catch-all)
 	handle {
 		reverse_proxy localhost:{args[0]}
 	}
 }
 
-(error_handlers) {
-	handle_errors {
-		@unauthorized expression {http.error.status_code} == 401
-		handle @unauthorized {
-			redir /?login=required&redirect={uri} 302
-		}
-	}
-}
-
 # =============================================================================
 # TENANT SITE BLOCKS
 # =============================================================================
@@ -101,21 +92,18 @@
 ma.statbus.org {
 	import pgadmin_route 3023
 	import tenant_routes 3022 3023
-	import error_handlers
 }
 
 # Norway tenant (slot offset 3: ports 3030-3035)
 no.statbus.org {
 	import pgadmin_route 3033
 	import tenant_routes 3032 3033
-	import error_handlers
 }
 
 # Albania tenant (slot offset 4: ports 3040-3045)
 al.statbus.org {
 	import pgadmin_route 3043
 	import tenant_routes 3042 3043
-	import error_handlers
 }
 
 # =============================================================================

cloud/caddy-pgadmin.snippet

@@ -39,8 +39,12 @@
 		# The {args[0]} placeholder receives the tenant's REST port
 		forward_auth localhost:{args[0]} {
 			uri /rpc/auth_gate
-			# Copy cookies for JWT authentication
-			copy_headers Cookie
+
+			# Handle unauthorized - redirect to login
+			@unauthorized status 401
+			handle_response @unauthorized {
+				redir /?login=required&redirect={uri} 302
+			}
 		}
 
 		# If authenticated, proxy to shared pgAdmin
@@ -52,14 +56,6 @@
 			header_up X-Forwarded-Host {host}
 		}
 	}
-
-	# Redirect unauthenticated users to login page
-	handle_errors {
-		@unauthorized expression {http.error.status_code} == 401
-		handle @unauthorized {
-			redir /?login=required&redirect=/pgadmin 302
-		}
-	}
 }
 
 # Example tenant site blocks (customize for your deployment)