middleware update for reauth

app/portal/account/page.tsx

@@ -2,7 +2,7 @@
 import { cookies } from "next/headers";
 import { redirect } from "next/navigation";
 import { dxGET } from "@/lib/directus";
-import AccountClient from "./AccountClient"; // client component below
+import AccountClient from "./AccountClient";
 
 type Me = {
     id: string;
@@ -14,7 +14,6 @@ type Me = {
     avatar?: { id: string; filename_download?: string } | string | null;
 };
 
-// Next 15 cookies() is async
 export default async function Page() {
     const jar = await cookies();
     const token = jar.get("ma_at")?.value;
@@ -23,7 +22,6 @@ export default async function Page() {
     }
     const bearer = `Bearer ${token}`;
 
-    // READ-ONLY fields only; no password calls here, ever.
     const fields =
     "id,username,first_name,last_name,email,location,avatar.id,avatar.filename_download";
 
@@ -34,13 +32,13 @@ export default async function Page() {
             const res = await dxGET<any>(`/users/me?fields=${encodeURIComponent(fields)}`, bearer);
             me = (res?.data ?? res) as Me;
         } catch (e: any) {
-            // If token is stale, push to sign-in; otherwise show a friendly message
+            const status = e?.status ?? 0;
             const msg = String(e?.message || "");
-            if (/401|403|unauth|expired|credential/i.test(msg)) {
-                redirect(`/auth/sign-in?next=${encodeURIComponent("/portal/account")}`);
-            } else {
-                loadError = "Couldn’t load your profile. Please try again.";
+            // Only force reauth on auth errors
+            if (status === 401 || status === 403 || /unauth|expired|credential/i.test(msg)) {
+                redirect(`/auth/sign-in?reauth=1&next=${encodeURIComponent("/portal/account")}`);
             }
+            loadError = "Couldn’t load your profile. Please try again.";
         }
 
         return (