middleware update for reauth

middleware.ts

@@ -86,6 +86,12 @@ import { NextResponse, NextRequest } from "next/server";
      const isAuthRoute = pathname.startsWith("/auth/");
      const isProtected = !isPublicPath(pathname);
 
+     // NEW: allow explicit reauth flow even if a (possibly stale) token cookie exists
+     const forceAuth =
+     isAuthRoute &&
+     (url.searchParams.get("reauth") === "1" ||
+     url.searchParams.get("force") === "1");
+
      // If unauthenticated and the route is protected, send to sign-in
      if (!token && isProtected) {
          return kickToSignIn(req);
@@ -97,8 +103,8 @@ import { NextResponse, NextRequest } from "next/server";
          const expired = !exp || exp * 1000 <= Date.now();
 
          // If it's an auth route and token looks valid, keep your existing UX:
-         // bounce away from auth pages.
-         if (isAuthRoute && !expired) {
+         // bounce away from auth pages — unless this is a forced reauth.
+         if (isAuthRoute && !expired && !forceAuth) {
              url.pathname = "/portal";
              url.search = "";
              return NextResponse.redirect(url);
@@ -149,7 +155,7 @@ import { NextResponse, NextRequest } from "next/server";
          }
      }
 
-     // If signed-in and visiting /auth/* but token is expired/invalid, fall through (let them sign in).
+     // If signed-in and visiting /auth/* but token is expired/invalid or reauth was requested, fall through (let them sign in).
      // If public or already validated, proceed.
      return NextResponse.next();
  }