diff --git a/src/layouts/DashboardLayout.astro b/src/layouts/DashboardLayout.astro index 640950e..d377614 100644 --- a/src/layouts/DashboardLayout.astro +++ b/src/layouts/DashboardLayout.astro @@ -201,11 +201,11 @@ function isActive(item: { href: string; exact?: boolean }) { window.location.reload(); }); - // Logout - invalidate session via fetch, then redirect + const logoutBtn = document.getElementById('logout-btn'); logoutBtn?.addEventListener('click', async () => { await fetch('/api/auth/logout', { method: 'POST' }); - window.location.href = '/'; + window.location.reload(); }); diff --git a/src/middleware.ts b/src/middleware.ts index 05fa032..3098eaf 100644 --- a/src/middleware.ts +++ b/src/middleware.ts @@ -2,7 +2,11 @@ import { defineMiddleware } from "astro/middleware"; import { validateSession } from "./lib/auth"; import { validateApiToken } from "./lib/api-auth"; +const PUBLIC_ROUTES = ["/", "/login", "/signup"]; + export const onRequest = defineMiddleware(async (context, next) => { + const { pathname } = context.url; + const authHeader = context.request.headers.get("Authorization"); if (authHeader?.startsWith("Bearer ")) { const token = authHeader.substring(7); 
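Review bot: The logout handler reloads the page whether or not `/api/auth/logout` succeeded, so a 5xx or rejected request leaves the user on a reloaded dashboard with a still-valid session and no feedback; check the response first, `const res = await fetch('/api/auth/logout', { method: 'POST' }); if (!res.ok) { console.error('logout failed', res.status); return; } window.location.reload();`. A network failure makes `fetch` reject, which in this async listener becomes an unhandled rejection, so a try/catch around the call is worth adding as well. Replacing the explicit `window.location.href = '/'` with `reload()` only lands on the login page if the server actually cleared the cookie and the middleware redirects this route; a one-line comment saying the redirect is delegated to `src/middleware.ts` would make that dependency visible. The enclosing script starts and ends outside the hunk.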
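Review bot: `PUBLIC_ROUTES` is the allowlist that decides which pages are reachable without a session, yet nothing at the declaration says how it is matched; further down the file it is compared with an exact `includes(pathname)` and `/api/` is exempted by prefix separately, so a maintainer adding `/login/` or a prefix here would get a silent no-op. I would add `// Exact pathname matches served without a session; /api/* is exempted by prefix in onRequest and must enforce auth itself.` above the declaration and write it as `const PUBLIC_ROUTES = ["/", "/login", "/signup"] as const;` so the allowlist is readonly. `onRequest` continues past the end of the hunk.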
@@ -18,24 +22,30 @@ export const onRequest = defineMiddleware(async (context, next) => {
 const sessionId = context.cookies.get("session_id")?.value;
- if (!sessionId) {
- context.locals.user = null;
- context.locals.session = null;
- context.locals.scopes = null;
- return next();
- }
+ if (sessionId) {
+ const result = await validateSession(sessionId);
- const result = await validateSession(sessionId);
-
- if (result) {
- context.locals.user = result.user;
- context.locals.session = result.session;
- context.locals.scopes = null;
+ if (result) {
+ context.locals.user = result.user;
+ context.locals.session = result.session;
+ context.locals.scopes = null;
+ } else {
+ context.locals.user = null;
+ context.locals.session = null;
+ context.locals.scopes = null;
+ context.cookies.delete("session_id", { path: "/" });
+ }
 } else {
 context.locals.user = null;
 context.locals.session = null;
 context.locals.scopes = null;
- context.cookies.delete("session_id");
+ }
+
+ const isPublic =
+ PUBLIC_ROUTES.includes(pathname) || pathname.startsWith("/api/");
+
+ if (!isPublic && !context.locals.user) {
+ return context.redirect("/login");
+ }
 return next();
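Review bot: The `pathname.startsWith("/api/")` exemption means every API endpoint now receives requests with `context.locals.user` possibly `null` and no redirect, so each endpoint must enforce auth itself; that is the right shape for a JSON API (a 302 to `/login` is the wrong answer there) but it is an unstated contract, so add `// API routes are never redirected; they must reject unauthenticated callers (401) from locals.user / locals.scopes themselves.` next to the `isPublic` computation. If the Bearer branch above this hunk populates `locals.user` from an API token, a token would also satisfy this page gate, which may or may not be intended and is worth confirming. Any other request the middleware sees for an anonymous visitor, including an unknown path that would have been a 404, now becomes a 302 to `/login`; if static or well-known paths pass through here, they need exempting too. The `{ path: "/" }` on the delete only clears the cookie if it was set with that path, which is not visible here; please confirm against the login handler. The closing of `onRequest` appears to lie outside the hunk.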