Fix: Correct middleware ordering for session access in auth

The root cause of login button not working was middleware ordering.
In FastAPI/Starlette, middleware runs in REVERSE order (LIFO).

Before: Auth ran BEFORE Session, so request.session wasn't available
After: Session runs BEFORE Auth, properly setting up request.session

This fixes the error:
"Session access failed: SessionMiddleware must be installed to access request.session"

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app.py

@@ -56,9 +56,9 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
-# Add session middleware (second, so auth can read session data)
-# HF Spaces specific session configuration
-session_secret = os.getenv("SESSION_SECRET_KEY") or secrets.token_urlsafe(32)
+# IMPORTANT: Middleware runs in REVERSE order of add_middleware() calls!
+# We need Session to run BEFORE Auth so that request.session is available.
+# Therefore: Add Auth FIRST, then Session SECOND.
 
 # Detect if running in HF Spaces and adjust session config accordingly
 from utils.environment import is_huggingface_space
@@ -67,32 +67,35 @@ from utils.environment import is_huggingface_space
 logger.info(f"🔍 Environment detection: is_huggingface_space() = {is_huggingface_space()}")
 logger.info(f"🔍 SPACE_ID env var: {os.getenv('SPACE_ID')}")
 
+# Add auth middleware FIRST (will run AFTER session middleware)
+app.add_middleware(ConditionalAuthMiddleware)
+
+# Add session middleware SECOND (will run BEFORE auth middleware, setting up request.session)
+# HF Spaces specific session configuration
+session_secret = os.getenv("SESSION_SECRET_KEY") or secrets.token_urlsafe(32)
+
 if is_huggingface_space():
     # HF Spaces optimized session configuration
     logger.info("🏗️ Configuring session middleware for HF Spaces environment")
     app.add_middleware(
         SessionMiddleware,
         secret_key=session_secret,
-        max_age=3600,  # Shorter expiry for HF Spaces (1 hour)  
+        max_age=3600,  # Shorter expiry for HF Spaces (1 hour)
         same_site="none",  # CRITICAL: Required for iframe cookies in HF Spaces
         https_only=True,  # HF Spaces uses HTTPS
-        # Note: SessionMiddleware doesn't support custom cookie name, using default
     )
 else:
     # Local development session configuration
     logger.info("🏠 Configuring session middleware for local development")
     app.add_middleware(
-        SessionMiddleware, 
+        SessionMiddleware,
         secret_key=session_secret,
         max_age=86400,  # 24 hours for local dev
         same_site="lax",  # Better for OAuth redirects
         https_only=False,  # HTTP for local dev
     )
 
-# Add conditional authentication middleware (after session)
-app.add_middleware(ConditionalAuthMiddleware)
-
-# Add usage tracking middleware (last, to track authenticated requests)
+# Add usage tracking middleware (last added = runs first, outermost)
 app.add_middleware(UsageTrackingMiddleware)
 
 # Custom exception handler for authentication redirects