From e15b19b2237739c945010d8addb3108b06733219 Mon Sep 17 00:00:00 2001
From: "J. Nick Koston" <nick@koston.org>
Date: Thu, 12 Mar 2026 14:48:29 -1000
Subject: [PATCH] [captive_portal] Fix captive portal inaccessible when
 web_server auth is configured (#14734)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 esphome/components/captive_portal/captive_portal.cpp   | 4 ++--
 esphome/components/web_server_base/web_server_base.cpp | 4 ++++
 esphome/components/web_server_base/web_server_base.h   | 8 ++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/esphome/components/captive_portal/captive_portal.cpp b/esphome/components/captive_portal/captive_portal.cpp
index 5af6ab29a2..183f16c5f8 100644
--- a/esphome/components/captive_portal/captive_portal.cpp
+++ b/esphome/components/captive_portal/captive_portal.cpp
@@ -61,7 +61,7 @@ void CaptivePortal::handle_wifisave(AsyncWebServerRequest *request) {
   // Defer save to main loop thread to avoid NVS operations from HTTP thread
   this->defer([ssid, psk]() { wifi::global_wifi_component->save_wifi_sta(ssid.c_str(), psk.c_str()); });
 #endif
-  request->redirect(ESPHOME_F("/?save"));
+  request->send(200, ESPHOME_F("text/plain"), ESPHOME_F("Saved. Connecting..."));
 }
 
 void CaptivePortal::setup() {
@@ -71,7 +71,7 @@ void CaptivePortal::setup() {
 void CaptivePortal::start() {
   this->base_->init();
   if (!this->initialized_) {
-    this->base_->add_handler(this);
+    this->base_->add_handler_without_auth(this);
   }
 
   network::IPAddress ip = wifi::global_wifi_component->wifi_soft_ap_ip();
diff --git a/esphome/components/web_server_base/web_server_base.cpp b/esphome/components/web_server_base/web_server_base.cpp
index dbbcd10d8d..3e1baf34ba 100644
--- a/esphome/components/web_server_base/web_server_base.cpp
+++ b/esphome/components/web_server_base/web_server_base.cpp
@@ -11,6 +11,10 @@ void WebServerBase::add_handler(AsyncWebHandler *handler) {
     handler = new internal::AuthMiddlewareHandler(handler, &credentials_);
   }
 #endif
+  this->add_handler_without_auth(handler);
+}
+
+void WebServerBase::add_handler_without_auth(AsyncWebHandler *handler) {
   this->handlers_.push_back(handler);
   if (this->server_ != nullptr) {
     this->server_->addHandler(handler);
diff --git a/esphome/components/web_server_base/web_server_base.h b/esphome/components/web_server_base/web_server_base.h
index 54421c851e..48e13ad71e 100644
--- a/esphome/components/web_server_base/web_server_base.h
+++ b/esphome/components/web_server_base/web_server_base.h
@@ -122,6 +122,14 @@ class WebServerBase {
 #endif
 
   void add_handler(AsyncWebHandler *handler);
+  /**
+   * WARNING: Registers a handler that bypasses the USE_WEBSERVER_AUTH middleware.
+   *
+   * This should only be used for endpoints that are intentionally unauthenticated
+   * (for example, captive portal or very limited-status endpoints). For normal
+   * endpoints that should respect web server authentication, use add_handler().
+   */
+  void add_handler_without_auth(AsyncWebHandler *handler);
 
   void set_port(uint16_t port) { port_ = port; }
   uint16_t get_port() const { return port_; }