diff --git a/main.py b/main.py
index 782ca955..ab896428 100644
--- a/main.py
+++ b/main.py
@@ -1051,8 +1051,20 @@ class AuthMiddleware(BaseHTTPMiddleware):
             # only the host or other compose-network containers can reach it.
             # This lets host-side helpers (overlord-agent, discord-rare-monitor,
             # etc.) call any endpoint without forging a session cookie.
+            #
+            # IMPORTANT: We still try to decode the session cookie if present, so
+            # that endpoints like /me which check `request.state.user` work for
+            # real authenticated browsers proxied through nginx → docker-proxy
+            # (which makes them look like they're coming from 172.x). Without
+            # this, /me returned 401 even for logged-in users, silently
+            # disabling the admin-only UI on the dashboard.
             client_host = request.client.host if request.client else ""
             if client_host.startswith("172.") or client_host in ("127.0.0.1", "::1", "localhost"):
+                token = request.cookies.get("session")
+                if token:
+                    user = verify_session_cookie(token)
+                    if user:
+                        request.state.user = user
                 return await call_next(request)
 
             # Check session cookie
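Review bot: The new branch still returns `call_next(request)` for every 172.x client whether or not the cookie verified, and the added comment itself states that real browsers proxied through nginx → docker-proxy arrive as 172.x, so every proxied external request now skips authentication entirely — the added cookie decode only populates `request.state.user`, it does not gate access. Once a reverse proxy sits in front, the source address is no longer a usable trust signal; gate the bypass on something the proxy path cannot present, e.g. only skip the session check when no forwarding header is present, `is_proxied = "x-forwarded-for" in request.headers` and `if not is_proxied and (client_host.startswith("172.") or client_host in ("127.0.0.1", "::1", "localhost")):` (assuming nginx sets that header — confirm), or better, have the host-side helpers send a shared-secret header and authenticate everything else through the normal cookie path. `startswith("172.")` also matches all of 172.0.0.0/8 rather than the Docker range; `ipaddress.ip_address(client_host) in ipaddress.ip_network("172.16.0.0/12")` would be tighter. The enclosing method starts before and continues after this hunk.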