I already have a working Google Apps Script web-app with several standalone pages delivered through individual doGet handlers. I recently built a custom login flow that stores user data in a Google Sheet, but at the moment only the first page is tied into that flow. I need the whole project refactored so every page is protected by the same session-based authentication and users cannot bypass it via direct URL access. What I have in place • A Spreadsheet-driven user table (username, hashed password, status) • A basic login HTML form served by HTMLService • Initial server-side checks that create a session token in Script Properties What I want from you • Extend the current login logic so all existing doGet pages check the session token before rendering. • Route unauthenticated visitors automatically to the login page, preserving the requested URL so I can redirect them back after successful sign-in. • Keep everything client-side lightweight—prefer vanilla JS or the Apps Script HTML templating helpers I already use. • Make the code clean, modular, and commented so I can maintain it later. Acceptance criteria 1. Any direct link to a protected page prompts for login first. 2. Successful login redirects to the originally requested page. 3. Manual manipulation of URLs or parameters never reveals page content without a valid session token. 4. All updates are delivered as a single .gs project file plus any modified HTML templates. I will share the current code repository along with a demo account so you can test locally in the Apps Script IDE.