Restricting access to logged in users for static files in google app engine app by way of yaml rules fails

I tried to use the documented way of restricting access to urls marked as static by way of login: required rules in the app.yaml file. My intention is to have access to script urls handled by the go programming language by xmlhttprequests, but the first step of authenticating the user before she can load the file dist/index.html fails.

Surprisingly for me the user is not prompted to login, instead receives the dist/index.html file and all other files it asks for from the static folder as if no restricting rule were present.

This is my app.yaml file:

application: helloworld
version: 1
runtime: go
api_version: go1

handlers:

- url: /
  static_files: dist/index.html
  upload: dist/index.html
  secure: always 
  login: required - this is what fails as far as I'm concerned

- url: /(.*\.(txt|html|json|png|js|log|md|css|ico))
  static_files: dist/
  upload: dist/(.*\.(txt|html|json|png|js|log|md|css|ico))
  secure: always 
  login: required

- url: /.*
  script: _go_app
  secure: always
  login: required

The folder that I uploaded to appengine looks like this:

app.yaml
index.yaml
xhr_responses.go - this is the intended future non static AJAX part
dist/
 index.html
 loads of other stuff that is static

The 'login:' handler options in the .yaml config files rely on Google's authentication, which can be persisted using cookies and survive a browser restart.

To properly test the authentication you need to either use a fresh incognito browser session or go to one of the Google sites and ensure you're not logged in (explicitly log out from all Google accounts if needed) before testing.

Apparently I was signed in when trying stuff on the live google app engine, which I just forgot is the way it knows not to redirect access to a new login prompt.