Frontend authFetch was bouncing every 401 straight to /login, ignoring the 30-day refresh-token cookie the backend already issues. Result: access-token TTL is 15 min, so the operator was kicked to login after every 15 min of idle time. Now: on 401, authFetch silently calls /api/auth/refresh, retries the original request once with the new access token, and only bounces to /login if refresh ALSO fails (refresh cookie expired or revoked). Concurrent 401s coalesce onto a single in-flight refresh to avoid rotating the refresh-token jti N times in a burst.
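The wrapper described above, as an added example that is not the project's own code: a 401 triggers one refresh, the original request is retried exactly once with the new access token, and the caller is bounced to /login only when the refresh itself fails. Concurrent 401s share a single in-flight refresh promise, and a request whose token was already replaced by another caller's refresh retries without triggering a second rotation. The names createAuthFetch, makeFakeBackend, onLogout, the JSON shape `{ accessToken }` and the in-memory fake backend are assumptions for the example, not the real API.

```javascript
// Added example, not the project's code. Names and the { accessToken } JSON
// shape are assumptions; the backend below is a constructed in-memory fake.

function createAuthFetch({ fetchImpl, onLogout }) {
  let accessToken = null;     // current access token, kept in memory only
  let refreshInFlight = null; // shared promise while a refresh is running

  // One refresh at a time: callers that hit a 401 while a refresh is already
  // running await the same promise, so the refresh-token jti rotates once.
  function refreshAccessToken() {
    if (!refreshInFlight) {
      refreshInFlight = (async () => {
        const res = await fetchImpl('/api/auth/refresh', {
          method: 'POST',
          credentials: 'include', // sends the HttpOnly refresh cookie
        });
        if (!res.ok) throw new Error(`refresh failed: ${res.status}`);
        accessToken = (await res.json()).accessToken;
        return accessToken;
      })().finally(() => { refreshInFlight = null; });
    }
    return refreshInFlight;
  }

  function withAuth(opts, token) {
    const headers = { ...(opts.headers || {}) };
    if (token) headers.Authorization = `Bearer ${token}`;
    return { ...opts, headers };
  }

  async function authFetch(url, opts = {}) {
    const tokenUsed = accessToken;
    const res = await fetchImpl(url, withAuth(opts, tokenUsed));
    if (res.status !== 401) return res;

    // If another caller already refreshed while this request was in flight,
    // the token we hold now differs from the one we sent: just retry with it.
    if (accessToken === tokenUsed) {
      try {
        await refreshAccessToken();
      } catch (e) {
        onLogout();  // refresh cookie expired or revoked: bounce to /login
        return res;  // hand the original 401 back to the caller
      }
    }
    // Retry exactly once; a second 401 is returned, never looped on.
    return fetchImpl(url, withAuth(opts, accessToken));
  }

  return { authFetch, getAccessToken: () => accessToken };
}

// Constructed fake backend: a protected route plus a refresh route that rotates
// the access token on every call and can have its refresh cookie "revoked".
function makeFakeBackend() {
  const state = { validAccess: 'at-0', refreshCalls: 0, refreshCookieValid: true };
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  async function fetchImpl(url, opts = {}) {
    if (url === '/api/auth/refresh') {
      state.refreshCalls += 1;
      if (!state.refreshCookieValid) return reply(401, { error: 'refresh revoked' });
      state.validAccess = `at-${state.refreshCalls}`; // rotate per refresh
      return reply(200, { accessToken: state.validAccess });
    }
    const auth = (opts.headers || {}).Authorization;
    if (auth !== `Bearer ${state.validAccess}`) return reply(401, { error: 'expired' });
    return reply(200, { data: 'ok' });
  }
  return { fetchImpl, state };
}

// Scenario 1: a burst of n concurrent requests with a stale token must cause
// exactly one refresh, and every request must succeed on its single retry.
async function burstScenario(n) {
  const backend = makeFakeBackend();
  let logouts = 0;
  const { authFetch } = createAuthFetch({ fetchImpl: backend.fetchImpl, onLogout: () => { logouts += 1; } });
  const results = await Promise.all(Array.from({ length: n }, () => authFetch('/api/data')));
  return { statuses: results.map(r => r.status), refreshCalls: backend.state.refreshCalls, logouts };
}

// Scenario 2: refresh cookie revoked -> one refresh attempt, then logout.
async function revokedScenario() {
  const backend = makeFakeBackend();
  backend.state.refreshCookieValid = false;
  let logouts = 0;
  const { authFetch } = createAuthFetch({ fetchImpl: backend.fetchImpl, onLogout: () => { logouts += 1; } });
  const res = await authFetch('/api/data');
  return { status: res.status, refreshCalls: backend.state.refreshCalls, logouts };
}

if (typeof require !== 'undefined' && require.main === module) {
  burstScenario(5).then(r => console.log('burst', r));
  revokedScenario().then(r => console.log('revoked', r));
}
```

The retry is bounded to one attempt on purpose: if the retried request still comes back 401 after a successful refresh, that is a server-side problem (or a revoked session) and looping would only hammer /api/auth/refresh. Sharing `refreshInFlight` is what keeps a burst of expired requests from rotating the refresh token N times; the `accessToken === tokenUsed` check covers the straggler that observes its 401 only after the shared refresh has already finished.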