mirror of
https://github.com/arsvendg/Stirling-PDF.git
synced 2026-07-14 10:34:06 +02:00
On returning to the app with an expired Supabase access token, bootstrap requests fired with the stale token and 401'd before Supabase finished refreshing. The global 401 handler then hard-redirected to /login?from=… (a full window.location navigation), and once the refresh landed the app sent the user straight back in — the login/logout/login flicker. Two holes in the SaaS apiClient response interceptor caused it: 1. "public" endpoints (e.g. /api/v1/config/app-config) skipped the refresh-and-retry path. The backend 401s any expired Bearer token regardless of route, so those bootstrap calls 401'd and fell through to handleHttpError, which redirected to /login. Now public endpoints also refresh-and-retry, and a 401 on a public endpoint sets skipAuthRedirect so it can never trigger the global login redirect. 2. Concurrent 401s each called supabase.auth.refreshSession() independently. Supabase rotates the refresh token on first use, so the racing refreshes failed with "Invalid Refresh Token: Already Used" and bounced the app even though the session was recoverable. Refreshes are now de-duplicated through a single in-flight promise. Existing apiClient unit tests (refresh-and-retry on protected 401, bare /login redirect on genuine refresh failure) are preserved. Co-Authored-By: Claude Opus 4.8 <[email protected]>