fix: implement automatic token refresh to prevent frequent re-logins, enhancing user experience during inactivity

2026-02-23 18:57:03 +01:00
parent f62d142adb
commit 3cb5416251
2 changed files with 16 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 ### Fixed

 - **Sign in after inactivity.** Clicking "Sign in" after a period of inactivity no longer does nothing. Previously, stale refresh cookies caused the middleware to redirect away from the login page; now only a valid access token triggers that redirect, so you can complete OAuth sign-in when your session has expired.
+- **Frequent re-login.** You no longer have to sign in multiple times a day. When the access token expires after 15 minutes of inactivity, the app now automatically refreshes it using your refresh token on the next page load, so you stay logged in for up to 30 days.
 - **2FA disable now requires password confirmation.** Disabling 2FA sends the derived password to the backend for verification. This prevents an attacker with a hijacked session from stripping 2FA.

 ## [0.11.1-alpha] - 2026-02-23
--- a/lib/auth/context.tsx
+++ b/lib/auth/context.tsx
@@ -110,8 +110,20 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
  useEffect(() => {
    const init = async () => {
        // * 1. Check server-side session (cookies)
-        const session = await getSessionAction()
-        
+        let session = await getSessionAction()
+
+        // * 2. If no access_token but refresh_token may exist, try refresh (fixes 15-min inactivity logout)
+        if (!session && typeof window !== 'undefined') {
+          const refreshRes = await fetch('/api/auth/refresh', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            credentials: 'include',
+          })
+          if (refreshRes.ok) {
+            session = await getSessionAction()
+          }
+        }
+
        if (session) {
            setUser(session)
            localStorage.setItem('user', JSON.stringify(session))
@@ -129,7 +141,7 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
            localStorage.removeItem('user')
            setUser(null)
        }
-        
+
        // * Clear legacy tokens if they exist (migration)
        if (localStorage.getItem('token')) {
            localStorage.removeItem('token')