From ef21004519bd21536f7b5e8e8307eeba1ee849ed Mon Sep 17 00:00:00 2001
From: Usman Baig
Date: Sun, 22 Mar 2026 13:47:02 +0100
Subject: [PATCH] fix: skip auth token refresh for public API endpoints

Public dashboard endpoints use password auth, not session tokens. A 401 on /public/ should surface to the caller (for password prompt), not trigger a token refresh that fails and shows "Session expired".
---
 lib/api/client.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/api/client.ts b/lib/api/client.ts
index 4d348e5..3919cb4 100644
--- a/lib/api/client.ts
+++ b/lib/api/client.ts
@@ -238,8 +238,9 @@ async function apiRequest(
 if (response.status === 401) {
 // * Attempt Token Refresh if 401
 if (typeof window !== 'undefined') {
- // * Prevent infinite loop: Don't refresh if the failed request WAS a refresh request (unlikely via apiRequest but safe to check)
- if (!endpoint.includes('/auth/refresh')) {
+ // * Skip token refresh for public endpoints (they use password auth, not session tokens)
+ // * and for refresh requests themselves (prevent infinite loop)
+ if (!endpoint.includes('/auth/refresh') && !endpoint.includes('/public/')) {
 if (isRefreshing) {
 // * If refresh is already in progress, wait for it to complete (or fail)
 return new Promise((resolve, reject) => {
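Review bot: The new `!endpoint.includes('/public/')` test on the added `if` matches that substring anywhere in the endpoint string, so a session-authenticated request whose path or query string happens to contain `/public/` would also skip the refresh and surface a raw 401. Since this check now decides which requests are treated as password-authenticated, it would be safer to match the path only and anchor it, for example `const path = endpoint.split('?')[0];` followed by `if (!path.includes('/auth/refresh') && !path.startsWith('/public/')) {`, assuming public routes always begin with `/public/` (not visible in this hunk). The server still enforces authentication, so the impact is limited to wrong client-side session handling, but the same loose match already applies to `/auth/refresh`. The body of `apiRequest` starts and ends outside the hunk, so the path taken when the condition is false could not be checked here.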