fix: resolve sign-in issue after inactivity by ensuring only valid access tokens trigger redirects, improving user experience

CHANGELOG.md

@@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 ### Fixed
 
+- **Sign in after inactivity.** Clicking "Sign in" after a period of inactivity no longer does nothing. Previously, stale refresh cookies caused the middleware to redirect away from the login page; now only a valid access token triggers that redirect, so you can complete OAuth sign-in when your session has expired.
 - **2FA disable now requires password confirmation.** Disabling 2FA sends the derived password to the backend for verification. This prevents an attacker with a hijacked session from stripping 2FA.
 
 ## [0.11.1-alpha] - 2026-02-23

middleware.ts

@@ -34,8 +34,9 @@ export function middleware(request: NextRequest) {
   const hasRefresh = request.cookies.has('refresh_token')
   const hasSession = hasAccess || hasRefresh
 
-  // * Authenticated user hitting /login or /signup → send them home
+  // * Authenticated user (with access token) hitting /login or /signup → send them home.
-  if (hasSession && AUTH_ONLY_ROUTES.has(pathname)) {
+  // * Only check access_token; stale refresh_token alone must not block login (fixes post-inactivity sign-in).
+  if (hasAccess && AUTH_ONLY_ROUTES.has(pathname)) {
     return NextResponse.redirect(new URL('/', request.url))
   }