Add auth expiry interceptor and session-expired redirect
@@ -110,6 +110,7 @@ backend/
- Use **Depends()** for dependency injection (database sessions, services, auth).
- Group endpoints into routers by feature domain (`routers/jails.py`, `routers/bans.py`, …).
- Use appropriate HTTP status codes: `201` for creation, `204` for deletion with no body, `404` for not found, etc.
- Protected endpoints should return `401 Unauthorized` or `403 Forbidden` when the session is invalid or expired; the frontend treats these responses as a session-expiry event and redirects the user to `/login`.
- Use **HTTPException** or custom exception handlers — never return error dicts manually.
- **GET endpoints are read-only — never call `db.commit()` or execute INSERT/UPDATE/DELETE inside a GET handler.** If a GET path produces side-effects (e.g., caching resolved data), that write belongs in a background task, a scheduled flush, or a separate POST endpoint. Users and HTTP caches assume GET is idempotent and non-mutating.
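Review bot: the added bullet treats `403 Forbidden` the same as `401 Unauthorized` ("the frontend treats these responses as a session-expiry event and redirects the user to `/login`"), but a 403 is normally an authorization failure on a valid session, not an expired one, so a logged-in user who lacks permission on one resource would be bounced to the login page for no reason. Suggest narrowing the redirect rule to `401` and stating that `403` should render a permission-denied state instead, or, if the backend really only emits `403` for expired sessions, say so explicitly in this bullet so the interceptor's behaviour is documented rather than implied.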
@@ -111,7 +111,7 @@ Issues are grouped by category and ordered roughly by severity. Each entry descr
---
### TASK-006 — No 401 interceptor: expired sessions show broken pages instead of redirecting
### TASK-006 — No 401 interceptor: expired sessions show broken pages instead of redirecting (done)
**Where found:** `frontend/src/api/client.ts`, `request` function. All non-2xx responses including 401 are thrown as a generic `ApiError`. Consumers render "Failed to load…" messages instead of redirecting.
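Review bot: the heading is changed to "(done)" but the unchanged "Where found" context below it still describes the problem in the present tense ("All non-2xx responses including 401 are thrown as a generic `ApiError`. Consumers render 'Failed to load…' messages instead of redirecting."), so the tracker now reads as both resolved and still broken. Suggest either rewording that paragraph to describe the fix (e.g. which `client.ts` code path now intercepts 401 and performs the `/login` redirect) or adding a short "Resolution:" line under the heading, so a reader does not have to go to the commit to learn what actually changed.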