refactoring-backend #3

Merged
lukas.pupkalipinski merged 403 commits from refactoring-backend into main 2026-05-20 20:23:46 +02:00
Showing only changes of commit a87d892584

@@ -1,25 +1,3 @@
### TASK-STATE-04 — Token in `sessionStorage` Is Never Sent (Misleading Auth Model)
**Where found**
`frontend/src/providers/AuthProvider.tsx`. After login, a JWT token and `expires_at` timestamp are stored in `sessionStorage`. `isAuthenticated` is derived entirely from the `expires_at` check against the local clock. However, `frontend/src/api/client.ts` uses `credentials: "include"` (cookie auth) for every request and never reads the token from `sessionStorage`. The stored token is purely decorative.
**Goal**
Remove the `sessionStorage` token storage entirely. `isAuthenticated` should instead be determined by whether the backend considers the session valid. The practical check is: the user is authenticated when the last request did not return 401/403. A simple approach is to set `isAuthenticated = true` on successful login, set it to `false` when `SESSION_EXPIRED_EVENT` fires, and persist only a boolean (or nothing at all) in `sessionStorage` for page-reload continuity.
If the token is stored intentionally for future use (e.g. switching to Bearer token auth), add a clear comment explaining this, and add a `TODO` so it is not silently misleading.
**Possible traps and issues**
- If `expires_at` is used to proactively redirect the user to login before a request fails, removing it changes the UX: the user will stay on the page until the next request fails with 401. This is generally acceptable since the server is the authority on session validity.
- Test that `SetupGuard` and `RequireAuth` still work correctly after removing the `sessionStorage` check.
**Docs changes needed**
Update `Docs/Web-Development.md` auth section to accurately describe the cookie-based auth model.
**Why this is needed**
The misleading code makes the auth model appear to be token-based when it is actually cookie-based. This causes confusion during development and maintenance, and the local clock `expires_at` check can cause premature logouts if there is clock skew between client and server.
---
### TASK-PERF-01 — `ConfigListDetail` Calls `sortItems()` on Every Render
**Where found**
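Review bot: Dropping the whole TASK-STATE-04 entry (from `### TASK-STATE-04` through the `---` separator) should be tied to the changes that actually close it, and nothing in this hunk shows them: the `sessionStorage` token/`expires_at` removal in `frontend/src/providers/AuthProvider.tsx`, the `isAuthenticated` switch to login-success / `SESSION_EXPIRED_EVENT`, the `SetupGuard` and `RequireAuth` checks the entry asked for, and the `Docs/Web-Development.md` auth-section update. Please reference the commit(s) that made those changes in the message, or keep the entry until they land; if the token was instead kept on purpose for a later Bearer-auth switch, the entry's own fallback applies (a clear comment plus a `TODO`), since a JWT that is written to `sessionStorage` but never sent is exactly the misleading, clock-skew-prone state the task was opened to remove.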