Summary
There is no global 401 handling. When a cookie session expires mid-session, individual service calls reject but AuthContext is never notified — isAuthenticated stays true, no redirect to /login occurs, and the user is stranded on a protected page where every data fetch fails.
Severity
Medium
Affected code
ui/src/api/client.ts:108-114 — response interceptor never inspects error.response?.status; no 401 handling anywhere.
ui/src/services/authService.ts:39-46 — getMe only runs once on mount (AuthContext), so expiry is never detected afterward.
Impact
After session expiry the app keeps rendering protected pages with every request failing; the user must manually reload or log out.
Suggested fix
In the response interceptor, detect error.response?.status === 401 and trigger logout/redirect-to-login (e.g. dispatch an event the AuthProvider listens for, then navigate to /login). Coordinate with the interceptor-error-shape fix so status remains available.
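The event-based flow the suggested fix describes, written out as an added example that is not the project's own code: an interceptor error branch that checks the status before any error normalization, a small pub/sub in place of whatever AuthProvider would actually listen on, and a stand-in for the auth state. The names ApiError, SessionExpiryBus, handleResponseError, resetSessionNotice and AuthState are assumptions; the `{ response?: { status } }` shape mirrors the axios-style `error.response?.status` the report refers to.

```typescript
// Added example, not the project's own code. Assumed names: ApiError, SessionExpiryBus,
// handleResponseError, resetSessionNotice, AuthState. The { response?: { status } } shape
// mirrors the axios-style error the report refers to as error.response?.status.
type ApiError = { response?: { status?: number }; message?: string };
type Listener = () => void;

// Tiny pub/sub so the API client can notify the auth layer without importing React.
class SessionExpiryBus {
  private listeners = new Set<Listener>();
  subscribe(fn: Listener): () => void {
    this.listeners.add(fn);
    return () => { this.listeners.delete(fn); };
  }
  emit(): void {
    this.listeners.forEach(fn => fn());
  }
}
const sessionExpiry = new SessionExpiryBus();

// Many in-flight requests fail together once the cookie expires; notify only once per session.
let notified = false;
function resetSessionNotice(): void { notified = false; } // call after a successful login

// Error branch of the response interceptor. Inspect the status BEFORE any error-shape
// normalization so the 401 is still visible, then rethrow so the calling service rejects as today.
function handleResponseError(error: ApiError, bus: SessionExpiryBus = sessionExpiry): Promise<never> {
  if (error.response?.status === 401 && !notified) {
    notified = true;
    bus.emit();
  }
  return Promise.reject(error);
}

// Stand-in for what AuthProvider would do on the event: drop isAuthenticated and go to /login.
class AuthState {
  isAuthenticated = true;
  redirectedTo: string | null = null;
  constructor(bus: SessionExpiryBus, navigate?: (path: string) => void) {
    bus.subscribe(() => {
      this.isAuthenticated = false;
      this.redirectedTo = '/login';
      if (navigate) navigate('/login');
    });
  }
}
```

A network error with no `response` (status undefined) and a 500 leave the auth state untouched; only a 401 flips it, and only once until the notice is reset after the next login.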