Bug Description
Currently, when a user logs in, we receive an access_token from Supabase and store it in localStorage under the key fs_access_token. This works perfectly for initial authentication.
However, Supabase access tokens expire after 1 hour. Because we are not currently capturing or using the refresh_token, the user's session effectively dies when the access token expires. Any subsequent API requests fail with a 401 Unauthorized error, forcing the user to manually log out and log back in.
Steps to Reproduce
1. Backend Changes (backend/auth.py & backend/main.py)
- Create a new POST endpoint (e.g., /api/v1/auth/refresh) that accepts a refresh_token.
- Use the Supabase client to exchange the refresh token for a new session (client.auth.refresh_session(refresh_token)).
- Return the new access_token and refresh_token to the frontend.
2. Frontend Changes (src/lib/api.ts & src/pages/AuthPage.tsx)
- Update AuthPage.tsx to extract both the access_token AND the refresh_token from the URL parameters and save them both to localStorage.
- In api.ts, update the apiFetch wrapper. If a request returns a 401 Unauthorized, it should intercept the error, call the new backend refresh endpoint with the saved refresh_token, update localStorage with the new tokens, and then retry the original request.
- If the refresh attempt fails, clear the tokens and redirect the user to /auth.
Expected Behavior
The application should automatically and silently refresh the user's session when the access token expires, ensuring a persistent login state across app reloads and extended usage.
Proposed Solution (Implementation Steps)
This issue requires changes to both the backend and frontend.
Environment
OS: macOS 14 / Windows 11 / Ubuntu 22.04
Additional Context
backend/auth.py
backend/main.py
src/lib/api.ts
src/pages/AuthPage.tsx