
fix(auth): prevent infinite refresh loop on invalid auth token #7310

Merged: davidecavaliere merged 5 commits into newarchitecture from fix/SER-2791_infinite_refreshes, Feb 25, 2026



@davidecavaliere
Contributor

Summary

  • Show user-friendly "Session Expired" dialog when auth token becomes invalid
  • Fix GET /logout to properly clear session (previously only redirected without clearing)
  • Save URL hash before logout so users return to the same page after re-login
  • Add flag to prevent multiple session expired dialogs from concurrent failed requests

Problem

When auth token was manually deleted or became invalid, the frontend would enter an infinite refresh loop. This was caused by:

  1. API calls returning "Token not valid"
  2. CountlyHelpers.logout() calling window.location.reload()
  3. Page reloading with session cookie still present
  4. Repeat indefinitely

Solution

  1. Changed logout() to redirect to /logout endpoint instead of reloading
  2. Fixed GET /logout route to call membersUtility.logout() to properly clear session
  3. Added session expired dialog with "Go to Login" button
  4. Preserve URL hash in sessionStorage so users return to their original page after re-login

Test plan

  • Delete auth token from MongoDB while logged in
  • Verify no infinite refresh loop occurs
  • Verify user is redirected to login page
  • Verify after re-login, user returns to the same page they were on

🤖 Generated with Claude Code

- Show user-friendly "Session Expired" dialog instead of silently reloading
- Fix GET /logout to properly clear session (was only redirecting)
- Save URL hash before logout so users return to same page after re-login
- Add flag to prevent multiple session expired dialogs from concurrent requests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Contributor

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@davidecavaliere davidecavaliere merged commit e9d237a into newarchitecture Feb 25, 2026
10 checks passed
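
The client-side half of the fix described in the pull request, as an added example rather than the project's code: a guard flag collapses concurrent "Token not valid" failures into one dialog, the URL hash is saved before navigating to /logout, and only a fragment is restored after re-login. The handler and key names, the `{ result: ... }` error shape, the `showDialog` signature and the `#/dashboard` value are assumptions made for illustration.

```javascript
// Added example: hypothetical names, not the project's code.
const HASH_KEY = "sessionExpiredReturnHash"; // assumed sessionStorage key
// Assumed error shape: parsed JSON body { result: "Token not valid" }.
function isInvalidToken(body) {
  return Boolean(body) && body.result === "Token not valid";
}

function createSessionExpiryHandler({ storage, location, showDialog }) {
  let expiredHandled = false; // one dialog no matter how many requests fail
  return {
    // Wire into every API error path. Returns true when the error was consumed.
    onApiError(body) {
      if (!isInvalidToken(body)) return false;
      if (expiredHandled) return true;
      expiredHandled = true;
      if (location.hash) storage.setItem(HASH_KEY, location.hash);
      // The button goes to the server route that clears the session.
      // reload() would resend the stale session cookie and loop.
      showDialog("Session Expired", "Go to Login", () => location.assign("/logout"));
      return true;
    },
    // Call once after a successful login.
    restoreHash() {
      const saved = storage.getItem(HASH_KEY);
      storage.removeItem(HASH_KEY);
      // Accept only a fragment, and set it through location.hash, so a
      // tampered stored value can never navigate to another origin.
      if (typeof saved !== "string" || !saved.startsWith("#")) return null;
      location.hash = saved;
      return saved;
    },
  };
}

// Constructed demo with in-memory fakes: three concurrent failures, one dialog.
function demo() {
  const mem = new Map();
  const storage = {
    setItem: (k, v) => mem.set(k, String(v)),
    getItem: (k) => (mem.has(k) ? mem.get(k) : null),
    removeItem: (k) => mem.delete(k),
  };
  const location = { hash: "#/dashboard", visited: [], assign(u) { this.visited.push(u); } };
  const dialogs = [];
  const h = createSessionExpiryHandler({ storage, location, showDialog: (...a) => dialogs.push(a) });
  for (let i = 0; i < 3; i++) h.onApiError({ result: "Token not valid" });
  dialogs[0][2](); // user clicks "Go to Login"
  return { dialogCount: dialogs.length, visited: location.visited, restored: h.restoreHash() };
}
```

In a browser, pass `window.sessionStorage`, `window.location` and the application's own dialog helper; the server's GET /logout handler still has to clear the session, or the cookie survives the redirect.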