fix(auth): reject expired JWT on session read #2

Open
jules (Owner) wants to merge 1 commit from fix/audit-jwt-expiry-main into main

Backports the JWT-expiry check to session read so an expired token redirects to /login instead of mounting an authed shell that 401s on every call. Frontend audit 2026-06-20, rank 1. Pattern from skyai-finance; cn/type-identical. Also clears the localStorage session in onUnauthorized.

🤖 Generated with Claude Code

jules added 1 commit 2026-06-20 10:25:04 +00:00
readFromStorage validated token shape but never checked exp, so an expired
token mounted the full authed shell and every API call 401d silently. Decode
the JWT and treat an expired token as no session. Pattern backported from
skyai-finance. Frontend audit 2026-06-20, rank 1.

Also clears the localStorage Session in onUnauthorized (root.tsx) so a 401
fully logs out instead of leaving a dead session behind getToken.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin fix/audit-jwt-expiry-main:fix/audit-jwt-expiry-main
git checkout fix/audit-jwt-expiry-main
Reference: CremaUIStudio/arcadia-admin#2