App.svelte's onMount used to call api.logout() whenever it detected an existing server session at boot, on the theory that "we can't decrypt without the DEK so the session is half-broken anyway." That destroyed the user's session on every full-page load — including clicking the plain <a href="/a/<id>"> permalink in ActivityRow, which navigates the browser instead of routing client-side.

Symptom reported by the user: clicking a permalink for a private activity returned "fant ikke aktiviteten" (because the now-anonymous caller can't read private rows), and the back button left them logged out (because session.user was never re-hydrated).

Fix: keep the server session on reload and re-hydrate session.user from /me. The DEK is still intentionally absent (it never persists), so private rows that the SPA can't decrypt now show a clear "logg inn på nytt med passordet ditt for å vise det" message instead of a stuck "Dekrypterer …" spinner. Public / semi / friends content keeps working without re-authentication.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

| Name |
|---|
| public |
| src |
| index.html |
| svelte.config.js |
| tsconfig.json |
| vite.config.ts |