The server-side revoke was always working — it deletes user_sessions rows, and middleware correctly returned 401 on the revoked device's next /api/* request. The bug was entirely client-side: individual fetch handlers swallowed the 401 (rendering "no sessions found" or empty data) and nothing redirected to the login screen. So the revoked device looked like it stayed signed in. Added public/js/authFetch.js: a global fetch interceptor that watches every /api/* response. On 401 from a non-auth endpoint (i.e. not /login, /register, /logout, /me, etc.), it clears any cached token/user state and reloads the page. The reload's boot flow lands on /api/auth/me → 401 → login screen as usual. Guarded against false positives: only triggers when the app believes the user is currently logged in (AUTH_TOKEN set or main-app visible) so a pre-login 401 doesn't accidentally flash the screen. Loaded before auth.js in index.html. |
||
|---|---|---|
| .. | ||
| .well-known | ||
| components | ||
| css | ||
| icons | ||
| js | ||
| vendor | ||
| 404.html | ||
| favicon.ico | ||
| index.html | ||
| manifest.json | ||
| sw.js | ||