Fix Phase 3 UAT blockers: MinIO presigned URL hostname, CORS, admin flush→commit, auth refresh race

Bugs fixed: - minio_backend.py: generate_presigned_put_url and presigned_get_url used internal _client (minio:9000) instead of _public_client (localhost:9000). Browser received ERR_NAME_NOT_RESOLVED. Fixed by using _public_client with region='us-east-1' to skip region-discovery HTTP request from inside the container. - docker-compose.yml: MINIO_API_CORS_ALLOW_ORIGIN was set from CORS_ORIGINS which uses pydantic JSON list format '["http://localhost:5173"]'. MinIO expected a plain string and never matched the origin. Fixed to use FRONTEND_URL instead. - admin.py: All write handlers (create_user, update_user_status, update_user_quota, update_ai_config) used session.flush() without session.commit(). Changes appeared to succeed (response reflected in-memory state) but rolled back on session close. Fixed by replacing flush() with commit() in all four write handlers. - auth.js: Concurrent refresh() calls from QuotaBar and App.vue on page reload caused a token rotation race — first call rotated the cookie, second arrived with stale cookie and cleared accessToken. Fixed by deduplicating with a shared in-flight promise (_refreshInFlight). Phase 3 UAT: 9/10 pass. UAT-3 (QuotaBar visual) pending browser confirmation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 11:30:41 +02:00
parent b5dde2aad9
commit a5f202b069
5 changed files with 53 additions and 33 deletions
@@ -24,6 +24,10 @@ export const useAuthStore = defineStore('auth', () => {
  const error = ref(null)
  const quota = ref({ used_bytes: 0, limit_bytes: 0 })

+  // Deduplicates concurrent refresh() calls so a single cookie rotation handles
+  // multiple simultaneous 401s (e.g. QuotaBar + App.vue firing on page reload).
+  let _refreshInFlight = null
+
  /**
   * Register a new account.
   * Does NOT auto-login — caller should redirect to /login after success.
@@ -87,11 +91,21 @@ export const useAuthStore = defineStore('auth', () => {
   * Refresh the access token using the httpOnly refresh cookie.
   * Called automatically by api/client.js on 401.
   * Throws on failure (session expired — caller should redirect to /login).
+   *
+   * Concurrent calls share one in-flight promise so the refresh cookie is
+   * rotated exactly once even when multiple 401s fire simultaneously.
   */
-  async function refresh() {
-    const data = await api.refreshToken()
-    accessToken.value = data.access_token
-    user.value = data.user
+  function refresh() {
+    if (_refreshInFlight) return _refreshInFlight
+    _refreshInFlight = api.refreshToken()
+      .then(data => {
+        accessToken.value = data.access_token
+        user.value = data.user
+      })
+      .finally(() => {
+        _refreshInFlight = null
+      })
+    return _refreshInFlight
  }

  /**