26.6.9
Highlights
- Hardened session handling for expired or invalid authentication tokens.
- Improved auth UX so protected views immediately recover to sign-in when session auth fails.
- Updated backlog and changelog documentation to reflect current auth-security delivery.
Session Reliability
- Frontend now centralizes 401 handling for authenticated API requests.
- Expired, invalid, signed-out, or unauthorized session responses now clear local session state immediately.
- Protected routes now redirect to sign-in with a clear session-expired message.
Token Storage and Auth Flow
- Session continues to rely on HttpOnly cookie transport for API authentication.
- Frontend request layer uses credentialed requests and no longer depends on browser-stored bearer tokens.
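
The sketch below is an added example, not the project's own code, of the behaviour described in the two sections above: one request wrapper that sends credentialed requests, clears local session state on a 401, and redirects to sign-in once. The names `createApiClient`, `sessionStore`, `navigate`, the `/sign-in` path and the `reason=session-expired` query parameter are assumptions, as is `credentials: "include"` for a cross-origin API.

```javascript
// Added example: createApiClient, sessionStore and navigate are hypothetical
// names, not identifiers from the project.
function createApiClient({ fetchImpl, sessionStore, navigate, signInPath = "/sign-in" }) {
  let redirecting = false; // collapses a burst of parallel 401s into one redirect

  function handleUnauthorized() {
    sessionStore.clear(); // drop cached session state immediately
    if (redirecting) return;
    redirecting = true;
    navigate(`${signInPath}?reason=session-expired`);
  }

  return async function apiRequest(path, options = {}) {
    // No Authorization header is built here: the HttpOnly cookie is attached
    // by the browser and is never readable from script.
    const response = await fetchImpl(path, { ...options, credentials: "include" });
    if (response.status === 401) {
      handleUnauthorized();
      const err = new Error("Session expired or invalid");
      err.code = "SESSION_EXPIRED";
      throw err;
    }
    if (response.ok) redirecting = false; // a 2xx reply means a valid session exists again
    return response;
  };
}

// Constructed stand-ins so the example runs offline (no real backend).
async function demo() {
  const state = { user: { id: 1 }, cleared: 0 };
  const redirects = [];
  const seenInit = [];
  const sessionStore = { clear() { state.user = null; state.cleared += 1; } };
  const fetchImpl = async (path, init) => {
    seenInit.push(init);
    const status = path === "/api/profile" ? 200 : 401;
    return { status, ok: status === 200 };
  };
  const api = createApiClient({ fetchImpl, sessionStore, navigate: (to) => redirects.push(to) });

  const ok = await api("/api/profile");
  // Two protected calls fail at once after the session expires.
  const failures = await Promise.allSettled([api("/api/orders"), api("/api/billing")]);
  return { okStatus: ok.status, state, redirects, seenInit, failures };
}
```

In a browser, `fetchImpl` would be `window.fetch.bind(window)` and `navigate` the router's redirect function.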
Docs and Backlog
- Backlog item "Expired token session-state handling" marked completed.
- Security backlog item "Token storage security" marked completed.
- 26.6.8 changelog wording cleaned to remove completed-item bullets.