Five compounding problems caused hundreds of "Console ApiError:
Unauthorized" entries on every load of /dashboard (and friends) while
unauthenticated or while the auth cookie was stale:
1. QueryClient had `throwOnError: true` as a blanket default, so every
401 from any react-query hook propagated to the nearest error
boundary instead of staying in the query's `error` state. That
also invited React to re-render and re-fire the boundary multiple
times per failing query.
2. React Query retried all failures 3 times with exponential backoff,
so a single 401 became four requests. 401 isn't fixable by retry,
so this is just noise.
3. Dashboard layout rendered `<NotificationBell />` unconditionally,
which polled /notifications/unread-count on mount even when no user
was signed in → 401 on every mount.
4. Dashboard + Admin layouts had no redirect-to-login guard, so
protected queries (market-report, heatmap, admin/dashboard, …) all
mounted and fired against the API before the user ever saw the
login screen.
5. Admin layout waited on `user` but had no way to distinguish "store
still initialising" from "user genuinely absent" — so an expired
cookie left the page stuck on a spinner while the same 401 storm
played out in the background.
Fixes
- query-client.ts: `throwOnError` and `retry` are now predicates. Only
5xx / network errors bubble to boundaries and are retried; 4xx
(auth, validation, not-found) stay in query error state so the
component can render an empty/auth placeholder.
- auth-store.ts: new `isInitialized` flag set in a finally block at
the end of `initialize()`. Downstream guards use it to distinguish
"still booting" from "definitely logged out".
- (dashboard)/layout.tsx: redirects to /login?next=<path> once
initialised and unauthenticated, and renders a lightweight loading
screen in the meantime so child queries never mount.
- (admin)/layout.tsx: same guard. Non-ADMIN logged-in users still
bounce to /dashboard.
- notification-bell.tsx: short-circuits `fetchUnreadCount` when
`isAuthenticated` is false.
Verified in dev: visiting /vi/dashboard unauthenticated now redirects
to /login?redirect=/dashboard with zero console errors and no
/analytics/… calls to the backend.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Backend:
- Auth controller sets httpOnly secure cookies (access_token, refresh_token, goodgo_authenticated) on login/register/refresh
- JWT strategy reads token from cookie first, falls back to Authorization header
- Added POST /auth/logout to clear auth cookies
- Added POST /auth/exchange-token for OAuth callback token-to-cookie exchange
- Refresh endpoint reads refresh_token from cookie (body fallback for backwards compat)
- CSRF middleware excludes auth endpoints (login, register, refresh, exchange-token, logout)
Frontend:
- Removed all localStorage token storage (goodgo_tokens key)
- Removed authGet/authPost/authPatch helpers from api-client (tokens sent via cookies)
- All API calls use credentials:'include' for cookie-based auth
- Updated auth-store: no more token state, uses isAuthenticated flag from cookie
- Updated admin-api, listings-api to remove explicit token parameters
- Updated all pages (admin dashboard, users, KYC, moderation, listings) to remove token passing
- OAuth callbacks use exchange-token endpoint to convert URL tokens to cookies
- Auth provider simplified (no client-side cookie management needed)
Security improvements:
- JWT no longer accessible via JavaScript (XSS-safe)
- Refresh token scoped to /auth path only
- Server-side goodgo_authenticated cookie with SameSite=Lax
- Access token cookie with SameSite=Strict
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add /auth/callback/google and /auth/callback/zalo pages that extract
tokens from query params and persist them via the auth store
- Add handleOAuthCallback method to Zustand auth store
- Update middleware to allow /auth/callback/* as public routes
- Show OAuth error messages on login page when redirected back
Co-Authored-By: Paperclip <noreply@paperclip.ing>
