← All tasks

v0.2 Slice B — Auth-expiry bug PROD · GATE 2

Two related v0.2 bugs, one shared root cause — an expired/stale session handled badly across the Cafe ↔ Commerce boundary. Spans both repos: nix-cafe (the 405) and nix-commerce (the lost redirect).

7/7 prod checks green · 51/51 regression green — no regressions. 5 files changed + 1 new shared module, 2 repos, no migration. Commits: nix-cafe 4057483 · nix-commerce 12d87bf.

The two bugs

H5.4"Pay failed (405): cannot validate Cash Payment"

The POS pay button POSTs to /api/cafe/orders. When the session has expired, middleware.ts answered with a 307 redirect — and a 307 preserves the method, so the browser re-POSTs to /auth/login (a GET-only page) → 405.

before: POST /api/cafe/orders → 307 → POST /auth/login → 405 → "Pay failed (405)"
after: POST /api/cafe/orders → 401 JSON → handler shows "Your session expired. Re-unlock the register…"

H5.8After idle, always lands on the product picker

When Cafe bounces to /auth/login?redirect=/cafe/pos, Commerce's guest-route guard did { path: '/' } whenever isAuthenticated was truthy — and a stale, never-revalidated Bearer token keeps it truthy — so the guard discarded ?redirect= and dumped the user on the launchpad.

before: /auth/login?redirect=/cafe/pos + stale token → guard → { path: '/' } (launchpad)
after: redirect targets a product app → guard falls through → login form renders → onSubmit → /cafe/pos

Screenshots

H5.8 — stale token + ?redirect=/cafe/pos → login form renders (was: launchpad)

H5.8 regression — stale token + NO redirect → still bounces to launchpad (the original "already logged in, go home" behavior preserved)

Checks — 7/7

✓ H5.4 — POST /cafe/api/cafe/orders (no session) → 401 JSON, not 307→405
✓ H5.4 — GET /cafe/api/cafe/orders (no session) → 401
✓ H5.4 regression — GET /cafe/pos (page route, no session) → still 307 to /auth/login
✓ H5.8 — stale token + ?redirect=/cafe/pos → login FORM renders (not launchpad)
✓ H5.8 — the ?redirect= survives in the URL for onSubmit to honor
✓ H5.8 regression — stale token + NO ?redirect= → still bounces to the launchpad
✓ H5.8 sanity — logged out + ?redirect=/cafe/pos → login form renders

Regression — 51/51, no regressions from this push

All prod suites green.

test-phase1-prod.mjs	11/11
test-phase2-sso-outdoor-prod.mjs	6/6
test-phase2-cafe-multishop-prod.mjs	6/6
test-m1-prod.mjs	10/10
test-r7-prod.mjs	14/14
test-r8-prod.mjs	4/4
+ test-v0-2-slice-b-prod.mjs	7/7
Total	58/58

Files changed (5 + 1 new, 2 repos, no migration)

nix-cafe: middleware.ts · app/(authed)/pos/_adapters/pro-handlers.ts · app/(authed)/pos/_adapters/starter-handlers.ts
nix-commerce: src/router/index.js · src/views/LoginView.vue · src/productApps.js (new — shared)