
fix: refresh session on auth check to prevent premature expiration#172

Merged
zhenghaoz merged 1 commit into gorse-io:master from zhangzhenghao:fix/session-refresh
Apr 27, 2026

Conversation

@zhangzhenghao
Contributor

Problem

After #166 moved auth check to frontend for CDN-friendly caching, the session.permanent = True was removed from the index route. This caused sessions to expire based on default timeout without being refreshed.

Users reported that login state expires very quickly, requiring frequent re-authentication.

Solution

Add session.permanent = True to the /api/me endpoint. This ensures the session is refreshed each time the frontend checks authentication status, matching the previous behavior where the session was refreshed on every page load.

Changes

  • Added session.permanent = True in /api/me when user is authenticated

After moving auth check to frontend, session.permanent was removed from
the index route. This caused sessions to expire based on default timeout
without being refreshed. Now /api/me refreshes the session on each auth
check, matching the previous behavior.

Copilot AI left a comment


Pull request overview

Refreshes authenticated user sessions during the frontend auth check flow (/api/me) to prevent premature logout after auth checks were moved client-side for CDN-friendly caching.

Changes:

  • Marks the session as permanent when /api/me is called by an authenticated user (intended to refresh/extend session lifetime during periodic auth checks).
Comments suppressed due to low confidence (1)

app.py:284

  • /api/me returns user-specific auth state (and login) but doesn’t set any anti-caching headers or Vary: Cookie. If a CDN/proxy caches this GET response, it can leak one user’s auth/login to another. Please set Cache-Control to a private/no-store value (consistent with other auth-sensitive endpoints) and add Vary: Cookie on both the authenticated and unauthenticated responses.
    if current_user.is_authenticated:
        session.permanent = True  # Refresh session on auth check
        return Response(
            json.dumps({"is_authenticated": True, "login": current_user.login}),
            mimetype="application/json"
        )


@zhenghaoz zhenghaoz merged commit a3a7841 into gorse-io:master Apr 27, 2026
5 checks passed