From 12289bdce33e02216ac60f48076646632730f924 Mon Sep 17 00:00:00 2001
From: BOHA <boha@boha.cz>
Date: Tue, 28 Apr 2026 12:16:26 +0200
Subject: [PATCH] fix: only show session-expired alert when user had a valid
 session

Added hadValidSessionRef to track whether the user was ever
authenticated during this page load. setSessionExpired() in
silentRefresh now only fires when the ref is true, preventing
the alert on direct visits by unauthenticated users.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 src/admin/context/AuthContext.tsx | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/admin/context/AuthContext.tsx b/src/admin/context/AuthContext.tsx
index 39c38c2..d9ee407 100644
--- a/src/admin/context/AuthContext.tsx
+++ b/src/admin/context/AuthContext.tsx
@@ -90,6 +90,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
   const cachedUserRef = useRef<User | null>(null);
   const sessionFetchedRef = useRef(false);
   const silentRefreshInFlightRef = useRef<Promise<boolean> | null>(null);
+  const hadValidSessionRef = useRef(false);
   const [user, setUser] = useState<User | null>(cachedUserRef.current);
   const [loading, setLoading] = useState(!sessionFetchedRef.current);
   const [error, setError] = useState<string | null>(null);
@@ -138,13 +139,14 @@ export function AuthProvider({ children }: { children: ReactNode }) {
         if (data.success && data.data?.access_token) {
           setAccessTokenFn(data.data.access_token, data.data.expires_in);
           setUser(mapUser(data.data.user));
+          hadValidSessionRef.current = true;
           return true;
         }
         accessTokenRef.current = null;
         tokenExpiresAtRef.current = null;
         setUser(null);
         cachedUserRef.current = null;
-        setSessionExpired();
+        if (hadValidSessionRef.current) setSessionExpired();
         return false;
       } catch {
         // Network error — don't kick the user out, just return false
@@ -178,6 +180,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
           if (data.data.access_token) setAccessTokenFn(data.data.access_token);
           setUser(mapUser(data.data.user));
           cachedUserRef.current = mapUser(data.data.user);
+          hadValidSessionRef.current = true;
           return true;
         }
       }
@@ -233,6 +236,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
           setUser(mapUser(data.data.user));
           cachedUserRef.current = mapUser(data.data.user);
           sessionFetchedRef.current = true;
+          hadValidSessionRef.current = true;
           return { success: true };
         }
         setError(data.error);
@@ -273,6 +277,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
           setUser(mapUser(data.data.user));
           cachedUserRef.current = mapUser(data.data.user);
           sessionFetchedRef.current = true;
+          hadValidSessionRef.current = true;
           return { success: true };
         }
         setError(data.error);
@@ -302,6 +307,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
       setUser(null);
       cachedUserRef.current = null;
       sessionFetchedRef.current = false;
+      hadValidSessionRef.current = false;
       if (refreshTimeoutRef.current) {
         clearTimeout(refreshTimeoutRef.current);
         refreshTimeoutRef.current = null;