🐛 Bug fix: logout problem and failed to get session

🐛 Bug fix: model healthcheck failed
🐛 Bug fix: sessionListeners unexpectedly request the guest to re-login
🐛 Security bug fix: user can somehow close the re-login modal

Author: Jasonxia007

backend/apps/me_model_managment_app.py

@@ -33,22 +33,13 @@ async def get_me_models(
         )
     except TimeoutException as e:
         logging.error(f"Request me model timeout: {str(e)}")
-        return JSONResponse(status_code=HTTPStatus.REQUEST_TIMEOUT, content={
-            "message": f"Request me model timeout: {str(e)}",
-            "data": []
-        })
+        raise HTTPException(status_code=HTTPStatus.REQUEST_TIMEOUT, detail="Failed to get ModelEngine model list: timeout")
     except NotFoundException as e:
         logging.error(f"Request me model not found: {str(e)}")
-        return JSONResponse(status_code=HTTPStatus.NOT_FOUND, content={
-            "message": f"Request me model not found: {str(e)}",
-            "data": []
-        })
+        raise HTTPException(status_code=HTTPStatus.NOT_FOUND, detail="ModelEngine model not found")
     except Exception as e:
         logging.error(f"Failed to get me model list: {str(e)}")
-        return JSONResponse(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, content={
-            "message": f"Failed to get me model list: {str(e)}",
-            "data": []
-        })
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="Failed to get ModelEngine model list")
 
 
 @router.get("/healthcheck")

backend/apps/user_management_app.py

@@ -12,6 +12,7 @@
 from services.user_management_service import get_authorized_client, validate_token, \
     check_auth_service_health, signup_user, signin_user, refresh_user_token, \
     get_session_by_authorization
+from consts.exceptions import UnauthorizedError
 from utils.auth_utils import get_current_user_id
 
 
@@ -123,12 +124,16 @@ async def user_refresh_token(request: Request):
 async def logout(request: Request):
     """User logout"""
     authorization = request.headers.get("Authorization")
-    if not authorization:
-        raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED,
-                            detail="User not logged in")
     try:
-        client = get_authorized_client(authorization)
-        client.auth.sign_out()
+        # Make logout idempotent: if no token or token expired, still return success
+        if authorization:
+            client = get_authorized_client(authorization)
+            try:
+                client.auth.sign_out()
+            except Exception as signout_err:
+                # Ignore sign out errors to keep logout idempotent
+                logging.warning(
+                    f"Sign out encountered an error but will be ignored: {str(signout_err)}")
         return JSONResponse(status_code=HTTPStatus.OK,
                             content={"message":"Logout successful"})
 
@@ -143,17 +148,19 @@ async def get_session(request: Request):
     """Get current user session"""
     authorization = request.headers.get("Authorization")
     if not authorization:
-        raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED,
-                            detail="User not logged in")
+        # Treat as not logged in when missing token
+        return JSONResponse(status_code=HTTPStatus.OK,
+                            content={"message": "User not logged in",
+                                     "data": None})
     try:
         data = await get_session_by_authorization(authorization)
         return JSONResponse(status_code=HTTPStatus.OK,
                      content={"message": "Session is valid",
                               "data": data})
-    except ValueError as e:
-        logging.error(f"Get user session failed: {str(e)}")
-        raise HTTPException(status_code=HTTPStatus.UNPROCESSABLE_ENTITY,
-                            detail="Session is invalid")
+    except UnauthorizedError as e:
+        logging.error(f"Get user session unauthorized: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED,
+                            detail="User not logged in or session invalid")
     except Exception as e:
         logging.error(f"error in get user session, {str(e)}")
         raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
@@ -165,8 +172,10 @@ async def get_user_id(request: Request):
     """Get current user ID, return None if not logged in"""
     authorization = request.headers.get("Authorization")
     if not authorization:
-        raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED,
-                            detail="User not logged in")
+        # Treat as not logged in when missing token, return 200 with null user_id
+        return JSONResponse(status_code=HTTPStatus.OK,
+                            content={"message": "User not logged in",
+                                     "data": {"user_id": None}})
     try:
         # Use the unified token validation function
         is_valid, user = validate_token(authorization)

backend/services/model_health_service.py

@@ -57,7 +57,6 @@ async def _perform_connectivity_check(
     model_type: str,
     model_base_url: str,
     model_api_key: str,
-    embedding_dim: int
 ) -> bool:
     """
     Perform specific model connectivity check
@@ -66,7 +65,6 @@ async def _perform_connectivity_check(
         model_type: Model type
         model_base_url: Model base URL
         model_api_key: API key
-        embedding_dim: Embedding dimension (only for embedding models)
     Returns:
         bool: Connectivity check result
     """
@@ -82,14 +80,14 @@ async def _perform_connectivity_check(
             model_name=model_name,
             base_url=model_base_url,
             api_key=model_api_key,
-            embedding_dim=embedding_dim
+            embedding_dim=0
         ).dimension_check()) > 0
     elif model_type == "multi_embedding":
         connectivity = len(await JinaEmbedding(
             model_name=model_name,
             base_url=model_base_url,
             api_key=model_api_key,
-            embedding_dim=embedding_dim
+            embedding_dim=0
         ).dimension_check()) > 0
     elif model_type == "llm":
         observer = MessageObserver()
@@ -155,7 +153,10 @@ async def check_model_connectivity(display_name: str, tenant_id: str) -> dict:
         connect_status = ModelConnectStatusEnum.AVAILABLE.value if connectivity else ModelConnectStatusEnum.UNAVAILABLE.value
         update_data = {"connect_status": connect_status}
         update_model_record(model["model_id"], update_data)
-        return {"connectivity": connectivity, "connect_status": connect_status}
+        return {
+            "connectivity": connectivity,
+            "model_name": model_name,
+        }
     except Exception as e:
         logger.error(f"Error checking model connectivity: {str(e)}")
         if 'model' in locals() and model:
@@ -206,13 +207,11 @@ async def verify_model_config_connectivity(model_config: dict):
         model_type = model_config["model_type"]
         model_base_url = model_config["base_url"]
         model_api_key = model_config["api_key"]
-        embedding_dim = model_config.get(
-            "embedding_dim", model_config.get("max_tokens", 1024))
 
         try:
             # Use the common connectivity check function
             connectivity = await _perform_connectivity_check(
-                model_name, model_type, model_base_url, model_api_key, embedding_dim
+                model_name, model_type, model_base_url, model_api_key
             )
         except ValueError as e:
             logger.warning(f"UNCONNECTED: {model_name}; Base URL: {model_base_url}; API Key: {model_api_key}; Error: {str(e)}")

backend/services/user_management_service.py

@@ -8,7 +8,7 @@
 
 from utils.auth_utils import get_supabase_client, calculate_expires_at, get_jwt_expiry_seconds
 from consts.const import INVITE_CODE, SUPABASE_URL, SUPABASE_KEY
-from consts.exceptions import NoInviteCodeException, IncorrectInviteCodeException, UserRegistrationException
+from consts.exceptions import NoInviteCodeException, IncorrectInviteCodeException, UserRegistrationException, UnauthorizedError
 
 from database.model_management_db import create_model_record
 from database.user_tenant_db import insert_user_tenant
@@ -36,11 +36,18 @@ def get_authorized_client(authorization: Optional[str] = Header(None)) -> Client
     return client
 
 
-def get_current_user_from_client(client: Client) -> Optional[Any]:
-    """Get current user from client, return user object or None"""
+def get_current_user_from_client(client: Client, token: Optional[str] = None) -> Optional[Any]:
+    """Get current user from client using provided JWT, return user object or None"""
     try:
-        user_response = client.auth.get_user()
-        if user_response and user_response.user:
+        # Prefer explicitly passing the JWT to avoid relying on client-side session state
+        if token:
+            jwt_token = token.replace(
+                "Bearer ", "") if token.startswith("Bearer ") else token
+            user_response = client.auth.get_user(jwt_token)
+        else:
+            user_response = client.auth.get_user()
+
+        if user_response and getattr(user_response, "user", None):
             return user_response.user
         return None
     except Exception as e:
@@ -53,7 +60,7 @@ def validate_token(token: str) -> Tuple[bool, Optional[Any]]:
     client = get_supabase_client()
     set_auth_token_to_client(client, token)
     try:
-        user = get_current_user_from_client(client)
+        user = get_current_user_from_client(client, token)
         if user:
             return True, user
         return False, None
@@ -286,4 +293,5 @@ async def get_session_by_authorization(authorization):
             }
         }
     else:
-        raise ValueError("Session is invalid")
+        # Use domain-specific exception for invalid/expired token
+        raise UnauthorizedError("Session is invalid or expired")

frontend/components/auth/loginModal.tsx

@@ -228,15 +228,17 @@ export function LoginModal() {
           </Button>
         </Form.Item>
 
-        {/* Registration link section */}
-        <div className="text-center">
-          <Space>
-            <Text type="secondary">{t("auth.noAccount")}</Text>
-            <Button type="link" onClick={handleRegisterClick} className="p-0">
-              {t("auth.registerNow")}
-            </Button>
-          </Space>
-        </div>
+        {/* Registration link section (hidden when opened from session expired flow) */}
+        {!isFromSessionExpired && (
+          <div className="text-center">
+            <Space>
+              <Text type="secondary">{t("auth.noAccount")}</Text>
+              <Button type="link" onClick={handleRegisterClick} className="p-0">
+                {t("auth.registerNow")}
+              </Button>
+            </Space>
+          </div>
+        )}
       </Form>
     </Modal>
   );

frontend/components/auth/sessionListeners.tsx

@@ -41,7 +41,8 @@ export function SessionListeners() {
       closable: false,
       async onOk() {
         try {
-          await logout(); // Log out first
+          // Silently logout
+          await logout({ silent: true });
         } finally {
           // Mark the source as session expired
           setIsFromSessionExpired(true);
@@ -103,13 +104,6 @@ export function SessionListeners() {
   useEffect(() => {
     // Skip in speed mode
     if (isSpeedMode) return;
-    if (typeof window !== "undefined") {
-      const localSession = localStorage.getItem("session");
-      if (!localSession) {
-        showSessionExpiredModal();
-      }
-    }
-    // Only run once on mount
   }, []);
 
   // Session status check
@@ -119,12 +113,18 @@ export function SessionListeners() {
     // Check session status on first load
     const checkSession = async () => {
       try {
+        // Capture whether there was a local session before validation
+        const hadLocalSession =
+          typeof window !== "undefined" && !!localStorage.getItem("session");
+
         // Try to get current session
         const session = await authService.getSession();
-        if (!session) {
+
+        // Only show session expired modal if a prior session existed and is now invalid
+        if (!session && hadLocalSession) {
           window.dispatchEvent(
             new CustomEvent(EVENTS.SESSION_EXPIRED, {
-              detail: { message: "登录已过期，请重新登录" },
+              detail: { message: "Session expired, please sign in again" },
             })
           );
         }

frontend/hooks/useAuth.ts

@@ -302,13 +302,17 @@ export function AuthProvider({ children }: { children: (value: AuthContextType)
     }
   }
 
-  const logout = async () => {
+  const logout = async (options?: { silent?: boolean }) => {
     try {
       setIsLoading(true)
       await authService.signOut()
       setUser(null)
-      setShouldCheckSession(false) // When logging out, disable session check
-      message.success(t('auth.logoutSuccess'))
+      // When logging out, disable session check
+      setShouldCheckSession(false)
+      // Only show message when user actively logout
+      if (!options?.silent) {
+        message.success(t("auth.logoutSuccess"))
+      }
       // Manually trigger storage event
       window.dispatchEvent(new StorageEvent("storage", { key: "session", newValue: null }))
     } catch (error: any) {

frontend/services/modelService.ts

@@ -362,7 +362,6 @@ export const modelService = {
         }
       );
       const result = await response.json();
-        await response.json();
       if (response.status === 200 && result.data) {
         return result.data.connectivity;
       }
@@ -392,6 +391,7 @@ export const modelService = {
     try {
       const response = await fetch(API_ENDPOINTS.model.verifyModelConfig, {
         method: "POST",
+        headers: getAuthHeaders(),
         body: JSON.stringify({
           model_name: config.modelName,
           model_type: config.modelType,
@@ -404,7 +404,6 @@ export const modelService = {
       });
 
       const result = await response.json();
-        await response.json();
 
       if (response.status === 200 && result.data) {
         return {

frontend/types/auth.ts

@@ -46,8 +46,13 @@ export interface AuthContextType {
   closeRegisterModal: () => void;
   setIsFromSessionExpired: (value: boolean) => void;
   login: (email: string, password: string) => Promise<void>;
-  register: (email: string, password: string, isAdmin?: boolean, inviteCode?: string) => Promise<void>;
-  logout: () => Promise<void>;
+  register: (
+    email: string,
+    password: string,
+    isAdmin?: boolean,
+    inviteCode?: string
+  ) => Promise<void>;
+  logout: (options?: { silent?: boolean }) => Promise<void>;
 }
 
 // Session response type