fix: handle server auth token expiry gracefully

- Store admin password in setup file for re-authentication
- Add /api/auth/save-server-credentials endpoint
- Save credentials on login for server-side auth recovery
- Redirect to login on server_auth_expired error

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: elemdos

src/lib/server/pb.ts

@@ -34,7 +34,7 @@ function getAuthConfig(): { token: string } | { email: string; password: string
 				return { token: setup.auth_token }
 			}
 
-			// Fall back to password (legacy format) - will migrate to token on success
+			// Fall back to password
 			if (setup.admin_email && setup.admin_password) {
 				return { email: setup.admin_email, password: setup.admin_password }
 			}
@@ -53,6 +53,31 @@ function getAuthConfig(): { token: string } | { email: string; password: string
 	return null
 }
 
+// Get password credentials for re-auth when token expires
+function getPasswordCredentials(): { email: string; password: string } | null {
+	// Try setup file first
+	try {
+		if (fs.existsSync(SETUP_FILE)) {
+			const data = fs.readFileSync(SETUP_FILE, 'utf-8')
+			const setup = JSON.parse(data)
+			if (setup.admin_email && setup.admin_password) {
+				return { email: setup.admin_email, password: setup.admin_password }
+			}
+		}
+	} catch {
+		// Fall through
+	}
+
+	// Try env vars
+	const email = env.POCKETBASE_ADMIN_EMAIL
+	const password = env.POCKETBASE_ADMIN_PASSWORD
+	if (email && password) {
+		return { email, password }
+	}
+
+	return null
+}
+
 export async function ensureAuth(): Promise<boolean> {
 	// If already authenticated with valid token, return true
 	if (isAuthenticated && pb.authStore.isValid) {
@@ -93,9 +118,25 @@ export async function ensureAuth(): Promise<boolean> {
 				saveRefreshedToken(pb.authStore.token)
 				return true
 			} catch {
-				// Token invalid/expired, can't refresh without password
-				console.warn('[PB] Saved token invalid, need fresh setup or env vars')
+				// Token invalid/expired - try password fallback from setup file or env vars
+				console.warn('[PB] Saved token expired, trying password fallback...')
 				pb.authStore.clear()
+
+				// Try setup file password first, then env vars
+				const creds = getPasswordCredentials()
+				if (creds) {
+					try {
+						await pb.collection('_superusers').authWithPassword(creds.email, creds.password)
+						isAuthenticated = true
+						console.log('[PB] Server re-authenticated via password (token was expired)')
+						saveRefreshedToken(pb.authStore.token)
+						return true
+					} catch (e: any) {
+						console.error('[PB] Password auth failed:', e.message || e)
+					}
+				}
+
+				console.error('[PB] Auth token expired and no password available. Re-run /setup')
 				return false
 			}
 		} else {
@@ -115,23 +156,17 @@ export async function ensureAuth(): Promise<boolean> {
 	}
 }
 
-// Save refreshed token back to setup file (and remove password if present)
+// Save refreshed token back to setup file (keeps password for re-auth fallback)
 function saveRefreshedToken(token: string): void {
 	try {
 		if (!fs.existsSync(SETUP_FILE)) return
 
 		const data = fs.readFileSync(SETUP_FILE, 'utf-8')
 		const setup = JSON.parse(data)
 
-		// Update token
+		// Update token (password stays for re-auth if token expires)
 		setup.auth_token = token
 
-		// Remove password if present (migration from legacy format)
-		if (setup.admin_password) {
-			delete setup.admin_password
-			console.log('[PB] Migrated from password to token-based auth')
-		}
-
 		fs.writeFileSync(SETUP_FILE, JSON.stringify(setup), { mode: 0o600 })
 	} catch {
 		// Silently fail - not critical

src/routes/api/auth/save-server-credentials/+server.ts

@@ -0,0 +1,60 @@
+import { json } from '@sveltejs/kit'
+import type { RequestHandler } from './$types'
+import PocketBase from 'pocketbase'
+import * as fs from 'fs/promises'
+
+const PB_URL = process.env.POCKETBASE_URL || 'http://127.0.0.1:8091'
+const SETUP_FILE = './pocketbase/pb_data/.setup_complete'
+
+/**
+ * Save server credentials after user login
+ * This allows the server to re-authenticate when tokens expire
+ */
+export const POST: RequestHandler = async ({ request }) => {
+	try {
+		const { email, password } = await request.json()
+
+		if (!email || !password) {
+			return json({ error: 'Email and password required' }, { status: 400 })
+		}
+
+		// Verify credentials work with PocketBase superusers
+		const pb = new PocketBase(PB_URL)
+		try {
+			await pb.collection('_superusers').authWithPassword(email, password)
+		} catch (e: any) {
+			// Not a superuser or wrong password - that's fine, they might just be a regular user
+			// Only superusers can save server credentials
+			return json({ ok: true, saved: false })
+		}
+
+		// Credentials are valid for superuser - save them
+		try {
+			let setup: any = {}
+
+			// Try to read existing setup file
+			try {
+				const data = await fs.readFile(SETUP_FILE, 'utf-8')
+				setup = JSON.parse(data)
+			} catch {
+				// File doesn't exist or invalid - start fresh
+			}
+
+			// Update with new credentials
+			setup.admin_email = email
+			setup.admin_password = password
+			setup.auth_token = pb.authStore.token
+			setup.timestamp = new Date().toISOString()
+
+			await fs.writeFile(SETUP_FILE, JSON.stringify(setup), { mode: 0o600 })
+
+			return json({ ok: true, saved: true })
+		} catch (e: any) {
+			console.error('[Auth] Failed to save server credentials:', e.message)
+			return json({ ok: true, saved: false })
+		}
+	} catch (e: any) {
+		console.error('[Auth] Error:', e.message)
+		return json({ error: 'Failed to process request' }, { status: 500 })
+	}
+}

src/routes/api/settings/+server.ts

@@ -59,7 +59,7 @@ export const GET: RequestHandler = async ({ url, request }) => {
 
 	// Ensure server pb client is authenticated
 	if (!await ensureAuth()) {
-		return json({ error: 'Server not configured' }, { status: 500 })
+		return json({ error: 'server_auth_expired', message: 'Server authentication expired. Please log in again.' }, { status: 503 })
 	}
 
 	try {
@@ -94,7 +94,7 @@ export const POST: RequestHandler = async ({ request }) => {
 
 	// Ensure server pb client is authenticated
 	if (!await ensureAuth()) {
-		return json({ error: 'Server not configured' }, { status: 500 })
+		return json({ error: 'server_auth_expired', message: 'Server authentication expired. Please log in again.' }, { status: 503 })
 	}
 
 	try {

src/routes/api/setup/+server.ts

@@ -156,19 +156,21 @@ export const POST: RequestHandler = async ({ request }) => {
 			}
 		}
 
-		// 7. Save auth token for server-side operations
-		// We save the token (not password) - it can be refreshed by the server
+		// 7. Save auth credentials for server-side operations
+		// We save both token (for fast auth) and password (for re-auth if token expires)
+		// File is protected with 0o600 permissions and lives in pb_data which contains the DB anyway
 		try {
 			const fs = await import("fs/promises")
 			const setup_data = JSON.stringify({
 				timestamp: new Date().toISOString(),
 				admin_email: email,
+				admin_password: password,
 				auth_token: pb.authStore.token
 			})
 			await fs.writeFile("./pocketbase/pb_data/.setup_complete", setup_data, { mode: 0o600 })
-			console.log("[Setup] Auth token saved")
+			console.log("[Setup] Auth credentials saved")
 		} catch (err: any) {
-			console.error("[Setup] Failed to save auth token:", err.message)
+			console.error("[Setup] Failed to save auth credentials:", err.message)
 			// Non-fatal
 		}
 

src/routes/login/+page.svelte

@@ -33,6 +33,15 @@
 
 		try {
 			await auth.login(email, password)
+
+			// Also save credentials for server-side auth (handles token expiry)
+			// This is fire-and-forget - don't block login on it
+			fetch("/api/auth/save-server-credentials", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({ email, password })
+			}).catch(() => {})
+
 			goto("/tinykit")
 		} catch (err: any) {
 			error = err.message || "Login failed. Please check your credentials."

src/routes/tinykit/settings/+page.svelte

@@ -1,5 +1,6 @@
 <script lang="ts">
 	import { onMount } from "svelte";
+	import { goto } from "$app/navigation";
 	import {
 		ArrowLeft,
 		Loader2,
@@ -14,6 +15,15 @@
 	import { get_saved_theme, apply_builder_theme } from "$lib/builder_themes";
 	import { pb } from "$lib/pocketbase.svelte";
 
+	// Handle server auth expiry - redirect to login
+	function handle_api_error(data: any, status: number): boolean {
+		if (status === 503 && data.error === "server_auth_expired") {
+			goto("/login")
+			return true
+		}
+		return false
+	}
+
 	interface LLMConfig {
 		provider: string;
 		api_key: string;
@@ -106,6 +116,7 @@
 				},
 			});
 			const data = await res.json();
+			if (handle_api_error(data, res.status)) return;
 			if (data.value) {
 				// Store masked key separately, clear the input field
 				masked_api_key = data.value.api_key || "";
@@ -150,6 +161,7 @@
 			});
 
 			const data = await res.json();
+			if (handle_api_error(data, res.status)) return;
 			if (!res.ok) {
 				throw new Error(data.error || "Failed to save settings");
 			}