When the customer's JWT (30-min TTL via JWT_EXPIRE_MINUTES) expires in localStorage, subsequent API calls from a customer-area page returned 401 → callers showed an unrelated error UI (loyalty dashboard rendered the "join now" CTA because card came back null on the catch path).

Three changes in static/shared/js/api-client.js:

1. Path detection in getToken() + clearTokens() now recognises /account/* and /api/v1/storefront/* as customer-area routes (the only existing checks were for /shop/*, which was never used in this codebase). Also clears customer_user alongside customer_token.
2. New redirectIfCustomerAreaUnauthorized() helper: on a /account/* page, sends the browser to /account/login?next=<current path> (with a guard to skip the redirect when already on the login page, avoiding loops). Called from all three 401 paths (request, requestFormData, getBlob).
3. login.html now honours the ?next= query param (in addition to the legacy ?return=), so the redirect lands the user back where their session expired.

Other personas (admin/store/merchant) are unaffected — the helper is a no-op outside /account/*.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>