vikingowl
c6cdc11693
D5 — backend cleanup: - Migration 000029 drops legacy token_hash column from sessions - JWT_SECRET renamed to APP_SECRET (fallback + deprecation warning) W3 — web session UX: - AuthData type: session_token→refresh_token, remove expires_in - cookies.ts: refresh_token cookie, non-HttpOnly access_expires_at - client.server.ts: sends X-Refresh-Token header (not JSON body) - hooks.server.ts: simplified two-path SSR refresh logic - refresh.ts: single-flight client-side refresh - client.ts: proactive refresh + 401 retry on non-auth paths - /api/auth/refresh: SvelteKit proxy for HttpOnly cookie refresh - OAuth callback, Datenschutz page updated to new cookie names