From 4253751ef13d4c428daf57be27230c1dd5cbe838 Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Fri, 13 Mar 2026 17:39:29 +0100 Subject: [PATCH] Redirect to login on expired/invalid auth Backend now returns 401 instead of 403 for unauthenticated requests via HttpStatusEntryPoint. UI middleware handles both 401 and 403, triggering token refresh and redirecting to /login on failure. Co-Authored-By: Claude Opus 4.6
---
 .../com/cameleer3/server/app/security/SecurityConfig.java | 6 ++++++ ui/src/api/client.ts | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/SecurityConfig.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/SecurityConfig.java
index 4a05c19d..f3e1711b 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/SecurityConfig.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/SecurityConfig.java
@@ -9,11 +9,14 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.http.HttpStatus;
+
 import java.util.List;
 /**
@@ -57,6 +60,9 @@ public class SecurityConfig {
 ).permitAll()
 .anyRequest().authenticated()
 )
+ .exceptionHandling(ex -> ex
+ .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
+ )
 .addFilterBefore(
 new JwtAuthenticationFilter(jwtService, registryService),
 UsernamePasswordAuthenticationFilter.class
diff --git a/ui/src/api/client.ts b/ui/src/api/client.ts
index bc4f3698..3e9d003c 100644
--- a/ui/src/api/client.ts
+++ b/ui/src/api/client.ts
@@ -23,7 +23,7 @@ const authMiddleware: Middleware = {
 return request;
 },
 async onResponse({ response }) {
- if (response.status === 401) {
+ if (response.status === 401 || response.status === 403) {
 onUnauthorized();
 }
 return response;
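Review bot: The added `.exceptionHandling(...)` block has no comment stating the status-code contract it establishes, and the reason for it is not obvious from the code: presumably the chain had no entry point before, in which case Spring Security falls back to `Http403ForbiddenEntryPoint` and anonymous requests got 403. I would put `// Missing or invalid credentials -> 401 (client must re-authenticate); 403 stays reserved for authenticated callers that are denied access` above the call. `HttpStatusEntryPoint` sends only the status, with no `WWW-Authenticate` challenge, which suits the bundled UI but is worth noting for other API clients. Whether `JwtAuthenticationFilter` writes its own response for a rejected token, bypassing this entry point, cannot be seen here; the enclosing bean method starts and ends outside the hunk.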
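Review bot: Treating 403 like 401 in `onResponse` conflates "not authenticated" with "authenticated but not permitted": once the backend answers missing or invalid credentials with 401, a 403 should only come from an authorization denial, which a token refresh cannot fix. Per the commit message `onUnauthorized()` refreshes the token and redirects to /login on failure (its body is not visible here), so a user who hits a forbidden resource may trigger a needless refresh on each such response or be sent to the login page instead of seeing a permission error. I would keep `if (response.status === 401) {` and let 403 reach the caller. If 403 is kept for servers that predate this change, say so with a comment such as `// 403: older backends returned this for unauthenticated requests`. The rest of `authMiddleware` lies outside the hunk.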