From 65c8bf332f4c608f89f26369ba4dee16590a319b Mon Sep 17 00:00:00 2001
From: enzo
Date: Sat, 21 Mar 2026 16:50:52 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20access=5Ftoken=20(pas=20token)=20dans=20?= =?UTF-8?q?la=20r=C3=A9ponse=20login/refresh?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Le backend retourne { access_token: "...", user: {...} } pas { token: "..." }. Le store Alpine lisait data.token → undefined → stockait "undefined" en localStorage → toutes les requêtes API échouaient avec 401. Corrigé dans login() et tryRefresh(). Ajout d'un guard synchrone immédiat (pas de token → redirect login sans attendre fetchMe).
Co-Authored-By: Claude Sonnet 4.6
---
 frontend/js/app.js | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/frontend/js/app.js b/frontend/js/app.js
index 7d20138..408bc3c 100644
--- a/frontend/js/app.js
+++ b/frontend/js/app.js
@@ -53,8 +53,9 @@ document.addEventListener('alpine:init', () => {
 const res = await fetch('/api/auth/refresh', { method: 'POST', credentials: 'include' })
 if (res.ok) {
 const data = await res.json()
- this.token = data.token
- localStorage.setItem('pxp_token', data.token)
+ // Le backend retourne "access_token" (pas "token")
+ this.token = data.access_token
+ localStorage.setItem('pxp_token', data.access_token)
 await this.fetchMe()
 } else {
 this.clear()
@@ -73,9 +74,10 @@ document.addEventListener('alpine:init', () => {
 throw new Error(err.error || 'Identifiants invalides')
 }
 const data = await res.json()
- this.token = data.token
+ // Le backend retourne "access_token" (pas "token")
+ this.token = data.access_token
 this.user = data.user
- localStorage.setItem('pxp_token', data.token)
+ localStorage.setItem('pxp_token', data.access_token)
 },
 async logout() {
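Review bot: `data.access_token` is assigned to `this.token` and written to localStorage without checking that it is a non-empty string, so the failure described in the commit message (an `undefined` value persisted as the string "undefined", then 401 on every request) comes back as soon as the field is missing or renamed again. In the `res.ok` branch of tryRefresh, guard before the assignment, e.g. `if (typeof data.access_token !== 'string' || !data.access_token) { this.clear(); return }`; the same check is missing in login() in the second hunk (`@@ -73,9 +74,10 @@`), where throwing an `Error` would fit the existing error path. Both function bodies start and end outside the hunks, so whether `clear()` also removes `pxp_token` from localStorage should be confirmed.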
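Review bot: In login(), `localStorage.setItem('pxp_token', data.access_token)` leaves the bearer token readable by any script that runs on this origin, so a single XSS or a compromised third-party script is enough to copy it out. tryRefresh in the first hunk already obtains a token through a cookie-backed call (`credentials: 'include'`), so the access token could presumably live only in `this.token` and be re-fetched on page load, with the page guard reading `Alpine.store('auth').token` instead of localStorage. If persistence is intentional, a comment beside the `setItem` call should say why it is needed and how long the token stays valid. login() starts and ends outside the hunk.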
@@ -640,15 +642,13 @@ document.addEventListener('DOMContentLoaded', async () => {
 await Alpine.store('auth').init()
 Alpine.store('ui').init()
- // Guard auth : redirect si non authentifié
 const publicPages = ['login', 'install', 'index', '']
 const currentPage = window.location.pathname.replace(/^\/|\.html$/g, '') || 'index'
- if (!publicPages.includes(currentPage)) {
- if (!Alpine.store('auth').isAuthenticated) {
- window.location.href = '/login.html'
- return
- }
+ // Guard rapide (synchrone) : si pas de token du tout, redirect immédiat
+ if (!publicPages.includes(currentPage) && !localStorage.getItem('pxp_token')) {
+ window.location.href = '/login.html'
+ return
 }
 // Redirect depuis index
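Review bot: The new guard only tests that `pxp_token` exists in localStorage, and the removed `Alpine.store('auth').isAuthenticated` check is not replaced, so an expired token, or the literal "undefined" left in storage by the bug this commit fixes, lets a protected page load unless `init()` happens to clear the key (not visible here). The guard also still sits after `await Alpine.store('auth').init()`, so it does not run any earlier than the old one despite the "immédiat" comment. Keep both conditions: `if (!publicPages.includes(currentPage) && (!localStorage.getItem('pxp_token') || !Alpine.store('auth').isAuthenticated)) {`. This is a navigation guard only; the API's own 401 responses remain the actual access control. The DOMContentLoaded handler continues outside the hunk.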