From c9ffcedceb31eb78cd53fbc18e8aafaa098f92c7 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Sat, 3 Jan 2026 06:47:20 -0300
Subject: [PATCH] fix(auth): refresh token before API calls

---
 .gitignore           | 4 ++++
 frontend/src/auth.js | 8 ++++++++
 2 files changed, 12 insertions(+)

diff --git a/.gitignore b/.gitignore
index 84d64a6..68886d5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,7 @@ frontend/dist/
 .coverage
 docs/*.md
 AGENTS.md
+
+# Local-only wallpapers (do not commit)
+media/atlas_bg.jpg
+media/titan-iac-bg.png
diff --git a/frontend/src/auth.js b/frontend/src/auth.js
index ec4b204..27bcd76 100644
--- a/frontend/src/auth.js
+++ b/frontend/src/auth.js
@@ -105,6 +105,14 @@ export async function logout() {
 
 export async function authFetch(url, options = {}) {
   const headers = new Headers(options.headers || {});
+  if (keycloak?.authenticated) {
+    try {
+      await keycloak.updateToken(30);
+      updateFromToken();
+    } catch {
+      // ignore refresh failures; the API will return 401 and the UI can prompt for login
+    }
+  }
   if (auth.token) headers.set("Authorization", `Bearer ${auth.token}`);
   return fetch(url, { ...options, headers });
 }