Problem
A support admin loaded the Support Admin page, used it successfully, then returned to it later and attempted a user lookup. Instead of being redirected to the login page, the UI displayed the raw API error:
Missing authentication - expected UCAN Bearer token or keycast_session cookie
The page still showed the "Support Admin" badge and search form, giving no indication the session had expired.
Root cause
The onMount check in +page.svelte correctly redirects to /login when GET /admin/status fails. But this only runs on initial page load. Once the page is rendered, there is no 401 interceptor in the KeycastApi client. Subsequent API calls (search, claim token generation) handle errors independently and surface raw server messages instead of redirecting.
The keycast_session cookie has Max-Age=86400 (24 hours). If the cookie expires while the tab is open, the user sees a confusing auth error rather than a login redirect.
Suggested fix
Add a global 401 handler in KeycastApi.request() (web/src/lib/keycast_api.svelte.ts). Before the generic error path, check response.status === 401 and redirect to /login?redirect=<current_path>. This covers session expiry on any page that uses the API client, not just support-admin.
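An added sketch of the handler suggested above, not code from the project's KeycastApi client. The function names, the injected fetcher and navigate parameters, and the /support-admin path are hypothetical; it also validates the redirect parameter on the login side, because /login?redirect=<current_path> must only ever send the user back to a same-origin path.

```typescript
// Added example; all names here are hypothetical, not the project's KeycastApi.
type MinimalResponse = { status: number; ok: boolean; json(): Promise<unknown> };
type Fetcher = (path: string) => Promise<MinimalResponse>;

// Build the login URL for an expired session, or null when the user is
// already on /login (a 401 there must not trigger a redirect loop).
function loginUrlFor(currentPath: string): string | null {
  if (currentPath === "/login" || currentPath.startsWith("/login?")) return null;
  return "/login?redirect=" + encodeURIComponent(currentPath);
}

// Login-page side: accept only a same-origin path from ?redirect=, so the
// parameter cannot send a freshly authenticated user to another origin.
function safeReturnPath(raw: string | null): string {
  if (!raw || !raw.startsWith("/") || raw.startsWith("//") || raw.includes("\\")) {
    return "/";
  }
  return raw;
}

// Central request path: the 401 check runs before the generic error path, so
// callers (search, claim token generation) never see the raw auth message.
async function request(
  fetcher: Fetcher,
  apiPath: string,
  currentPath: string,
  navigate: (url: string) => void,
): Promise<unknown> {
  const response = await fetcher(apiPath);
  if (response.status === 401) {
    const target = loginUrlFor(currentPath);
    if (target !== null) navigate(target);
    throw new Error("Session expired");
  }
  if (!response.ok) throw new Error(`Request failed (${response.status})`);
  return response.json();
}
```

In the browser, currentPath would be location.pathname + location.search and navigate would call window.location.assign; they are injected here so the logic can be exercised without a DOM.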