---
issue: 059
title: "Frontend auth provider clears tokens on any non-403 error including network failures"
severity: high
domain: Authentication
labels: [bug, frontend, session]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Frontend auth provider clears tokens on any non-403 error including network failures

**Severity:** high
**Domain:** Authentication
**Labels:** bug, frontend, session

## Description

`src/auth/context/jwt/auth-provider.tsx:85` clears tokens and logs out the user on any error from the session-check call, including transient network failures and 5xx server errors. A momentary connectivity issue or backend restart therefore silently logs out all active users.

## Options

1. Clear only on 401/403; treat 5xx and network errors as transient (keep tokens, retry).
2. Clear on 401/403 plus explicit invalid-token responses; keep tokens for everything else.
3. Add retry/backoff before deciding to clear.

## Recommendation

Clear tokens only on 401/403; on network/5xx errors keep the session and retry. Confirm acceptable retry behavior and UX with the owner.

## Affected Files

- `frontend/src/auth/context/jwt/auth-provider.tsx:85`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-12
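The following is an added illustration of the behaviour described in the Description and the fix proposed in the Recommendation; it is not code from `auth-provider.tsx` or from the audited project. It models the session check as an injected async function whose rejection carries an HTTP `status` when the server answered and no `status` when the request never completed (a network failure). The "before" handler clears tokens on any rejection; the "after" handler clears them only on 401/403 and retries transient errors with bounded exponential backoff, keeping the session if retries are exhausted. All names (`TokenStore`, `SessionCheckError`, `checkSessionBefore`, `checkSessionAfter`, `flakyCheck`) and the sample outage are constructed for the example.

```typescript
// Error shape assumed for the session-check call (hypothetical): `status` is
// the HTTP status when the server answered, undefined for network failures.
export interface SessionCheckError {
  status?: number;
  message?: string;
}

export type SessionOutcome = "valid" | "invalid" | "transient";

// Minimal in-memory token store standing in for the app's real one (hypothetical).
export class TokenStore {
  accessToken: string | null;
  constructor(token: string | null = "constructed-access-token") {
    this.accessToken = token;
  }
  clear(): void {
    this.accessToken = null;
  }
  get isLoggedIn(): boolean {
    return this.accessToken !== null;
  }
}

// "Before": the pattern the audit flags. Any rejection, including a request that
// failed because the backend was restarting, ends the session.
export async function checkSessionBefore(check: () => Promise<void>, store: TokenStore): Promise<void> {
  try {
    await check();
  } catch {
    store.clear();
  }
}

// Only an explicit auth failure proves the token is bad. A missing status
// (network error), a 5xx or anything else says nothing about the token.
export function classifySessionError(err: unknown): "invalid" | "transient" {
  const status = (err as SessionCheckError | null | undefined)?.status;
  return status === 401 || status === 403 ? "invalid" : "transient";
}

// "After": tokens are cleared only when the server explicitly rejects them;
// transient errors get a bounded retry with exponential backoff.
export async function checkSessionAfter(
  check: () => Promise<void>,
  store: TokenStore,
  opts: { maxAttempts?: number; baseDelayMs?: number; sleep?: (ms: number) => Promise<void> } = {},
): Promise<SessionOutcome> {
  const maxAttempts = opts.maxAttempts ?? 3;
  const baseDelayMs = opts.baseDelayMs ?? 500;
  const sleep = opts.sleep ?? ((ms: number) => new Promise<void>((resolve) => setTimeout(resolve, ms)));
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      await check();
      return "valid";
    } catch (err) {
      if (classifySessionError(err) === "invalid") {
        store.clear();
        return "invalid";
      }
      if (attempt < maxAttempts) await sleep(baseDelayMs * 2 ** (attempt - 1));
    }
  }
  // Retries exhausted: keep the tokens and let the UI show an "unreachable"
  // state rather than logging the user out.
  return "transient";
}

// Constructed session-check stub: rejects with `err` for the first `failures`
// calls, then resolves.
export function flakyCheck(err: SessionCheckError, failures: number): () => Promise<void> {
  let calls = 0;
  return async () => {
    calls += 1;
    if (calls <= failures) throw err;
  };
}

// Demo: one momentary network outage under both handlers.
export async function demo(): Promise<{ before: boolean; after: boolean }> {
  const outage: SessionCheckError = { message: "fetch failed" }; // no status: network error
  const noWait = async (_ms: number): Promise<void> => {};
  const storeBefore = new TokenStore();
  await checkSessionBefore(flakyCheck(outage, 1), storeBefore);
  const storeAfter = new TokenStore();
  await checkSessionAfter(flakyCheck(outage, 1), storeAfter, { sleep: noWait });
  return { before: storeBefore.isLoggedIn, after: storeAfter.isLoggedIn }; // { before: false, after: true }
}
```

Injecting `sleep` keeps the retry loop testable without real delays; in the provider the default `setTimeout`-based sleep applies. Note that the retry only decides whether to keep or clear tokens; it should not itself re-issue the login flow.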