fix(web): recover session when tokenMeta expires before refresh token #31

Merged
Rowee13 merged 1 commit into main from fix/auth-session-recovery
Apr 15, 2026
Conversation

Owner

@Rowee13 Rowee13 commented Apr 15, 2026

checkAuth() bailed whenever the 24h tokenMeta cookie was absent, even though the 30d refresh cookie (path=/api/auth) was still valid. Users who closed the tab for more than 24 hours saw a login screen despite having a good refresh token.

Now tries /api/auth/refresh first when tokenMeta is missing, and again on a 401 from /me, before concluding the user is logged out.

Description

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Performance improvement
  • Test coverage improvement

Related Issues

Closes #

Changes Made

Screenshots (if applicable)

Testing

  • All existing tests pass
  • Added new tests for the changes
  • Tested locally

Checklist

  • My code follows the project's code style
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published

Additional Notes

checkAuth() bailed whenever the 24h tokenMeta cookie was absent, even
though the 30d refresh cookie (path=/api/auth) was still valid. Users
who closed the tab for more than 24 hours saw a login screen despite
having a good refresh token.

Now tries /api/auth/refresh first when tokenMeta is missing, and again
on a 401 from /me, before concluding the user is logged out.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Rowee13 Rowee13 merged commit b95cd5d into main Apr 15, 2026
5 checks passed
@Rowee13 Rowee13 deleted the fix/auth-session-recovery branch April 15, 2026 07:02
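
The recovery order described in this pull request, as an added example that is not the repository's code: refresh first when tokenMeta is absent, retry /me once after a 401, and never refresh more than once per check. Only the tokenMeta cookie name and the /api/auth/refresh and /me paths come from the PR text; the function signature, the injected `fetchImpl` and `hasTokenMeta`, the POST method and the in-memory fake server are assumptions.

```javascript
// Added example. Hypothetical signature: dependencies are injected so the
// flow can be exercised offline against a constructed fake server.
async function checkAuth({ fetchImpl, hasTokenMeta }) {
  // At most one refresh per check, so an expired or revoked refresh token
  // cannot produce a refresh/401 loop.
  let refreshed = false;
  const tryRefresh = async () => {
    if (refreshed) return false;
    refreshed = true;
    // POST is an assumption; the PR only names the path.
    const r = await fetchImpl("/api/auth/refresh", { method: "POST", credentials: "include" });
    return r.ok;
  };

  // tokenMeta (24h) is gone, but the refresh cookie (30d, path=/api/auth)
  // may still be valid: ask the server instead of assuming logged out.
  if (!hasTokenMeta() && !(await tryRefresh())) return { authenticated: false };

  let me = await fetchImpl("/me", { credentials: "include" });
  if (me.status === 401 && (await tryRefresh())) {
    me = await fetchImpl("/me", { credentials: "include" });
  }
  return me.ok ? { authenticated: true, user: await me.json() } : { authenticated: false };
}

// Constructed in-memory stand-in for the server; records the request order.
function makeFakeServer({ refreshValid, accessValid }) {
  const calls = [];
  const state = { accessValid };
  const fetchImpl = async (url) => {
    calls.push(url);
    if (url === "/api/auth/refresh") {
      if (refreshValid) state.accessValid = true; // refresh issues a new access token
      return { ok: refreshValid, status: refreshValid ? 200 : 401 };
    }
    return state.accessValid
      ? { ok: true, status: 200, json: async () => ({ id: 1 }) }
      : { ok: false, status: 401 };
  };
  return { fetchImpl, calls };
}
```

The refresh call is the only request that carries the long-lived credential, so the server's decision on it stays the single authority for whether the session survives.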