fix: suppress expired-token log noise and redirect expired sessions to login (#241)

## Summary

- **Server**: `authMiddleware` no longer calls `logger.error` for expired tokens — expiry is expected behaviour, not an error. Only tampered signatures and malformed tokens (genuinely suspicious) still log.
- **Client**: `fetchJson` now handles 401 responses by clearing `elysium_token` and `elysium_save_signature` from localStorage and redirecting to `/`. Players whose 30-day token has expired will see the login page instead of a stuck "Invalid or expired token" error screen with no recovery path.

Closes #241

✨ This PR was created with help from Hikari~ 🌸

Reviewed-on: #241
Co-authored-by: Hikari <hikari@nhcarrigan.com>
Co-committed-by: Hikari <hikari@nhcarrigan.com>

apps/api/src/middleware/auth.ts

@@ -35,12 +35,16 @@ export const authMiddleware: MiddlewareHandler<HonoEnvironment> = async(
     const payload = verifyToken(token);
     context.set("discordId", payload.discordId);
   } catch (error) {
+    const isExpiredToken
+      = error instanceof Error && error.message === "Token has expired";
+    if (!isExpiredToken) {
       void logger.error(
         "auth_middleware",
         error instanceof Error
           ? error
           : new Error(String(error)),
       );
+    }
     return context.json({ error: "Invalid or expired token" }, 401);
   }
 

apps/api/test/middleware/auth.spec.ts

@@ -6,18 +6,26 @@ vi.mock("../../src/services/jwt.js", () => ({
   verifyToken: vi.fn(),
 }));
 
+vi.mock("../../src/services/logger.js", () => ({
+  logger: {
+    error: vi.fn().mockResolvedValue(undefined),
+  },
+}));
+
 describe("authMiddleware", () => {
   beforeEach(() => {
     vi.resetModules();
+    vi.clearAllMocks();
   });
 
   const makeApp = async () => {
     const { authMiddleware } = await import("../../src/middleware/auth.js");
     const { verifyToken } = await import("../../src/services/jwt.js");
+    const { logger } = await import("../../src/services/logger.js");
     const app = new Hono<{ Variables: { discordId: string } }>();
     app.use("*", authMiddleware);
     app.get("/test", (c) => c.json({ discordId: c.get("discordId") }));
-    return { app, verifyToken };
+    return { app, logger, verifyToken };
   };
 
   it("returns 401 when Authorization header is missing", async () => {
@@ -45,8 +53,8 @@ describe("authMiddleware", () => {
     expect(body.discordId).toBe("user_123");
   });
 
-  it("returns 401 when verifyToken throws", async () => {
-    const { app, verifyToken } = await makeApp();
+  it("returns 401 and logs when verifyToken throws a non-expiry error", async () => {
+    const { app, logger, verifyToken } = await makeApp();
     vi.mocked(verifyToken).mockImplementationOnce(() => {
       throw new Error("Invalid token");
     });
@@ -54,10 +62,15 @@ describe("authMiddleware", () => {
       headers: { Authorization: "Bearer bad_token" },
     }));
     expect(res.status).toBe(401);
+    /* eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- logger mock requires cast */
+    expect((logger.error as ReturnType<typeof vi.fn>)).toHaveBeenCalledWith(
+      "auth_middleware",
+      expect.any(Error),
+    );
   });
 
-  it("returns 401 when verifyToken throws a non-Error value", async () => {
-    const { app, verifyToken } = await makeApp();
+  it("returns 401 and logs when verifyToken throws a non-Error value", async () => {
+    const { app, logger, verifyToken } = await makeApp();
     vi.mocked(verifyToken).mockImplementationOnce(() => {
       throw "raw string error";
     });
@@ -65,5 +78,23 @@ describe("authMiddleware", () => {
       headers: { Authorization: "Bearer bad_token" },
     }));
     expect(res.status).toBe(401);
+    /* eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- logger mock requires cast */
+    expect((logger.error as ReturnType<typeof vi.fn>)).toHaveBeenCalledWith(
+      "auth_middleware",
+      expect.any(Error),
+    );
+  });
+
+  it("returns 401 without logging when token has expired", async () => {
+    const { app, logger, verifyToken } = await makeApp();
+    vi.mocked(verifyToken).mockImplementationOnce(() => {
+      throw new Error("Token has expired");
+    });
+    const res = await app.fetch(new Request("http://localhost/test", {
+      headers: { Authorization: "Bearer expired_token" },
+    }));
+    expect(res.status).toBe(401);
+    /* eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- logger mock requires cast */
+    expect((logger.error as ReturnType<typeof vi.fn>)).not.toHaveBeenCalled();
   });
 });

apps/web/src/api/client.ts

@@ -92,6 +92,11 @@ const fetchJson = async <T>(
       = typeof errorBody.error === "string"
         ? errorBody.error
         : "Unknown error";
+    if (response.status === 401) {
+      globalThis.localStorage.removeItem("elysium_token");
+      globalThis.localStorage.removeItem("elysium_save_signature");
+      globalThis.location.href = "/";
+    }
     if (response.status >= 400 && response.status < 500) {
       throw new ValidationError(message, response.status);
     }