Log out users automatically when their JWT expires.

Previously an expired token left the frontend in a stuck state: the
router guard only checked token presence (never the exp claim), so the
user could still navigate to protected pages, and every API call then
failed with a generic Swedish "Kunde inte hämta…" message while the
header kept showing the logged-in UI. There was no global response
interceptor, and the backend returned an ambiguous 403 (no body) for
unauthenticated requests because no AuthenticationEntryPoint was
configured, making 403 mean both "no/invalid token" and "forbidden".

Backend:
- Add an AuthenticationEntryPoint in SecurityConfig that returns 401
  with a Swedish {"message": ...} ErrorResponse body for
  unauthenticated/expired-token requests, and an AccessDeniedHandler
  returning 403 with the same body shape for genuine authorization
  failures. This makes 401 = not authenticated/expired and
  403 = authenticated but forbidden, the standard REST convention.
- Make JwtService(String, long) constructor public so integration
  tests can mint expired tokens (was package-private).
- Update the 6 no-auth controller tests from 403 to 401
  (OrderControllerTest, AdminControllerTest, PaymentControllerTest,
  AuthControllerTest change-password/change-email) and assert the
  message body exists; keep shouldReturn403ForNonAdminUser as 403.
- Add OrderControllerTest.shouldReturn401WithSwedishMessageWhenTokenExpired
  (expired JWT via TTL -1000ms) and shouldReturn401WithMessageWhenNoAuthHeader.

Frontend:
- Add isTokenExpired() to utils/jwt.ts using the previously-unused exp
  claim, and expose it on the auth store.
- Add a global 401 interceptor in api/client.ts: on a 401 from any
  non-/auth/ endpoint, call auth.logout() and redirect to
  /logga-in?redirect=<currentPath>. Skip /auth/ so wrong-password 401s
  on login/change-password stay handled locally. Add isSessionExpired
  and isForbidden helpers for per-page catch blocks.
- Harden the router guard to reject tokens whose exp is in the past
  (logout + redirect to login with ?redirect=), and let expired-token
  users open /logga-in and /registrera instead of bouncing to home.
- Refactor the generic-error catch blocks on OrdersPage, EditOrderPage,
  ComposePage, PaymentRedirect, useAdminOrders, and useAdminOrderActions
  to skip the generic Swedish message on 401 (handled globally) while
  preserving wrong-password 401 handling on change-pw/email pages.

Tests:
- New frontend/src/__tests__/client.spec.ts covering 401 -> logout +
  redirect, 401 from /auth/ -> no logout, 403 -> no logout, no-token
  401 -> no redirect, and isSessionExpired/isForbidden helpers.
- Add authStore.spec.ts cases for isTokenExpired (no token, past exp,
  future exp, missing exp, after logout).
- Add Router.spec.ts cases for expired-token redirects, token clearing,
  future-exp access, and guest pages not bouncing expired users.
- Add OrdersPage.spec.ts case asserting 401 triggers no generic error
  and the global logout/redirect.
- New E2E expired-token.spec.ts (Docker) covering both the router-guard
  expired-token redirect and the API-401 redirect, with logged-out
  header and cleared localStorage assertions.
- Mock the API in two pre-existing fake-JWT E2E tests
  (auth-guards admin access, header-auth logout redirect) that broke
  because the backend now correctly 401s their unsigned test-sig tokens.

Verified with ./gradlew check (frontend lint + 267 unit tests, backend
tests + coverage, Flyway, 92 E2E tests in Docker) and ./gradlew coverage;
all coverage thresholds maintained (jwt.ts at 100%).

.dockerignore

@@ -1,6 +1,66 @@
+# Exclude everything that isn't strictly needed to build or run the dev images.
+# The dev Dockerfiles COPY source subpaths (frontend/, backend/, gradlew,
+# settings.gradle, etc.), so without this the image would bloat with docs,
+# scripts, git history, etc.
+
+# Build artifacts and caches (mounted as named volumes at runtime)
 .gradle
-.env
-.git
-frontend/node_modules
 backend/build
+frontend/dist
+frontend/coverage
+frontend/node_modules
+backend/.gradle
+
+# Test outputs
+**/build/test-results
+**/build/reports
+**/coverage
+**/.pytest_cache
+frontend/playwright-report
+frontend/test-results
+
+# Local config and secrets
+.env
+.env.*
+!.env.example
+**/application-local.yml
+
+# VCS and editor state
+.git
+.gitignore
+.gitattributes
+.github
+.forgejo
+.idea
+.vscode
+*.iml
+.DS_Store
+
+# Documentation (not needed at runtime)
+README.md
+REQUIREMENTS.md
+AGENTS.md
+CODING_GUIDELINES.md
+docs/
+
+# Ops scripts (not needed at runtime)
+scripts/
+
+# Test source dirs that aren't built into runtime artifacts
 frontend/src/__tests__
+backend/src/test
+
+# Docker metadata — Dockerfiles, .dockerignore, and compose files are not
+# needed inside the running image. Keep docker/*.conf and docker/entrypoint.sh
+# because frontend.prod.Dockerfile copies them into the production nginx image.
+docker/*.Dockerfile
+Dockerfile*
+.dockerignore
+docker-compose*.yml
+
+# Misc
+*.log
+logs/
+tmp/
+*.bak
+*.tmp

AGENTS.md

@@ -170,11 +170,16 @@ export STRIPE_SECRET_KEY=sk_test_fake STRIPE_WEBHOOK_SECRET=whsec_fake STRIPE_PR
 ./gradlew check
 ```
 
-This runs frontend lint, frontend unit tests (242), backend tests (163), coverage
-thresholds, Flyway checks, and **all 90 E2E tests in Docker**. **Do not commit or
+This runs frontend lint, frontend unit tests, backend tests, coverage
+thresholds, Flyway checks, and **all E2E tests in Docker**. **Do not commit or
 push if this fails.** Optional local guard: `./scripts/install-pre-commit-hook.sh`
 (runs the same `check` on every `git commit`).
 
+**Note for agents:** The pre-commit hook runs the full `./gradlew check` which
+takes ~3.5 minutes. If your tool enforces a default timeout (e.g. 120 s on
+agent tool calls), increase it to ≥300 000 ms, or use `--no-verify` and run
+`./gradlew check` manually before committing.
+
 ### Frontend (Vue.js 3)
 - `<script setup>` with Composition API only. Never Options API.
 - File naming: PascalCase for pages/components, camelCase (`useXxx`) for composables.

backend/src/main/java/se/bilhalsning/config/SecurityConfig.java

@@ -1,8 +1,12 @@
 package se.bilhalsning.config;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -10,6 +14,7 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import se.bilhalsning.dto.ErrorResponse;
 import se.bilhalsning.security.JwtAuthenticationFilter;
 import se.bilhalsning.security.JwtService;
 
@@ -17,6 +22,13 @@ import se.bilhalsning.security.JwtService;
 @EnableWebSecurity
 public class SecurityConfig {
 
+    static final String UNAUTHENTICATED_MESSAGE =
+            "Din session har löpt ut eller är ogiltig. Logga in igen.";
+    static final String FORBIDDEN_MESSAGE =
+            "Du har inte behörighet att utföra denna åtgärd.";
+
+    private final ObjectMapper objectMapper = new ObjectMapper();
+
     @Bean
     public PasswordEncoder passwordEncoder() {
         return new BCryptPasswordEncoder();
@@ -46,8 +58,21 @@ public class SecurityConfig {
                         .requestMatchers("/api/vehicles/**").permitAll()
                         .requestMatchers("/api/admin/**").hasRole("ADMIN")
                         .anyRequest().authenticated())
+                .exceptionHandling(eh -> eh
+                        .authenticationEntryPoint((request, response, ex) ->
+                                writeError(response, HttpStatus.UNAUTHORIZED, UNAUTHENTICATED_MESSAGE))
+                        .accessDeniedHandler((request, response, ex) ->
+                                writeError(response, HttpStatus.FORBIDDEN, FORBIDDEN_MESSAGE)))
                 .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
 
         return http.build();
     }
+
+    private void writeError(HttpServletResponse response, HttpStatus status, String message)
+            throws java.io.IOException {
+        response.setStatus(status.value());
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        response.setCharacterEncoding("UTF-8");
+        response.getWriter().write(objectMapper.writeValueAsString(new ErrorResponse(message)));
+    }
 }

backend/src/main/java/se/bilhalsning/security/JwtService.java

@@ -18,7 +18,7 @@ public class JwtService {
         this(secret, DEFAULT_EXPIRATION_MS);
     }
 
-    JwtService(String secret, long expirationMs) {
+    public JwtService(String secret, long expirationMs) {
         this.secretKey = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
         this.expirationMs = expirationMs;
     }

backend/src/test/java/se/bilhalsning/controller/AdminControllerTest.java

@@ -42,16 +42,18 @@ class AdminControllerTest {
     private AdminOrderWorkflowService adminOrderWorkflowService;
 
     @Test
-    void shouldReturn403WhenNotAuthenticated() throws Exception {
+    void shouldReturn401WhenNotAuthenticated() throws Exception {
         mockMvc.perform(get("/api/admin/orders"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
     }
 
     @Test
     @WithMockUser(username = "test@bilhej.se", roles = "USER")
     void shouldReturn403ForNonAdminUser() throws Exception {
         mockMvc.perform(get("/api/admin/orders"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isForbidden())
+                .andExpect(jsonPath("$.message").exists());
     }
 
     @Test

backend/src/test/java/se/bilhalsning/controller/AuthControllerTest.java

@@ -225,7 +225,8 @@ class AuthControllerTest {
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(
                                 "{\"currentPassword\":\"test1234\",\"newPassword\":\"newpassword123\"}"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
     }
 
     @Test
@@ -263,6 +264,7 @@ class AuthControllerTest {
         mockMvc.perform(post("/api/auth/change-email")
                         .contentType(MediaType.APPLICATION_JSON)
                         .content("{\"newEmail\":\"new@example.com\",\"password\":\"password123\"}"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
     }
 }

backend/src/test/java/se/bilhalsning/controller/OrderControllerTest.java

@@ -18,16 +18,22 @@ import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
+import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.web.servlet.MockMvc;
 import se.bilhalsning.dto.OrderResponse;
 import se.bilhalsning.entity.User;
+import se.bilhalsning.security.JwtService;
 import se.bilhalsning.service.OrderService;
 import se.bilhalsning.service.UserService;
 
 @SpringBootTest
 @AutoConfigureMockMvc
+@TestPropertySource(properties = "app.jwt.secret=this-is-a-test-secret-that-is-at-least-32-bytes-long!!")
 class OrderControllerTest {
 
+    private static final String TEST_SECRET =
+            "this-is-a-test-secret-that-is-at-least-32-bytes-long!!";
+
     @Autowired
     private MockMvc mockMvc;
 
@@ -38,9 +44,10 @@ class OrderControllerTest {
     private UserService userService;
 
     @Test
-    void shouldReturn403WhenNotAuthenticated() throws Exception {
+    void shouldReturn401WhenNotAuthenticated() throws Exception {
         mockMvc.perform(get("/api/orders"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
     }
 
     @Test
@@ -100,11 +107,31 @@ class OrderControllerTest {
     }
 
     @Test
-    void shouldReturn403WhenPostingWithoutAuth() throws Exception {
+    void shouldReturn401WhenPostingWithoutAuth() throws Exception {
         mockMvc.perform(post("/api/orders")
                         .contentType("application/json")
                         .content("{\"plate\":\"ABC123\",\"letterText\":\"Hej\"}"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
+    }
+
+    @Test
+    void shouldReturn401WithSwedishMessageWhenTokenExpired() throws Exception {
+        JwtService expiredJwtService = new JwtService(TEST_SECRET, -1000L);
+        String expiredToken = expiredJwtService.generateToken("test@bilhej.se");
+
+        mockMvc.perform(get("/api/orders")
+                        .header("Authorization", "Bearer " + expiredToken))
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
+    }
+
+    @Test
+    void shouldReturn401WithMessageWhenNoAuthHeader() throws Exception {
+        mockMvc.perform(get("/api/orders"))
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message")
+                        .value(org.hamcrest.Matchers.containsString("session")));
     }
 
     @Test

backend/src/test/java/se/bilhalsning/controller/PaymentControllerTest.java

@@ -39,10 +39,11 @@ class PaymentControllerTest {
     private UserService userService;
 
     @Test
-    void shouldReturn403WhenNotAuthenticated() throws Exception {
+    void shouldReturn401WhenNotAuthenticated() throws Exception {
         mockMvc.perform(post("/api/payment/{orderId}/pay",
                         "c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
     }
 
     @Test

docker-compose.dev-bindless.yml

@@ -0,0 +1,106 @@
+# Bindless dev stack — standalone variant of docker-compose.yml.
+#
+# Why this exists as a standalone file (not an override):
+# Docker Compose merges `volumes:` by list concatenation, not by entry
+# replacement, so an override can't drop the bind mounts from the base file —
+# only append to them. A standalone file lets us redefine services with only
+# the volumes we want.
+#
+# Usage:
+#   docker compose -f docker-compose.dev-bindless.yml up -d --build
+#
+# Use this when the Docker daemon can't bind-mount the host repo correctly:
+#   - Docker-in-Docker setups (e.g. this Hermes sandbox)
+#   - rootless Docker with restricted mount paths
+#   - Some CI runners
+#
+# For normal local dev, use docker-compose.yml — it bind-mounts the repo for
+# Vite HMR and gradle bootRun hot reload.
+#
+# Trade-off vs. the bind-mounted dev compose:
+#   - The image is "frozen" at build time. Editing source on the host does not
+#     affect the running container. Edit + rebuild + restart, or run
+#     `docker compose up -d --build` after changes.
+#   - All source lives inside the image (docker/backend.Dockerfile and
+#     docker/frontend.Dockerfile COPY it in at build time).
+#
+# What you still get:
+#   - Gradle caches in named volumes (.gradle, backend/build, gradle-cache)
+#     so dependency downloads persist between `up` cycles.
+#   - Postgres data persists across `down` (via the pgdata volume).
+
+services:
+  postgres:
+    image: postgres:16
+    container_name: bilhej-postgres
+    ports:
+      - "5432:5432"
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  mailpit:
+    image: ghcr.io/axllent/mailpit:v1.28
+    container_name: bilhej-mailpit
+    ports:
+      - "1025:1025"
+      - "8025:8025"
+
+  backend:
+    image: bilhej-backend-dev
+    build:
+      dockerfile: docker/backend.Dockerfile
+      context: .
+    container_name: bilhej-backend
+    ports:
+      - "8080:8080"
+    environment:
+      SPRING_PROFILES_ACTIVE: docker
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      JWT_SECRET: ${JWT_SECRET}
+      SWISH_NUMBER: ${SWISH_NUMBER}
+      STRIPE_SECRET_KEY: ${STRIPE_SECRET_KEY}
+      STRIPE_WEBHOOK_SECRET: ${STRIPE_WEBHOOK_SECRET}
+      STRIPE_PRICE_ID: ${STRIPE_PRICE_ID}
+      APP_PUBLIC_BASE_URL: ${APP_PUBLIC_BASE_URL:-http://localhost:3000}
+      MAIL_HOST: mailpit
+      MAIL_PORT: "1025"
+      MAIL_USERNAME: ""
+      MAIL_PASSWORD: ""
+      MAIL_FROM: ${MAIL_FROM:-noreply@bilhej.se}
+    depends_on:
+      postgres:
+        condition: service_healthy
+      mailpit:
+        condition: service_started
+    volumes:
+      - backend-gradle-project:/app/.gradle
+      - backend-build:/app/backend/build
+      - gradle-cache:/root/.gradle
+
+  frontend:
+    image: bilhej-frontend-dev
+    build:
+      dockerfile: docker/frontend.Dockerfile
+      context: .
+    container_name: bilhej-frontend
+    ports:
+      - "3000:3000"
+    depends_on:
+      - backend
+
+volumes:
+  pgdata:
+  gradle-cache:
+  backend-gradle-project:
+  backend-build:

docker/backend.Dockerfile

@@ -1,3 +1,15 @@
 FROM eclipse-temurin:21-jdk
 WORKDIR /app
+
+# Copy build configuration and wrapper first so this layer caches well.
+COPY gradlew settings.gradle build.gradle ./
+COPY gradle/ gradle/
+RUN chmod +x gradlew
+
+# Copy backend module. The dev compose overlays this with a host bind mount
+# for live source changes; if the bind mount is absent (DinD, CI, k8s) the
+# image is still self-contained and `gradlew :backend:bootRun` will work.
+COPY backend/ backend/
+
+EXPOSE 8080
 ENTRYPOINT ["./gradlew", ":backend:bootRun", "--no-daemon"]

docker/frontend.Dockerfile

@@ -1,7 +1,16 @@
 FROM node:24-alpine
 WORKDIR /app
+
+# Install dependencies first so this layer caches independently of source changes.
 COPY frontend/package.json frontend/package-lock.json ./
 RUN npm install
+
+# Copy the rest of the frontend. The dev compose overlays individual paths
+# (./frontend/src, ./frontend/public, ./frontend/index.html) with host bind
+# mounts for live reload; if those bind mounts are absent (DinD, CI, k8s)
+# the image is still self-contained and `npm run dev` will serve from the
+# COPY'd files.
 COPY frontend/ .
+
 EXPOSE 3000
 CMD ["npm", "run", "dev", "--", "--host", "0.0.0.0"]

frontend/e2e/auth-guards.spec.ts

@@ -70,6 +70,13 @@ test.describe('Auth guards', () => {
   })
 
   test('allows admin user to access /admin', async ({ page }) => {
+    await page.route('**/api/admin/orders', (route) =>
+      route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        body: '[]',
+      }),
+    )
     const jwt = makeJwt({ role: 'admin' })
     await page.goto('/')
     await page.evaluate((token) => localStorage.setItem('auth_token', token), jwt)

frontend/e2e/expired-token.spec.ts

@@ -0,0 +1,55 @@
+import { test, expect } from '@playwright/test'
+
+test.describe('Expired token logout', () => {
+  test('router guard redirects expired token to login and logs out', async ({
+    page,
+  }) => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    const jwt = makeJwt({ sub: 'test@bilhej.se', role: 'user', exp: past })
+
+    await page.goto('/')
+    await page.evaluate((token) => localStorage.setItem('auth_token', token), jwt)
+
+    await page.goto('/orders')
+
+    await expect(page).toHaveURL(/\/logga-in\?redirect=\/orders/)
+    await expect(page.getByRole('heading', { name: 'Logga in' })).toBeVisible()
+
+    const header = page.locator('header')
+    await expect(header.getByRole('link', { name: 'Logga in' })).toBeVisible()
+    await expect(
+      header.getByRole('button', { name: 'Logga ut' }),
+    ).not.toBeVisible()
+
+    const stored = await page.evaluate(() => localStorage.getItem('auth_token'))
+    expect(stored).toBeNull()
+  })
+
+  test('API 401 logs out and redirects when guard accepts token but backend rejects it', async ({
+    page,
+  }) => {
+    const future = Math.floor(Date.now() / 1000) + 3600
+    const jwt = makeJwt({ sub: 'test@bilhej.se', role: 'user', exp: future })
+
+    await page.goto('/')
+    await page.evaluate((token) => localStorage.setItem('auth_token', token), jwt)
+
+    await page.goto('/orders')
+    await page.waitForURL(/\/logga-in\?redirect=\/orders/)
+
+    await expect(page.getByRole('heading', { name: 'Logga in' })).toBeVisible()
+
+    const header = page.locator('header')
+    await expect(header.getByRole('button', { name: 'Logga ut' })).not.toBeVisible()
+
+    const stored = await page.evaluate(() => localStorage.getItem('auth_token'))
+    expect(stored).toBeNull()
+  })
+})
+
+function makeJwt(payload: Record<string, unknown>): string {
+  const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
+  const body = btoa(JSON.stringify(payload))
+  const signature = 'test-sig'
+  return `${header}.${body}.${signature}`
+}

frontend/e2e/header-auth.spec.ts

@@ -100,6 +100,13 @@ test.describe('Header auth state', () => {
   })
 
   test('logout redirects to home page', async ({ page }) => {
+    await page.route('**/api/orders', (route) =>
+      route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        body: '[]',
+      }),
+    )
     const jwt = makeJwt({ sub: 'test@bilhej.se', role: 'user' })
     await page.goto('/orders')
     await page.evaluate(

frontend/src/__tests__/OrdersPage.spec.ts

@@ -4,6 +4,26 @@ import { createRouter, createMemoryHistory } from 'vue-router'
 import { createPinia } from 'pinia'
 import OrdersPage from '@/pages/OrdersPage.vue'
 
+const sessionMocks = vi.hoisted(() => {
+  const mockLogout = vi.fn()
+  const mockPush = vi.fn()
+  return {
+    mockLogout,
+    mockPush,
+    mockAuth: { isAuthenticated: true, logout: mockLogout },
+  }
+})
+
+vi.mock('@/stores/authStore', () => ({
+  useAuthStore: () => sessionMocks.mockAuth,
+}))
+vi.mock('@/router', () => ({
+  default: {
+    currentRoute: { value: { fullPath: '/orders' } },
+    push: sessionMocks.mockPush,
+  },
+}))
+
 function mockFetchResponse(status: number, body: unknown) {
   return Promise.resolve({
     ok: status >= 200 && status < 300,
@@ -376,3 +396,34 @@ describe('OrdersPage', () => {
     expect(wrapper.find('.orders__preview-toggle').exists()).toBe(false)
   })
 })
+
+describe('OrdersPage — expired session (401)', () => {
+  beforeEach(() => {
+    localStorage.clear()
+    globalThis.fetch = vi.fn()
+    sessionMocks.mockLogout.mockClear()
+    sessionMocks.mockPush.mockClear()
+    sessionMocks.mockAuth.isAuthenticated = true
+  })
+
+  it('does not show generic error and triggers global logout/redirect on 401', async () => {
+    vi.mocked(globalThis.fetch).mockImplementation((url) => {
+      const urlStr = String(url)
+      if (urlStr.includes('/payment/swish-info')) {
+        return mockFetchResponse(200, { number: '123', amount: 49 })
+      }
+      return mockFetchResponse(401, { message: 'Din session har löpt ut.' })
+    })
+    localStorage.setItem('auth_token', 'expired-token')
+
+    const { wrapper } = mountPage()
+    await new Promise((r) => setTimeout(r, 50))
+
+    expect(wrapper.text()).not.toContain('Kunde inte hämta beställningar')
+    expect(sessionMocks.mockLogout).toHaveBeenCalledTimes(1)
+    expect(sessionMocks.mockPush).toHaveBeenCalledWith({
+      name: 'login',
+      query: { redirect: '/orders' },
+    })
+  })
+})

frontend/src/__tests__/Router.spec.ts

@@ -214,6 +214,64 @@ describe('Router guards', () => {
   })
 })
 
+describe('Router guards — expired tokens', () => {
+  beforeEach(() => {
+    setActivePinia(createPinia())
+    localStorage.clear()
+  })
+
+  it('redirects expired-token user from /orders to /logga-in with redirect query', async () => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: past }))
+
+    await router.push('/orders')
+    await router.isReady()
+
+    expect(router.currentRoute.value.name).toBe('login')
+    expect(router.currentRoute.value.query.redirect).toBe('/orders')
+  })
+
+  it('clears the expired token from localStorage on redirect', async () => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: past }))
+
+    await router.push('/orders')
+    await router.isReady()
+
+    expect(localStorage.getItem('auth_token')).toBeNull()
+  })
+
+  it('allows access with a token whose exp is in the future', async () => {
+    const future = Math.floor(Date.now() / 1000) + 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: future }))
+
+    await router.push('/orders')
+    await router.isReady()
+
+    expect(router.currentRoute.value.name).toBe('orders')
+  })
+
+  it('lets expired-token user open /logga-in instead of bouncing to home', async () => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: past }))
+
+    await router.push('/logga-in')
+    await router.isReady()
+
+    expect(router.currentRoute.value.name).toBe('login')
+  })
+
+  it('lets expired-token user open /registrera instead of bouncing to home', async () => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: past }))
+
+    await router.push('/registrera')
+    await router.isReady()
+
+    expect(router.currentRoute.value.name).toBe('register')
+  })
+})
+
 function makeJwt(payload: Record<string, unknown>): string {
   const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
   const body = btoa(JSON.stringify(payload))

frontend/src/__tests__/authStore.spec.ts

@@ -212,6 +212,52 @@ describe('authStore', () => {
   })
 })
 
+describe('authStore.isTokenExpired', () => {
+  beforeEach(() => {
+    setActivePinia(createPinia())
+    localStorage.clear()
+  })
+
+  it('returns true when there is no token', () => {
+    const store = useAuthStore()
+    expect(store.isTokenExpired()).toBe(true)
+  })
+
+  it('returns true for a token with an expired exp claim', () => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: past }))
+    const store = useAuthStore()
+
+    expect(store.isTokenExpired()).toBe(true)
+  })
+
+  it('returns false for a token with a future exp claim', () => {
+    const future = Math.floor(Date.now() / 1000) + 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: future }))
+    const store = useAuthStore()
+
+    expect(store.isTokenExpired()).toBe(false)
+  })
+
+  it('returns false for a token without an exp claim', () => {
+    localStorage.setItem('auth_token', makeJwt({ role: 'user' }))
+    const store = useAuthStore()
+
+    expect(store.isTokenExpired()).toBe(false)
+  })
+
+  it('returns true after logout clears the token', async () => {
+    const future = Math.floor(Date.now() / 1000) + 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: future }))
+    const store = useAuthStore()
+    expect(store.isTokenExpired()).toBe(false)
+
+    store.logout()
+
+    expect(store.isTokenExpired()).toBe(true)
+  })
+})
+
 function makeJwt(payload: Record<string, unknown>): string {
   const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
   const body = btoa(JSON.stringify(payload))

frontend/src/__tests__/client.spec.ts

@@ -0,0 +1,125 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest'
+import { createPinia, setActivePinia } from 'pinia'
+
+const mocks = vi.hoisted(() => {
+  const mockLogout = vi.fn()
+  const mockPush = vi.fn()
+  return {
+    mockLogout,
+    mockPush,
+    mockAuth: { isAuthenticated: true, logout: mockLogout },
+  }
+})
+
+vi.mock('@/stores/authStore', () => ({
+  useAuthStore: () => mocks.mockAuth,
+}))
+vi.mock('@/router', () => ({
+  default: {
+    currentRoute: { value: { fullPath: '/orders' } },
+    push: mocks.mockPush,
+  },
+}))
+
+import { request, ApiError, isSessionExpired, isForbidden } from '@/api/client'
+
+function mockFetchResponse(status: number, body: unknown) {
+  return Promise.resolve({
+    ok: status >= 200 && status < 300,
+    status,
+    json: () => Promise.resolve(body),
+  })
+}
+
+describe('api client', () => {
+  beforeEach(() => {
+    setActivePinia(createPinia())
+    localStorage.clear()
+    globalThis.fetch = vi.fn()
+    mocks.mockLogout.mockClear()
+    mocks.mockPush.mockClear()
+    mocks.mockAuth.isAuthenticated = true
+  })
+
+  it('logs out and redirects to login on 401 from a protected endpoint', async () => {
+    vi.mocked(globalThis.fetch).mockResolvedValue(
+      mockFetchResponse(401, { message: 'Din session har löpt ut.' }),
+    )
+    localStorage.setItem('auth_token', 'expired-token')
+
+    await expect(request('/orders')).rejects.toThrow('Din session har löpt ut.')
+
+    expect(mocks.mockLogout).toHaveBeenCalledTimes(1)
+    expect(mocks.mockPush).toHaveBeenCalledWith({
+      name: 'login',
+      query: { redirect: '/orders' },
+    })
+  })
+
+  it('still throws ApiError with 401 status after handling expired session', async () => {
+    vi.mocked(globalThis.fetch).mockResolvedValue(
+      mockFetchResponse(401, { message: 'Din session har löpt ut.' }),
+    )
+
+    try {
+      await request('/orders')
+      throw new Error('should have thrown')
+    } catch (err) {
+      expect(err).toBeInstanceOf(ApiError)
+      expect((err as ApiError).status).toBe(401)
+    }
+  })
+
+  it('does not log out on 401 from an auth endpoint (wrong credentials)', async () => {
+    vi.mocked(globalThis.fetch).mockResolvedValue(
+      mockFetchResponse(401, { message: 'Felaktig e-post eller lösenord' }),
+    )
+
+    await expect(request('/auth/login', { method: 'POST' })).rejects.toThrow(
+      'Felaktig e-post eller lösenord',
+    )
+
+    expect(mocks.mockLogout).not.toHaveBeenCalled()
+    expect(mocks.mockPush).not.toHaveBeenCalled()
+  })
+
+  it('does not log out on 403 (forbidden is not session expiry)', async () => {
+    vi.mocked(globalThis.fetch).mockResolvedValue(
+      mockFetchResponse(403, { message: 'Du har inte behörighet' }),
+    )
+    localStorage.setItem('auth_token', 'valid-token')
+
+    await expect(request('/admin/orders')).rejects.toThrow(
+      'Du har inte behörighet',
+    )
+
+    expect(mocks.mockLogout).not.toHaveBeenCalled()
+    expect(mocks.mockPush).not.toHaveBeenCalled()
+  })
+
+  it('does not redirect when there is no token on 401', async () => {
+    mocks.mockAuth.isAuthenticated = false
+    vi.mocked(globalThis.fetch).mockResolvedValue(
+      mockFetchResponse(401, { message: 'Din session har löpt ut.' }),
+    )
+
+    await expect(request('/orders')).rejects.toThrow()
+
+    expect(mocks.mockLogout).not.toHaveBeenCalled()
+    expect(mocks.mockPush).not.toHaveBeenCalled()
+  })
+
+  it('isSessionExpired returns true only for a 401 ApiError', () => {
+    expect(isSessionExpired(new ApiError(401, 'x'))).toBe(true)
+    expect(isSessionExpired(new ApiError(403, 'x'))).toBe(false)
+    expect(isSessionExpired(new ApiError(500, 'x'))).toBe(false)
+    expect(isSessionExpired(new Error('x'))).toBe(false)
+    expect(isSessionExpired(null)).toBe(false)
+  })
+
+  it('isForbidden returns true only for a 403 ApiError', () => {
+    expect(isForbidden(new ApiError(403, 'x'))).toBe(true)
+    expect(isForbidden(new ApiError(401, 'x'))).toBe(false)
+    expect(isForbidden(new Error('x'))).toBe(false)
+  })
+})

frontend/src/api/client.ts

@@ -1,3 +1,6 @@
+import { useAuthStore } from '@/stores/authStore'
+import router from '@/router'
+
 const API_BASE = import.meta.env.VITE_API_URL || '/api'
 
 export class ApiError extends Error {
@@ -10,10 +13,27 @@ export class ApiError extends Error {
   }
 }
 
+export function isSessionExpired(err: unknown): boolean {
+  return err instanceof ApiError && err.status === 401
+}
+
+export function isForbidden(err: unknown): boolean {
+  return err instanceof ApiError && err.status === 403
+}
+
 function getToken(): string | null {
   return localStorage.getItem('auth_token')
 }
 
+function handleExpiredSession(): void {
+  const auth = useAuthStore()
+  if (auth.isAuthenticated) {
+    auth.logout()
+    const redirect = router.currentRoute.value.fullPath
+    router.push({ name: 'login', query: { redirect } })
+  }
+}
+
 export async function request<T>(
   url: string,
   options: RequestInit = {},
@@ -34,6 +54,9 @@ export async function request<T>(
   })
 
   if (!response.ok) {
+    if (response.status === 401 && !url.startsWith('/auth/')) {
+      handleExpiredSession()
+    }
     const body = await response.json().catch(() => ({}))
     throw new ApiError(response.status, body.message || 'Något gick fel')
   }

frontend/src/composables/useAdminOrderActions.ts

@@ -1,5 +1,5 @@
 import { ref, reactive, type Ref } from 'vue'
-import { ApiError } from '@/api/client'
+import { ApiError, isSessionExpired } from '@/api/client'
 import {
   updateOrderStatus,
   registerShipment,
@@ -69,10 +69,12 @@ export function useAdminOrderActions(
       replaceOrder(updated)
     } catch (err) {
       order.status = previousStatus
-      statusError.value =
-        err instanceof ApiError && err.message
-          ? err.message
-          : 'Kunde inte uppdatera status. Försök igen.'
+      if (!isSessionExpired(err)) {
+        statusError.value =
+          err instanceof ApiError && err.message
+            ? err.message
+            : 'Kunde inte uppdatera status. Försök igen.'
+      }
     }
   }
 
@@ -100,11 +102,13 @@ export function useAdminOrderActions(
       )
       replaceOrder(updated)
       trackingInputValues[orderId] = updated.trackingId ?? trackingInput
-    } catch {
+    } catch (err) {
       order.status = previousStatus
       order.trackingId = previousTrackingId
-      trackingError.value =
-        'Kunde inte registrera utskick. Kontrollera spårnings-ID och försök igen.'
+      if (!isSessionExpired(err)) {
+        trackingError.value =
+          'Kunde inte registrera utskick. Kontrollera spårnings-ID och försök igen.'
+      }
     } finally {
       registeringId.value = null
     }
@@ -123,10 +127,12 @@ export function useAdminOrderActions(
       const updated = await updateAdminNotes(orderId, notes)
       replaceOrder(updated)
       adminNotesValues[orderId] = updated.adminNotes ?? ''
-    } catch {
+    } catch (err) {
       order.adminNotes = previousNotes
       adminNotesValues[orderId] = previousNotes ?? ''
-      notesError.value = 'Kunde inte spara anteckningar. Försök igen.'
+      if (!isSessionExpired(err)) {
+        notesError.value = 'Kunde inte spara anteckningar. Försök igen.'
+      }
     } finally {
       savingNotesId.value = null
     }

frontend/src/composables/useAdminOrders.ts

@@ -1,5 +1,6 @@
 import { ref, computed } from 'vue'
 import { fetchAllOrders, type AdminOrder } from '@/api/admin'
+import { isSessionExpired } from '@/api/client'
 import { PAID_GROUP_STATUSES } from '@/constants/orderStatus'
 
 export type AdminOrderFilter =
@@ -61,8 +62,10 @@ export function useAdminOrders() {
     error.value = ''
     try {
       orders.value = await fetchAllOrders()
-    } catch {
-      error.value = 'Kunde inte hämta beställningar. Försök igen senare.'
+    } catch (err) {
+      if (!isSessionExpired(err)) {
+        error.value = 'Kunde inte hämta beställningar. Försök igen senare.'
+      }
     } finally {
       loading.value = false
     }

frontend/src/pages/ComposePage.vue

@@ -2,6 +2,7 @@
 import { ref, computed } from 'vue'
 import { useRouter, useRoute } from 'vue-router'
 import { createOrder } from '@/api/orders'
+import { isSessionExpired } from '@/api/client'
 import { type LetterTemplate } from '@/data/templates'
 import TemplatePicker from '@/components/TemplatePicker.vue'
 import { RouterLink } from 'vue-router'
@@ -41,8 +42,10 @@ async function handleSubmit() {
       params: { orderId: order.id },
       query: { plate: plate.value },
     })
-  } catch {
-    errorMessage.value = 'Kunde inte skapa beställningen. Försök igen senare.'
+  } catch (err) {
+    if (!isSessionExpired(err)) {
+      errorMessage.value = 'Kunde inte skapa beställningen. Försök igen senare.'
+    }
   } finally {
     submitting.value = false
   }

frontend/src/pages/EditOrderPage.vue

@@ -2,6 +2,7 @@
 import { ref, computed, onMounted } from 'vue'
 import { useRouter, useRoute, RouterLink } from 'vue-router'
 import { fetchOrder, updateOrder, type Order } from '@/api/orders'
+import { isSessionExpired } from '@/api/client'
 import { type LetterTemplate } from '@/data/templates'
 import TemplatePicker from '@/components/TemplatePicker.vue'
 
@@ -44,8 +45,10 @@ async function loadOrder() {
     if (fetched.status === 'pending_payment') {
       letterText.value = fetched.letterText
     }
-  } catch {
-    loadError.value = 'Kunde inte hämta beställningen. Försök igen senare.'
+  } catch (err) {
+    if (!isSessionExpired(err)) {
+      loadError.value = 'Kunde inte hämta beställningen. Försök igen senare.'
+    }
   } finally {
     loading.value = false
   }
@@ -64,8 +67,10 @@ async function handleSubmit() {
       params: { orderId: order.value.id },
       query: { plate: order.value.plate },
     })
-  } catch {
-    errorMessage.value = 'Kunde inte spara ändringarna. Försök igen senare.'
+  } catch (err) {
+    if (!isSessionExpired(err)) {
+      errorMessage.value = 'Kunde inte spara ändringarna. Försök igen senare.'
+    }
   } finally {
     submitting.value = false
   }

frontend/src/pages/OrdersPage.vue

@@ -2,6 +2,7 @@
 import { ref, computed, onMounted } from 'vue'
 import { fetchOrders, cancelOrder, type Order } from '@/api/orders'
 import { fetchSwishInfo } from '@/api/payment'
+import { isSessionExpired } from '@/api/client'
 import { RouterLink } from 'vue-router'
 import {
   ORDER_STATUS_BADGE,
@@ -65,8 +66,10 @@ async function loadOrders() {
     ])
     orders.value = fetchedOrders
     orderAmount.value = swishInfo.amount
-  } catch {
-    error.value = 'Kunde inte hämta beställningar. Försök igen senare.'
+  } catch (err) {
+    if (!isSessionExpired(err)) {
+      error.value = 'Kunde inte hämta beställningar. Försök igen senare.'
+    }
   } finally {
     loading.value = false
   }
@@ -87,8 +90,11 @@ async function handleCancel(order: Order) {
   try {
     const updated = await cancelOrder(order.id)
     orders.value = orders.value.map((o) => (o.id === updated.id ? updated : o))
-  } catch {
-    actionError.value = 'Kunde inte avbryta beställningen. Försök igen senare.'
+  } catch (err) {
+    if (!isSessionExpired(err)) {
+      actionError.value =
+        'Kunde inte avbryta beställningen. Försök igen senare.'
+    }
   } finally {
     cancellingId.value = null
   }

frontend/src/pages/PaymentRedirect.vue

@@ -2,6 +2,7 @@
 import { ref, onMounted } from 'vue'
 import { useRouter, useRoute } from 'vue-router'
 import { payOrder, fetchSwishInfo } from '@/api/payment'
+import { isSessionExpired } from '@/api/client'
 
 const router = useRouter()
 const route = useRoute()
@@ -38,8 +39,10 @@ async function confirmPayment() {
   try {
     await payOrder(orderId)
     await router.push({ name: 'orders' })
-  } catch {
-    error.value = 'Kunde inte bekräfta betalningen. Försök igen.'
+  } catch (err) {
+    if (!isSessionExpired(err)) {
+      error.value = 'Kunde inte bekräfta betalningen. Försök igen.'
+    }
   } finally {
     paying.value = false
   }

frontend/src/router/index.ts

@@ -148,9 +148,11 @@ router.beforeEach((to) => {
   if (!getActivePinia()) return
 
   const auth = useAuthStore()
+  const authenticated = auth.isAuthenticated && !auth.isTokenExpired()
 
-  if (to.meta.guestOnly && auth.isAuthenticated) return { name: 'home' }
-  if (to.meta.requiresAuth && !auth.isAuthenticated) {
+  if (to.meta.guestOnly && authenticated) return { name: 'home' }
+  if (to.meta.requiresAuth && !authenticated) {
+    if (auth.isAuthenticated) auth.logout()
     return { name: 'login', query: { redirect: to.fullPath } }
   }
   if (to.meta.requiresAdmin && !auth.isAdmin) return { name: 'home' }

frontend/src/stores/authStore.ts

@@ -1,7 +1,7 @@
 import { defineStore } from 'pinia'
 import { ref, computed } from 'vue'
 import { register, login, changeEmail, confirmEmailChange } from '@/api/auth'
-import { parseJwtPayload } from '@/utils/jwt'
+import { parseJwtPayload, isTokenExpired as isJwtExpired } from '@/utils/jwt'
 
 export const useAuthStore = defineStore('auth', () => {
   const token = ref<string | null>(localStorage.getItem('auth_token'))
@@ -21,6 +21,10 @@ export const useAuthStore = defineStore('auth', () => {
     return payload.role ?? null
   }
 
+  function isTokenExpired(): boolean {
+    return isJwtExpired(token.value)
+  }
+
   function setToken(newToken: string) {
     token.value = newToken
     role.value = extractRole(newToken)
@@ -69,6 +73,7 @@ export const useAuthStore = defineStore('auth', () => {
     email,
     isAuthenticated,
     isAdmin,
+    isTokenExpired,
     registerUser,
     loginUser,
     changeUserEmail,

frontend/src/utils/jwt.ts

@@ -20,3 +20,10 @@ export function parseJwtPayload(token: string): JwtPayload {
     return {}
   }
 }
+
+export function isTokenExpired(token: string | null): boolean {
+  if (!token) return true
+  const payload = parseJwtPayload(token)
+  if (payload.exp === undefined || payload.exp === null) return false
+  return payload.exp < Math.floor(Date.now() / 1000)
+}