librelad c69449bec8 fix(deploy): rsync --delete was wiping .auth.json; preserve it (+ siblings)
Symptom: after any commit / deploy on this box, the WebUI would log
users out ~60 seconds after they logged back in. Looked like a
short session timeout; was actually the auth file being deleted.

Cause: my recent update.sh change added --delete to the frontend
rsync so source-tree file removals propagate to the live install.
Excludes only protected data/. .auth.json sits at the top of
frontend/ (never in the source repo — it's the persisted credentials
+ JWT secret), so --delete nuked it on every deploy. The next
container start regenerated it with a fresh secret; all existing
cookies (signed with the old secret) became invalid. The dashboard's
60-second auto-refresh hits /data/system/*.json which is auth-gated,
gets 401, and the global 401 interceptor in auth-manager.js shows
the re-login overlay. Hence 'logged out after 60 seconds'.

Fix: extend the rsync exclude list with:
  --exclude '.*'       (any top-level dotfile — covers .auth.json
                        and future runtime state of the same shape)
  --exclude '*.lock'   (lockfiles like setup.lock if any ever land
                        outside data/)
  --exclude '*.bak'    (backup files from manual edits)

data/ exclude kept. JWT lifetime stays at 30 days as designed.

Also: feat(webui): icon on the 'Open Locations' button in the
backup → Migrate tab's empty state. Matches the location-pin icon
used by the sidebar's Locations entry so the visual carries over
when the user clicks through.

Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-27 00:09:35 +01:00
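
The failure described in the commit message can be caught before a deploy with an rsync dry run. The following is an added example, not code from this repository or its update.sh; the `data/` exclude form, the helper names (`would_delete`, `guard_file`, `make_fixture`) and the fixture files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Helper names and fixture files are constructed; only
# .auth.json, data/ and the exclude patterns come from the commit message.

# Print the paths `rsync --delete` would remove from DST (changes nothing).
# Usage: would_delete SRC DST [rsync options...]
would_delete() {
    src=$1; dst=$2; shift 2
    out=$(rsync -a --delete --dry-run --itemize-changes "$@" "$src/" "$dst/") || return 2
    printf '%s\n' "$out" | sed -n 's/^\*deleting *//p'
}

# Return 1 if FILE is on the deletion list, 2 if the dry run itself failed
# (fail closed: a broken dry run must not look like "nothing to delete").
# Usage: guard_file FILE SRC DST [rsync options...]
guard_file() {
    file=$1; shift
    doomed=$(would_delete "$@") || { echo "dry run failed" >&2; return 2; }
    if printf '%s\n' "$doomed" | grep -Fxq -- "$file"; then
        echo "refusing deploy: rsync --delete would remove $file" >&2
        return 1
    fi
}

# Constructed fixture: a source tree and a live install with runtime state.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/src" "$root/live/data"
    echo 'console.log(1)' > "$root/src/app.js"
    cp "$root/src/app.js" "$root/live/app.js"
    echo 'stale' > "$root/live/removed.js"      # deleted from the source tree
    echo '{"jwt_secret":"constructed"}' > "$root/live/.auth.json"
    echo '{}' > "$root/live/data/state.json"
    echo "$root"
}

demo=$(make_fixture)
guard_file .auth.json "$demo/src" "$demo/live" --exclude 'data/' ||
    echo "data/ exclude only: deploy blocked"
guard_file .auth.json "$demo/src" "$demo/live" --exclude 'data/' \
    --exclude '.*' --exclude '*.lock' --exclude '*.bak' &&
    echo "extended excludes: .auth.json survives"
rm -rf "$demo"
```

With the extended excludes the dry run still lists `removed.js`, so source-tree removals keep propagating while the runtime credentials file is left alone.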