add refresh token

admin/src/app/app.ts

@@ -17,12 +17,20 @@ export class App {
   constructor(private authService: AuthService, private router: Router) {}
 
   logout(): void {
-    // Make a best-effort to log out on the server, but always
-    // clean up the client-side session in the `finalize` block.
-    this.authService.serverSideLogout().pipe(
-      finalize(() => {
+    // Make a best-effort to log out on the server.
+    // The client-side logout will run regardless of whether this call
+    // succeeds or fails.
+    this.authService.serverSideLogout().subscribe({
+      // The server call can succeed or fail, we don't care about the result,
+      // we just want to ensure the client is logged out.
+      next: () => {
+        console.info("server logged out")
         this.authService.clientSideLogout();
-      })
-    ).subscribe();
+      },
+      error: () => {
+        console.error("server failed to log out")
+        this.authService.clientSideLogout();
+      },
+    });
   }
 }

admin/src/app/auth/auth.service.ts

@@ -32,6 +32,7 @@ export class AuthService {
    * This is the definitive logout action from the user's perspective.
    */
   clientSideLogout(): void {
+    console.info("clientSideLogout")
     this.removeTokens();
     this.router.navigate(['/login']);
   }

admin/src/app/auth/jwt.interceptor.ts

@@ -53,10 +53,9 @@ export class JwtInterceptor implements HttpInterceptor {
           this.isRefreshing = false;
           this.refreshTokenSubject.error(err);
 
-          // In a refresh failure, the user MUST be logged out.
-          // Call the synchronous client-side logout to avoid re-intercepting.
-          this.authService.clientSideLogout();
-
+          // The interceptor's job is done. It failed to refresh.
+          // It should NOT handle logout. It should just propagate the error.
+          // The calling service/component will be responsible for the user-facing action.
           return throwError(() => err);
         })
       );