feat: auth refresh + group flow fix

Author: AshvikMishra

leaderboard_app/lib/chatpage-components/chat_view.dart

@@ -95,8 +95,8 @@ class _ChatViewState extends State<ChatView> {
                   builder: (_) => GroupInfoPage(groupId: widget.groupId, initialName: widget.groupName),
                 ),
               ).then((result) {
-                if (result is Map && result['leftGroup'] == true) {
-                  if (mounted) Navigator.of(context).pop();
+                if (result is Map && (result['leftGroup'] == true || result['deletedGroup'] == true)) {
+                  if (mounted) Navigator.of(context).pop(result);
                 }
               });
             },

leaderboard_app/lib/models/auth_models.dart

@@ -2,23 +2,27 @@ class AuthResponse {
   final bool success;
   final String message;
   final String token;
+  final String? refreshToken;
   final User user;
 
   AuthResponse({
     required this.success,
     required this.message,
     required this.token,
+    this.refreshToken,
     required this.user,
   });
 
   factory AuthResponse.fromJson(Map<String, dynamic> json) {
     final data = (json['data'] ?? {}) as Map<String, dynamic>;
     final userJson = (data['user'] ?? json['user'] ?? {}) as Map<String, dynamic>;
     final token = (data['token'] ?? json['token'] ?? '') as String;
+    final refresh = (data['refreshToken'] ?? data['refresh_token'] ?? json['refreshToken'] ?? json['refresh_token'] ?? '') as String;
     return AuthResponse(
       success: json['success'] == true || json['ok'] == true,
       message: (json['message'] ?? json['msg'] ?? '') as String,
       token: token,
+      refreshToken: refresh.isEmpty ? null : refresh,
       user: User.fromJson(userJson),
     );
   }

leaderboard_app/lib/pages/chatlists_page.dart

@@ -203,6 +203,11 @@ class _ChatlistsPageState extends State<ChatlistsPage> {
                                 ScaffoldMessenger.of(context).showSnackBar(
                                   const SnackBar(content: Text('Group created')),
                                 );
+                                // Refresh lists to reflect membership and server-derived fields
+                                // (e.g., lastMessage, counts, privacy flags, etc.)
+                                // Uses current search filter.
+                                // Fire-and-forget; UI already shows snackbar feedback.
+                                unawaited(_refresh());
                               }
                             },
                       icon: provider.isCreating
@@ -433,19 +438,26 @@ class _ChatlistsPageState extends State<ChatlistsPage> {
                                   }
                                   if (!mounted) return;
                                   if (isMember) {
-                                    Navigator.push(
+                                    final result = await Navigator.push(
                                       context,
                                       MaterialPageRoute(
                                         builder: (context) => ChatPage(groupId: groupId, groupName: groupName),
                                       ),
                                     );
+                                    if (result is Map && (result['deletedGroup'] == true || result['leftGroup'] == true || result['updated'] == true)) {
+                                      await _refresh();
+                                    }
                                   } else {
-                                    Navigator.push(
+                                    final result = await Navigator.push(
                                       context,
                                       MaterialPageRoute(
                                         builder: (context) => GroupInfoPage(groupId: groupId, initialName: groupName),
                                       ),
                                     );
+                                    // If group was deleted or membership changed, refresh list on return
+                                    if (result is Map && (result['deletedGroup'] == true || result['leftGroup'] == true || result['updated'] == true)) {
+                                      await _refresh();
+                                    }
                                   }
                                 },
                                 child: Container(

leaderboard_app/lib/pages/groupinfo_page.dart

@@ -627,8 +627,9 @@ class _GroupInfoPageState extends State<GroupInfoPage> {
         final chatListProv = context.read<ChatListProvider?>();
         chatListProv?.removeGroup(_group!.id);
       }
-      if (!mounted) return;
-      Navigator.of(context).pop();
+  if (!mounted) return;
+  // Return a signal so the previous page can refresh its data.
+  Navigator.of(context).pop({'deletedGroup': true, 'groupId': _group!.id});
     } catch (_) {
       setState(() => _error = 'Failed to delete group');
     } finally {

leaderboard_app/lib/services/auth/auth_service.dart

@@ -4,6 +4,7 @@ import 'package:leaderboard_app/services/core/api_client.dart';
 import 'package:shared_preferences/shared_preferences.dart';
 import 'package:leaderboard_app/services/core/dio_provider.dart';
 import 'package:leaderboard_app/services/chat/chat_service.dart';
+import 'package:leaderboard_app/services/core/token_manager.dart';
 
 class AuthService {
   final Dio _dio;
@@ -26,7 +27,7 @@ class AuthService {
       final login = await signIn(email: email, password: password);
       return login;
     } else {
-      await _saveAuth(response.token);
+      await _saveAuth(response.token, refreshToken: response.refreshToken);
       // Initialize a fresh socket connection with the new token.
       try { await ChatService.instance.connectWithToken(response.token); } catch (_) {}
       return response;
@@ -42,20 +43,21 @@ class AuthService {
     if (response.token.isEmpty) {
       throw DioException(requestOptions: res.requestOptions, response: res, message: 'Token missing in response');
     }
-    await _saveAuth(response.token);
+    await _saveAuth(response.token, refreshToken: response.refreshToken);
     // After storing token, connect socket with new identity.
     try { await ChatService.instance.connectWithToken(response.token); } catch (_) {}
     return response;
   }
 
   Future<void> logout() async {
-    final prefs = await SharedPreferences.getInstance();
+  final prefs = await SharedPreferences.getInstance();
     // Clear all persisted user-specific data on logout to avoid leaking
     // authentication state or cached profile details between accounts.
     // If in the future some keys should persist across logins (e.g. theme),
     // fetch their values first and re-set them after clear().
     await prefs.clear();
-  DioProvider.reset();
+    await TokenManager.clearTokens();
+    DioProvider.reset();
     // Proactively disconnect socket (in case ChatProvider not yet instantiated to reset it)
     try { ChatService.instance.disconnect(); } catch (_) {}
     // Also reset any cached singletons that embed auth headers (e.g. Dio).
@@ -79,8 +81,7 @@ class AuthService {
     return User.fromJson(userJson);
   }
 
-  Future<void> _saveAuth(String token) async {
-    final prefs = await SharedPreferences.getInstance();
-    await prefs.setString('authToken', token);
+  Future<void> _saveAuth(String token, {String? refreshToken}) async {
+    await TokenManager.saveTokens(accessToken: token, refreshToken: refreshToken);
   }
 }

leaderboard_app/lib/services/core/api_client.dart

@@ -1,6 +1,6 @@
 import 'package:dio/dio.dart';
-import 'package:shared_preferences/shared_preferences.dart';
 import 'package:leaderboard_app/config/api_config.dart';
+import 'package:leaderboard_app/services/core/dio_provider.dart';
 
 class ApiClient {
   static final String kBaseUrl = ApiConfig.baseUrl;
@@ -9,34 +9,7 @@ class ApiClient {
   ApiClient._internal(this.dio);
 
   static Future<ApiClient> create({String? baseUrl}) async {
-    final prefs = await SharedPreferences.getInstance();
-    final dio = Dio(
-      BaseOptions(
-        baseUrl: baseUrl ?? kBaseUrl,
-        connectTimeout: const Duration(seconds: 10),
-        receiveTimeout: const Duration(seconds: 20),
-        headers: {
-          'Content-Type': 'application/json',
-        },
-      ),
-    );
-
-    dio.interceptors.add(
-      InterceptorsWrapper(
-        onRequest: (options, handler) async {
-          final token = prefs.getString('authToken');
-          if (token != null && token.isNotEmpty) {
-            options.headers['Authorization'] = 'Bearer $token';
-          }
-          handler.next(options);
-        },
-        onError: (e, handler) {
-          // You can add logging or global error handling here
-          handler.next(e);
-        },
-      ),
-    );
-
+    final dio = await DioProvider.getInstance(baseUrl: baseUrl ?? kBaseUrl);
     return ApiClient._internal(dio);
   }
 }

leaderboard_app/lib/services/core/dio_provider.dart

@@ -1,38 +1,85 @@
 import 'dart:async';
 import 'package:dio/dio.dart';
 import 'package:flutter/foundation.dart' show kIsWeb; // narrow imports
-import 'package:shared_preferences/shared_preferences.dart';
 import 'package:leaderboard_app/config/api_config.dart';
+import 'package:leaderboard_app/services/core/token_manager.dart';
 
 /// Provides a configured singleton Dio instance with auth header + logging.
 class DioProvider {
   static Dio? _dio;
+  static Future<String?>? _refreshingFuture;
 
   static Future<Dio> getInstance({String? baseUrl}) async {
     if (_dio != null) return _dio!;
-    final prefs = await SharedPreferences.getInstance();
+  // Note: Token values are retrieved on-demand via TokenManager.
     final dio = Dio(
       BaseOptions(
         baseUrl: baseUrl ?? ApiConfig.baseUrl,
-        connectTimeout: const Duration(seconds: 10),
-        receiveTimeout: const Duration(seconds: 20),
+        connectTimeout: const Duration(seconds: 15),
+        receiveTimeout: const Duration(seconds: 60),
         headers: {'Content-Type': 'application/json'},
       ),
     );
 
     dio.interceptors.add(InterceptorsWrapper(onRequest: (options, handler) async {
-      final token = prefs.getString('authToken');
+      // Skip auth header for explicit opt-out
+      if (options.extra['skipAuth'] == true) {
+        handler.next(options);
+        return;
+      }
+      final token = await TokenManager.getAccessToken();
       if (token != null && token.isNotEmpty) {
         options.headers['Authorization'] = 'Bearer $token';
       }
       handler.next(options);
-    }, onError: (e, handler) {
+    }, onError: (e, handler) async {
       // Simple retry for idempotent GETs on network issues
       if (_shouldRetry(e)) {
         _retry(dio, e.requestOptions).then(handler.resolve).catchError((_) => handler.next(e));
-      } else {
-        handler.next(e);
+        return;
       }
+
+      // Refresh on 401 Unauthorized, excluding auth endpoints to avoid loops
+      final status = e.response?.statusCode;
+      final path = e.requestOptions.path;
+      final isAuthPath = path.contains('/auth/login') || path.contains('/auth/signup') || path.contains('/auth/refresh');
+      final alreadyRetried = e.requestOptions.extra['retried'] == true;
+
+      if (status == 401 && !isAuthPath && !alreadyRetried) {
+        try {
+          final newToken = await _refreshTokenIfNeeded(dio);
+          if (newToken != null && newToken.isNotEmpty) {
+            // Clone and retry original request with new token
+            final opts = Options(
+              method: e.requestOptions.method,
+              headers: {
+                ...e.requestOptions.headers,
+                'Authorization': 'Bearer $newToken',
+              },
+              responseType: e.requestOptions.responseType,
+              contentType: e.requestOptions.contentType,
+              sendTimeout: e.requestOptions.sendTimeout,
+              receiveTimeout: e.requestOptions.receiveTimeout,
+              extra: {
+                ...e.requestOptions.extra,
+                'retried': true,
+              },
+            );
+            final rerun = await dio.request<dynamic>(
+              e.requestOptions.path,
+              data: e.requestOptions.data,
+              queryParameters: e.requestOptions.queryParameters,
+              options: opts,
+            );
+            handler.resolve(rerun);
+            return;
+          }
+        } catch (_) {
+          // fall through to next
+        }
+      }
+
+      handler.next(e);
     }));
 
     // Basic log interceptor (custom to avoid extra dependency)
@@ -43,17 +90,28 @@ class DioProvider {
   }
 
   static bool _shouldRetry(DioException e) {
-    return e.type == DioExceptionType.connectionError && e.requestOptions.method == 'GET';
+    final isGet = e.requestOptions.method == 'GET';
+    final isNet = e.type == DioExceptionType.connectionError || e.type == DioExceptionType.receiveTimeout;
+    if (!(isGet && isNet)) return false;
+    final attempts = (e.requestOptions.extra['retryCount'] as int?) ?? 0;
+    return attempts < 1; // retry at most once
   }
 
   static Future<Response<dynamic>> _retry(Dio dio, RequestOptions requestOptions) async {
+    final attempts = (requestOptions.extra['retryCount'] as int?) ?? 0;
+    // brief backoff before retrying
+    await Future<void>.delayed(Duration(milliseconds: 500 * (attempts + 1)));
     final opts = Options(
       method: requestOptions.method,
       headers: requestOptions.headers,
       responseType: requestOptions.responseType,
       contentType: requestOptions.contentType,
       sendTimeout: requestOptions.sendTimeout,
       receiveTimeout: requestOptions.receiveTimeout,
+      extra: {
+        ...requestOptions.extra,
+        'retryCount': attempts + 1,
+      },
     );
     return dio.request<dynamic>(
       requestOptions.path,
@@ -68,6 +126,72 @@ class DioProvider {
   static void reset() {
     _dio = null;
   }
+
+  /// Ensure only one refresh happens at a time. Returns new access token or null.
+  static Future<String?> _refreshTokenIfNeeded(Dio baseDio) async {
+    // If a refresh is already ongoing, await the same future
+    final ongoing = _refreshingFuture;
+    if (ongoing != null) {
+      return ongoing;
+    }
+
+    final completer = Completer<String?>();
+    _refreshingFuture = completer.future;
+
+    try {
+      final newToken = await _callRefreshEndpoint(baseDio);
+      completer.complete(newToken);
+      return newToken;
+    } catch (err) {
+      completer.complete(null);
+      return null;
+    } finally {
+      _refreshingFuture = null;
+    }
+  }
+
+  /// Call the refresh endpoint using a bare Dio to avoid interceptor loops.
+  static Future<String?> _callRefreshEndpoint(Dio baseDio) async {
+    final refreshToken = await TokenManager.getRefreshToken();
+    final refreshDio = Dio(
+      BaseOptions(
+        baseUrl: baseDio.options.baseUrl,
+        connectTimeout: baseDio.options.connectTimeout,
+        receiveTimeout: baseDio.options.receiveTimeout,
+        headers: {'Content-Type': 'application/json'},
+      ),
+    );
+
+    Response res;
+    try {
+      if (refreshToken != null && refreshToken.isNotEmpty) {
+        res = await refreshDio.post('/auth/refresh', data: {'refreshToken': refreshToken});
+      } else {
+        // Some backends use HttpOnly cookie refresh; attempt without body
+        res = await refreshDio.post('/auth/refresh');
+      }
+    } on DioException {
+      // Refresh failed
+      await TokenManager.clearTokens();
+      return null;
+    }
+
+    final data = res.data is Map<String, dynamic>
+        ? res.data as Map<String, dynamic>
+        : <String, dynamic>{};
+    final payload = (data['data'] ?? data) as Map<String, dynamic>;
+    final newAccess = (payload['token'] ?? payload['accessToken'] ?? '') as String;
+    final newRefresh = (payload['refreshToken'] ?? payload['refresh_token'] ?? '') as String;
+
+    if (newAccess.isEmpty) {
+      await TokenManager.clearTokens();
+      return null;
+    }
+
+    // Persist the new tokens
+    await TokenManager.saveTokens(accessToken: newAccess, refreshToken: newRefresh.isEmpty ? null : newRefresh);
+    return newAccess;
+  }
 }
 
 class _LogInterceptor extends Interceptor {