Need to delete cookie to logon (3.4.1)

[ReneHezser]

After token expiration, I need to delete the access_token from the cookie to be able to logon again.

The logs:

2025-07-28T06:24:44.263243115Z         jwt,
2025-07-28T06:24:44.263258919Z     ...<8 lines>...
2025-07-28T06:24:44.263275032Z         leeway=leeway,
2025-07-28T06:24:44.263291010Z     )
2025-07-28T06:24:44.263306733Z   File "/root/.cache/pypoetry/virtualenvs/auth-server-rpqNukfp-py3.13/lib/python3.13/site-packages/jwt/api_jwt.py", line 167, in decode_complete
2025-07-28T06:24:44.263323450Z     self._validate_claims(
2025-07-28T06:24:44.263339311Z     ~~~~~~~~~~~~~~~~~~~~~^
2025-07-28T06:24:44.263354998Z         payload,
2025-07-28T06:24:44.263370396Z         ^^^^^^^^
2025-07-28T06:24:44.263385535Z     ...<4 lines>...
2025-07-28T06:24:44.263401143Z         subject=subject,
2025-07-28T06:24:44.263417092Z         ^^^^^^^^^^^^^^^^
2025-07-28T06:24:44.263432899Z     )
2025-07-28T06:24:44.263448292Z     ^
2025-07-28T06:24:44.263463790Z   File "/root/.cache/pypoetry/virtualenvs/auth-server-rpqNukfp-py3.13/lib/python3.13/site-packages/jwt/api_jwt.py", line 262, in _validate_claims
2025-07-28T06:24:44.263480240Z     self._validate_exp(payload, now, leeway)
2025-07-28T06:24:44.263495928Z     ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
2025-07-28T06:24:44.263524227Z   File "/root/.cache/pypoetry/virtualenvs/auth-server-rpqNukfp-py3.13/lib/python3.13/site-packages/jwt/api_jwt.py", line 363, in _validate_exp
2025-07-28T06:24:44.263541399Z     raise ExpiredSignatureError("Signature has expired")
2025-07-28T06:24:44.263557690Z jwt.exceptions.ExpiredSignatureError: Signature has expired
2025-07-28T06:24:44.264507232Z INFO:     192.168.0.171:0 - "GET /verify HTTP/1.0" 500 Internal Server Error
2025-07-28T06:24:44.265175247Z 172.18.0.1 - - [28/Jul/2025:06:24:44 +0000] "GET /api/nodes/b868119c...8046e30a1e19?page_number=1&page_size=10&order_by=updated_at HTTP/1.1" 500 579 "https://.../home/b868119c...8046e30a1e19" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0"
2025-07-28T06:24:44.265270134Z 2025/07/28 06:24:44 [error] 44#44: *1294 auth request unexpected status: 500 while sending to client, client: 172.18.0.1, server: _, request: "GET /api/nodes/b868119c-...-8046e30a1e19?page_number=1&page_size=10&order_by=updated_at HTTP/1.1", host: "...", referrer: "https://.../home/b868119c-...-8046e30a1e19"
2025-07-28T06:24:44.278340415Z 172.18.0.1 - - [28/Jul/2025:06:24:44 +0000] "GET /api/folders/b868119c-...-8046e30a1e19 HTTP/1.1" 500 579 "https://p.../home/b868119c-...-8046e30a1e19" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0"
2025-07-28T06:24:44.278420178Z ERROR:    Exception in ASGI application

The access_token contains:

{
  "sub": "9a6b...e514",
  "preferred_username": "admin",
  "email": "admin@example.com",
  "scopes": [
    "node.create",
    "node.view",
    "node.update",
    "node.delete",
    "node.move",
    "document.upload",
    "document.download",
    "task.ocr",
    "tag.create",
    "tag.view",
    "tag.update",
    "tag.delete",
    "user.me",
    "user.create",
    "user.view",
    "user.update",
    "user.delete",
    "group.create",
    "group.view",
    "group.update",
    "group.delete",
    "ocrlang.view",
    "page.view",
    "page.update",
    "page.move",
    "page.extract"
  ],
  "exp": 1753662199
}

[ciur]

Thanks for opening this issue. This issue is more tricky. First of all, it is not "papermerge-core" problem at all, as the core does not feature authentication at all: core only receives user ID and operates as if authentication does not exist at all. The problem you are reporting is in https://github.com/papermerge/auth-server which is a very minimalistic authentication server. Production deployment is supposed to use auth servers like keycloak, authelia, authentik and firends via OIDC protocol.

Anyway, i will fix the token refresh problem. Thanks again for reporting it.

[ReneHezser]

I'd use OIDC in combination with Azure/Entra ID, but can't get it working. I wanted to try later and then with the latest version. First things first ;-)