From 991fe9668be59a27340e49ebf7cc0d5716c9ebfc Mon Sep 17 00:00:00 2001
From: Dan Bruce
Date: Fri, 9 Jan 2026 08:59:42 -0500
Subject: [PATCH 1/2] change api session info to use cookie

---
 server.js | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/server.js b/server.js
index 9fd7a1d..706e4dc 100644
--- a/server.js
+++ b/server.js
@@ -168,8 +168,11 @@ authRouter.get("/api/user/:user", async ({ params: { user: user } }, res) => {
 });
 
 authRouter.get("/api/session/info", async (req, res) => {
- if (req.body.sessionInfo) {
- const sessionInfo = req.body.sessionInfo;
+ // Prefer server-side session data (populated by express-session via the
+ // connect.sid cookie). GET requests generally don't have a body, so rely
+ // on `req.session` rather than `req.body`.
+ const sessionInfo = req.session && (req.session.claims || (req.session.tokenSet && req.session.tokenSet.claims && req.session.tokenSet.claims()));
+ if (sessionInfo) {
 // Expose the configured admin role name to the client so browser-side checks
 // don't need to rely on Node-only process.env variables.
 sessionInfo.adminRole = process.env.KEYCLOAK_ADMIN_ROLE || 'admin';
@@ -185,9 +188,9 @@ authRouter.get("/api/session/info", async (req, res) => {
 } catch (e) {
 console.error('local user lookup failed', e && e.message);
 }
- // If we have a localUser stored in session (created during callback), prefer that
- const sessionLocalUser = req.session && req.session.localUser ? req.session.localUser : localUser;
- res.send({ success: true, data: { sessionInfo, localUser: sessionLocalUser } });
+ // If we have a localUser stored in session (created during callback), prefer that
+ const sessionLocalUser = req.session && req.session.localUser ? req.session.localUser : localUser;
+ res.send({ success: true, data: { sessionInfo, localUser: sessionLocalUser } });
 } else {
 res.status(404).send({ success: false, error: "No session info" });
 }
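Review bot: When `sessionInfo` comes from `req.session.claims` it is the same object that lives in the session, so the `sessionInfo.adminRole = ...` assignment kept just below the new lines in the first hunk writes into stored session state on every GET, and the full claims object is then sent to the browser. Copy it before decorating and return only the claims the client actually uses, for example `const sessionInfo = claims ? { ...claims, adminRole: process.env.KEYCLOAK_ADMIN_ROLE || 'admin' } : null;` with `claims` holding the value the long `&&`/`||` expression resolves to. The `tokenSet.claims()` fallback presumably needs a live token-set instance; once express-session has serialised the session to its store the method is probably gone, so that branch may only work on the login request and is worth confirming. Because `adminRole` is exposed for browser-side checks, admin-only routes still need their own server-side role check, which this hunk does not show. The handler body starts inside the hunk and continues past it.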
From a5502451669f9758c3de0f51123602e067b7b2f5 Mon Sep 17 00:00:00 2001
From: Dan Bruce
Date: Fri, 9 Jan 2026 09:00:29 -0500
Subject: [PATCH 2/2] 1.8.3

---
 package-lock.json | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 8e85d5e..4055e86 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "fullsend",
- "version": "1.8.2",
+ "version": "1.8.3",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "fullsend",
- "version": "1.8.2",
+ "version": "1.8.3",
 "license": "MIT",
 "dependencies": {
 "bcryptjs": "^2.4.3",
diff --git a/package.json b/package.json
index e2d13f3..fe6e414 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "fullsend",
- "version": "1.8.2",
+ "version": "1.8.3",
 "description": "Fullsend allows allowed users to send bulk text messages to groups of recipients",
 "main": "server.js",
 "scripts": {