perf: reuse locals.session from hook in all remaining routes

Extends the previous loader-only sweep across the full tree: every
remaining `await locals.auth()` now falls back through
`locals.session ?? await locals.auth()`, so the hook's cached result
is reused.

68 files, 107 sites touched — loaders, form actions, and API
endpoints across cospend / tasks / fitness / faith / recipe / admin.
hooks.server.ts is intentionally left alone since it's the originating
call that populates locals.session in the first place.

TODO.md

@@ -8,7 +8,7 @@ Order = impact. Font items + app.html preload intentionally skipped.
 - [x] 2. Chart.js dynamic import in `FitnessChart.svelte` (drop 244 KB from non-stats fitness routes)
 - [x] 3. Recipe API endpoints — drop `JSON.parse(JSON.stringify(...))` double-serialize (9 endpoints). Client-side shuffle / cache headers deferred (would require rethinking hero preload + hydration)
 - [x] 4. Favorites page — drop unnecessary `all_brief` fetch (verified Search uses `favoritesOnly` so `allRecipes` was redundant)
-- [x] 5. Replace redundant `locals.auth()` with `locals.session` across recipe/calendar/fitness loaders (loaders only; actions + admin/edit/add pages skipped)
+- [x] 5. Replace redundant `locals.auth()` with `locals.session` across all routes (68 files, 107 sites — loaders, actions, API endpoints)
 - [ ] 6. Stream fitness stats loader — return promises for slow panels
 - [ ] 7. Overview endpoint — add `.select(...)` projection, cap timeseries window
 - [ ] 8. Calendar payload trim — drop `name` from `yearDays`, pre-filter `feastDots` server-side
@@ -27,6 +27,7 @@ Order = impact. Font items + app.html preload intentionally skipped.
 [ ] Make the Period ended button a lot more prominent
 [ ] swap heart emoji on recipe favorites to lucide icon
 [ ] coop and migros cards on shopping list for scanning
+[ ] login icon from lucide in header
 
 ## Refactor Recipe Search Component
 

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "homepage",
-	"version": "1.46.17",
+	"version": "1.46.18",
 	"private": true,
 	"type": "module",
 	"scripts": {

src/lib/server/middleware/auth.ts

@@ -31,7 +31,7 @@ export interface AuthenticatedUser {
 export async function requireAuth(
 	locals: RequestEvent['locals']
 ): Promise<AuthenticatedUser> {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 
 	if (!session || !session.user?.nickname) {
 		throw json({ error: 'Unauthorized' }, { status: 401 });
@@ -53,7 +53,7 @@ export async function requireGroup(
 	locals: RequestEvent['locals'],
 	group: string
 ): Promise<AuthenticatedUser> {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 
 	if (!session || !session.user?.nickname) {
 		throw json({ error: 'Unauthorized' }, { status: 401 });
@@ -92,7 +92,7 @@ export async function requireGroup(
 export async function optionalAuth(
 	locals: RequestEvent['locals']
 ): Promise<AuthenticatedUser | null> {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 
 	if (!session || !session.user?.nickname) {
 		return null;

src/lib/server/shoppingAuth.ts

@@ -12,7 +12,7 @@ export async function getShoppingUser(
   url: URL
 ): Promise<string | null> {
   // Check session first
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (auth?.user?.nickname) return auth.user.nickname;
 
   // Check share token

src/routes/(main)/settings/+page.server.ts

@@ -3,7 +3,7 @@ import type { Actions, PageServerLoad } from "./$types"
 import { error } from "@sveltejs/kit"
 
 export const load: PageServerLoad = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   const user = session?.user ?? null;
 	return {user}
 }

src/routes/[cospendRoot=cospendRoot]/dash/+page.server.ts

@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 
 export const load: PageServerLoad = async ({ locals, fetch, url }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
 
   if (!session) {
     throw redirect(302, '/login');

src/routes/[cospendRoot=cospendRoot]/list/+page.server.ts

@@ -13,7 +13,7 @@ function serializeItems(items: IShoppingItem[]): ShoppingItem[] {
 }
 
 export const load: PageServerLoad = async ({ locals, url }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   const token = url.searchParams.get('token');
 
   // Allow access with valid share token even without session

src/routes/[cospendRoot=cospendRoot]/payments/+page.server.ts

@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 
 export const load: PageServerLoad = async ({ locals, fetch, url }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   
   if (!session) {
     throw redirect(302, '/login');

src/routes/[cospendRoot=cospendRoot]/payments/add/+page.server.ts

@@ -3,7 +3,7 @@ import { redirect, fail } from '@sveltejs/kit';
 import { PREDEFINED_USERS, isPredefinedUsersMode } from '$lib/config/users';
 
 export const load: PageServerLoad = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   
   if (!session) {
     throw redirect(302, '/login');
@@ -18,7 +18,7 @@ export const load: PageServerLoad = async ({ locals }) => {
 
 export const actions: Actions = {
   default: async ({ request, locals, fetch, params }) => {
-    const session = await locals.auth();
+    const session = locals.session ?? await locals.auth();
     
     if (!session || !session.user?.nickname) {
       throw redirect(302, '/login');

src/routes/[cospendRoot=cospendRoot]/payments/edit/[id]/+page.server.ts

@@ -2,7 +2,7 @@ import type { PageServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 
 export const load: PageServerLoad = async ({ locals, params }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   
   if (!session) {
     throw redirect(302, '/login');

src/routes/[cospendRoot=cospendRoot]/payments/view/[id]/+page.server.ts

@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 
 export const load: PageServerLoad = async ({ locals, params, fetch, url }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   
   if (!session) {
     throw redirect(302, '/login');

src/routes/[cospendRoot=cospendRoot]/recurring/+page.server.ts

@@ -2,7 +2,7 @@ import type { PageServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 
 export const load: PageServerLoad = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   
   if (!session) {
     throw redirect(302, '/login');

src/routes/[cospendRoot=cospendRoot]/recurring/edit/[id]/+page.server.ts

@@ -2,7 +2,7 @@ import type { PageServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 
 export const load: PageServerLoad = async ({ locals, params }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   
   if (!session) {
     throw redirect(302, '/login');

src/routes/[cospendRoot=cospendRoot]/settle/+page.server.ts

@@ -3,7 +3,7 @@ import type { PageServerLoad, Actions } from './$types';
 import { detectCospendLang, cospendRoot } from '$lib/js/cospendI18n';
 
 export const load: PageServerLoad = async ({ fetch, locals, request, url }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   
   if (!session) {
     throw redirect(302, '/login');

src/routes/[faithLang=faithLang]/[calendar=calendarLang]/[rite=calendarRite]/[[yyyy=calendarYear]]/[[mm=calendarMonth]]/[[dd=calendarDay]]/+page.server.ts

@@ -291,6 +291,6 @@ export const load: PageServerLoad = async ({ params, url, locals, fetch }) => {
 		todayIso,
 		selected: selectedEntry,
 		selectedIso,
-		session: locals.session ?? (await locals.auth())
+		session: locals.session ?? (locals.session ?? await locals.auth())
 	};
 };

src/routes/[faithLang=faithLang]/[calendar=calendarLang]/[rite=calendarRite]/detail/[yyyy=calendarYear]/[mm=calendarMonth]/[dd=calendarDay]/+page.server.ts

@@ -96,6 +96,6 @@ export const load: PageServerLoad = async ({ params, url, locals, fetch }) => {
 		iso,
 		todayIso,
 		day1: entry,
-		session: locals.session ?? (await locals.auth())
+		session: locals.session ?? (locals.session ?? await locals.auth())
 	};
 };

src/routes/[faithLang=faithLang]/[prayers=prayersLang]/[prayer]/+page.server.ts

@@ -54,7 +54,7 @@ export const load: PageServerLoad = async ({ params, url, locals, fetch }) => {
 
 export const actions: Actions = {
 	'pray-angelus': async ({ request, locals, fetch }) => {
-		const session = await locals.auth();
+		const session = locals.session ?? await locals.auth();
 		if (!session?.user?.nickname) {
 			throw error(401, 'Authentication required');
 		}

src/routes/[faithLang=faithLang]/[rosary=rosaryLang]/+page.server.ts

@@ -105,7 +105,7 @@ export const load: PageServerLoad = async ({ url, fetch, locals, params }) => {
 
 export const actions: Actions = {
   pray: async ({ locals, fetch }) => {
-    const session = await locals.auth();
+    const session = locals.session ?? await locals.auth();
     if (!session?.user?.nickname) {
       return { success: false };
     }

src/routes/[recipeLang=recipeLang]/[name]/+page.server.ts

@@ -33,7 +33,7 @@ export const load: PageServerLoad = async ({ fetch, params, locals, url }) => {
 
 export const actions: Actions = {
     toggleFavorite: async ({ request, locals, url, fetch }) => {
-        const session = await locals.auth();
+        const session = locals.session ?? await locals.auth();
         
         if (!session?.user?.nickname) {
             throw error(401, 'Authentication required');

src/routes/[recipeLang=recipeLang]/add/+page.server.ts

@@ -16,7 +16,7 @@ export const load: PageServerLoad = async ({locals, params}) => {
         throw redirect(301, '/rezepte/add');
     }
 
-    const session = await locals.auth();
+    const session = locals.session ?? await locals.auth();
     return {
 		user: session?.user
     };
@@ -25,7 +25,7 @@ export const load: PageServerLoad = async ({locals, params}) => {
 export const actions = {
 	default: async ({ request, locals, params }) => {
 		// Check authentication
-		const auth = await locals.auth();
+		const auth = locals.session ?? await locals.auth();
 		if (!auth) {
 			return fail(401, {
 				error: 'You must be logged in to add recipes',

src/routes/[recipeLang=recipeLang]/admin/alt-text-generator/+page.server.ts

@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 
 export const load: PageServerLoad = async ({ locals, url, fetch }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 
 	// Redirect to login if not authenticated
 	if (!session?.user?.nickname) {

src/routes/[recipeLang=recipeLang]/admin/image-colors/+page.server.ts

@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 
 export const load: PageServerLoad = async ({ locals, url, fetch }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 
 	if (!session?.user?.nickname) {
 		const callbackUrl = encodeURIComponent(url.pathname);

src/routes/[recipeLang=recipeLang]/admin/untranslated/+page.server.ts

@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 
 export const load: PageServerLoad = async ({ fetch, locals, url, params }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 
 	// Redirect to login if not authenticated
 	if (!session?.user?.nickname) {

src/routes/[recipeLang=recipeLang]/administration/+page.server.ts

@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 
 export const load: PageServerLoad = async ({ locals, params, url, fetch }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 
 	// Redirect to login if not authenticated
 	if (!session?.user?.nickname) {

src/routes/[recipeLang=recipeLang]/edit/[name]/+page.server.ts

@@ -68,7 +68,7 @@ export const load: PageServerLoad = async ({ fetch, params, locals}) => {
 
     const apiRes = await fetch(`/api/rezepte/items/${params.name}`);
     const recipe = await apiRes.json();
-    const session = await locals.auth();
+    const session = locals.session ?? await locals.auth();
     return {
 		recipe: recipe,
 		user: session?.user
@@ -78,7 +78,7 @@ export const load: PageServerLoad = async ({ fetch, params, locals}) => {
 export const actions = {
 	default: async ({ request, locals, params }) => {
 		// Check authentication
-		const auth = await locals.auth();
+		const auth = locals.session ?? await locals.auth();
 		if (!auth) {
 			return fail(401, {
 				error: 'You must be logged in to edit recipes',

src/routes/api/[recipeLang=recipeLang]/favorites/+server.ts

@@ -6,7 +6,7 @@ import { error } from '@sveltejs/kit';
 import mongoose from 'mongoose';
 
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   
   if (!session?.user?.nickname) {
     throw error(401, 'Authentication required');
@@ -29,7 +29,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   
   if (!session?.user?.nickname) {
     throw error(401, 'Authentication required');
@@ -67,7 +67,7 @@ export const POST: RequestHandler = async ({ request, locals }) => {
 };
 
 export const DELETE: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   
   if (!session?.user?.nickname) {
     throw error(401, 'Authentication required');

src/routes/api/[recipeLang=recipeLang]/favorites/check/[shortName]/+server.ts

@@ -5,7 +5,7 @@ import { dbConnect } from '$utils/db';
 import { error } from '@sveltejs/kit';
 
 export const GET: RequestHandler = async ({ locals, params }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   
   if (!session?.user?.nickname) {
     return json({ isFavorite: false });

src/routes/api/[recipeLang=recipeLang]/favorites/recipes/+server.ts

@@ -7,7 +7,7 @@ import { error } from '@sveltejs/kit';
 import { isEnglish, briefQueryConfig } from '$lib/server/recipeHelpers';
 
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
 
   if (!session?.user?.nickname) {
     throw error(401, 'Authentication required');

src/routes/api/[recipeLang=recipeLang]/nutrition/[name]/+server.ts

@@ -9,7 +9,7 @@ import type { NutritionMapping } from '$types/types';
 
 /** PATCH: Update individual nutrition mappings (manual edit UI) */
 export const PATCH: RequestHandler = async ({ params, request, locals }) => {
-	await locals.auth();
+	locals.session ?? await locals.auth();
 	await dbConnect();
 
 	const en = isEnglish(params.recipeLang!);

src/routes/api/[recipeLang=recipeLang]/nutrition/generate/[name]/+server.ts

@@ -5,7 +5,7 @@ import { isEnglish } from '$lib/server/recipeHelpers';
 import { generateNutritionMappings } from '$lib/server/nutritionMatcher';
 
 export const POST: RequestHandler = async ({ params, locals, url }) => {
-	await locals.auth();
+	locals.session ?? await locals.auth();
 	await dbConnect();
 
 	const en = isEnglish(params.recipeLang!);

src/routes/api/[recipeLang=recipeLang]/search/+server.ts

@@ -49,7 +49,7 @@ export const GET: RequestHandler = async ({ url, params, locals }) => {
     let recipes: BriefRecipeType[] = dbRecipes.map(r => toBrief(r, params.recipeLang!));
 
     // Handle favorites filter
-    const session = await locals.auth();
+    const session = locals.session ?? await locals.auth();
     if (favoritesOnly && session?.user) {
       const { UserFavorites } = await import('$models/UserFavorites');
       const userFavorites = await UserFavorites.findOne({ username: session.user.nickname });

src/routes/api/[recipeLang=recipeLang]/to-try/+server.ts

@@ -3,7 +3,7 @@ import { ToTryRecipe } from '$models/ToTryRecipe';
 import { dbConnect } from '$utils/db';
 
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
 
   if (!session?.user?.groups?.includes('rezepte_users')) {
     throw error(403, 'Forbidden');
@@ -20,7 +20,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
 
   if (!session?.user?.groups?.includes('rezepte_users')) {
     throw error(403, 'Forbidden');
@@ -51,7 +51,7 @@ export const POST: RequestHandler = async ({ request, locals }) => {
 };
 
 export const PATCH: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
 
   if (!session?.user?.groups?.includes('rezepte_users')) {
     throw error(403, 'Forbidden');
@@ -96,7 +96,7 @@ export const PATCH: RequestHandler = async ({ request, locals }) => {
 };
 
 export const DELETE: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
 
   if (!session?.user?.groups?.includes('rezepte_users')) {
     throw error(403, 'Forbidden');

src/routes/api/[recipeLang=recipeLang]/translate/untranslated/+server.ts

@@ -3,7 +3,7 @@ import { Recipe } from '$models/Recipe';
 import { dbConnect } from '$utils/db';
 
 export const GET: RequestHandler = async ({ locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 
 	if (!session?.user?.nickname) {
 		throw error(401, 'Anmeldung erforderlich');

src/routes/api/cospend/balance/+server.ts

@@ -5,7 +5,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 
 export const GET: RequestHandler = async ({ locals, url }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }

src/routes/api/cospend/debts/+server.ts

@@ -19,7 +19,7 @@ interface DebtSummary {
 }
 
 export const GET: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }

src/routes/api/cospend/exchange-rates/+server.ts

@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 
 export const GET: RequestHandler = async ({ locals, url }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }

src/routes/api/cospend/list/share/+server.ts

@@ -6,7 +6,7 @@ import { dbConnect } from '$utils/db';
 
 // GET /api/cospend/list/share — list all active share tokens
 export const GET: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   await dbConnect();
@@ -25,7 +25,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 
 // POST /api/cospend/list/share — create a new share token
 export const POST: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   const { token, expiresAt } = await createShareToken(auth.user.nickname);
@@ -34,7 +34,7 @@ export const POST: RequestHandler = async ({ locals }) => {
 
 // PATCH /api/cospend/list/share — update a token's expiry
 export const PATCH: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   const { id, expiresAt } = await request.json();
@@ -53,7 +53,7 @@ export const PATCH: RequestHandler = async ({ request, locals }) => {
 
 // DELETE /api/cospend/list/share — revoke a token
 export const DELETE: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   const { id } = await request.json();

src/routes/api/cospend/monthly-expenses/+server.ts

@@ -4,7 +4,7 @@ import { Payment } from '$models/Payment';
 import { dbConnect } from '$utils/db';
 
 export const GET: RequestHandler = async ({ url, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
 
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });

src/routes/api/cospend/payments/+server.ts

@@ -13,7 +13,7 @@ interface SplitInput {
 }
 
 export const GET: RequestHandler = async ({ locals, url }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }
@@ -38,7 +38,7 @@ export const GET: RequestHandler = async ({ locals, url }) => {
 };
 
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }

src/routes/api/cospend/payments/[id]/+server.ts

@@ -5,7 +5,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }
@@ -29,7 +29,7 @@ export const GET: RequestHandler = async ({ params, locals }) => {
 };
 
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }
@@ -89,7 +89,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 };
 
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }

src/routes/api/cospend/recurring-payments/+server.ts

@@ -5,7 +5,7 @@ import { error, json } from '@sveltejs/kit';
 import { calculateNextExecutionDate, validateCronExpression } from '$lib/utils/recurring';
 
 export const GET: RequestHandler = async ({ locals, url }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }
@@ -38,7 +38,7 @@ export const GET: RequestHandler = async ({ locals, url }) => {
 };
 
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }

src/routes/api/cospend/recurring-payments/[id]/+server.ts

@@ -6,7 +6,7 @@ import { calculateNextExecutionDate, validateCronExpression } from '$lib/utils/r
 import mongoose from 'mongoose';
 
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }
@@ -35,7 +35,7 @@ export const GET: RequestHandler = async ({ params, locals }) => {
 };
 
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }
@@ -154,7 +154,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 };
 
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }

src/routes/api/cospend/recurring-payments/execute/+server.ts

@@ -8,7 +8,7 @@ import { calculateNextExecutionDate } from '$lib/utils/recurring';
 import { convertToCHF } from '$lib/utils/currency';
 
 export const POST: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }

src/routes/api/cospend/recurring-payments/scheduler/+server.ts

@@ -3,7 +3,7 @@ import { error, json } from '@sveltejs/kit';
 import { recurringPaymentScheduler } from '$lib/server/scheduler';
 
 export const GET: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }
@@ -22,7 +22,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }

src/routes/api/cospend/upload/+server.ts

@@ -6,7 +6,7 @@ import { randomUUID } from 'crypto';
 import { IMAGE_DIR } from '$env/static/private';
 
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth || !auth.user?.nickname) {
     throw error(401, 'Not logged in');
   }

src/routes/api/fitness/exercises/+server.ts

@@ -5,7 +5,7 @@ import { Exercise } from '$models/Exercise';
 
 // GET /api/fitness/exercises - Search and filter exercises
 export const GET: RequestHandler = async ({ url, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -61,7 +61,7 @@ export const GET: RequestHandler = async ({ url, locals }) => {
 
 // GET /api/fitness/exercises/filters - Get available filter options
 export const POST: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }

src/routes/api/fitness/exercises/[id]/+server.ts

@@ -4,7 +4,7 @@ import { getEnrichedExerciseById, findSimilarExercises } from '$lib/data/exercis
 
 // GET /api/fitness/exercises/[id] - Get enriched exercise with EDB data + similar exercises
 export const GET: RequestHandler = async ({ params, locals, url }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		return json({ error: 'Unauthorized' }, { status: 401 });
 	}

src/routes/api/fitness/exercises/filters/+server.ts

@@ -5,7 +5,7 @@ import { Exercise } from '$models/Exercise';
 
 // GET /api/fitness/exercises/filters - Get available filter options
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }

src/routes/api/fitness/intervals/+server.ts

@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { IntervalTemplate, validateIntervalEntries } from '$models/IntervalTemplate';
 
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -20,7 +20,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }

src/routes/api/fitness/intervals/[id]/+server.ts

@@ -5,7 +5,7 @@ import { IntervalTemplate, validateIntervalEntries } from '$models/IntervalTempl
 import mongoose from 'mongoose';
 
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -33,7 +33,7 @@ export const GET: RequestHandler = async ({ params, locals }) => {
 };
 
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -72,7 +72,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 };
 
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }

src/routes/api/fitness/seed-example/+server.ts

@@ -5,7 +5,7 @@ import { WorkoutTemplate } from '$models/WorkoutTemplate';
 
 // POST /api/fitness/seed-example - Create the example workout template
 export const POST: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }

src/routes/api/fitness/sessions/+server.ts

@@ -17,7 +17,7 @@ function estimatedOneRepMax(weight: number, reps: number): number {
 
 // GET /api/fitness/sessions - Get all workout sessions for the user
 export const GET: RequestHandler = async ({ url, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -52,7 +52,7 @@ export const GET: RequestHandler = async ({ url, locals }) => {
 
 // POST /api/fitness/sessions - Create a new workout session
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }

src/routes/api/fitness/sessions/[id]/+server.ts

@@ -7,7 +7,7 @@ import mongoose from 'mongoose';
 
 // GET /api/fitness/sessions/[id] - Get a specific workout session
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -37,7 +37,7 @@ export const GET: RequestHandler = async ({ params, locals }) => {
 
 // PUT /api/fitness/sessions/[id] - Update a workout session
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -135,7 +135,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 
 // DELETE /api/fitness/sessions/[id] - Delete a workout session
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }

src/routes/api/fitness/sessions/[id]/gpx/+server.ts

@@ -59,7 +59,7 @@ function parseGpx(xml: string): IGpsPoint[] {
 
 // GET /api/fitness/sessions/[id]/gpx?exerciseIdx=N — download GPX export of the track
 export const GET: RequestHandler = async ({ params, url, locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		return json({ error: 'Unauthorized' }, { status: 401 });
 	}
@@ -115,7 +115,7 @@ export const GET: RequestHandler = async ({ params, url, locals }) => {
 
 // POST /api/fitness/sessions/[id]/gpx — upload GPX file for an exercise
 export const POST: RequestHandler = async ({ params, request, locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		return json({ error: 'Unauthorized' }, { status: 401 });
 	}
@@ -193,7 +193,7 @@ export const POST: RequestHandler = async ({ params, request, locals }) => {
 
 // DELETE /api/fitness/sessions/[id]/gpx — remove GPS track from an exercise
 export const DELETE: RequestHandler = async ({ params, request, locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		return json({ error: 'Unauthorized' }, { status: 401 });
 	}

src/routes/api/fitness/sessions/[id]/recalculate/+server.ts

@@ -17,7 +17,7 @@ function estimatedOneRepMax(weight: number, reps: number): number {
 
 // POST /api/fitness/sessions/[id]/recalculate — recompute derived fields
 export const POST: RequestHandler = async ({ params, locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		return json({ error: 'Unauthorized' }, { status: 401 });
 	}

src/routes/api/fitness/templates/+server.ts

@@ -5,7 +5,7 @@ import { WorkoutTemplate } from '$models/WorkoutTemplate';
 
 // GET /api/fitness/templates - Get all workout templates for the user
 export const GET: RequestHandler = async ({ url, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -36,7 +36,7 @@ export const GET: RequestHandler = async ({ url, locals }) => {
 
 // POST /api/fitness/templates - Create a new workout template
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }

src/routes/api/fitness/templates/[id]/+server.ts

@@ -6,7 +6,7 @@ import mongoose from 'mongoose';
 
 // GET /api/fitness/templates/[id] - Get a specific workout template
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -39,7 +39,7 @@ export const GET: RequestHandler = async ({ params, locals }) => {
 
 // PUT /api/fitness/templates/[id] - Update a workout template
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -103,7 +103,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 
 // DELETE /api/fitness/templates/[id] - Delete a workout template
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session || !session.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }

src/routes/api/fitness/workout/active/+server.ts

@@ -6,7 +6,7 @@ import { broadcast } from '$lib/server/sseManager';
 
 // GET /api/fitness/workout/active — fetch current active workout
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session?.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -26,7 +26,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 
 // PUT /api/fitness/workout/active — create or update active workout state
 export const PUT: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session?.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -92,7 +92,7 @@ export const PUT: RequestHandler = async ({ request, locals }) => {
 
 // DELETE /api/fitness/workout/active — clear active workout (finish/cancel)
 export const DELETE: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session?.user?.nickname) {
     return json({ error: 'Unauthorized' }, { status: 401 });
   }

src/routes/api/fitness/workout/active/stream/+server.ts

@@ -3,7 +3,7 @@ import { addConnection, removeConnection } from '$lib/server/sseManager';
 
 // GET /api/fitness/workout/active/stream — SSE endpoint
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session?.user?.nickname) {
     return new Response('Unauthorized', { status: 401 });
   }

src/routes/api/generate-alt-text-bulk/+server.ts

@@ -147,7 +147,7 @@ export const POST: RequestHandler = async ({ request, locals }) => {
  */
 export const GET: RequestHandler = async ({ locals }) => {
 	// Check authentication
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session?.user) {
 		throw error(401, 'Unauthorized');
 	}

src/routes/api/glaube/angelus-streak/+server.ts

@@ -3,7 +3,7 @@ import { AngelusStreak } from '$models/AngelusStreak';
 import { dbConnect } from '$utils/db';
 
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
 
   if (!session?.user?.nickname) {
     throw error(401, 'Authentication required');
@@ -29,7 +29,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
 
   if (!session?.user?.nickname) {
     throw error(401, 'Authentication required');

src/routes/api/glaube/rosary-streak/+server.ts

@@ -3,7 +3,7 @@ import { RosaryStreak } from '$models/RosaryStreak';
 import { dbConnect } from '$utils/db';
 
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
 
   if (!session?.user?.nickname) {
     throw error(401, 'Authentication required');
@@ -27,7 +27,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
 
   if (!session?.user?.nickname) {
     throw error(401, 'Authentication required');

src/routes/api/recalculate-image-colors/+server.ts

@@ -126,7 +126,7 @@ export const POST: RequestHandler = async ({ request, locals }) => {
 };
 
 export const GET: RequestHandler = async ({ locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session?.user) {
 		throw error(401, 'Unauthorized');
 	}

src/routes/api/tasks/+server.ts

@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 
 export const GET: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   await dbConnect();
@@ -17,7 +17,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   const data = await request.json();

src/routes/api/tasks/[id]/+server.ts

@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   const data = await request.json();
@@ -33,7 +33,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 };
 
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   await dbConnect();

src/routes/api/tasks/[id]/complete/+server.ts

@@ -22,7 +22,7 @@ function getNextDueDate(completedAt: Date, frequencyType: string, customDays?: n
 }
 
 export const POST: RequestHandler = async ({ params, request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   await dbConnect();

src/routes/api/tasks/completions/[id]/+server.ts

@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   await dbConnect();

src/routes/api/tasks/stats/+server.ts

@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 
 export const GET: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   await dbConnect();
@@ -26,7 +26,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 
 export const DELETE: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
   if (!auth?.user?.nickname) throw error(401, 'Not logged in');
 
   await dbConnect();

src/routes/tasks/+page.server.ts

@@ -2,7 +2,7 @@ import type { PageServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 
 export const load: PageServerLoad = async ({ locals, fetch }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session) throw redirect(302, '/login');
 
   const [tasksRes, statsRes] = await Promise.all([

src/routes/tasks/rewards/+page.server.ts

@@ -2,7 +2,7 @@ import type { PageServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 
 export const load: PageServerLoad = async ({ locals, fetch }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
   if (!session) throw redirect(302, '/login');
 
   const statsRes = await fetch('/api/tasks/stats');