perf: reuse locals.session from hook in all remaining routes

Extends the previous loader-only sweep across the full tree: every remaining `await locals.auth()` now falls back through `locals.session ?? await locals.auth()`, so the hook's cached result is reused. 68 files, 107 sites touched — loaders, form actions, and API endpoints across cospend / tasks / fitness / faith / recipe / admin. hooks.server.ts is intentionally left alone since it's the originating call that populates locals.session in the first place.
2026-04-23 15:08:10 +02:00
parent 800a544190
commit c912afd46a
70 changed files with 110 additions and 109 deletions
@@ -8,7 +8,7 @@ Order = impact. Font items + app.html preload intentionally skipped.
 - [x] 2. Chart.js dynamic import in `FitnessChart.svelte` (drop 244 KB from non-stats fitness routes)
 - [x] 3. Recipe API endpoints — drop `JSON.parse(JSON.stringify(...))` double-serialize (9 endpoints). Client-side shuffle / cache headers deferred (would require rethinking hero preload + hydration)
 - [x] 4. Favorites page — drop unnecessary `all_brief` fetch (verified Search uses `favoritesOnly` so `allRecipes` was redundant)
- [x] 5. Replace redundant `locals.auth()` with `locals.session` across recipe/calendar/fitness loaders (loaders only; actions + admin/edit/add pages skipped)
+- [x] 5. Replace redundant `locals.auth()` with `locals.session` across all routes (68 files, 107 sites — loaders, actions, API endpoints)
 - [ ] 6. Stream fitness stats loader — return promises for slow panels
 - [ ] 7. Overview endpoint — add `.select(...)` projection, cap timeseries window
 - [ ] 8. Calendar payload trim — drop `name` from `yearDays`, pre-filter `feastDots` server-side
@@ -27,6 +27,7 @@ Order = impact. Font items + app.html preload intentionally skipped.
 [ ] Make the Period ended button a lot more prominent
 [ ] swap heart emoji on recipe favorites to lucide icon
 [ ] coop and migros cards on shopping list for scanning
 [ ] login icon from lucide in header
 ## Refactor Recipe Search Component
@@ -1,6 +1,6 @@
 {
 	"name": "homepage",
-	"version": "1.46.17",
+	"version": "1.46.18",
 	"private": true,
 	"type": "module",
 	"scripts": {
@@ -31,7 +31,7 @@ export interface AuthenticatedUser {
 export async function requireAuth(
 	locals: RequestEvent['locals']
 ): Promise<AuthenticatedUser> {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		throw json({ error: 'Unauthorized' }, { status: 401 });
@@ -53,7 +53,7 @@ export async function requireGroup(
 	locals: RequestEvent['locals'],
 	group: string
 ): Promise<AuthenticatedUser> {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		throw json({ error: 'Unauthorized' }, { status: 401 });
@@ -92,7 +92,7 @@ export async function requireGroup(
 export async function optionalAuth(
 	locals: RequestEvent['locals']
 ): Promise<AuthenticatedUser | null> {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		return null;
@@ -12,7 +12,7 @@ export async function getShoppingUser(
  url: URL
 ): Promise<string | null> {
  // Check session first
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (auth?.user?.nickname) return auth.user.nickname;
  // Check share token
@@ -3,7 +3,7 @@ import type { Actions, PageServerLoad } from "./$types"
 import { error } from "@sveltejs/kit"
 export const load: PageServerLoad = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  const user = session?.user ?? null;
 	return {user}
 }
@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 export const load: PageServerLoad = async ({ locals, fetch, url }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session) {
    throw redirect(302, '/login');
@@ -13,7 +13,7 @@ function serializeItems(items: IShoppingItem[]): ShoppingItem[] {
 }
 export const load: PageServerLoad = async ({ locals, url }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  const token = url.searchParams.get('token');
  // Allow access with valid share token even without session
@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 export const load: PageServerLoad = async ({ locals, fetch, url }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session) {
    throw redirect(302, '/login');
@@ -3,7 +3,7 @@ import { redirect, fail } from '@sveltejs/kit';
 import { PREDEFINED_USERS, isPredefinedUsersMode } from '$lib/config/users';
 export const load: PageServerLoad = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session) {
    throw redirect(302, '/login');
@@ -18,7 +18,7 @@ export const load: PageServerLoad = async ({ locals }) => {
 export const actions: Actions = {
  default: async ({ request, locals, fetch, params }) => {
-    const session = await locals.auth();
+    const session = locals.session ?? await locals.auth();
    if (!session || !session.user?.nickname) {
      throw redirect(302, '/login');
@@ -2,7 +2,7 @@ import type { PageServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 export const load: PageServerLoad = async ({ locals, params }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session) {
    throw redirect(302, '/login');
@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 export const load: PageServerLoad = async ({ locals, params, fetch, url }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session) {
    throw redirect(302, '/login');
@@ -2,7 +2,7 @@ import type { PageServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 export const load: PageServerLoad = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session) {
    throw redirect(302, '/login');
@@ -2,7 +2,7 @@ import type { PageServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 export const load: PageServerLoad = async ({ locals, params }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session) {
    throw redirect(302, '/login');
@@ -3,7 +3,7 @@ import type { PageServerLoad, Actions } from './$types';
 import { detectCospendLang, cospendRoot } from '$lib/js/cospendI18n';
 export const load: PageServerLoad = async ({ fetch, locals, request, url }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session) {
    throw redirect(302, '/login');
@@ -291,6 +291,6 @@ export const load: PageServerLoad = async ({ params, url, locals, fetch }) => {
 		todayIso,
 		selected: selectedEntry,
 		selectedIso,
-		session: locals.session ?? (await locals.auth())
+		session: locals.session ?? (locals.session ?? await locals.auth())
 	};
 };
@@ -96,6 +96,6 @@ export const load: PageServerLoad = async ({ params, url, locals, fetch }) => {
 		iso,
 		todayIso,
 		day1: entry,
-		session: locals.session ?? (await locals.auth())
+		session: locals.session ?? (locals.session ?? await locals.auth())
 	};
 };
@@ -54,7 +54,7 @@ export const load: PageServerLoad = async ({ params, url, locals, fetch }) => {
 export const actions: Actions = {
 	'pray-angelus': async ({ request, locals, fetch }) => {
-		const session = await locals.auth();
+		const session = locals.session ?? await locals.auth();
 		if (!session?.user?.nickname) {
 			throw error(401, 'Authentication required');
 		}
@@ -105,7 +105,7 @@ export const load: PageServerLoad = async ({ url, fetch, locals, params }) => {
 export const actions: Actions = {
  pray: async ({ locals, fetch }) => {
-    const session = await locals.auth();
+    const session = locals.session ?? await locals.auth();
    if (!session?.user?.nickname) {
      return { success: false };
    }
@@ -33,7 +33,7 @@ export const load: PageServerLoad = async ({ fetch, params, locals, url }) => {
 export const actions: Actions = {
    toggleFavorite: async ({ request, locals, url, fetch }) => {
-        const session = await locals.auth();
+        const session = locals.session ?? await locals.auth();
        if (!session?.user?.nickname) {
            throw error(401, 'Authentication required');
@@ -16,7 +16,7 @@ export const load: PageServerLoad = async ({locals, params}) => {
        throw redirect(301, '/rezepte/add');
    }
-    const session = await locals.auth();
+    const session = locals.session ?? await locals.auth();
    return {
 		user: session?.user
    };
@@ -25,7 +25,7 @@ export const load: PageServerLoad = async ({locals, params}) => {
 export const actions = {
 	default: async ({ request, locals, params }) => {
 		// Check authentication
-		const auth = await locals.auth();
+		const auth = locals.session ?? await locals.auth();
 		if (!auth) {
 			return fail(401, {
 				error: 'You must be logged in to add recipes',
@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 export const load: PageServerLoad = async ({ locals, url, fetch }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	// Redirect to login if not authenticated
 	if (!session?.user?.nickname) {
@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 export const load: PageServerLoad = async ({ locals, url, fetch }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session?.user?.nickname) {
 		const callbackUrl = encodeURIComponent(url.pathname);
@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 export const load: PageServerLoad = async ({ fetch, locals, url, params }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	// Redirect to login if not authenticated
 	if (!session?.user?.nickname) {
@@ -3,7 +3,7 @@ import { redirect } from '@sveltejs/kit';
 import { errorWithVerse } from '$lib/server/errorQuote';
 export const load: PageServerLoad = async ({ locals, params, url, fetch }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	// Redirect to login if not authenticated
 	if (!session?.user?.nickname) {
@@ -68,7 +68,7 @@ export const load: PageServerLoad = async ({ fetch, params, locals}) => {
    const apiRes = await fetch(`/api/rezepte/items/${params.name}`);
    const recipe = await apiRes.json();
-    const session = await locals.auth();
+    const session = locals.session ?? await locals.auth();
    return {
 		recipe: recipe,
 		user: session?.user
@@ -78,7 +78,7 @@ export const load: PageServerLoad = async ({ fetch, params, locals}) => {
 export const actions = {
 	default: async ({ request, locals, params }) => {
 		// Check authentication
-		const auth = await locals.auth();
+		const auth = locals.session ?? await locals.auth();
 		if (!auth) {
 			return fail(401, {
 				error: 'You must be logged in to edit recipes',
@@ -6,7 +6,7 @@ import { error } from '@sveltejs/kit';
 import mongoose from 'mongoose';
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    throw error(401, 'Authentication required');
@@ -29,7 +29,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    throw error(401, 'Authentication required');
@@ -67,7 +67,7 @@ export const POST: RequestHandler = async ({ request, locals }) => {
 };
 export const DELETE: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    throw error(401, 'Authentication required');
@@ -5,7 +5,7 @@ import { dbConnect } from '$utils/db';
 import { error } from '@sveltejs/kit';
 export const GET: RequestHandler = async ({ locals, params }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    return json({ isFavorite: false });
@@ -7,7 +7,7 @@ import { error } from '@sveltejs/kit';
 import { isEnglish, briefQueryConfig } from '$lib/server/recipeHelpers';
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    throw error(401, 'Authentication required');
@@ -9,7 +9,7 @@ import type { NutritionMapping } from '$types/types';
 /** PATCH: Update individual nutrition mappings (manual edit UI) */
 export const PATCH: RequestHandler = async ({ params, request, locals }) => {
-	await locals.auth();
+	locals.session ?? await locals.auth();
 	await dbConnect();
 	const en = isEnglish(params.recipeLang!);
@@ -5,7 +5,7 @@ import { isEnglish } from '$lib/server/recipeHelpers';
 import { generateNutritionMappings } from '$lib/server/nutritionMatcher';
 export const POST: RequestHandler = async ({ params, locals, url }) => {
-	await locals.auth();
+	locals.session ?? await locals.auth();
 	await dbConnect();
 	const en = isEnglish(params.recipeLang!);
@@ -49,7 +49,7 @@ export const GET: RequestHandler = async ({ url, params, locals }) => {
    let recipes: BriefRecipeType[] = dbRecipes.map(r => toBrief(r, params.recipeLang!));
    // Handle favorites filter
-    const session = await locals.auth();
+    const session = locals.session ?? await locals.auth();
    if (favoritesOnly && session?.user) {
      const { UserFavorites } = await import('$models/UserFavorites');
      const userFavorites = await UserFavorites.findOne({ username: session.user.nickname });
@@ -3,7 +3,7 @@ import { ToTryRecipe } from '$models/ToTryRecipe';
 import { dbConnect } from '$utils/db';
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.groups?.includes('rezepte_users')) {
    throw error(403, 'Forbidden');
@@ -20,7 +20,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.groups?.includes('rezepte_users')) {
    throw error(403, 'Forbidden');
@@ -51,7 +51,7 @@ export const POST: RequestHandler = async ({ request, locals }) => {
 };
 export const PATCH: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.groups?.includes('rezepte_users')) {
    throw error(403, 'Forbidden');
@@ -96,7 +96,7 @@ export const PATCH: RequestHandler = async ({ request, locals }) => {
 };
 export const DELETE: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.groups?.includes('rezepte_users')) {
    throw error(403, 'Forbidden');
@@ -3,7 +3,7 @@ import { Recipe } from '$models/Recipe';
 import { dbConnect } from '$utils/db';
 export const GET: RequestHandler = async ({ locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session?.user?.nickname) {
 		throw error(401, 'Anmeldung erforderlich');
@@ -5,7 +5,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 export const GET: RequestHandler = async ({ locals, url }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -19,7 +19,7 @@ interface DebtSummary {
 }
 export const GET: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 export const GET: RequestHandler = async ({ locals, url }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -6,7 +6,7 @@ import { dbConnect } from '$utils/db';
 // GET /api/cospend/list/share — list all active share tokens
 export const GET: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  await dbConnect();
@@ -25,7 +25,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 // POST /api/cospend/list/share — create a new share token
 export const POST: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  const { token, expiresAt } = await createShareToken(auth.user.nickname);
@@ -34,7 +34,7 @@ export const POST: RequestHandler = async ({ locals }) => {
 // PATCH /api/cospend/list/share — update a token's expiry
 export const PATCH: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  const { id, expiresAt } = await request.json();
@@ -53,7 +53,7 @@ export const PATCH: RequestHandler = async ({ request, locals }) => {
 // DELETE /api/cospend/list/share — revoke a token
 export const DELETE: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  const { id } = await request.json();
@@ -4,7 +4,7 @@ import { Payment } from '$models/Payment';
 import { dbConnect } from '$utils/db';
 export const GET: RequestHandler = async ({ url, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
@@ -13,7 +13,7 @@ interface SplitInput {
 }
 export const GET: RequestHandler = async ({ locals, url }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -38,7 +38,7 @@ export const GET: RequestHandler = async ({ locals, url }) => {
 };
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -5,7 +5,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -29,7 +29,7 @@ export const GET: RequestHandler = async ({ params, locals }) => {
 };
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -89,7 +89,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 };
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -5,7 +5,7 @@ import { error, json } from '@sveltejs/kit';
 import { calculateNextExecutionDate, validateCronExpression } from '$lib/utils/recurring';
 export const GET: RequestHandler = async ({ locals, url }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -38,7 +38,7 @@ export const GET: RequestHandler = async ({ locals, url }) => {
 };
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -6,7 +6,7 @@ import { calculateNextExecutionDate, validateCronExpression } from '$lib/utils/r
 import mongoose from 'mongoose';
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -35,7 +35,7 @@ export const GET: RequestHandler = async ({ params, locals }) => {
 };
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -154,7 +154,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 };
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -8,7 +8,7 @@ import { calculateNextExecutionDate } from '$lib/utils/recurring';
 import { convertToCHF } from '$lib/utils/currency';
 export const POST: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -3,7 +3,7 @@ import { error, json } from '@sveltejs/kit';
 import { recurringPaymentScheduler } from '$lib/server/scheduler';
 export const GET: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -22,7 +22,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -6,7 +6,7 @@ import { randomUUID } from 'crypto';
 import { IMAGE_DIR } from '$env/static/private';
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth || !auth.user?.nickname) {
    throw error(401, 'Not logged in');
  }
@@ -5,7 +5,7 @@ import { Exercise } from '$models/Exercise';
 // GET /api/fitness/exercises - Search and filter exercises
 export const GET: RequestHandler = async ({ url, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -61,7 +61,7 @@ export const GET: RequestHandler = async ({ url, locals }) => {
 // GET /api/fitness/exercises/filters - Get available filter options
 export const POST: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -4,7 +4,7 @@ import { getEnrichedExerciseById, findSimilarExercises } from '$lib/data/exercis
 // GET /api/fitness/exercises/[id] - Get enriched exercise with EDB data + similar exercises
 export const GET: RequestHandler = async ({ params, locals, url }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		return json({ error: 'Unauthorized' }, { status: 401 });
 	}
@@ -5,7 +5,7 @@ import { Exercise } from '$models/Exercise';
 // GET /api/fitness/exercises/filters - Get available filter options
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { IntervalTemplate, validateIntervalEntries } from '$models/IntervalTemplate';
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -20,7 +20,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -5,7 +5,7 @@ import { IntervalTemplate, validateIntervalEntries } from '$models/IntervalTempl
 import mongoose from 'mongoose';
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -33,7 +33,7 @@ export const GET: RequestHandler = async ({ params, locals }) => {
 };
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -72,7 +72,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 };
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -5,7 +5,7 @@ import { WorkoutTemplate } from '$models/WorkoutTemplate';
 // POST /api/fitness/seed-example - Create the example workout template
 export const POST: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -17,7 +17,7 @@ function estimatedOneRepMax(weight: number, reps: number): number {
 // GET /api/fitness/sessions - Get all workout sessions for the user
 export const GET: RequestHandler = async ({ url, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -52,7 +52,7 @@ export const GET: RequestHandler = async ({ url, locals }) => {
 // POST /api/fitness/sessions - Create a new workout session
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -7,7 +7,7 @@ import mongoose from 'mongoose';
 // GET /api/fitness/sessions/[id] - Get a specific workout session
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -37,7 +37,7 @@ export const GET: RequestHandler = async ({ params, locals }) => {
 // PUT /api/fitness/sessions/[id] - Update a workout session
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -135,7 +135,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 // DELETE /api/fitness/sessions/[id] - Delete a workout session
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -59,7 +59,7 @@ function parseGpx(xml: string): IGpsPoint[] {
 // GET /api/fitness/sessions/[id]/gpx?exerciseIdx=N — download GPX export of the track
 export const GET: RequestHandler = async ({ params, url, locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		return json({ error: 'Unauthorized' }, { status: 401 });
 	}
@@ -115,7 +115,7 @@ export const GET: RequestHandler = async ({ params, url, locals }) => {
 // POST /api/fitness/sessions/[id]/gpx — upload GPX file for an exercise
 export const POST: RequestHandler = async ({ params, request, locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		return json({ error: 'Unauthorized' }, { status: 401 });
 	}
@@ -193,7 +193,7 @@ export const POST: RequestHandler = async ({ params, request, locals }) => {
 // DELETE /api/fitness/sessions/[id]/gpx — remove GPS track from an exercise
 export const DELETE: RequestHandler = async ({ params, request, locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		return json({ error: 'Unauthorized' }, { status: 401 });
 	}
@@ -17,7 +17,7 @@ function estimatedOneRepMax(weight: number, reps: number): number {
 // POST /api/fitness/sessions/[id]/recalculate — recompute derived fields
 export const POST: RequestHandler = async ({ params, locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session || !session.user?.nickname) {
 		return json({ error: 'Unauthorized' }, { status: 401 });
 	}
@@ -5,7 +5,7 @@ import { WorkoutTemplate } from '$models/WorkoutTemplate';
 // GET /api/fitness/templates - Get all workout templates for the user
 export const GET: RequestHandler = async ({ url, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -36,7 +36,7 @@ export const GET: RequestHandler = async ({ url, locals }) => {
 // POST /api/fitness/templates - Create a new workout template
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -6,7 +6,7 @@ import mongoose from 'mongoose';
 // GET /api/fitness/templates/[id] - Get a specific workout template
 export const GET: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -39,7 +39,7 @@ export const GET: RequestHandler = async ({ params, locals }) => {
 // PUT /api/fitness/templates/[id] - Update a workout template
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -103,7 +103,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 // DELETE /api/fitness/templates/[id] - Delete a workout template
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session || !session.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -6,7 +6,7 @@ import { broadcast } from '$lib/server/sseManager';
 // GET /api/fitness/workout/active — fetch current active workout
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -26,7 +26,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 // PUT /api/fitness/workout/active — create or update active workout state
 export const PUT: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -92,7 +92,7 @@ export const PUT: RequestHandler = async ({ request, locals }) => {
 // DELETE /api/fitness/workout/active — clear active workout (finish/cancel)
 export const DELETE: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    return json({ error: 'Unauthorized' }, { status: 401 });
  }
@@ -3,7 +3,7 @@ import { addConnection, removeConnection } from '$lib/server/sseManager';
 // GET /api/fitness/workout/active/stream — SSE endpoint
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    return new Response('Unauthorized', { status: 401 });
  }
@@ -147,7 +147,7 @@ export const POST: RequestHandler = async ({ request, locals }) => {
 */
 export const GET: RequestHandler = async ({ locals }) => {
 	// Check authentication
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session?.user) {
 		throw error(401, 'Unauthorized');
 	}
@@ -3,7 +3,7 @@ import { AngelusStreak } from '$models/AngelusStreak';
 import { dbConnect } from '$utils/db';
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    throw error(401, 'Authentication required');
@@ -29,7 +29,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    throw error(401, 'Authentication required');
@@ -3,7 +3,7 @@ import { RosaryStreak } from '$models/RosaryStreak';
 import { dbConnect } from '$utils/db';
 export const GET: RequestHandler = async ({ locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    throw error(401, 'Authentication required');
@@ -27,7 +27,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session?.user?.nickname) {
    throw error(401, 'Authentication required');
@@ -126,7 +126,7 @@ export const POST: RequestHandler = async ({ request, locals }) => {
 };
 export const GET: RequestHandler = async ({ locals }) => {
-	const session = await locals.auth();
+	const session = locals.session ?? await locals.auth();
 	if (!session?.user) {
 		throw error(401, 'Unauthorized');
 	}
@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 export const GET: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  await dbConnect();
@@ -17,7 +17,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 export const POST: RequestHandler = async ({ request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  const data = await request.json();
@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 export const PUT: RequestHandler = async ({ params, request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  const data = await request.json();
@@ -33,7 +33,7 @@ export const PUT: RequestHandler = async ({ params, request, locals }) => {
 };
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  await dbConnect();
@@ -22,7 +22,7 @@ function getNextDueDate(completedAt: Date, frequencyType: string, customDays?: n
 }
 export const POST: RequestHandler = async ({ params, request, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  await dbConnect();
@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 export const DELETE: RequestHandler = async ({ params, locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  await dbConnect();
@@ -4,7 +4,7 @@ import { dbConnect } from '$utils/db';
 import { error, json } from '@sveltejs/kit';
 export const GET: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  await dbConnect();
@@ -26,7 +26,7 @@ export const GET: RequestHandler = async ({ locals }) => {
 };
 export const DELETE: RequestHandler = async ({ locals }) => {
-  const auth = await locals.auth();
+  const auth = locals.session ?? await locals.auth();
  if (!auth?.user?.nickname) throw error(401, 'Not logged in');
  await dbConnect();
@@ -2,7 +2,7 @@ import type { PageServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 export const load: PageServerLoad = async ({ locals, fetch }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session) throw redirect(302, '/login');
  const [tasksRes, statsRes] = await Promise.all([
@@ -2,7 +2,7 @@ import type { PageServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 export const load: PageServerLoad = async ({ locals, fetch }) => {
-  const session = await locals.auth();
+  const session = locals.session ?? await locals.auth();
  if (!session) throw redirect(302, '/login');
  const statsRes = await fetch('/api/tasks/stats');