fix auth

src/swingmusic/api/auth.py

@@ -39,9 +39,30 @@ api = APIBlueprint("auth", __name__, url_prefix="/auth", abp_tags=[bp_tag])
 
 def get_limiter():
     """Get the rate limiter from app context."""
-    from flask import current_app
+    # Prefer the global limiter initialized in app_builder.build().
+    # flask-limiter v4 may store a set in current_app.extensions["limiter"],
+    # so resolve defensively across versions.
+    try:
+        from swingmusic.app_builder import limiter as app_limiter
 
-    return current_app.extensions.get("limiter")
+        if app_limiter is not None and hasattr(app_limiter, "limit"):
+            return app_limiter
+    except Exception:
+        pass
+
+    ext = current_app.extensions.get("limiter")
+    if ext is None:
+        return None
+
+    if hasattr(ext, "limit"):
+        return ext
+
+    if isinstance(ext, set):
+        for candidate in ext:
+            if hasattr(candidate, "limit"):
+                return candidate
+
+    return None
 
 
 def rate_limit(limit: str):
@@ -208,10 +229,15 @@ def login(body: LoginBody):
 
     # Cache user session in DragonflyDB for fast lookups
     session_service = get_user_session_service()
-    if session_service.session_cache.client.is_available():
+    if session_service.cache.client.is_available():
         import contextlib
 
         with contextlib.suppress(Exception):
+            session_service.create_session(
+                token,
+                user.todict(),
+                ttl_hours=max(1, int(age // 3600)),
+            )
             session_service.set_user_session(user.id, user.todict(), ttl_seconds=age)
 
     return res
@@ -334,13 +360,17 @@ def get_pair():
     server_url = request.headers.get("Origin", "").strip()
     if not server_url:
         server_url = request.host_url.rstrip("/")
+    else:
+        server_url = server_url.rstrip("/")
 
     return {
         "code": code,
         "expires_at": expires_at,
         "ttl_seconds": pair_token_store.ttl_seconds,
         "server_url": server_url,
-        "qr_payload": f"{server_url} {code}",
+        # Keep payload contract explicit for mobile/desktop clients.
+        # Format: "<server_url>|<pair_code>"
+        "qr_payload": f"{server_url}|{code}",
     }
 
 
@@ -582,11 +612,11 @@ def logout():
     # Invalidate session in DragonflyDB
     if current_user:
         session_service = get_user_session_service()
-        if session_service.session_cache.client.is_available():
+        if session_service.cache.client.is_available():
             import contextlib
 
             with contextlib.suppress(Exception):
-                session_service.invalidate_session(current_user["id"])
+                session_service.invalidate_user_session(current_user["id"])
 
     res = jsonify({"msg": "Logged out"})
     res.delete_cookie("access_token_cookie")