fix(faza-e): refresh dedup, fetch timeout, error surfacing

4 fixes for the symptoms Marius hit on Faza E pilot — search returning
"Eroare la căutare" after sessions got stale, even after relogin:

1. Refresh deduplication
   Authentik rotates refresh_tokens — exchange-once. Parallel map +
   search + parcela.get all hit jwt callback concurrently, each fires
   its own refresh, the first wins, the rest get invalid_grant and
   poison the JWT with token.error=RefreshAccessTokenError → user
   appears logged out for no good reason. Cache the inflight refresh
   promise in-memory keyed by refresh_token so concurrent callers
   share one Authentik exchange.

2. Fetch timeout in gis-api-client
   AbortSignal.timeout(30s) on every api.gis.ac call. Without it, a
   slow upstream (ANCPI scrape, orchestrator hiccup) hangs the route
   for the full Next.js default → Marius saw 10s gaps with no
   feedback. Throws GisApiError(504, upstream_timeout) instead.

3. Better error surfacing
   /api/gis/* routes return { error, hint: <first 200 chars> } on
   non-GisApiError throws instead of a bare "internal_error". Easier
   to triage from browser DevTools without paging through container
   logs.

4. Remove diagnostic [gis-search] logs
   Diagnostic served its purpose (identified the stale-token cause
   pre-refresh-fix). Now noise; keep only [auth] refresh success/fail
   + per-route internal_error.

Also adds AbortSignal.timeout(8s) on the Authentik refresh fetch
itself to keep the jwt callback bounded.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/core/auth/auth-options.ts

@@ -12,48 +12,79 @@ import { useGisAcFlag } from "@/core/feature-flags/use-gis-ac";
  *
  * Marks the JWT with token.error="RefreshAccessTokenError" on failure;
  * the client can react by forcing a re-login.
+ *
+ * **Concurrency:** Authentik rotates refresh_tokens — a refresh_token can
+ * only be exchanged once. With parallel requests (typical for a map app —
+ * map tiles + parcela.get + search all firing at once), each request
+ * triggers its own jwt callback, each calls refresh, only the first wins
+ * and the rest get `invalid_grant` → user is logged out for no good
+ * reason. We dedupe in-memory by refresh_token key so concurrent callers
+ * share a single Authentik request.
  */
+const inflightRefreshes = new Map<string, Promise<JWT>>();
+
 async function refreshAuthentikToken(token: JWT): Promise<JWT> {
-  try {
-    const issuer = process.env.AUTHENTIK_ISSUER;
-    const clientId = process.env.AUTHENTIK_CLIENT_ID;
-    const clientSecret = process.env.AUTHENTIK_CLIENT_SECRET;
-    if (!issuer || !clientId || !clientSecret || !token.refreshToken) {
-      throw new Error("refresh_prerequisites_missing");
-    }
-    const url = `${issuer.replace(/\/$/, "")}/token/`;
-    const res = await fetch(url, {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams({
-        grant_type: "refresh_token",
-        refresh_token: String(token.refreshToken),
-        client_id: clientId,
-        client_secret: clientSecret,
-      }),
-      cache: "no-store",
-    });
-    const body = (await res.json()) as {
-      access_token?: string;
-      refresh_token?: string;
-      expires_in?: number;
-      error?: string;
-    };
-    if (!res.ok || !body.access_token) {
-      console.warn("[auth] refresh failed:", res.status, body.error);
-      return { ...token, error: "RefreshAccessTokenError" };
-    }
-    return {
-      ...token,
-      accessToken: body.access_token,
-      accessTokenExpires: Date.now() + (body.expires_in ?? 300) * 1000,
-      refreshToken: body.refresh_token ?? token.refreshToken,
-      error: undefined,
-    };
-  } catch (err) {
-    console.warn("[auth] refresh error:", err);
+  const refreshToken = token.refreshToken ? String(token.refreshToken) : "";
+  if (!refreshToken) {
     return { ...token, error: "RefreshAccessTokenError" };
   }
+
+  // Dedupe concurrent refreshes for the same refresh_token.
+  const existing = inflightRefreshes.get(refreshToken);
+  if (existing) {
+    return existing.then((fresh) => ({ ...token, ...fresh }));
+  }
+
+  const promise = (async (): Promise<JWT> => {
+    try {
+      const issuer = process.env.AUTHENTIK_ISSUER;
+      const clientId = process.env.AUTHENTIK_CLIENT_ID;
+      const clientSecret = process.env.AUTHENTIK_CLIENT_SECRET;
+      if (!issuer || !clientId || !clientSecret) {
+        throw new Error("refresh_prerequisites_missing");
+      }
+      const url = `${issuer.replace(/\/$/, "")}/token/`;
+      const res = await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "refresh_token",
+          refresh_token: refreshToken,
+          client_id: clientId,
+          client_secret: clientSecret,
+        }),
+        cache: "no-store",
+        signal: AbortSignal.timeout(8_000),
+      });
+      const body = (await res.json()) as {
+        access_token?: string;
+        refresh_token?: string;
+        expires_in?: number;
+        error?: string;
+      };
+      if (!res.ok || !body.access_token) {
+        console.warn("[auth] refresh failed:", res.status, body.error);
+        return { ...token, error: "RefreshAccessTokenError" };
+      }
+      console.log("[auth] refresh OK expires_in=%d", body.expires_in ?? 300);
+      return {
+        ...token,
+        accessToken: body.access_token,
+        accessTokenExpires: Date.now() + (body.expires_in ?? 300) * 1000,
+        refreshToken: body.refresh_token ?? refreshToken,
+        error: undefined,
+      };
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.warn("[auth] refresh error:", msg);
+      return { ...token, error: "RefreshAccessTokenError" };
+    } finally {
+      inflightRefreshes.delete(refreshToken);
+    }
+  })();
+
+  inflightRefreshes.set(refreshToken, promise);
+  return promise;
 }
 
 export const authOptions: NextAuthOptions = {