allow renewal of token if its safe to do so when using proxy auth with custom login

http/auth.go

@@ -12,7 +12,9 @@ import (
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/golang-jwt/jwt/v4/request"
 
+	fbAuth "github.com/filebrowser/filebrowser/v2/auth"
 	fbErrors "github.com/filebrowser/filebrowser/v2/errors"
+	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/users"
 )
 
@@ -64,6 +66,20 @@ func (e extractor) ExtractToken(r *http.Request) (string, error) {
 	return "", request.ErrNoTokenInRequest
 }
 
+func renewableErr(err error, d *data) bool {
+	if d.settings.AuthMethod != fbAuth.MethodProxyAuth || err == nil {
+		return false
+	}
+	if d.settings.LogoutPage == "" || d.settings.LogoutPage == settings.DefaultLogoutPage {
+		return false
+	}
+	var verr *jwt.ValidationError
+	if !errors.As(err, &verr) || verr == nil || verr.Errors != jwt.ValidationErrorExpired {
+		return false
+	}
+	return true
+}
+
 func withUser(fn handleFunc) handleFunc {
 	return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
 		keyFunc := func(_ *jwt.Token) (interface{}, error) {
@@ -73,7 +89,7 @@ func withUser(fn handleFunc) handleFunc {
 		var tk authToken
 		token, err := request.ParseFromRequest(r, &extractor{}, keyFunc, request.WithClaims(&tk))
 
-		if err != nil || !token.Valid {
+		if (err != nil || !token.Valid) && !renewableErr(err, d) {
 			return http.StatusUnauthorized, nil
 		}