Fix API authentication issues

- Add Authorization header passthrough in nginx config
- Add cookie passthrough for session authentication
- Improve apiRequest error handling for non-JSON responses
- Only redirect to login on protected pages when auth fails

nginx.conf

@@ -46,8 +46,13 @@ server {
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Authorization $http_authorization;
         proxy_set_header Connection "";
         
+        # Pass cookies for session authentication
+        proxy_pass_header Set-Cookie;
+        proxy_cookie_path / /;
+        
         # Timeouts
         proxy_connect_timeout 60s;
         proxy_send_timeout 60s;

web/app.js

@@ -1765,7 +1765,20 @@ async function apiRequest(endpoint, method = 'GET', data = null) {
     
     try {
         const response = await fetch(`${API_BASE_URL}${endpoint}`, options);
-        const result = await response.json();
+        
+        // Check content-type before parsing
+        const contentType = response.headers.get('content-type');
+        let result;
+        
+        if (contentType && contentType.includes('application/json')) {
+            result = await response.json();
+        } else {
+            // Handle non-JSON responses (HTML error pages, etc.)
+            const text = await response.text();
+            console.error('API returned non-JSON response:', response.status, response.statusText);
+            console.error('Response text:', text.substring(0, 500));
+            return { error: `API returned non-JSON response (${response.status}): ${response.statusText}` };
+        }
         
         // Handle token expiration
         if (response.status === 401) {
@@ -1775,12 +1788,27 @@ async function apiRequest(endpoint, method = 'GET', data = null) {
                 // Retry the request
                 options.headers['Authorization'] = `Bearer ${localStorage.getItem('authToken')}`;
                 const retryResponse = await fetch(`${API_BASE_URL}${endpoint}`, options);
-                return await retryResponse.json();
+                
+                // Check content-type for retry response too
+                const retryContentType = retryResponse.headers.get('content-type');
+                if (retryContentType && retryContentType.includes('application/json')) {
+                    return await retryResponse.json();
+                } else {
+                    const retryText = await retryResponse.text();
+                    console.error('API retry returned non-JSON response:', retryResponse.status);
+                    return { error: 'API retry failed' };
+                }
             } else {
-                // Redirect to login
-                localStorage.removeItem('authToken');
-                localStorage.removeItem('refreshToken');
-                window.location.href = 'index.html';
+                // Only redirect if we're on a protected page and can't refresh
+                const isProtectedPage = window.location.pathname.includes('player.html') ||
+                                        window.location.pathname.includes('broker.html') ||
+                                        window.location.pathname.includes('profile.html') ||
+                                        window.location.pathname.includes('wallet.html');
+                if (isProtectedPage) {
+                    localStorage.removeItem('authToken');
+                    localStorage.removeItem('refreshToken');
+                    window.location.href = 'index.html';
+                }
                 return { error: 'Authentication required' };
             }
         }