Fix plural translation display and token refresh race condition

- Add RefreshActivePluralForms() to KeyDetailDrawer for external refresh
- Call refresh after applying translations to show new plural cells
- Add TokenRefreshCoordinator to prevent concurrent token refreshes
- Remove duplicate _isRefreshing flags from AuthenticatedHttpHandler and
  LrmAuthStateProvider in favor of centralized coordination

Author: nickprotop

cloud/src/LrmCloud.Web/Components/KeyDetailDrawer.razor

@@ -282,6 +282,15 @@
     private HashSet<string> _activePluralForms = new();
 
     protected override void OnParametersSet()
+    {
+        RefreshActivePluralForms();
+    }
+
+    /// <summary>
+    /// Refreshes the active plural forms from the current Row state.
+    /// Call this after externally modifying Row.Translations (e.g., after translation).
+    /// </summary>
+    public void RefreshActivePluralForms()
     {
         // Initialize active plural forms from existing translations
         _activePluralForms = GetExistingPluralForms();
@@ -297,6 +306,8 @@
         {
             _activePluralForms.Add(PluralForms.One);
         }
+
+        StateHasChanged();
     }
 
     private bool HasChanges => Row.Translations.Values.Any(t => t.IsDirty);

cloud/src/LrmCloud.Web/Pages/Projects/Editor.razor

@@ -117,7 +117,8 @@ else
         <MudDrawerContainer Class="pa-4">
             @if (_selectedRow != null)
             {
-                <KeyDetailDrawer Row="@_selectedRow"
+                <KeyDetailDrawer @ref="_keyDetailDrawer"
+                                 Row="@_selectedRow"
                                  Languages="@_languages"
                                  DefaultLanguage="@_project.DefaultLanguage"
                                  ProjectFormat="@_project.Format"
@@ -181,6 +182,7 @@ else
     private bool _drawerOpen;
     private TranslationGridRow? _selectedRow;        // Clone for drawer editing (isolated)
     private TranslationGridRow? _originalSelectedRow; // Original row reference (in grid)
+    private KeyDetailDrawer? _keyDetailDrawer;
     private AddKeyDialog? _addKeyDialog;
     private ConfirmDeleteDialog? _deleteDialog;
     private IEnumerable<TranslationGridRow>? _pendingDeleteRows;
@@ -777,6 +779,8 @@ else
 
         if (appliedCount > 0)
         {
+            // Refresh the drawer's plural form display to show new cells
+            _keyDetailDrawer?.RefreshActivePluralForms();
             Snackbar.Add($"Applied {appliedCount} translations. Click Apply to stage changes.", Severity.Success);
             StateHasChanged();
         }

cloud/src/LrmCloud.Web/Program.cs

@@ -35,6 +35,9 @@
     return new HttpClient(handler) { BaseAddress = apiBaseUrl };
 });
 
+// Token refresh coordinator (singleton to coordinate across all service instances)
+builder.Services.AddSingleton<TokenRefreshCoordinator>();
+
 // Auth service (depends on HttpClient, so register after)
 builder.Services.AddScoped<AuthService>();
 

cloud/src/LrmCloud.Web/Services/AuthService.cs

@@ -14,12 +14,14 @@ public class AuthService
     private readonly HttpClient _httpClient;
     private readonly TokenStorageService _tokenStorage;
     private readonly LrmAuthStateProvider _authStateProvider;
+    private readonly TokenRefreshCoordinator _refreshCoordinator;
 
-    public AuthService(HttpClient httpClient, TokenStorageService tokenStorage, LrmAuthStateProvider authStateProvider)
+    public AuthService(HttpClient httpClient, TokenStorageService tokenStorage, LrmAuthStateProvider authStateProvider, TokenRefreshCoordinator refreshCoordinator)
     {
         _httpClient = httpClient;
         _tokenStorage = tokenStorage;
         _authStateProvider = authStateProvider;
+        _refreshCoordinator = refreshCoordinator;
     }
 
     public async Task<AuthResult> LoginAsync(LoginRequest request)
@@ -138,6 +140,18 @@ public async Task<AuthResult> VerifyEmailAsync(string token)
 
     public async Task<bool> RefreshTokenAsync()
     {
+        // Use coordinator to prevent concurrent refresh attempts
+        if (!await _refreshCoordinator.TryAcquireRefreshLockAsync())
+        {
+            // Another refresh is in progress or was recently attempted
+            // Wait for it to complete and check if tokens are now valid
+            await _refreshCoordinator.WaitForRefreshAsync(TimeSpan.FromSeconds(5));
+
+            // Check if we now have valid tokens (from the other refresh)
+            var token = await _tokenStorage.GetAccessTokenAsync();
+            return !string.IsNullOrEmpty(token) && !await _tokenStorage.IsTokenExpiredAsync();
+        }
+
         try
         {
             var refreshToken = await _tokenStorage.GetRefreshTokenAsync();
@@ -180,6 +194,10 @@ await _tokenStorage.StoreTokensAsync(
             // The user may still be able to retry later
             return false;
         }
+        finally
+        {
+            _refreshCoordinator.ReleaseRefreshLock();
+        }
     }
 
     public async Task LogoutAsync()

cloud/src/LrmCloud.Web/Services/AuthenticatedHttpHandler.cs

@@ -10,7 +10,6 @@ public class AuthenticatedHttpHandler : DelegatingHandler
 {
     private readonly TokenStorageService _tokenStorage;
     private readonly IServiceProvider _serviceProvider;
-    private bool _isRefreshing;
 
     public AuthenticatedHttpHandler(TokenStorageService tokenStorage, IServiceProvider serviceProvider)
     {
@@ -34,7 +33,7 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
         var response = await base.SendAsync(request, cancellationToken);
 
         // Handle 401 Unauthorized - try to refresh token
-        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized && !isAuthEndpoint && !_isRefreshing)
+        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized && !isAuthEndpoint)
         {
             if (await TryRefreshTokenAsync())
             {
@@ -59,26 +58,16 @@ private async Task AddAuthHeaderAsync(HttpRequestMessage request)
 
     private async Task<bool> TryRefreshTokenAsync()
     {
-        if (_isRefreshing)
+        if (!await _tokenStorage.CanRefreshAsync())
             return false;
 
-        _isRefreshing = true;
-        try
-        {
-            if (!await _tokenStorage.CanRefreshAsync())
-                return false;
-
-            // Get AuthService from service provider (avoiding circular dependency)
-            var authService = _serviceProvider.GetService<AuthService>();
-            if (authService == null)
-                return false;
+        // Get AuthService from service provider (avoiding circular dependency)
+        // AuthService now uses TokenRefreshCoordinator internally for synchronization
+        var authService = _serviceProvider.GetService<AuthService>();
+        if (authService == null)
+            return false;
 
-            return await authService.RefreshTokenAsync();
-        }
-        finally
-        {
-            _isRefreshing = false;
-        }
+        return await authService.RefreshTokenAsync();
     }
 
     private static async Task<HttpRequestMessage> CloneRequestAsync(HttpRequestMessage request)

cloud/src/LrmCloud.Web/Services/LrmAuthStateProvider.cs

@@ -15,7 +15,6 @@ public class LrmAuthStateProvider : AuthenticationStateProvider
     private readonly IServiceProvider _serviceProvider;
     private UserDto? _cachedUser;
     private bool _isInitialized;
-    private bool _isRefreshing;
 
     public LrmAuthStateProvider(TokenStorageService tokenStorage, HttpClient httpClient, IServiceProvider serviceProvider)
     {
@@ -37,12 +36,12 @@ public override async Task<AuthenticationState> GetAuthenticationStateAsync()
         if (await _tokenStorage.IsTokenExpiredAsync())
         {
             // Token expired, try to refresh if possible
-            if (await _tokenStorage.CanRefreshAsync() && !_isRefreshing)
+            if (await _tokenStorage.CanRefreshAsync())
             {
-                _isRefreshing = true;
                 try
                 {
                     // Attempt to refresh the token using AuthService
+                    // AuthService uses TokenRefreshCoordinator internally to prevent concurrent refreshes
                     var authService = _serviceProvider.GetService<AuthService>();
                     if (authService != null && await authService.RefreshTokenAsync())
                     {
@@ -61,17 +60,12 @@ public override async Task<AuthenticationState> GetAuthenticationStateAsync()
                     // Error during refresh - return unauthenticated
                     return new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity()));
                 }
-                finally
-                {
-                    _isRefreshing = false;
-                }
             }
-            else if (!_isRefreshing)
+            else
             {
-                // Can't refresh and not currently refreshing - return unauthenticated
+                // Can't refresh - return unauthenticated
                 return new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity()));
             }
-            // If _isRefreshing is true, we're in a refresh cycle, proceed with current token
         }
 
         // Try to get user info from cache or fetch from API

cloud/src/LrmCloud.Web/Services/TokenRefreshCoordinator.cs

@@ -0,0 +1,86 @@
+namespace LrmCloud.Web.Services;
+
+/// <summary>
+/// Coordinates token refresh attempts across different parts of the app
+/// to prevent race conditions when multiple components try to refresh simultaneously.
+/// </summary>
+public class TokenRefreshCoordinator
+{
+    private readonly SemaphoreSlim _refreshLock = new(1, 1);
+    private bool _refreshInProgress;
+    private DateTime? _lastRefreshAttempt;
+
+    /// <summary>
+    /// Minimum time between refresh attempts to prevent rapid-fire refreshes.
+    /// </summary>
+    private static readonly TimeSpan MinRefreshInterval = TimeSpan.FromSeconds(5);
+
+    /// <summary>
+    /// Try to acquire the refresh lock. Returns true if this caller should perform the refresh.
+    /// Returns false if another refresh is in progress or was recently attempted.
+    /// </summary>
+    public async Task<bool> TryAcquireRefreshLockAsync(CancellationToken cancellationToken = default)
+    {
+        // Quick check before waiting for lock
+        if (_refreshInProgress)
+            return false;
+
+        // Check if refresh was recently attempted (even if it failed)
+        if (_lastRefreshAttempt.HasValue &&
+            DateTime.UtcNow - _lastRefreshAttempt.Value < MinRefreshInterval)
+            return false;
+
+        // Try to acquire the lock with a short timeout
+        if (!await _refreshLock.WaitAsync(TimeSpan.FromMilliseconds(100), cancellationToken))
+            return false;
+
+        // Double-check after acquiring lock
+        if (_refreshInProgress)
+        {
+            _refreshLock.Release();
+            return false;
+        }
+
+        _refreshInProgress = true;
+        _lastRefreshAttempt = DateTime.UtcNow;
+        return true;
+    }
+
+    /// <summary>
+    /// Release the refresh lock after refresh attempt completes.
+    /// </summary>
+    public void ReleaseRefreshLock()
+    {
+        _refreshInProgress = false;
+        try
+        {
+            _refreshLock.Release();
+        }
+        catch (SemaphoreFullException)
+        {
+            // Already released, ignore
+        }
+    }
+
+    /// <summary>
+    /// Check if a refresh is currently in progress.
+    /// </summary>
+    public bool IsRefreshInProgress => _refreshInProgress;
+
+    /// <summary>
+    /// Wait for any ongoing refresh to complete.
+    /// Returns true if we waited, false if no refresh was in progress.
+    /// </summary>
+    public async Task<bool> WaitForRefreshAsync(TimeSpan timeout, CancellationToken cancellationToken = default)
+    {
+        if (!_refreshInProgress)
+            return false;
+
+        var startTime = DateTime.UtcNow;
+        while (_refreshInProgress && DateTime.UtcNow - startTime < timeout)
+        {
+            await Task.Delay(50, cancellationToken);
+        }
+        return true;
+    }
+}