Updated files

.gitignore

@@ -1,3 +1,15 @@
+# Ignore temp, cache, and binary files
+tmp/
+chroma_db/
+logs/
+data/
+__pycache__/
+*.sqlite3
+*.db
+*.pyc
+*.pyo
+*.pyd
+*.log
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]

data/active_sessions.json

@@ -1,12 +1,7 @@
 {
   "admin_user": {
-    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiYWRtaW5fdXNlciIsInVzZXJuYW1lIjoiYWRtaW4iLCJleHAiOjE3NTI0MjY2NDV9.Csfsds7stWuRB_NcJKMZQB40PFBqUpg6X2EFmjoAmUE",
-    "created_at": "2025-07-13T14:40:45.815582",
-    "last_activity": "2025-07-13T14:49:54.108574"
-  },
-  "user_3": {
-    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoidXNlcl8zIiwidXNlcm5hbWUiOiJhbmFudGh1IiwiZXhwIjoxNzUyNDI3MzMyfQ.GSrJR06gLnNW5whgYok7_gV1YJSbfd0Lpia7Z8z6jak",
-    "created_at": "2025-07-13T14:52:12.892422",
-    "last_activity": "2025-07-13T14:52:23.475883"
+    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiYWRtaW5fdXNlciIsInVzZXJuYW1lIjoiYWRtaW4iLCJleHAiOjE3NTI1NDc2NjR9.SZ56Rw7mAUJgfScxu1ElGfI5dfWuUxTwUX6xi3d_7a8",
+    "created_at": "2025-07-15T00:17:44.795086",
+    "last_activity": "2025-07-15T00:50:22.820489"
   }
 }

main.py

@@ -1,3 +1,22 @@
+import shutil
+# ...existing code...
+import os
+import sys
+import json
+import asyncio
+from typing import Dict, List, Optional, Any
+from datetime import datetime
+# ...existing code...
+
+# Place this after app and get_current_user_dependency are defined
+# (see lines ~161 and ~231)
+
+from fastapi import UploadFile, File
+
+# ...existing code...
+
+
+# ...existing code...
 import os
 import sys
 import json
@@ -69,19 +88,27 @@ async def initialize_research_mate():
     print("🚀 Starting ResearchMate background initialization...")
     
     try:
+        # Ensure vectorstore/chroma persist directory exists before initializing components
+        base_dir = Path(__file__).parent.resolve()
+        chroma_dir = base_dir / "tmp" / "researchmate" / "chroma_persist"
+        chroma_dir.mkdir(parents=True, exist_ok=True)
+
+        # Set environment variable for ChromaDB persist directory (if needed by your code)
+        os.environ["CHROMA_PERSIST_DIR"] = str(chroma_dir)
+
         # Run initialization in thread pool to avoid blocking
         import concurrent.futures
         with concurrent.futures.ThreadPoolExecutor() as executor:
             loop = asyncio.get_event_loop()
-            
+
             print("📊 Initializing Citation Network Analyzer...")
             citation_analyzer = await loop.run_in_executor(executor, CitationNetworkAnalyzer)
             print("✅ Citation Network Analyzer initialized!")
-            
-            print("🧠 Initializing ResearchMate core...")
+
+            print(f"🧠 Initializing ResearchMate core (vectorstore at: {chroma_dir})")
             research_mate = await loop.run_in_executor(executor, ResearchMate)
             print("✅ ResearchMate core initialized!")
-        
+
         research_mate_initialized = True
         print("🎉 All components initialized successfully!")
     except Exception as e:
@@ -296,9 +323,9 @@ async def login(request: LoginRequest):
             response.set_cookie(
                 key="authToken",
                 value=result["token"],
-                httponly=False,  # Allow JavaScript access for debugging
-                secure=False,    # Don't require HTTPS for internal communication
-                samesite="lax",  # CSRF protection while allowing normal navigation
+                httponly=True,   # HttpOnly for security
+                secure=True,     # Secure for HTTPS
+                samesite="lax", # CSRF protection while allowing normal navigation
                 max_age=24*60*60,  # 24 hours
                 path="/",
                 domain=None      # Let browser determine domain
@@ -496,27 +523,28 @@ async def upload_pdf(file: UploadFile = File(...), current_user: dict = Depends(
         raise HTTPException(status_code=400, detail="Only PDF files are supported")
     
     try:
-        # Save uploaded file
-        upload_dir = Path("uploads")
-        upload_dir.mkdir(exist_ok=True)
+        # Use a cross-platform upload directory relative to the project root
+        base_dir = Path(__file__).parent.resolve()
+        upload_dir = base_dir / "uploads"
+        upload_dir.mkdir(parents=True, exist_ok=True)
         file_path = upload_dir / file.filename
-        
+
         with open(file_path, "wb") as buffer:
             content = await file.read()
             buffer.write(content)
-        
+
         # Process PDF
         result = research_mate.upload_pdf(str(file_path))
-        
+
         # Clean up file
         file_path.unlink()
-        
+
         if not result.get("success"):
             raise HTTPException(status_code=400, detail=result.get("error", "PDF analysis failed"))
-        
+
         return result
     except Exception as e:
-        raise HTTPException(status_code=500, detail=str(e))
+        raise HTTPException(status_code=500, detail=f"Failed to upload/process file: {e}")
 
 @app.post("/api/projects")
 async def create_project(project: ProjectCreate, current_user: dict = Depends(get_current_user_dependency)):
@@ -526,37 +554,9 @@ async def create_project(project: ProjectCreate, current_user: dict = Depends(ge
     try:
         user_id = current_user.get("user_id")
         result = research_mate.create_project(project.name, project.research_question, project.keywords, user_id)
-        if not result.get("success"):
-            raise HTTPException(status_code=400, detail=result.get("error", "Project creation failed"))
-        return result
-    except Exception as e:
-        raise HTTPException(status_code=500, detail=str(e))
-
-@app.get("/api/projects")
-async def list_projects(current_user: dict = Depends(get_current_user_dependency)):
-    if research_mate is None:
-        raise HTTPException(status_code=503, detail="ResearchMate not initialized")
-    
-    try:
-        user_id = current_user.get("user_id")
-        result = research_mate.list_projects(user_id)
-        if not result.get("success"):
-            raise HTTPException(status_code=400, detail=result.get("error", "Failed to list projects"))
-        return result
-    except Exception as e:
-        raise HTTPException(status_code=500, detail=str(e))
-
-@app.get("/api/projects/{project_id}")
-async def get_project(project_id: str, current_user: dict = Depends(get_current_user_dependency)):
-    if research_mate is None:
-        raise HTTPException(status_code=503, detail="ResearchMate not initialized")
-    
-    try:
-        user_id = current_user.get("user_id")
-        result = research_mate.get_project(project_id, user_id)
-        if not result.get("success"):
-            raise HTTPException(status_code=404, detail=result.get("error", "Project not found"))
-        return result
+        if result["success"]:
+            # Project creation successful, return result
+            return result
     except Exception as e:
         raise HTTPException(status_code=500, detail=str(e))
 
@@ -827,7 +827,7 @@ if __name__ == "__main__":
     
     # Hugging Face Spaces uses port 7860
     port = int(os.environ.get('PORT', 7860))
-    host = "0.0.0.0"
+    host = "127.0.0.1"
     
     print("Starting ResearchMate on Hugging Face Spaces...")
     print(f"Web Interface: http://0.0.0.0:{port}")

src/static/js/main.js

@@ -3,182 +3,62 @@
 // Global variables
 let currentToast = null;
 
-// Authentication utilities with enhanced security
-let sessionTimeout = null;
-let lastActivityTime = Date.now();
-const SESSION_TIMEOUT_MINUTES = 480; // 8 hours for prototype (less aggressive)
-const ACTIVITY_CHECK_INTERVAL = 300000; // Check every 5 minutes
-
-function getAuthToken() {
-    // Check both sessionStorage (preferred) and localStorage (fallback)
-    return sessionStorage.getItem('authToken') || localStorage.getItem('authToken');
-}
+// Authentication/session handled by backend HttpOnly cookie and /api/user/status
+// All API calls should use apiRequest with credentials: 'include'.
+// No token storage or Authorization header needed.
+// Session timeout and activity tracking handled server-side.
 
-function setAuthToken(token) {
-    // Store in sessionStorage for better security (clears on browser close)
-    sessionStorage.setItem('authToken', token);
-    // Also store in localStorage for compatibility, but with shorter expiry
-    localStorage.setItem('authToken', token);
-    localStorage.setItem('tokenTimestamp', Date.now().toString());
-    
-    // Set cookie with HttpOnly equivalent behavior
-    document.cookie = `authToken=${token}; path=/; SameSite=Strict; Secure=${location.protocol === 'https:'}`;
-    
-    // Reset activity tracking
-    lastActivityTime = Date.now();
-    startSessionTimeout();
-}
-
-function clearAuthToken() {
-    sessionStorage.removeItem('authToken');
-    sessionStorage.removeItem('userId');
-    localStorage.removeItem('authToken');
-    localStorage.removeItem('userId');
-    localStorage.removeItem('tokenTimestamp');
-    
-    // Clear cookie
-    document.cookie = 'authToken=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Strict';
-    
-    clearTimeout(sessionTimeout);
-}
-
-function isTokenExpired() {
-    const timestamp = localStorage.getItem('tokenTimestamp');
-    if (!timestamp) return true;
-    
-    const tokenAge = Date.now() - parseInt(timestamp);
-    const maxAge = 24 * 60 * 60 * 1000; // 24 hours
-    
-    return tokenAge > maxAge;
-}
 
-function startSessionTimeout() {
-    clearTimeout(sessionTimeout);
-    sessionTimeout = setTimeout(() => {
-        const inactivityTime = Date.now() - lastActivityTime;
-        if (inactivityTime >= SESSION_TIMEOUT_MINUTES * 60 * 1000) {
-            // Session expired due to inactivity
-            showToast('Session expired due to inactivity. Please log in again.', 'warning');
-            logout();
+// Document ready
+document.addEventListener('DOMContentLoaded', function() {
+    // Always verify authentication with backend on page load
+    fetch('/api/user/status', {
+        credentials: 'include'
+    })
+    .then(response => {
+        if (response.ok) {
+            // User is authenticated, continue
+            // Optionally, start session timeout or other logic here
         } else {
-            // Still active, reset timer
-            startSessionTimeout();
+            // Not authenticated, redirect to login if not already there
+            if (window.location.pathname !== '/login') {
+                window.location.href = '/login';
+            }
+        }
+    })
+    .catch((error) => {
+        console.error('User status check error:', error);
+        if (window.location.pathname !== '/login') {
+            window.location.href = '/login';
         }
-    }, ACTIVITY_CHECK_INTERVAL);
-}
-
-function trackActivity() {
-    lastActivityTime = Date.now();
-}
-
-function setAuthHeaders(headers = {}) {
-    const token = getAuthToken();
-    if (token && !isTokenExpired()) {
-        headers['Authorization'] = `Bearer ${token}`;
-    }
-    return headers;
-}
-
-function makeAuthenticatedRequest(url, options = {}) {
-    const headers = setAuthHeaders(options.headers || {});
-    return fetch(url, {
-        ...options,
-        headers: headers
     });
-}
-
-// Check if user is authenticated
-function isAuthenticated() {
-    const token = getAuthToken();
-    return !!(token && !isTokenExpired());
-}
 
-// Redirect to login if not authenticated
-function requireAuth() {
-    if (!isAuthenticated()) {
-        clearAuthToken();
-        window.location.href = '/login';
-        return false;
-    }
-    return true;
-}
+    // (trackActivity removed: no longer needed)
 
-// Document ready with enhanced security
-document.addEventListener('DOMContentLoaded', function() {
-    // Check authentication on protected pages
-    if (window.location.pathname !== '/login' && !isAuthenticated()) {
-        clearAuthToken();
-        window.location.href = '/login';
-        return;
-    }
-    
-    // Start session timeout if authenticated
-    if (isAuthenticated()) {
-        startSessionTimeout();
-    }
-    
-    // Track user activity for session timeout
-    document.addEventListener('click', trackActivity);
-    document.addEventListener('keypress', trackActivity);
-    document.addEventListener('scroll', trackActivity);
-    document.addEventListener('mousemove', trackActivity);
-    
     // Initialize tooltips
     initializeTooltips();
-    
-    // Handle page visibility changes (user switches tabs or minimizes browser)
-    document.addEventListener('visibilitychange', function() {
-        if (document.hidden) {
-            // Page is hidden, reduce activity tracking
-            clearTimeout(sessionTimeout);
-        } else {
-            // Page is visible again, resume activity tracking
-            if (isAuthenticated()) {
-                trackActivity();
-                startSessionTimeout();
-            }
-        }
-    });
-    
+
     // Handle beforeunload event (browser/tab closing)
     window.addEventListener('beforeunload', function() {
         // Clear sessionStorage on page unload (but keep localStorage for potential restoration)
         sessionStorage.clear();
     });
-    
-    // Periodically validate token with server (disabled for prototype)
-    // if (isAuthenticated()) {
-    //     setInterval(async function() {
-    //         try {
-    //             const response = await makeAuthenticatedRequest('/api/user/status');
-    //             if (!response.ok) {
-    //                 // Token is invalid or expired
-    //                 showToast('Session expired. Please log in again.', 'warning');
-    //                 logout();
-    //             }
-    //         } catch (error) {
-    //             console.log('Token validation failed:', error);
-    //         }
-    //     }, 5 * 60 * 1000); // Check every 5 minutes
-    // }
-    
+
     // Initialize smooth scrolling
     initializeSmoothScrolling();
-    
+
     // Initialize animations
     initializeAnimations();
-    
+
     // Initialize keyboard shortcuts
     initializeKeyboardShortcuts();
-    
-    // Theme toggle removed
-    
+
     // Initialize upload
     initializeUpload();
-    
+
     // Initialize search page (if on search page)
     initializeSearchPage();
-    
+
     console.log('ResearchMate initialized successfully!');
 });
 
@@ -259,35 +139,35 @@ function initializeKeyboardShortcuts() {
 // Theme toggle removed: always use dark theme
 
 // Enhanced Upload functionality
-function initializeUpload() {
+async function initializeUpload() {
     const uploadArea = document.getElementById('upload-area');
     const fileInput = document.getElementById('pdf-file');
     const uploadBtn = document.getElementById('upload-btn');
-    
+
     if (!uploadArea || !fileInput || !uploadBtn) return;
-    
+
     // Restore previous upload results if they exist
-    restoreUploadResults();
-    
+    await restoreUploadResults();
+
     // Click to browse files
     uploadArea.addEventListener('click', () => {
         fileInput.click();
     });
-    
+
     // Drag and drop functionality
     uploadArea.addEventListener('dragover', (e) => {
         e.preventDefault();
         uploadArea.classList.add('dragover');
     });
-    
+
     uploadArea.addEventListener('dragleave', () => {
         uploadArea.classList.remove('dragover');
     });
-    
+
     uploadArea.addEventListener('drop', (e) => {
         e.preventDefault();
         uploadArea.classList.remove('dragover');
-        
+
         const files = e.dataTransfer.files;
         if (files.length > 0 && files[0].type === 'application/pdf') {
             fileInput.files = files;
@@ -296,18 +176,18 @@ function initializeUpload() {
             showToast('Please select a valid PDF file', 'danger');
         }
     });
-    
+
     // File input change
     fileInput.addEventListener('change', (e) => {
         if (e.target.files.length > 0) {
             handleFileSelection(e.target.files[0]);
         }
     });
-    
+
     function handleFileSelection(file) {
         uploadBtn.disabled = false;
         uploadBtn.innerHTML = `<i class="fas fa-upload me-2"></i>Upload "${file.name}"`;
-        
+
         // Update upload area
         uploadArea.innerHTML = `
             <i class="fas fa-file-pdf text-danger"></i>
@@ -335,43 +215,36 @@ function toggleUploadArea() {
 }
 
 // Upload result persistence functions
-function saveUploadResults(data) {
+async function saveUploadResults(data) {
     try {
-        const currentUser = getCurrentUserId();
-        const currentSession = getSessionId();
-        
-        if (!currentUser || !currentSession) {
-            console.warn('Cannot save upload results: no user or session');
+        const currentUser = await getCurrentUserId();
+        if (!currentUser) {
+            console.warn('Cannot save upload results: no user');
             return;
         }
-        
         const dataToSave = {
             ...data,
             userId: currentUser,
-            sessionId: currentSession,
             savedAt: new Date().toISOString(),
             pageUrl: window.location.pathname
         };
-        
         saveToLocalStorage('researchmate_upload_results', dataToSave);
     } catch (error) {
         console.error('Failed to save upload results:', error);
     }
 }
 
-function restoreUploadResults() {
+async function restoreUploadResults() {
     try {
         const resultsContainer = document.getElementById('results-container');
         if (!resultsContainer) return;
-        
-        // Get current user from session/token
-        const currentUser = getCurrentUserId(); // You'll need to implement this
+        // Get current user from backend
+        const currentUser = await getCurrentUserId();
         if (!currentUser) {
             // No user logged in, clear any existing results
             clearUploadResults();
             return;
         }
-        
         const savedData = loadFromLocalStorage('researchmate_upload_results');
         if (savedData && savedData.pageUrl === window.location.pathname) {
             // Check if data belongs to current user
@@ -380,22 +253,12 @@ function restoreUploadResults() {
                 clearUploadResults();
                 return;
             }
-            
-            // Check if data is from current session
-            const currentSessionId = getSessionId(); // You'll need to implement this
-            if (savedData.sessionId !== currentSessionId) {
-                console.log('Upload results from different session, clearing');
-                clearUploadResults();
-                return;
-            }
-            
-            // Check if data is recent (within current session, max 1 hour)
+            // Check if data is recent (max 1 hour)
             const savedTime = new Date(savedData.savedAt);
             const now = new Date();
             const hoursDiff = (now - savedTime) / (1000 * 60 * 60);
-            
             if (hoursDiff < 1) {
-                console.log('Restoring upload results from current session');
+                console.log('Restoring upload results for user');
                 displayUploadResults(savedData);
                 showToast('Previous PDF analysis restored', 'info', 3000);
             } else {
@@ -408,15 +271,14 @@ function restoreUploadResults() {
     }
 }
 
-// Helper function to get current user ID
-function getCurrentUserId() {
+// Helper function to get current user ID from backend
+async function getCurrentUserId() {
     try {
-        const token = localStorage.getItem('authToken') || sessionStorage.getItem('authToken');
-        if (!token) return null;
-        
-        // Decode JWT token to get user ID (simple base64 decode)
-        const payload = JSON.parse(atob(token.split('.')[1]));
-        return payload.user_id || payload.sub;
+        const response = await fetch('/api/user/status', { credentials: 'include' });
+        if (!response.ok) return null;
+        const data = await response.json();
+        // Try user_id, id, or username as fallback
+        return data.user_id || data.id || data.username || null;
     } catch (error) {
         console.error('Failed to get current user ID:', error);
         return null;
@@ -1194,22 +1056,18 @@ function loadFromLocalStorage(key, defaultValue = null) {
 
 // Enhanced logout function with security cleanup
 function logout() {
-    // Clear all authentication data
-    clearAuthToken();
-    
     // Clear all session data
     sessionStorage.clear();
-    
-    // Clear specific localStorage items but keep non-sensitive data
-    const keysToRemove = ['authToken', 'userId', 'tokenTimestamp', 'userSession'];
-    keysToRemove.forEach(key => localStorage.removeItem(key));
-    
+    // Clear user info from localStorage
+    localStorage.removeItem('userId');
+    localStorage.removeItem('username');
     // Call logout API
     fetch('/api/auth/logout', {
         method: 'POST',
         headers: {
             'Content-Type': 'application/json',
-        }
+        },
+        credentials: 'include'
     })
     .then(() => {
         // Redirect to login page
@@ -1224,8 +1082,7 @@ function logout() {
 // Make logout function globally available
 window.logout = logout;
 
-// Make makeAuthenticatedRequest globally available
-window.makeAuthenticatedRequest = makeAuthenticatedRequest;
+
 
 // Export functions for global use
 window.ResearchMate = {
@@ -1247,7 +1104,8 @@ window.ResearchMate = {
     saveUploadResults,
     restoreUploadResults,
     clearUploadResults,
-    displayUploadResults
+    displayUploadResults,
+    getCurrentUserId
 };
 
 // Make clearUploadResults globally available for onclick handlers

src/templates/index.html

@@ -223,12 +223,10 @@ document.addEventListener('DOMContentLoaded', function() {
 
 function loadSystemStatus() {
     // Load system status (components and general info)
-    makeAuthenticatedRequest('/api/status')
-        .then(response => response.json())
+    apiRequest('/api/status', { credentials: 'include' })
         .then(systemData => {
             // Load user-specific statistics
-            makeAuthenticatedRequest('/api/user/status')
-                .then(response => response.json())
+            apiRequest('/api/user/status', { credentials: 'include' })
                 .then(userData => {
                     const statusDiv = document.getElementById('system-status');
                     if (systemData.success && userData.success) {

src/templates/login.html

@@ -86,6 +86,29 @@
 {% block extra_js %}
 <script>
 document.addEventListener('DOMContentLoaded', function() {
+    // Always verify authentication with backend on page load
+    fetch('/api/user/status', {
+        credentials: 'include'
+    })
+    .then(response => {
+        if (response.ok) {
+            // User is authenticated, redirect to home if not already there
+            if (window.location.pathname === '/login') {
+                window.location.href = '/';
+            }
+        } else {
+            // Not authenticated, redirect to login if not already there
+            if (window.location.pathname !== '/login') {
+                window.location.href = '/login';
+            }
+        }
+    })
+    .catch((error) => {
+        console.error('User status check error:', error);
+        if (window.location.pathname !== '/login') {
+            window.location.href = '/login';
+        }
+    });
     const loginForm = document.getElementById('login-form');
     const registerForm = document.getElementById('register-form');
     const loginBtn = document.getElementById('login-btn');
@@ -124,10 +147,7 @@ document.addEventListener('DOMContentLoaded', function() {
             console.log('Login response:', data); // Debug log
             
             if (response.ok && data.success) {
-                // Store token as backup
-                if (data.token) {
-                    localStorage.setItem('authToken', data.token);
-                }
+                // Store user info for UI only
                 if (data.user_id) {
                     localStorage.setItem('userId', data.user_id);
                 }
@@ -254,36 +274,26 @@ document.addEventListener('DOMContentLoaded', function() {
         }
     }
     
-    // Check if user is already logged in - with better error handling
-    const token = localStorage.getItem('authToken');
-    if (token) {
-        // Verify token is still valid
-        fetch('/api/user/status', {
-            headers: {
-                'Authorization': `Bearer ${token}`
-            },
-            credentials: 'include'
-        })
-        .then(response => {
-            if (response.ok) {
-                // User is already logged in, redirect
-                console.log('User already logged in, redirecting...');
-                window.location.href = '/';
-            } else {
-                // Token is invalid, clear it
-                localStorage.removeItem('authToken');
-                localStorage.removeItem('userId');
-                localStorage.removeItem('username');
-            }
-        })
-        .catch((error) => {
-            console.error('Token verification error:', error);
-            // Token is invalid, clear it
-            localStorage.removeItem('authToken');
+    // Check if user is already logged in (cookie-based)
+    fetch('/api/user/status', {
+        credentials: 'include'
+    })
+    .then(response => {
+        if (response.ok) {
+            // User is already logged in, redirect
+            console.log('User already logged in, redirecting...');
+            window.location.href = '/';
+        } else {
+            // Not logged in, clear any UI user info
             localStorage.removeItem('userId');
             localStorage.removeItem('username');
-        });
-    }
+        }
+    })
+    .catch((error) => {
+        console.error('User status check error:', error);
+        localStorage.removeItem('userId');
+        localStorage.removeItem('username');
+    });
 });
 </script>
 {% endblock %}

src/templates/projects.html

@@ -113,13 +113,7 @@ document.addEventListener('DOMContentLoaded', function() {
     });
 
     function loadProjects() {
-        makeAuthenticatedRequest('/api/projects')
-            .then(response => {
-                if (!response.ok) {
-                    throw new Error(`HTTP ${response.status}: ${response.statusText}`);
-                }
-                return response.json();
-            })
+        apiRequest('/api/projects', { credentials: 'include' })
             .then(data => {
                 console.log('Projects API response:', data); // Debug log
                 if (data.success) {
@@ -145,19 +139,18 @@ document.addEventListener('DOMContentLoaded', function() {
             submitBtn.disabled = true;
         }
 
-        fetch('/api/projects', {
+        apiRequest('/api/projects', {
             method: 'POST',
             headers: {
-                'Content-Type': 'application/json',
-                'Authorization': `Bearer ${localStorage.getItem('authToken')}`
+                'Content-Type': 'application/json'
             },
+            credentials: 'include',
             body: JSON.stringify({
                 name: name,
                 research_question: researchQuestion,
                 keywords: keywords
             })
         })
-        .then(response => response.json())
         .then(data => {
             if (data.success) {
                 // Close modal and reset form
@@ -278,12 +271,7 @@ projectsContainer.innerHTML = html;
 
     // Global functions for project actions
     window.viewProject = function(projectId) {
-        fetch(`/api/projects/${projectId}`, {
-            headers: {
-                'Authorization': `Bearer ${localStorage.getItem('authToken')}`
-            }
-        })
-            .then(response => response.json())
+        apiRequest(`/api/projects/${projectId}`, { credentials: 'include' })
             .then(data => {
                 if (data.success) {
                     displayProjectDetails(data.project);
@@ -311,14 +299,13 @@ projectsContainer.innerHTML = html;
         // Show persistent loading message (no auto-dismiss)
         showAlert('info', 'Literature search in progress... This may take a few minutes.', 0); // 0 = no auto-dismiss
         
-        fetch(`/api/projects/${projectId}/search`, {
+        apiRequest(`/api/projects/${projectId}/search`, {
             method: 'POST',
             headers: {
-                'Content-Type': 'application/json',
-                'Authorization': `Bearer ${localStorage.getItem('authToken')}`
-            }
+                'Content-Type': 'application/json'
+            },
+            credentials: 'include'
         })
-        .then(response => response.json())
         .then(data => {
             // Remove loading alert if present
             if (window.currentActiveAlert && window.currentActiveAlert.parentNode) {
@@ -411,14 +398,13 @@ projectsContainer.innerHTML = html;
         
         showAlert('info', 'Analyzing project data... This may take a few minutes.', 0);
         
-        fetch(`/api/projects/${projectId}/analyze`, {
+        apiRequest(`/api/projects/${projectId}/analyze`, {
             method: 'POST',
             headers: {
-                'Content-Type': 'application/json',
-                'Authorization': `Bearer ${localStorage.getItem('authToken')}`
-            }
+                'Content-Type': 'application/json'
+            },
+            credentials: 'include'
         })
-        .then(response => response.json())
         .then(data => {
             // Remove loading alert if present
             if (window.currentActiveAlert && window.currentActiveAlert.parentNode) {
@@ -463,14 +449,13 @@ projectsContainer.innerHTML = html;
         
         showAlert('info', 'Generating literature review... This may take several minutes.', 0); // 0 = no auto-dismiss
         
-        fetch(`/api/projects/${projectId}/review`, {
+        apiRequest(`/api/projects/${projectId}/review`, {
             method: 'POST',
             headers: {
-                'Content-Type': 'application/json',
-                'Authorization': `Bearer ${localStorage.getItem('authToken')}`
-            }
+                'Content-Type': 'application/json'
+            },
+            credentials: 'include'
         })
-        .then(response => response.json())
         .then(data => {
             console.log('Review response:', data); // Debug log
             // Remove loading alert if present