---
issue: 053
title: "Axios interceptor only retriggers token refresh for 401, not 403"
severity: major
domain: Authentication
status: resolved
resolved: 2026-05-29
fix: "Extended axios response interceptor condition from status === 401 to (status === 401 || status === 403) in axios.ts."
labels: [frontend, bug]
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 Axios interceptor only retriggers token refresh for 401, not 403

**Severity:** major
**Domain:** Authentication
**Labels:** frontend, bug

## Description

`frontend/src/lib/axios.ts` (line ~105) only triggers the token-refresh flow for `status === 401`. A `403` response (e.g. `EMAIL_NOT_VERIFIED`, a blocked account, or an under-privileged action) is not intercepted at all: it propagates as an unhandled error, and some components may not handle it gracefully.

## Current Behavior

Backend returns `403` → the interceptor neither refreshes nor surfaces a meaningful state → the error propagates raw to the calling component.

## Expected Behavior

A `403` should NOT trigger a token refresh (it is an authorization failure, not an expired token), but it should be surfaced clearly, e.g. by redirecting to the verify-email page for `EMAIL_NOT_VERIFIED`. Note that simply widening the refresh condition to `status === 401 || status === 403` does the opposite: every authorization failure would then refresh the token and replay the request, and because a refreshed token is still forbidden from the same action, a request with no per-request retry guard would loop. The 401 path (refresh, retry once) and the 403 path (no refresh, route by error code) need to stay separate. The doc's claim that the interceptor "handles 401/403" should match the code.

## Affected Files

- `frontend/src/lib/axios.ts` — response interceptor (~line 105)

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Finding M1
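The 401/403 split described under Expected Behavior, as an added example that is not the project's `frontend/src/lib/axios.ts`: a `401` refreshes once (single-flight, guarded by a per-request `_retry` flag so a failed refresh cannot loop), while a `403` never refreshes and is routed by the backend error code. Assumed, not taken from the issue: that `403` bodies carry a `code` field, the `/auth/refresh` path, the `ACCOUNT_BLOCKED` code and `/account-blocked` route, and the injected `deps` callbacks (`refresh`, `retry`, `redirect`, `logout`).

```typescript
// Added example: an axios-style response-error handler that refreshes on 401
// and routes 403 by error code. Not the project's frontend/src/lib/axios.ts.
// Assumptions (not from the issue): 403 bodies carry { code }, the refresh
// endpoint is /auth/refresh, and retry/redirect/logout are injected callbacks.

type AuthAction =
  | { kind: "refresh-and-retry" }
  | { kind: "redirect"; to: string }
  | { kind: "logout" }
  | { kind: "passthrough" };

// Minimal shape of an AxiosError; `_retry` is the per-request retry guard flag.
interface RequestConfig { url?: string; _retry?: boolean }
interface HttpError {
  response?: { status: number; data?: { code?: string } };
  config?: RequestConfig;
}

const REFRESH_URL = "/auth/refresh"; // assumed path

// Backend error codes that deserve a dedicated page instead of a raw error.
// EMAIL_NOT_VERIFIED is named in the issue; ACCOUNT_BLOCKED is hypothetical.
const FORBIDDEN_ROUTES = new Map<string, string>([
  ["EMAIL_NOT_VERIFIED", "/verify-email"],
  ["ACCOUNT_BLOCKED", "/account-blocked"],
]);

// Pure decision: 401 means the token may be stale (refresh once); 403 means
// the token is valid but the action is not allowed (never refresh).
function decideAuthAction(err: HttpError): AuthAction {
  const status = err.response?.status;
  if (status === 401) {
    const cfg = err.config;
    if (!cfg) return { kind: "passthrough" }; // nothing to retry
    // Already retried once, or the refresh call itself got a 401: give up.
    if (cfg._retry || cfg.url === REFRESH_URL) return { kind: "logout" };
    return { kind: "refresh-and-retry" };
  }
  if (status === 403) {
    const code = err.response?.data?.code;
    const to = code !== undefined ? FORBIDDEN_ROUTES.get(code) : undefined;
    return to !== undefined ? { kind: "redirect", to } : { kind: "passthrough" };
  }
  return { kind: "passthrough" }; // network errors, 5xx, etc.: let the caller see them
}

interface Deps {
  refresh(): Promise<void>;                    // POST /auth/refresh, store the new token
  retry(cfg: RequestConfig): Promise<unknown>; // re-issue the original request
  redirect(to: string): void;
  logout(): void;
}

// Single-flight refresh: concurrent 401s share one in-flight refresh call.
let inflightRefresh: Promise<void> | null = null;
function refreshOnce(deps: Deps): Promise<void> {
  if (inflightRefresh === null) {
    inflightRefresh = deps.refresh().then(
      () => { inflightRefresh = null; },
      (e: unknown) => { inflightRefresh = null; throw e; },
    );
  }
  return inflightRefresh;
}

// The function to pass as the second argument of
// client.interceptors.response.use(onFulfilled, onRejected).
async function onResponseError(err: HttpError, deps: Deps): Promise<unknown> {
  const action = decideAuthAction(err);
  switch (action.kind) {
    case "refresh-and-retry": {
      const cfg = err.config as RequestConfig;
      cfg._retry = true;              // guard: a second 401 on this request logs out
      await refreshOnce(deps);
      return deps.retry(cfg);
    }
    case "redirect":
      deps.redirect(action.to);
      throw err;                      // still reject so the caller's await unwinds
    case "logout":
      deps.logout();
      throw err;
    default:
      throw err;
  }
}
```

Keeping `decideAuthAction` pure makes the policy unit-testable without axios or a network: the table of error codes is the only thing that changes when a new `403` reason is added, and the `_retry` plus `REFRESH_URL` checks are what stop a refresh that returns `401` from re-entering the interceptor forever.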