---
issue: 085
title: "Frontend: token refresh queue dispatches with undefined Authorization header"
severity: medium
domain: Authentication
labels: [bug, frontend, session]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Frontend: token refresh queue dispatches with undefined Authorization header

**Severity:** medium
**Domain:** Authentication
**Labels:** bug, frontend, session

## Description

`src/lib/axios.ts:136` flushes queued requests after a refresh attempt unconditionally. When the refresh yields no token (expired session, network error), queued requests are dispatched with `Authorization: Bearer undefined`, which backend middleware treats as an invalid token, causing all queued requests to fail with 401 — but no logout or error surfacing occurs.

## Options

1. On no token: reject queued requests (fail fast) and trigger logout/redirect.
2. Skip the `forEach` when `newAccessToken` is falsy and let requests retry later.
3. Move the `forEach` inside the `if (newAccessToken)` guard and reject the queue in the `else` branch.

## Recommendation

Move the flush inside the token guard and explicitly reject the queued callbacks so they error rather than retry with `'Bearer undefined'`.

## Affected Files

- `frontend/src/lib/axios.ts:136`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-11
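The following is an added illustration, not the project's `src/lib/axios.ts`: a minimal, axios-free model of a refresh queue that shows the unguarded flush producing `Bearer undefined` next to the recommended guarded flush that rejects the queue and signals logout. The names `RefreshQueue`, `flushUnguarded`, `flushGuarded`, `SessionExpiredError` and `dispatchAfterRefresh` are assumptions chosen for this example.

```typescript
// Added example (not the project's code): models the refresh-queue flush at the
// reported line and the recommended fix. All identifiers are assumptions.

export class SessionExpiredError extends Error {
  constructor() {
    super("session expired: refresh returned no access token");
    this.name = "SessionExpiredError";
  }
}

/** A request parked by the 401 interceptor while a refresh is in flight. */
export type QueuedRequest = {
  onToken: (token: string) => void; // re-dispatch with the new token
  onError: (err: Error) => void;    // surface the failure to the caller
};

export class RefreshQueue {
  private pending: QueuedRequest[] = [];
  /** Counts how often the guarded flush asked for logout/redirect (stand-in for the real hook). */
  public logoutCalls = 0;

  enqueue(req: QueuedRequest): void {
    this.pending.push(req);
  }

  pendingCount(): number {
    return this.pending.length;
  }

  /** Mirrors the audited behaviour: flushes unconditionally, even when no token came back. */
  flushUnguarded(newAccessToken: string | undefined): void {
    const queued = this.pending;
    this.pending = [];
    // Resolves every waiter with `undefined`; each then sends "Bearer undefined".
    queued.forEach((req) => req.onToken(newAccessToken as string));
  }

  /** Recommended fix: dispatch only inside the token guard, reject the queue otherwise. */
  flushGuarded(newAccessToken: string | undefined): void {
    const queued = this.pending;
    this.pending = [];
    if (newAccessToken) {
      queued.forEach((req) => req.onToken(newAccessToken));
    } else {
      // Fail fast: callers get an explicit error instead of a silent 401 storm,
      // and the session layer is told to log out / redirect.
      const err = new SessionExpiredError();
      queued.forEach((req) => req.onError(err));
      this.logoutCalls += 1;
    }
  }
}

/** The header value a re-dispatched request would actually carry. */
export function authorizationHeader(token: string | undefined): string {
  return `Bearer ${token}`;
}

/** Parks one request, runs the chosen flush, and reports what the request ended up doing. */
export function dispatchAfterRefresh(
  queue: RefreshQueue,
  flush: (q: RefreshQueue, token: string | undefined) => void,
  refreshResult: string | undefined,
): { header?: string; error?: string } {
  const outcome: { header?: string; error?: string } = {};
  queue.enqueue({
    onToken: (t) => { outcome.header = authorizationHeader(t); },
    onError: (e) => { outcome.error = e.name; },
  });
  flush(queue, refreshResult);
  return outcome;
}
```

Running `dispatchAfterRefresh` with a failed refresh (`undefined`) shows the difference directly: the unguarded flush yields a request carrying `Bearer undefined`, while the guarded flush yields a `SessionExpiredError` and increments the logout counter, matching option 3 and the recommendation above.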