nick-doc/Issues/ISSUE-053-axios-interceptor-only-handles-401-not-403-for-token-refresh.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


---
issue: 053
title: "Axios interceptor only retriggers token refresh for 401, not 403"
severity: major
domain: Authentication
status: resolved
resolved: 2026-05-29
fix: "Extended axios response interceptor condition from status === 401 to (status === 401 || status === 403) in axios.ts."
labels: [frontend, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---
# 🟠 Axios interceptor only retriggers token refresh for 401, not 403
**Severity:** major
**Domain:** Authentication
**Labels:** frontend, bug
## Description
`frontend/src/lib/axios.ts` (line ~105) only triggers the token-refresh flow for `status === 401`. A `403` response (e.g. `EMAIL_NOT_VERIFIED`, blocked account, under-privileged action) is not intercepted — it propagates as an unhandled error and some components may not handle it gracefully.
## Current Behavior
Backend returns `403` → interceptor neither refreshes nor surfaces a meaningful state → error propagates raw to the calling component.
## Expected Behavior
A `403` should NOT trigger a token refresh (it is an authorization failure, not an expired token), but it should be surfaced clearly — e.g. redirect to the verify-email page for `EMAIL_NOT_VERIFIED`. The doc's claim that the interceptor "handles 401/403" should match the code.
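The interceptor shape the expected behavior describes, written out as an added example (this is not the project's `axios.ts`; it is illustrative code added here). It separates the decision ("what does this status mean for the session?") from the side effects, so the 401 path refreshes once and retries while the 403 path never refreshes and instead surfaces a distinct state (`EMAIL_NOT_VERIFIED` routes to the verify-email handler; any other 403 rethrows as an authorization failure). The `_retried` flag on the request config, the `deps` callbacks, and the `data.code` field name are assumptions, not taken from the repository; `EMAIL_NOT_VERIFIED` is the code named in this issue.

```typescript
// Added example: axios-style response error handling that treats 401 and 403
// differently. Minimal structural types stand in for axios' own so the block
// runs without the dependency; wire the handler in with
//   api.interceptors.response.use((r) => r, createResponseErrorHandler(deps));

type AuthAction =
  | { kind: "refresh-and-retry" }   // 401, first time: token may simply be expired
  | { kind: "logout" }              // 401 again after a refresh: session is dead
  | { kind: "verify-email" }        // 403 + EMAIL_NOT_VERIFIED: route to verify page
  | { kind: "forbidden"; code: string } // any other 403: authorization failure, no refresh
  | { kind: "pass-through" };       // everything else is not an auth concern

interface AuthFailure {
  status: number;
  code?: string;          // assumed: backend puts a machine-readable code in data.code
  alreadyRetried: boolean;
}

// Pure decision function: easy to unit test, and it encodes the rule that a 403
// must never trigger a token refresh.
export function decideOnAuthError(f: AuthFailure): AuthAction {
  if (f.status === 401) {
    return f.alreadyRetried ? { kind: "logout" } : { kind: "refresh-and-retry" };
  }
  if (f.status === 403) {
    if (f.code === "EMAIL_NOT_VERIFIED") return { kind: "verify-email" };
    return { kind: "forbidden", code: f.code ?? "UNKNOWN" };
  }
  return { kind: "pass-through" };
}

// Subset of axios' request config / error shapes sufficient for this example.
interface RequestConfig {
  url: string;
  headers: Record<string, string>;
  _retried?: boolean;     // assumed marker to guarantee at most one refresh per request
}
interface HttpError {
  config: RequestConfig;
  response?: { status: number; data?: { code?: string } };
}
interface Deps {
  refreshAccessToken: () => Promise<string | null>; // null => refresh itself failed
  retry: (config: RequestConfig) => Promise<unknown>;
  onVerifyEmailRequired: () => void;
  onLogout: () => void;
}

export function createResponseErrorHandler(deps: Deps) {
  return async (error: HttpError): Promise<unknown> => {
    // No response at all (network failure, CORS block): nothing auth-related to do.
    if (!error.response) throw error;

    const action = decideOnAuthError({
      status: error.response.status,
      code: error.response.data?.code,
      alreadyRetried: error.config._retried === true,
    });

    switch (action.kind) {
      case "refresh-and-retry": {
        const token = await deps.refreshAccessToken();
        if (!token) {
          deps.onLogout();
          throw error;
        }
        const retried: RequestConfig = {
          ...error.config,
          _retried: true,
          headers: { ...error.config.headers, Authorization: `Bearer ${token}` },
        };
        return deps.retry(retried);
      }
      case "logout":
        deps.onLogout();
        throw error;
      case "verify-email":
        deps.onVerifyEmailRequired();
        throw error; // still reject so the caller's pending promise settles
      case "forbidden":
      case "pass-through":
        throw error; // surface unchanged; the component decides how to render it
    }
  };
}
```

Keeping the decision in `decideOnAuthError` makes the doc claim "handles 401/403" checkable in a unit test: a 403 must map to `verify-email` or `forbidden` and never to `refresh-and-retry`, and a second 401 on an already-retried request must map to `logout` rather than looping on refresh.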
## Affected Files
- `frontend/src/lib/axios.ts` — response interceptor (~line 105)
## References
- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Finding M1