Full-codebase-audit 2026-05-30 outputs:

- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
40 lines
1.5 KiB
Markdown
---
issue: 053
title: "Axios interceptor only retriggers token refresh for 401, not 403"
severity: major
domain: Authentication
status: resolved
resolved: 2026-05-29
fix: "Extended axios response interceptor condition from status === 401 to (status === 401 || status === 403) in axios.ts."
labels: [frontend, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 Axios interceptor only retriggers token refresh for 401, not 403

**Severity:** major
**Domain:** Authentication
**Labels:** frontend, bug

## Description

`frontend/src/lib/axios.ts` (line ~105) only triggers the token-refresh flow for `status === 401`. A `403` response (e.g. `EMAIL_NOT_VERIFIED`, blocked account, under-privileged action) is not intercepted: it propagates as an unhandled error, and some components may not handle it gracefully.

## Current Behavior

Backend returns `403` → interceptor neither refreshes nor surfaces a meaningful state → error propagates raw to the calling component.

## Expected Behavior

A `403` should NOT trigger a token refresh (it is an authorization failure, not an expired token), but it should be surfaced clearly — e.g. redirect to the verify-email page for `EMAIL_NOT_VERIFIED`. The doc's claim that the interceptor "handles 401/403" should match the code.
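The split described above, as an added example that is not the project's `axios.ts`: a pure classifier for the interceptor's error branch that reserves refresh-and-replay for `401`, caps it at one retry per request so a dead session cannot loop, and surfaces `403` as a typed state without ever refreshing. It assumes the backend puts a string `code` in the JSON error body (e.g. `EMAIL_NOT_VERIFIED`); the route names and the `_retried` flag are placeholders, and axios itself is only sketched in a comment.

```typescript
// Added example, not the project's frontend/src/lib/axios.ts.
// Assumptions: error body carries a string `code`; routes below are placeholders;
// `_retried` is a private flag stamped on the replayed request config.

export interface RequestConfig { url: string; _retried?: boolean }
export interface HttpError {
  response?: { status: number; data?: { code?: string } };
  config: RequestConfig;
}

export type AuthAction =
  | { kind: "refresh"; retryConfig: RequestConfig } // 401: refresh, then replay once
  | { kind: "logout" }                              // 401 on an already-replayed request
  | { kind: "navigate"; to: string }                // 403 with a dedicated UI state
  | { kind: "forbidden"; code?: string }            // 403 without one: surface, never retry
  | { kind: "passthrough" };                        // anything else: caller handles

// 403 codes that have a page of their own (assumed routes).
const FORBIDDEN_ROUTES: Record<string, string> = {
  EMAIL_NOT_VERIFIED: "/verify-email",
  ACCOUNT_BLOCKED: "/account-blocked",
};

export function classifyAuthError(err: HttpError): AuthAction {
  const status = err.response?.status;
  if (status === 401) {
    // One replay per request: a second 401 after a refresh means the session is
    // gone, and refreshing again would loop until the refresh endpoint rate-limits.
    if (err.config._retried) return { kind: "logout" };
    return { kind: "refresh", retryConfig: { ...err.config, _retried: true } };
  }
  if (status === 403) {
    // Authorization failure: a new access token would not change the answer.
    const code = err.response?.data?.code;
    const to: string | undefined = code !== undefined ? FORBIDDEN_ROUTES[code] : undefined;
    return to !== undefined ? { kind: "navigate", to } : { kind: "forbidden", code };
  }
  return { kind: "passthrough" }; // network errors, 5xx, 404, ...
}

// Wiring sketch for the real interceptor (axios deliberately not imported here):
//   api.interceptors.response.use(undefined, async (err) => {
//     const action = classifyAuthError(err);
//     if (action.kind === "refresh") { await refreshTokens(); return api(action.retryConfig); }
//     if (action.kind === "navigate") router.push(action.to);
//     if (action.kind === "logout") clearSession();
//     return Promise.reject(err); // forbidden/passthrough reach the caller as-is
//   });
```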

## Affected Files

- `frontend/src/lib/axios.ts` — response interceptor (~line 105)

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Finding M1