Files
nick-doc/Issues/ISSUE-085-frontend-token-refresh-queue-dispatches-with-undefined-authori.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00

1.4 KiB

| issue | title | severity | domain | labels | status | created | source |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 085 | Frontend: token refresh queue dispatches with undefined Authorization header | medium | Authentication | bug, frontend, session | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |

Frontend: token refresh queue dispatches with undefined Authorization header

Severity: medium Domain: Authentication Labels: bug, frontend, session

Description

src/lib/axios.ts:136 unconditionally flushes the queue of requests that were held while a token refresh was in flight. When the refresh yields no token (expired session, network error), the queued requests are still dispatched, and because the header is built from the missing value they go out with `Authorization: Bearer undefined`. The backend middleware treats that as an invalid token, so every queued request fails with 401, yet the client neither logs the user out nor surfaces an error; the session is effectively dead but the UI does not know it.

Options

  1. On no token: reject the queued requests (fail fast) and trigger logout/redirect.
  2. Skip the forEach when newAccessToken is falsy and leave the requests queued for a later retry.
  3. Move the forEach inside the if (newAccessToken) guard and reject the queue in the else branch.

Recommendation

Move the flush inside the token guard and explicitly reject the queued callbacks in the else branch, so that callers receive an error they can act on (logout/redirect) instead of retrying with `Bearer undefined` and failing silently with 401. Drain the queue in both branches so nothing is left behind to be replayed by a later refresh.
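As an added example, not the project's own src/lib/axios.ts (whose queue implementation is not shown here), the following TypeScript models the refresh-queue pattern that the description and the recommendation refer to: the flush that runs unconditionally after the refresh attempt, beside the guarded version that rejects the queue and flags a logout when no token came back. The mock backend, the `Session` object and every function name below are assumptions for illustration.

```typescript
// Added example, not the project's src/lib/axios.ts: a minimal synchronous
// model of the "refresh queue" pattern used in axios response interceptors.
// All names here (mockBackend, Session, refreshAccessToken, flushQueueBefore,
// flushQueueAfter, compare) are illustrative assumptions.

type RetryResult =
  | { kind: "response"; url: string; status: number; authorization: string }
  | { kind: "rejected"; url: string; reason: string };

interface Session {
  loggedOut: boolean; // set when the client should clear state and redirect to login
}

// Constructed stand-in for backend auth middleware: it accepts exactly one
// token and rejects everything else with 401, including the literal string
// "undefined" that a template literal produces from an undefined value.
const VALID_TOKEN = "tok_valid_1";
function mockBackend(authorization: string): number {
  const token = authorization.startsWith("Bearer ")
    ? authorization.slice("Bearer ".length)
    : "";
  return token === VALID_TOKEN ? 200 : 401;
}

// Simulated refresh: a token on success, undefined on an expired session or a
// network error (the two cases the issue describes).
function refreshAccessToken(refreshSucceeds: boolean): string | undefined {
  return refreshSucceeds ? VALID_TOKEN : undefined;
}

// Retry one queued request with whatever the refresh produced.
function retry(url: string, token: string | undefined): RetryResult {
  const authorization = `Bearer ${token}`; // undefined becomes "Bearer undefined"
  return { kind: "response", url, status: mockBackend(authorization), authorization };
}

// BEFORE (the bug): the queue is flushed regardless of whether a token came
// back, so every queued request is retried with "Authorization: Bearer
// undefined", fails with 401, and the session is never flagged.
function flushQueueBefore(
  queue: string[],
  newAccessToken: string | undefined,
  _session: Session,
): RetryResult[] {
  const results = queue.map((url) => retry(url, newAccessToken));
  queue.length = 0;
  return results;
}

// AFTER (the recommendation): flush only inside the token guard; otherwise
// reject every queued request explicitly and flag a logout so the failure
// surfaces to callers instead of silently becoming a wall of 401s.
function flushQueueAfter(
  queue: string[],
  newAccessToken: string | undefined,
  session: Session,
): RetryResult[] {
  let results: RetryResult[];
  if (newAccessToken) {
    results = queue.map((url) => retry(url, newAccessToken));
  } else {
    results = queue.map((url): RetryResult => ({
      kind: "rejected",
      url,
      reason: "token refresh failed; session expired",
    }));
    session.loggedOut = true; // caller clears state and redirects to login
  }
  queue.length = 0; // drained either way, so nothing is replayed by a later refresh
  return results;
}

// Run both versions against the same constructed queue of held requests.
function compare(refreshSucceeds: boolean): {
  before: RetryResult[];
  beforeSession: Session;
  after: RetryResult[];
  afterSession: Session;
} {
  const urls = ["/api/me", "/api/orders", "/api/notifications"]; // constructed sample
  const token = refreshAccessToken(refreshSucceeds);
  const beforeSession: Session = { loggedOut: false };
  const afterSession: Session = { loggedOut: false };
  const before = flushQueueBefore([...urls], token, beforeSession);
  const after = flushQueueAfter([...urls], token, afterSession);
  return { before, beforeSession, after, afterSession };
}
```

With `compare(false)` the "before" path yields three 401 responses that were sent with `Bearer undefined` and a session still marked as logged in, while the "after" path yields three explicit rejections and a session flagged for logout; with `compare(true)` both paths return 200 for every request and neither flags a logout.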

Affected Files

  • frontend/src/lib/axios.ts:136

References