nick-doc/Issues/ISSUE-053-axios-interceptor-only-handles-401-not-403-for-token-refresh.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | status | resolved | fix | labels | status | created | source |
|---|---|---|---|---|---|---|---|---|---|---|
| 053 | Axios interceptor only retriggers token refresh for 401, not 403 | major | Authentication | resolved | 2026-05-29 | Extended axios response interceptor condition from `status === 401` to `(status === 401 \|\| status === 403)` in axios.ts. | frontend, bug | open | 2026-05-29 | Doc vs Code Audit 2026-05-29 |

🟠 Axios interceptor only retriggers token refresh for 401, not 403

Severity: major Domain: Authentication Labels: frontend, bug

Description

frontend/src/lib/axios.ts (line ~105) only triggers the token-refresh flow for status === 401. A 403 response (e.g. EMAIL_NOT_VERIFIED, blocked account, under-privileged action) is not intercepted at all: it propagates as an unhandled error, and some components may not handle it gracefully.

Current Behavior

Backend returns 403 → interceptor neither refreshes the token nor surfaces a meaningful state → the raw error propagates to the calling component.

Expected Behavior

A 403 should NOT trigger a token refresh (it is an authorization failure, not an expired token), but it should be surfaced clearly — e.g. redirect to the verify-email page for EMAIL_NOT_VERIFIED. The doc's claim that the interceptor "handles 401/403" should match the code.
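As an added example (not the project's axios.ts), one way to make the interceptor's decision explicit: a 401 triggers a single refresh-and-replay, a 403 never refreshes but is mapped to a typed outcome (a redirect for known codes such as EMAIL_NOT_VERIFIED, a typed "forbidden" error otherwise), and everything else passes through. The error-code field, the route table, and the `refreshToken`, `navigate` and `logout` hooks are assumptions of this example, not taken from the repository.

```typescript
// Added example, not the project's code. Decision logic for an axios-style
// response interceptor: refresh only on 401, surface 403 as a typed outcome.

type Outcome =
  | { kind: 'retry' }                    // 401: token refreshed, replay the request
  | { kind: 'logout' }                   // 401: refresh failed or already retried once
  | { kind: 'redirect'; to: string }     // 403 with a known code -> route the user
  | { kind: 'forbidden'; code?: string } // 403 without a known code -> typed error
  | { kind: 'passthrough' };             // any other status: leave it to the caller

// Minimal shapes mirroring what axios passes to a response error handler.
interface FailedResponse { status?: number; data?: { code?: string } }
interface RequestConfig { _retry?: boolean }
interface HttpError { response?: FailedResponse; config?: RequestConfig }

interface Deps {
  refreshToken: () => Promise<boolean>; // assumed: true when a new token was stored
}

// Assumed mapping from backend error code (in response.data.code) to a route.
const FORBIDDEN_ROUTES: Record<string, string> = {
  EMAIL_NOT_VERIFIED: '/verify-email',
  ACCOUNT_BLOCKED: '/account-blocked',
};

async function classifyError(error: HttpError, deps: Deps): Promise<Outcome> {
  const status = error.response?.status;
  const config = error.config ?? {};

  if (status === 401) {
    // Guard against refresh loops: replay at most once per request.
    if (config._retry) return { kind: 'logout' };
    config._retry = true;
    const refreshed = await deps.refreshToken();
    return refreshed ? { kind: 'retry' } : { kind: 'logout' };
  }

  if (status === 403) {
    // Authorization failure, not an expired token: never refresh here.
    const code = error.response?.data?.code;
    if (code !== undefined && Object.prototype.hasOwnProperty.call(FORBIDDEN_ROUTES, code)) {
      return { kind: 'redirect', to: FORBIDDEN_ROUTES[code] };
    }
    return { kind: 'forbidden', code };
  }

  return { kind: 'passthrough' };
}

// Just enough of the axios instance surface to show the wiring.
interface AxiosLike {
  request: (config: RequestConfig) => Promise<unknown>;
  interceptors: {
    response: {
      use: (onOk: (r: unknown) => unknown, onErr: (e: HttpError) => Promise<unknown>) => void;
    };
  };
}

function installInterceptor(
  http: AxiosLike,
  deps: Deps & { navigate: (to: string) => void; logout: () => void },
): void {
  http.interceptors.response.use(
    (response) => response,
    async (error: HttpError) => {
      const outcome = await classifyError(error, deps);
      switch (outcome.kind) {
        case 'retry':
          return http.request(error.config ?? {}); // replay with the fresh token
        case 'logout':
          deps.logout();
          break;
        case 'redirect':
          deps.navigate(outcome.to);
          break;
        default:
          break;
      }
      // 403s and everything else still reject, but the side effect above has
      // already surfaced the state, so components see a consistent outcome.
      return Promise.reject(error);
    },
  );
}
```

The `_retry` flag is what keeps a stale token from causing an endless 401 → refresh → 401 loop; `installInterceptor` shows where the outcome is turned into a redirect or logout before the promise is rejected for the caller.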

Affected Files

  • frontend/src/lib/axios.ts — response interceptor (~line 105)

References