nick-doc/Issues/ISSUE-021-axios-interceptor-403-not-handled.md
Siavash Sameni a1f056e6a5 docs: align flow docs with code reality + create 35 implementation issue files
Flow docs updated (11 files):
- Delivery Confirmation: reversed actor roles (buyer generates, seller verifies),
  fixed endpoint paths (/delivery-code/generate, /delivery-code/verify)
- Passkey (WebAuthn): removed stub/simulated-key claims; real @simplewebauthn/server
  attestation is implemented; refresh tokens are persisted
- Dispute: corrected resolve schema (action enum), removed non-existent statuses,
  documented security gaps (no role guards on status/resolve/assign), route shadowing,
  all socket events are TODO stubs
- Seller Offer: corrected all endpoint paths, removed 'active' status, documented
  withdraw dead code, missing seller history page, select-offer notification gap
- Notification: corrected mark-all-read method+path, fixed GET /:id broken lookup,
  added unread-count-update socket event
- Authentication: corrected rate limiter (counts all attempts), axios 403 not handled,
  deleteAccount wrong endpoint bug, changePassword no UI
- Password Reset: corrected 6-digit code (not 8), documented no-complexity gap on
  reset-with-code vs token reset
- Payment Flow DePay: /create→/save, removed phantom sub-routes, SIM_ bypass risk,
  PaymentProvider type gap, getProviderIntentEndpoint routing bug
- Payment Flow SHKeeper: removed phantom polling endpoint, fixed release/refund paths
- Purchase Request: added pending_payment/active statuses, fixed sellers/attachments
  endpoints, corrected socket events, PUT→PATCH bug
- Escrow: documented dispute resolve does not touch escrow, route shadowing, confirm-delivery auth gap

Issues created (35 files in Issues/):
- 9 security issues (critical) including: dispute privilege escalation ×4,
  unauthenticated payment/scanner endpoints ×2, SIM_ production bypass,
  confirm-delivery ownership gap
- 26 additional major/critical bugs covering broken endpoints, missing features,
  data integrity gaps, and frontend-backend mismatches

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-29 14:47:49 +04:00

| issue | title | severity | domain | labels | status | created | source |
|---|---|---|---|---|---|---|---|
| 021 | Axios interceptor only retriggers token refresh for 401, not 403 | major | auth | frontend, bug | open | 2026-05-29 | Doc vs Code Audit 2026-05-29 |

🟠 Axios interceptor only retriggers token refresh for 401, not 403

Severity: major Domain: auth Labels: frontend, bug

Description

frontend/src/lib/axios.ts (line ~105) only triggers the token refresh flow for status === 401:

if (status === 401 && !isAuthRoute && !originalRequest?._retry) {
  // trigger refresh
}

A 403 response (e.g., EMAIL_NOT_VERIFIED, a blocked account, or an under-privileged action) is not intercepted — it propagates as an unhandled error. Depending on how calling components handle errors, this may result in a blank screen or silent failure rather than an appropriate user message.

Current Behavior

Backend returns 403 EMAIL_NOT_VERIFIED → interceptor does not retry or refresh → error propagates to the component. Some components may not handle this gracefully.

Expected Behavior

The interceptor (or a separate error handler) should:

  • On 403: not attempt a token refresh (a 403 is an authorization failure, not an expired token)
  • But should surface the error clearly to the user (e.g., redirect to verify-email page for EMAIL_NOT_VERIFIED errors)
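The split described above, written out as an added example (this is not the project's axios.ts and not the author's code): a response-error handler that refreshes and retries only on 401, and routes 403 to user-facing handling without touching the token. The EMAIL_NOT_VERIFIED code and the 401/403 distinction come from this issue; the auth route list, the error shape, the `/verify-email` path, the `Ports` callbacks and the constructed errors in `simulate()` are assumptions.

```typescript
// Added example, not the project's interceptor. Decides what a response
// interceptor should do with a failed request, then applies it through
// injected side-effect callbacks so the logic runs without axios.

type Action =
  | { kind: "refresh-and-retry" }
  | { kind: "redirect"; to: string }
  | { kind: "surface"; message: string }
  | { kind: "passthrough" };

interface ResponseError {
  status?: number;   // HTTP status; undefined for network errors
  code?: string;     // assumed: machine-readable code from the response body
  url?: string;      // request URL
  retried?: boolean; // assumed: mirrors originalRequest._retry
}

// Assumed auth endpoints: a 401 from these means bad credentials, not an
// expired access token, so no refresh is attempted for them.
const AUTH_ROUTES = ["/auth/login", "/auth/refresh", "/auth/register"];

function isAuthRoute(url: string | undefined): boolean {
  return url !== undefined && AUTH_ROUTES.some((r) => url.startsWith(r));
}

function decideAction(err: ResponseError): Action {
  if (err.status === 401 && !isAuthRoute(err.url) && !err.retried) {
    return { kind: "refresh-and-retry" };
  }
  if (err.status === 403) {
    // Authorization failure: a fresh token would not change the outcome,
    // so never refresh here; surface the reason to the user instead.
    if (err.code === "EMAIL_NOT_VERIFIED") {
      return { kind: "redirect", to: "/verify-email" }; // assumed page path
    }
    return { kind: "surface", message: "You do not have permission to do that." };
  }
  return { kind: "passthrough" };
}

// Side-effect ports, injected so the handler is testable in isolation.
interface Ports {
  refresh: () => Promise<boolean>;              // true if a new token was obtained
  retry: (err: ResponseError) => Promise<unknown>;
  navigate: (to: string) => void;
  notify: (message: string) => void;
  logout: () => void;
}

// Same contract as axios.interceptors.response.use(undefined, onRejected):
// resolve with the retried response, otherwise reject with the original error.
function createErrorHandler(ports: Ports) {
  return async (err: ResponseError): Promise<unknown> => {
    const action = decideAction(err);
    switch (action.kind) {
      case "refresh-and-retry": {
        const ok = await ports.refresh();
        if (!ok) { ports.logout(); throw err; }
        return ports.retry({ ...err, retried: true }); // _retry guard stops loops
      }
      case "redirect":
        ports.navigate(action.to);
        throw err; // still reject so callers stop waiting for data
      case "surface":
        ports.notify(action.message);
        throw err;
      default:
        throw err;
    }
  };
}

// Drive the handler with constructed errors and record what happened.
async function simulate(): Promise<string[]> {
  const log: string[] = [];
  const handler = createErrorHandler({
    refresh: async () => { log.push("refresh"); return true; },
    retry: async (e) => { log.push(`retry ${e.url}`); return "ok"; },
    navigate: (to) => { log.push(`navigate ${to}`); },
    notify: (m) => { log.push(`notify ${m}`); },
    logout: () => { log.push("logout"); },
  });
  const cases: ResponseError[] = [            // constructed sample errors
    { status: 401, url: "/orders" },
    { status: 403, code: "EMAIL_NOT_VERIFIED", url: "/orders" },
    { status: 403, code: "FORBIDDEN", url: "/admin/users" },
    { status: 401, url: "/auth/login" },
  ];
  for (const c of cases) {
    try { log.push(`resolved ${await handler(c)}`); }
    catch { log.push(`rejected ${c.status}`); }
  }
  return log;
}
```

Keeping the decision in `decideAction` separate from the side effects means the 401/403 rule can be unit-tested without a running backend, and a future error code only needs a new branch in one place rather than another `status ===` check scattered through components.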

Affected Files

  • frontend/src/lib/axios.ts — response interceptor

References