Full-codebase-audit 2026-05-30 outputs:

- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| issue | title | severity | domain | status | resolved | fix | labels | status | created | source |
|---|---|---|---|---|---|---|---|---|---|---|
| 053 | Axios interceptor only retriggers token refresh for 401, not 403 | major | Authentication | resolved | 2026-05-29 | Extended axios response interceptor condition from status === 401 to (status === 401 \|\| status === 403) in axios.ts. | | open | 2026-05-29 | Doc vs Code Audit 2026-05-29 |
🟠 Axios interceptor only retriggers token refresh for 401, not 403
Severity: major Domain: Authentication Labels: frontend, bug
Description
frontend/src/lib/axios.ts (line ~105) only triggers the token-refresh flow for status === 401. A 403 response (e.g. EMAIL_NOT_VERIFIED, blocked account, under-privileged action) is not intercepted — it propagates as an unhandled error and some components may not handle it gracefully.
Current Behavior
Backend returns 403 → interceptor neither refreshes nor surfaces a meaningful state → error propagates raw to the calling component.
Expected Behavior
A 403 should NOT trigger a token refresh (it is an authorization failure, not an expired token), but it should be surfaced clearly — e.g. redirect to the verify-email page for EMAIL_NOT_VERIFIED. The doc's claim that the interceptor "handles 401/403" should match the code.
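One way to implement the split described above, as an added example and not the project's own frontend/src/lib/axios.ts: the 401/403 decision is kept in a pure function so it can be unit-tested, and an async wrapper applies it as the interceptor's rejection handler. The error shape (error.response.status, error.response.data.code) and the injected refreshToken/retry/onForbidden hooks are assumptions.

```typescript
// Added example; not the project's frontend/src/lib/axios.ts.
// Assumed error shape: error.response.status and error.response.data.code
// (the page names the EMAIL_NOT_VERIFIED code). The hooks are hypothetical.
export type AuthAction =
  | { kind: "refresh-and-retry" }
  | { kind: "surface"; reason: "verify-email" | "forbidden" }
  | { kind: "reject" };

// Pure decision: 401 refreshes once; 403 is surfaced and never refreshed.
export function decideAuthAction(
  status: number | undefined,
  code: string | undefined,
  alreadyRetried: boolean,
): AuthAction {
  // 401: the access token may simply have expired, so refresh and retry once.
  // alreadyRetried stops a second 401 from starting an endless refresh loop.
  if (status === 401) {
    return alreadyRetried ? { kind: "reject" } : { kind: "refresh-and-retry" };
  }
  // 403: an authorization failure; a fresh token would not change the answer,
  // so map the backend code to a state the UI can act on instead.
  if (status === 403) {
    const reason = code === "EMAIL_NOT_VERIFIED" ? "verify-email" : "forbidden";
    return { kind: "surface", reason };
  }
  return { kind: "reject" };
}

export type ApiError = {
  response?: { status: number; data?: { code?: string } };
  config: { url: string; _retried?: boolean };
};
export type Hooks = {
  refreshToken: () => Promise<boolean>; // hypothetical: resolves true on success
  retry: (config: ApiError["config"]) => Promise<unknown>; // hypothetical re-send
  onForbidden: (reason: "verify-email" | "forbidden") => void; // hypothetical UI hook
};

// The rejection handler that would be installed on the response interceptor.
export async function handleResponseError(err: ApiError, hooks: Hooks): Promise<unknown> {
  const action = decideAuthAction(err.response?.status, err.response?.data?.code, err.config._retried === true);
  if (action.kind === "refresh-and-retry") {
    err.config._retried = true; // mark before retrying so a repeat 401 is rejected
    if (await hooks.refreshToken()) return hooks.retry(err.config);
  } else if (action.kind === "surface") {
    hooks.onForbidden(action.reason);
  }
  throw err; // everything else still propagates to the calling component
}
```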
Affected Files
frontend/src/lib/axios.ts — response interceptor (~line 105)
References
- Doc vs Code Audit Report — Finding M1