nick-doc/Issues/ISSUE-053-axios-interceptor-only-handles-401-not-403-for-token-refresh.md
Siavash Sameni 7a616744f4 docs: complete code-reality alignment for remaining docs + reconcile issue set
Remaining docs updated to match code (the docs that the first pass had not covered):
- Flows: Chat, Referral, Rating, Registration, Google OAuth, Negotiation, Payout,
  Trezor Safekeeping — corrected endpoints, socket events, status enums, auth gaps
- API Reference: User API, Trezor API — admin route prefix/verb/status corrections,
  added undocumented endpoints (ton-proof challenge, profile email verify,
  GET /trezor/account, POST /trezor/verify-operation)
- Data Models: Chat, Notification, Payment, PointTransaction, User — corrected
  enums (PaymentProvider, escrowState, PointTransaction.type, User.status),
  90-day notification TTL, soft-delete semantics, wallet fields

Trezor "zero frontend" finding (audit C31/C32) corrected as STALE:
- Verified current code HAS a full frontend Trezor implementation (admin/trezor
  page, TrezorSettingsView, trezorConnector via @trezor/connect-web,
  TrezorSignDialog, actions/trezor.ts building the {message,signature} object)
- Fixed Trezor Safekeeping Flow doc (removed false "no frontend" warnings)
- Reclassified ISSUE-012 as invalid/superseded with explanation

Issue set reconciled to a single canonical numbering (ISSUE-001..054):
- Adopted the comprehensive 51-issue set (long-slug, fully indexed)
- Removed 35 superseded short-slug duplicates from the first pass
- Removed a duplicate ISSUE-046 file
- Added 3 issues the 51-set lacked: ISSUE-052 (completed-not-counted-in-stats),
  ISSUE-053 (axios 401-only interceptor), ISSUE-054 (rate limiter counts all attempts)
- Regenerated Issues Index: 53 open (14 critical, 39 major) + 1 invalid

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-29 15:15:02 +04:00


| issue | title | severity | domain | labels | status | created | source |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 053 | Axios interceptor only retriggers token refresh for 401, not 403 | major | Authentication | frontend, bug | open | 2026-05-29 | Doc vs Code Audit 2026-05-29 |

🟠 Axios interceptor only retriggers token refresh for 401, not 403

Severity: major Domain: Authentication Labels: frontend, bug

Description

frontend/src/lib/axios.ts (line ~105) only triggers the token-refresh flow for status === 401. A 403 response (e.g. EMAIL_NOT_VERIFIED, a blocked account, an under-privileged action) is not intercepted at all: it propagates as a raw error to the calling component, so every caller has to recognize a 403 on its own, and some components do not handle it gracefully.

Current Behavior

Backend returns 403 → interceptor neither refreshes nor surfaces a meaningful state → error propagates raw to the calling component.

Expected Behavior

A 403 should NOT trigger a token refresh (it is an authorization failure, not an expired token, so a fresh token would only reproduce the same 403), but it should be surfaced clearly in one place, e.g. by redirecting to the verify-email page for EMAIL_NOT_VERIFIED and to the login page for a blocked account. The doc's claim that the interceptor "handles 401/403" should match the code: either the interceptor gains the 403 branch, or the doc is corrected to say only 401 is handled.
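The following is an added example, not the project's axios.ts, showing the decision logic such a response interceptor should implement: 401 triggers a single-flight refresh and one retry (never refreshing in response to the refresh call itself, and never retrying twice), while 403 is classified by the backend's error code and surfaced as a redirect or a rejection without ever touching the refresh flow. The HTTP client and router are injected as fakes so the block runs offline. The refresh endpoint path `/auth/refresh`, the `code` field in the 403 body, the codes `ACCOUNT_BLOCKED` and `INSUFFICIENT_ROLE`, the target routes and the `_retried` marker are assumptions for illustration; only `EMAIL_NOT_VERIFIED` comes from the issue text.

```typescript
// Added example (not project code): 401-vs-403 handling for an axios-style
// response interceptor. The error shape mirrors what axios passes to
// interceptors.response.use(undefined, onRejected): error.response.{status,data}
// and error.config (the original request config).

type Json = Record<string, unknown>;

interface RequestConfig {
  url: string;
  headers: Record<string, string>;
  _retried?: boolean; // assumed marker: set on the one permitted retry
}

interface HttpError {
  config: RequestConfig;
  response?: { status: number; data: Json };
}

// What the interceptor decided; returned instead of re-thrown so it is testable.
type Outcome =
  | { kind: "retried"; withToken: string }
  | { kind: "redirect"; to: string }
  | { kind: "rejected"; reason: string };

// Collaborators injected so no real HTTP client or router is needed here.
interface Deps {
  refreshToken: () => Promise<string>; // would POST /auth/refresh (assumed path)
  retry: (cfg: RequestConfig) => Promise<void>;
  navigate: (path: string) => void;
  clearSession: () => void;
}

const REFRESH_PATH = "/auth/refresh"; // assumed endpoint

// 403 error codes that have a dedicated UI destination (codes/routes assumed,
// except EMAIL_NOT_VERIFIED which the issue names).
const FORBIDDEN_ROUTES: Record<string, string> = {
  EMAIL_NOT_VERIFIED: "/verify-email",
  ACCOUNT_BLOCKED: "/login",
};

function createOnRejected(deps: Deps) {
  // Single-flight refresh: concurrent 401s share one refresh request.
  let inflight: Promise<string> | null = null;
  const refreshOnce = (): Promise<string> => {
    if (!inflight) {
      inflight = deps.refreshToken().then(
        (t) => { inflight = null; return t; },
        (e) => { inflight = null; throw e; },
      );
    }
    return inflight;
  };

  const toLogin = (): Outcome => {
    deps.clearSession();
    deps.navigate("/login");
    return { kind: "redirect", to: "/login" };
  };

  return async function onRejected(error: HttpError): Promise<Outcome> {
    const status = error.response?.status;
    const cfg = error.config;

    if (status === 401) {
      // Expired/invalid token: refresh once, retry once. A 401 from the refresh
      // call itself, or from an already-retried request, means the session is gone.
      if (cfg._retried || cfg.url === REFRESH_PATH) return toLogin();
      let token: string;
      try {
        token = await refreshOnce();
      } catch {
        return toLogin();
      }
      const retryCfg: RequestConfig = {
        ...cfg,
        _retried: true,
        headers: { ...cfg.headers, Authorization: `Bearer ${token}` },
      };
      await deps.retry(retryCfg);
      return { kind: "retried", withToken: token };
    }

    if (status === 403) {
      // Authorization failure: the token is valid, so refreshing cannot help.
      // Surface it centrally instead of letting a raw error reach each caller.
      const data: Json = error.response?.data ?? {};
      const code = typeof data.code === "string" ? data.code : "FORBIDDEN";
      const route = FORBIDDEN_ROUTES[code];
      if (route) {
        deps.navigate(route);
        return { kind: "redirect", to: route };
      }
      return { kind: "rejected", reason: code };
    }

    return { kind: "rejected", reason: `http_${status ?? "network"}` };
  };
}

// Runs the scenarios from the issue against fake collaborators (constructed
// inputs) and reports the decisions plus how many refresh calls were made.
async function demo(): Promise<{ outcomes: Outcome[]; refreshCalls: number; navigated: string[] }> {
  let refreshCalls = 0;
  const navigated: string[] = [];
  const onRejected = createOnRejected({
    refreshToken: async () => { refreshCalls++; return "new-token"; },
    retry: async () => {},
    navigate: (p) => { navigated.push(p); },
    clearSession: () => {},
  });
  const req = (url: string): RequestConfig => ({ url, headers: { Authorization: "Bearer old" } });
  const outcomes = await Promise.all([
    onRejected({ config: req("/users/me"), response: { status: 401, data: {} } }),
    onRejected({ config: req("/chat/list"), response: { status: 401, data: {} } }),
    onRejected({ config: req("/payouts"), response: { status: 403, data: { code: "EMAIL_NOT_VERIFIED" } } }),
    onRejected({ config: req("/admin/users"), response: { status: 403, data: { code: "INSUFFICIENT_ROLE" } } }),
    onRejected({ config: req(REFRESH_PATH), response: { status: 401, data: {} } }),
  ]);
  return { outcomes, refreshCalls, navigated };
}
```

In a real axios.ts the returned `onRejected` would be registered with `api.interceptors.response.use(undefined, onRejected)` and would resolve to the retried response or re-throw; the Outcome value is used here only so the decision can be checked. The two concurrent 401s share one refresh call, the 403s never reach the refresh path, and a 401 from the refresh endpoint itself ends the session instead of looping.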

Affected Files

  • frontend/src/lib/axios.ts — response interceptor (~line 105)

References