fix: pass CSRF token to switch-context call in refresh route

The auth API requires CSRF tokens on POST requests. The switch-context call was failing silently with 403, causing refreshed tokens to lack org_id.
2026-03-13 11:29:45 +01:00
parent 34c80d0857
commit 2d3388546f
1 changed files with 8 additions and 3 deletions
--- a/app/api/auth/refresh/route.ts
+++ b/app/api/auth/refresh/route.ts
@@ -42,6 +42,12 @@ export async function POST() {
    const data = await res.json()
    let finalAccessToken = data.access_token

+    // * Get CSRF token from Auth API refresh response (needed for switch-context call)
+    const csrfToken = res.headers.get('X-CSRF-Token')
+    // * Also check for CSRF token in the cookie store (browser may have sent it)
+    const csrfFromCookie = cookieStore.get('csrf_token')?.value
+    const csrfForRequests = csrfToken || csrfFromCookie || ''
+
    // * Step 2: Restore organization context
    // * The auth service's refresh endpoint returns a "base" token without org_id.
    // * We need to call switch-context to get an org-scoped token so that
@@ -73,6 +79,8 @@ export async function POST() {
          headers: {
            'Content-Type': 'application/json',
            'Authorization': `Bearer ${finalAccessToken}`,
+            'X-CSRF-Token': csrfForRequests,
+            'Cookie': `csrf_token=${csrfForRequests}`,
          },
          body: JSON.stringify({ organization_id: orgId }),
        })
@@ -83,9 +91,6 @@ export async function POST() {
      } catch { /* proceed with base token */ }
    }

-    // * Get CSRF token from Auth API response header (for cookie rotation)
-    const csrfToken = res.headers.get('X-CSRF-Token')
-
    cookieStore.set('access_token', finalAccessToken, {
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',