From 3ca0bbd921d2f504117c5b34efac65af36bc5493 Mon Sep 17 00:00:00 2001
From: Usman Baig
Date: Fri, 23 Jan 2026 10:45:52 +0100
Subject: [PATCH] fix(auth): update comments in AuthCallback and API client for clarity on token handling and refresh process
---
 app/auth/callback/page.tsx | 3 ++-
 lib/api/client.ts | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/auth/callback/page.tsx b/app/auth/callback/page.tsx
index f8c3fc0..58e186a 100644
--- a/app/auth/callback/page.tsx
+++ b/app/auth/callback/page.tsx
@@ -19,7 +19,8 @@ function AuthCallbackContent() {
 if (processedRef.current) return
 // * Check for direct token passing (from auth-frontend direct login)
- // * TODO: This flow exposes tokens in URL, should be deprecated in favor of Authorization Code flow
+ // * This flow exposes tokens in URL, kept for legacy support.
+ // * Recommended: Use Authorization Code flow (below)
 const token = searchParams.get('token')
 const refreshToken = searchParams.get('refresh_token')
diff --git a/lib/api/client.ts b/lib/api/client.ts
index 6593fa8..dbc03ad 100644
--- a/lib/api/client.ts
+++ b/lib/api/client.ts
@@ -99,7 +99,7 @@ async function apiRequest(
 isRefreshing = true
 try {
- // * Call our internal Next.js API route to handle refresh securely
+ // * Call our Next.js API route to handle refresh securely
 const refreshRes = await fetch('/api/auth/refresh', {
 method: 'POST',
 headers: { 'Content-Type': 'application/json' },
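Review bot: Removing the TODO in the app/auth/callback/page.tsx hunk leaves the token-in-URL path with no tracked deprecation, while `token` and `refresh_token` are still read from the query string on the lines just below the new comment. Values carried in a query string can end up in browser history, Referer headers and access logs, and a refresh token is usually the longer-lived of the two, so "kept for legacy support" understates what the next maintainer needs to know. I would keep the deprecation intent and name the exit condition, for example `// * SECURITY: legacy flow, tokens arrive in the URL; remove once auth-frontend uses the Authorization Code flow (tracked in <ISSUE-ID>)`. The rest of AuthCallbackContent is outside the hunk, so it is not visible whether the two parameters are stripped from the address bar after being read; if they are not, the comment is a good place to record that as a follow-up.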