From 1643db0e7b3be128c6843e0e647ca49a11419b2e Mon Sep 17 00:00:00 2001
From: Thomas Reitz
Date: Sun, 8 Mar 2026 20:49:41 +0100
Subject: [PATCH] fix: set refresh token (not access token) in HttpOnly cookie

The login endpoint was incorrectly storing the access token in the refresh_token cookie. This caused silent refresh to fail after page reload since the short-lived access token couldn't be used for refresh.

Co-Authored-By: Claude Opus 4.6
---
 packages/core-service/src/core/auth/auth.controller.ts | 2 +-
 packages/core-service/src/core/auth/auth.service.ts | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/core-service/src/core/auth/auth.controller.ts b/packages/core-service/src/core/auth/auth.controller.ts
index 019bd4f..4566aa9 100644
--- a/packages/core-service/src/core/auth/auth.controller.ts
+++ b/packages/core-service/src/core/auth/auth.controller.ts
@@ -45,7 +45,7 @@ export class AuthController {
 // Refresh-Token als HttpOnly Cookie setzen (NICHT im localStorage!)
 // Regel: Kein localStorage fuer Tokens
- this.setRefreshTokenCookie(res, result.accessToken);
+ this.setRefreshTokenCookie(res, result.refreshToken);
 return {
 accessToken: result.accessToken,
diff --git a/packages/core-service/src/core/auth/auth.service.ts b/packages/core-service/src/core/auth/auth.service.ts
index b0cdc51..f12c20f 100644
--- a/packages/core-service/src/core/auth/auth.service.ts
+++ b/packages/core-service/src/core/auth/auth.service.ts
@@ -21,6 +21,7 @@ interface TokenPair {
 interface LoginResponse {
 accessToken: string;
+ refreshToken: string;
 user: {
 id: string;
 email: string;
@@ -151,6 +152,7 @@ export class AuthService {
 return {
 accessToken: tokens.accessToken,
+ refreshToken: tokens.refreshToken,
 user: {
 id: user.id,
 email: user.email,
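Review bot: Nothing in this commit pins the corrected call `this.setRefreshTokenCookie(res, result.refreshToken);` with a test. Both tokens are plain `string`, so the compiler accepted the old argument and would accept a future swap just as silently. A controller test that logs in and asserts the `refresh_token` cookie value equals the service's refresh token and differs from the `accessToken` in the body would catch a regression. It is also worth confirming that the refresh endpoint rejects an access token presented in that cookie, since browsers that logged in before this fix still hold one there; the commit message suggests it does, but that code is outside the hunk. The enclosing controller method starts and ends outside the hunk.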
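Review bot: `refreshToken: string;` is added to a type named `LoginResponse`, so any caller that returns or serialises the service result as-is would now put the refresh token into the JSON body, where page script can read it, which is what the HttpOnly cookie is meant to prevent. The controller hunk builds its body field by field (`accessToken: result.accessToken, …`), so that path looks safe as far as it is visible, but other consumers of this type and any logging of the login result are not shown here. I would document the field, e.g. `/** Server-side only: goes into the HttpOnly cookie, never into the response body or logs. */`, or rename the internal type so it no longer reads as the wire format. The same applies to the `refreshToken: tokens.refreshToken,` line in the `AuthService` return hunk that follows; both the interface and that return statement continue outside their hunks.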