fix: set refresh token (not access token) in HttpOnly cookie

The login endpoint was incorrectly storing the access token in the refresh_token cookie. This caused silent refresh to fail after page reload since the short-lived access token couldn't be used for refresh. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-24 22:46:39 +02:00 · 2026-03-08 20:49:41 +01:00 · 2026-03-08 20:49:41 +01:00 · 1643db0e7b
commit 1643db0e7b
parent 779d90ca43
2 changed files with 3 additions and 1 deletions
--- a/packages/core-service/src/core/auth/auth.controller.ts
+++ b/packages/core-service/src/core/auth/auth.controller.ts
@ -45,7 +45,7 @@ export class AuthController {

    // Refresh-Token als HttpOnly Cookie setzen (NICHT im localStorage!)
    // Regel: Kein localStorage fuer Tokens
-    this.setRefreshTokenCookie(res, result.accessToken);
+    this.setRefreshTokenCookie(res, result.refreshToken);

    return {
      accessToken: result.accessToken,
--- a/packages/core-service/src/core/auth/auth.service.ts
+++ b/packages/core-service/src/core/auth/auth.service.ts
@ -21,6 +21,7 @@ interface TokenPair {

 interface LoginResponse {
  accessToken: string;
+  refreshToken: string;
  user: {
    id: string;
    email: string;
@ -151,6 +152,7 @@ export class AuthService {

    return {
      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken,
      user: {
        id: user.id,
        email: user.email,