Bug
POST /api/auth/refresh currently calls refreshToken() without reading any value from the request body. The service then mints a new access token with a hardcoded user payload.
Current controller/service path:
```javascript
// Controller: forwards to the service without reading anything from req.body
export async function refresh(req, res) {
  const result = await refreshToken();
  return ok(res, result);
}

// Service: mints a token from a hardcoded payload; no presented token is verified
export async function refreshToken() {
  return { token: signAccessToken({ sub: "usr_existing", role: "client" }) };
}
```
Reproduction request (empty JSON body, no token supplied):
```json
{}
```
Observed behavior from current origin/main:
```
HTTP 200
{ "success": true, "data": { "token": "..." } }
```
Impact
- Any caller can request a fresh token without presenting a token value.
- The refresh response is not tied to the caller's identity.
- The endpoint bypasses the expected proof-of-session check for token refresh.
Expected behavior
The refresh endpoint should require a token value, reject missing or invalid tokens, and only mint a new access token from verified token claims.
Proposed fix
- Add request validation for a required token string.
- Verify the supplied token before minting a replacement token.
- Return 400 for missing/invalid request shape and 401 for invalid token values.
- Add endpoint regression tests for missing, invalid, and valid refresh token paths.
This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.
Parent bounty: #743.