From a870ac64a545f1eaf5c532617007d9160fa6835e Mon Sep 17 00:00:00 2001
From: patrick
Date: Tue, 26 May 2026 13:14:44 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20Refresh-Endpoint=20bevorzugt=20Body-Toke?=
 =?UTF-8?q?n=20=C3=BCber=20Cookie=20(Token-Rotation=20Test)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Body-Token hat Vorrang wenn explizit angegeben — verhindert dass httpx-Cookie-Jar im Test den alten Token mit dem neuen Cookie überschreibt. Browser-Clients senden keinen Body, nutzen weiterhin Cookie.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/routers/auth.py | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/backend/app/routers/auth.py b/backend/app/routers/auth.py
index e9583e7..62534ec 100644
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -75,10 +75,9 @@ async def login(request: Request, response: Response, data: LoginRequest, db: As
 @router.post("/refresh", response_model=TokenResponse)
 @limiter.limit("30/minute")
 async def refresh(request: Request, response: Response, data: RefreshRequest | None = None, db: AsyncSession = Depends(get_db)):
-    # Cookie bevorzugen, Body als Fallback (Rückwärtskompatibilität für API-Clients)
-    token = request.cookies.get(_COOKIE_NAME)
-    if not token and data:
-        token = data.refresh_token
+    # Body-Token hat Vorrang wenn explizit angegeben (API-Clients, Tests, Replay-Detection)
+    # Cookie als Fallback für Browser-Clients
+    token = (data.refresh_token if data and data.refresh_token else None) or request.cookies.get(_COOKIE_NAME)
     if not token:
         raise HTTPException(status_code=401, detail="Kein Refresh-Token")
     result = await auth_service.refresh(token, db)
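Review bot: The new token expression tests `data.refresh_token` twice; since `or` already falls through on a missing or empty body token, `token = (data.refresh_token if data else None) or request.cookies.get(_COOKIE_NAME)` is equivalent and easier to read, and the same expression is repeated in the logout hunk below. Because the body now wins over the cookie, a request carrying both rotates the session named in the body rather than the browser's; if the remainder of refresh (outside this hunk) stores the rotated token as the new cookie, the browser's previous refresh token is replaced by one it did not present. The commit message gives a test-client cookie-jar artifact as the motivation, so the comment should state the precedence as the intended contract for API clients, e.g. `# Body token wins when present (API clients); cookie is the browser fallback. A request with both rotates the body's session.`. refresh's body continues past the end of the hunk.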
@@ -91,10 +90,8 @@ async def refresh(request: Request, response: Response, data: RefreshRequest | N
 @router.post("/logout", response_model=MessageResponse)
 @limiter.limit("60/minute")
 async def logout(request: Request, response: Response, data: RefreshRequest | None = None, db: AsyncSession = Depends(get_db)):
-    # Cookie bevorzugen, Body als Fallback
-    token = request.cookies.get(_COOKIE_NAME)
-    if not token and data:
-        token = data.refresh_token
+    # Body-Token hat Vorrang wenn explizit angegeben, Cookie als Fallback
+    token = (data.refresh_token if data and data.refresh_token else None) or request.cookies.get(_COOKIE_NAME)
     if token:
         await auth_service.logout(token, db)
     _delete_refresh_cookie(response)
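Review bot: Revoking only the first token found means a logout request that carries both a body token and a cookie invalidates the body's session while the cookie's session stays valid server-side — `_delete_refresh_cookie` only clears it client-side. Before this change the cookie token was the one revoked, so the precedence flip changes which session a browser logout actually ends when a stale or foreign body token is also present. Revoking every distinct token presented removes the ambiguity. Whether auth_service.logout tolerates an unknown or already-revoked token is not visible in the hunk; if it raises, the second call needs a guard. logout's body may continue past the last line shown.

```python
async def logout(request: Request, response: Response, data: RefreshRequest | None = None, db: AsyncSession = Depends(get_db)):
    body_token = data.refresh_token if data else None
    cookie_token = request.cookies.get(_COOKIE_NAME)
    # Revoke every token the caller presented; body and cookie may name different sessions.
    for token in dict.fromkeys(t for t in (body_token, cookie_token) if t):
        await auth_service.logout(token, db)
    _delete_refresh_cookie(response)
```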