fix: Refresh-Endpoint bevorzugt Body-Token über Cookie (Token-Rotation Test)

Body-Token hat Vorrang wenn explizit angegeben — verhindert dass
httpx-Cookie-Jar im Test den alten Token mit dem neuen Cookie überschreibt.
Browser-Clients senden keinen Body, nutzen weiterhin Cookie.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/routers/auth.py

@@ -75,10 +75,9 @@ async def login(request: Request, response: Response, data: LoginRequest, db: As
 @router.post("/refresh", response_model=TokenResponse)
 @limiter.limit("30/minute")
 async def refresh(request: Request, response: Response, data: RefreshRequest | None = None, db: AsyncSession = Depends(get_db)):
-    # Cookie bevorzugen, Body als Fallback (Rückwärtskompatibilität für API-Clients)
-    token = request.cookies.get(_COOKIE_NAME)
-    if not token and data:
-        token = data.refresh_token
+    # Body-Token hat Vorrang wenn explizit angegeben (API-Clients, Tests, Replay-Detection)
+    # Cookie als Fallback für Browser-Clients
+    token = (data.refresh_token if data and data.refresh_token else None) or request.cookies.get(_COOKIE_NAME)
     if not token:
         raise HTTPException(status_code=401, detail="Kein Refresh-Token")
     result = await auth_service.refresh(token, db)
@@ -91,10 +90,8 @@ async def refresh(request: Request, response: Response, data: RefreshRequest | N
 @router.post("/logout", response_model=MessageResponse)
 @limiter.limit("60/minute")
 async def logout(request: Request, response: Response, data: RefreshRequest | None = None, db: AsyncSession = Depends(get_db)):
-    # Cookie bevorzugen, Body als Fallback
-    token = request.cookies.get(_COOKIE_NAME)
-    if not token and data:
-        token = data.refresh_token
+    # Body-Token hat Vorrang wenn explizit angegeben, Cookie als Fallback
+    token = (data.refresh_token if data and data.refresh_token else None) or request.cookies.get(_COOKIE_NAME)
     if token:
         await auth_service.logout(token, db)
     _delete_refresh_cookie(response)