feat: B2 — 401 interceptor + auto-refresh token (fix SuperOAuth path + response shape)

backend/src/routes/auth.routes.ts

@@ -152,7 +152,7 @@ router.post("/refresh", async (req: Request, res: Response): Promise<void> => {
   }
 
   try {
-    const response = await fetch(`${superOAuthUrl}/api/v1/auth/token/refresh`, {
+    const response = await fetch(`${superOAuthUrl}/api/v1/auth/refresh`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ refreshToken }),
@@ -160,22 +160,22 @@ router.post("/refresh", async (req: Request, res: Response): Promise<void> => {
 
     const data = await response.json() as {
       success: boolean;
-      data?: { tokens: { accessToken: string; refreshToken?: string }; user?: { id: string; email: string | null; nickname: string } };
+      data?: { accessToken: string; refreshToken?: string };
       error?: string;
     };
 
-    if (!response.ok || !data.data?.tokens?.accessToken) {
+    if (!response.ok || !data.data?.accessToken) {
       res.clearCookie(COOKIE_NAME);
       res.clearCookie(REFRESH_COOKIE_NAME);
       res.status(401).json({ success: false, error: "REFRESH_FAILED" });
       return;
     }
 
-    res.cookie(COOKIE_NAME, data.data.tokens.accessToken, COOKIE_OPTIONS);
-    if (data.data.tokens.refreshToken) {
-      res.cookie(REFRESH_COOKIE_NAME, data.data.tokens.refreshToken, REFRESH_COOKIE_OPTIONS);
+    res.cookie(COOKIE_NAME, data.data.accessToken, COOKIE_OPTIONS);
+    if (data.data.refreshToken) {
+      res.cookie(REFRESH_COOKIE_NAME, data.data.refreshToken, REFRESH_COOKIE_OPTIONS);
     }
-    res.json({ success: true, data: { user: data.data.user ?? null } });
+    res.json({ success: true });
   } catch (err) {
     logger.error("POST /auth/refresh — auth service unavailable", { err });
     res.status(500).json({ success: false, error: "AUTH_SERVICE_UNAVAILABLE" });