From 70f6c6befbffed69b8df3209ea7fddfc2fc797a7 Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko
Date: Wed, 29 Apr 2026 14:11:50 +0100
Subject: [PATCH] security: reject refresh tokens used as access tokens (C-02)

get_current_user and get_current_user_optional now reject any token whose payload carries type="refresh". Access tokens carry no type field so the check is asymmetric and safe. Prevents a refresh-cookie value from being replayed as a Bearer access token.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/core/dependencies.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/backend/app/core/dependencies.py b/backend/app/core/dependencies.py
index 066388c..0b09b9d 100644
--- a/backend/app/core/dependencies.py
+++ b/backend/app/core/dependencies.py
@@ -21,6 +21,13 @@ async def get_current_user(
 ) -> User:
     token = credentials.credentials
     payload = decode_token(token)
+
+    if payload.get("type") == "refresh":
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Could not validate credentials",
+        )
+
     user_id: str = payload.get("sub")
 
     if user_id is None:
@@ -77,6 +84,9 @@ async def get_current_user_optional(
         return None
 
     payload = decode_token(token)
+    if payload.get("type") == "refresh":
+        return None
+
     user_id: str = payload.get("sub")
 
     if user_id is None:
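Review bot: The new guard in get_current_user is a denylist — it rejects only a payload whose `type` is `"refresh"` and, as the commit message states, accepts access tokens precisely because they carry no `type` at all — so any other kind of token signed with the same key (a hypothetical password-reset or verification token, for instance) would still satisfy this dependency. The stronger form is to stamp access tokens with `type="access"` where they are minted and require it here, `if payload.get("type") != "access":`, tolerating a missing `type` only for a bounded transition window if tokens already in circulation must survive the deploy. The same literal check is repeated in the get_current_user_optional hunk with a different failure mode (`return None`); a shared helper such as `_is_access_token(payload) -> bool` would keep the two paths in step and give the rule one place to change. Both enclosing functions begin before their hunk and continue after it.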
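Review bot: In get_current_user_optional a refresh token presented as a Bearer credential is silently downgraded to an anonymous request by the added `return None`, so the same replay that get_current_user answers with a 401 leaves no server-side signal on optional-auth endpoints. If the module already has a logger (not visible in this hunk), a warning before the return — `logger.warning("refresh token presented as bearer credential; treating request as anonymous")`, without echoing the token or its claims — would make the two paths equally observable for detection. The function starts before the hunk and continues past it.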