From 96dbeecc0fb14054f4336762a4bad2e6ff92a674 Mon Sep 17 00:00:00 2001
From: dmolinari <dmolinari@eldia.com>
Date: Tue, 14 Apr 2026 13:59:37 -0300
Subject: [PATCH] fix(web): use endsWith for /auth path exclusion in refresh
 interceptor

Avoids substring-match false positives on future endpoints whose URL could
contain /auth/refresh or /auth/login as infix (W-01 from verify report).
---
 src/web/src/api/axiosClient.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/web/src/api/axiosClient.ts b/src/web/src/api/axiosClient.ts
index b86ad81..e4ba7ad 100644
--- a/src/web/src/api/axiosClient.ts
+++ b/src/web/src/api/axiosClient.ts
@@ -64,8 +64,8 @@ axiosClient.interceptors.response.use(
       status !== 401 ||
       !original ||
       original._retry ||
-      url.includes('/auth/refresh') ||
-      url.includes('/auth/login')
+      url.endsWith('/auth/refresh') ||
+      url.endsWith('/auth/login')
     ) {
       return Promise.reject(error)
     }