The API refresh route currently allows anonymous callers to mint an access token.

Current behavior:
- POST /api/auth/refresh does not require Authorization.
- The controller calls refreshToken() without caller context.
- The service returns a token for the hard-coded subject usr_existing with role client.

Expected behavior:
- Anonymous refresh requests should return 401.
- Authenticated refresh requests should mint a replacement token for the authenticated subject and role.

Verification target:
- Add API coverage for anonymous rejection and caller identity preservation.
- Protect the refresh route with the existing auth middleware.
- Reuse req.user when signing the refreshed token.

Parent bounty: #743