POST /api/v2/user/token/refresh reads the HttpOnly refresh cookie, rotates the session, mints a new JWT, and sets the new cookie — reusing the shared auth.RefreshSession core (no v1 change) and the #2912 cookie helpers / authTokenBody response shape. The cookie is set via the unwrapped echo ctx, not the OpenAPI spec. translateDomainError now maps *echo.HTTPError (which RefreshSession returns for missing/invalid/expired/replayed tokens) so those land as the right status instead of a 500. Completes the v1→v2 REST migration. |
||
|---|---|---|
| .. | ||
| shared | ||
| v1 | ||
| v2 | ||