
Fix: DO-11363 missing auth cookies redirect to login, only refresh token on 401 not 403 status #632

Merged
krzysztof-causalens merged 1 commit into master from codex/fix-missing-auth-401 on May 21, 2026

Conversation

@krzysztof-causalens
Collaborator

@krzysztof-causalens krzysztof-causalens commented May 20, 2026

Motivation and Context

When a browser session cookie expires and is no longer sent, Dara can receive authenticated API requests with no bearer token and no session cookie. The backend classified that as a 400 bad_request, which the frontend routes to /error?code=400 rather than back to login.

The client also attempted refresh-token recovery for 403 responses. A 403 means the user is authenticated but not authorized, so refreshing the session is not expected to resolve it and can mask the authorization failure.

Implementation Description

Missing auth credentials now return the existing expired-session auth payload with HTTP 401, so the frontend treats the response as an authentication failure and redirects users to login with the correct session-expired reason. Malformed Authorization headers still return 400, preserving the bad-request behavior for invalid auth syntax.

The HTTP client now attempts /api/auth/refresh-token only for 401 responses. 403 responses are returned to callers for normal auth-error handling without using the refresh token.

Backend auth tests cover the missing-credentials path on /verify-session, update the general protected-endpoint expectation, and keep stale-cookie cleanup behavior aligned with the new status. JS HTTP tests now cover refresh-on-401 and no-refresh-on-403.

Any new dependencies introduced

No new dependencies.

How Has This Been Tested?

  • cd packages/dara-core && DARA_TEST_FLAG=True poetry run pytest tests/python/test_auth.py -q
  • cd packages/dara-core && pnpm exec vitest run tests/js/http.spec.tsx --reporter=verbose
  • poetry anthology run lint
  • poetry anthology run format-check
  • pnpm lerna run lint
  • pnpm lerna run format:check
  • git diff --check

PR Checklist:

  • I have implemented all requirements? (see JIRA, project documentation).
  • I am not affecting someone else's work. If I am, they are included as a reviewer.
  • I have added relevant tests (unit, integration or regression).
  • I have added comments to all the bits that are hard to follow. N/A: no non-obvious code added.
  • I have added/updated Documentation. N/A: behavior fix covered by changelog.
  • I have updated the appropriate changelog with a line for my changes.

Screenshots (if appropriate):

N/A
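The two behaviours described above, the backend distinguishing missing from malformed credentials and the client refreshing only after a 401, as an added JavaScript model that is not code from the Dara repository or from this PR. The token table, the `session` cookie name, the `Authorization` header handling, the `/api/items` path and the shape of the expired-session payload are all constructed for this example; only `/api/auth/refresh-token` and the status codes come from the PR description.

```javascript
// Added example (not Dara's code): a minimal model of the backend credential
// classification and of a client that only calls /api/auth/refresh-token on 401.

// Constructed stand-in for the "expired session" auth payload the backend returns.
const SESSION_EXPIRED = { detail: { reason: 'session_expired' } };

// Constructed token table: what the backend knows about each presented credential.
const TOKENS = {
  'good-token': 'ok',           // authenticated and authorised
  'stale-token': 'expired',     // session has expired
  'limited-token': 'forbidden', // authenticated but not allowed on this endpoint
};

function mockResponse(status, body) {
  return { status, json: async () => body };
}

function verifyToken(token) {
  switch (TOKENS[token]) {
    case 'ok':
      return mockResponse(200, { user: 'alice' });
    case 'forbidden':
      return mockResponse(403, { detail: 'forbidden' }); // authorisation, not authentication
    default:
      return mockResponse(401, SESSION_EXPIRED); // unknown or expired credential
  }
}

// Backend side: pick the status from the credentials actually presented.
function classifyAuth({ authorization, sessionCookie }) {
  if (authorization === undefined && sessionCookie === undefined) {
    // No bearer token and no session cookie: an authentication failure (401),
    // not a malformed request, so the client can send the user back to login.
    return mockResponse(401, SESSION_EXPIRED);
  }
  if (authorization !== undefined) {
    const m = /^Bearer (\S+)$/.exec(authorization);
    // Header present but syntactically invalid: still a 400 bad request.
    if (!m) return mockResponse(400, { detail: 'bad_request' });
    return verifyToken(m[1]);
  }
  return verifyToken(sessionCookie);
}

// Client side: refresh at most once, and only on 401. 403 and 400 pass through.
async function request(fetchImpl, url, init = {}, retried = false) {
  const res = await fetchImpl(url, init);
  if (res.status !== 401 || retried) return res;
  const refresh = await fetchImpl('/api/auth/refresh-token', { method: 'POST' });
  if (refresh.status !== 200) return res; // refresh failed: caller treats the 401 as a login redirect
  const { token } = await refresh.json();
  const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
  return request(fetchImpl, url, { ...init, headers }, true); // exactly one retry, no loop
}

// Fake transport that routes to the classifier above and records every call.
function makeTransport({ refreshedToken = 'good-token', refreshSucceeds = true } = {}) {
  const calls = [];
  async function fetchImpl(url, init = {}) {
    calls.push(url);
    if (url === '/api/auth/refresh-token') {
      return refreshSucceeds
        ? mockResponse(200, { token: refreshedToken })
        : mockResponse(401, SESSION_EXPIRED);
    }
    const headers = init.headers || {};
    const cookie = /(?:^|; )session=([^;]+)/.exec(headers.Cookie || '');
    return classifyAuth({
      authorization: headers.Authorization,
      sessionCookie: cookie ? cookie[1] : undefined,
    });
  }
  return { fetchImpl, calls };
}

// Run one scenario: final status, how often refresh was attempted, total calls made.
async function scenario(headers, options) {
  const { fetchImpl, calls } = makeTransport(options);
  const res = await request(fetchImpl, '/api/items', { headers });
  return {
    status: res.status,
    refreshCalls: calls.filter((u) => u === '/api/auth/refresh-token').length,
    totalCalls: calls.length,
  };
}

// Demo: missing credentials, forbidden token, malformed header, refresh that yields a still-stale token.
Promise.all([
  scenario({}),
  scenario({ Authorization: 'Bearer limited-token' }),
  scenario({ Authorization: 'Token abc' }),
  scenario({ Cookie: 'session=stale-token' }, { refreshedToken: 'stale-token' }),
]).then((rows) => rows.forEach((r) => console.log(r)));
```

The `retried` flag is what keeps a refresh that hands back a still-rejected token from looping: the second 401 is returned to the caller untouched. A 403 never reaches the refresh branch at all, so an authorisation failure is surfaced rather than masked by a fresh session.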

@krzysztof-causalens krzysztof-causalens changed the title Fix: Missing auth cookies redirect to login Fix: DO-11363 missing auth cookies redirect to login May 20, 2026
@krzysztof-causalens krzysztof-causalens self-assigned this May 20, 2026
@krzysztof-causalens krzysztof-causalens force-pushed the codex/fix-missing-auth-401 branch from 6626bfe to da8ca76 May 20, 2026 16:12
@krzysztof-causalens krzysztof-causalens marked this pull request as ready for review May 20, 2026 17:10
@krzysztof-causalens
Collaborator Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Another round soon, please!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@krzysztof-causalens krzysztof-causalens force-pushed the codex/fix-missing-auth-401 branch from da8ca76 to 911da08 May 21, 2026 09:33
@krzysztof-causalens krzysztof-causalens marked this pull request as draft May 21, 2026 09:34
@krzysztof-causalens krzysztof-causalens changed the title Fix: DO-11363 missing auth cookies redirect to login Fix: DO-11363 missing auth cookies redirect to login, only refresh token on 401 not 403 status May 21, 2026
@krzysztof-causalens krzysztof-causalens marked this pull request as ready for review May 21, 2026 10:05
@krzysztof-causalens
Collaborator Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Another round soon, please!


Contributor

@sam-causalens sam-causalens left a comment


LGTM

@krzysztof-causalens krzysztof-causalens merged commit 0ee6c59 into master May 21, 2026
10 checks passed
@krzysztof-causalens krzysztof-causalens deleted the codex/fix-missing-auth-401 branch May 21, 2026 14:24