From b81b77ac2f92f063303b721a534755527468daca Mon Sep 17 00:00:00 2001
From: Hikari
Date: Mon, 23 Feb 2026 20:09:36 -0800
Subject: [PATCH] fix: omit audit log entries for 401s on /api/auth/me

Token expiry probes against /api/auth/me are expected behaviour during the refresh flow and should not generate unauthorized access audit events.
---
 api/src/app/app.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/src/app/app.ts b/api/src/app/app.ts
index bdaee04..433b8a5 100644
--- a/api/src/app/app.ts
+++ b/api/src/app/app.ts
@@ -22,8 +22,8 @@ export async function app(fastify: FastifyInstance, opts: AppOptions) {
       });
     }
 
-    // Log unauthorized access attempts
-    if (error.statusCode === 401 || error.statusCode === 403) {
+    // Log unauthorized access attempts (exclude /api/auth/me as 401s there are expected during token refresh)
+    if ((error.statusCode === 401 || error.statusCode === 403) && request.url !== '/api/auth/me') {
       await AuditService.log({
         action: AuditAction.unauthorizedAccess,
         category: AuditCategory.security,
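Review bot: The new condition drops more than the commit message claims: `request.url !== '/api/auth/me'` also suppresses 403 audit events on that path, while only the 401 expiry probe is described as expected behaviour, so a forbidden-but-authenticated request to `/api/auth/me` now leaves no security record. Scoping the exclusion to the status it is meant for keeps the 403 coverage, e.g. `const expectedExpiry = error.statusCode === 401 && request.url.split('?')[0] === '/api/auth/me';` followed by `if ((error.statusCode === 401 || error.statusCode === 403) && !expectedExpiry) {`. Note that `request.url` is the raw request target including any query string, so matching on the registered route path (Fastify exposes it as `request.routeOptions.url` on v4+; exact availability depends on the version in use, which the hunk does not show) would make the exemption apply consistently regardless of how the URL is written. Consider also that silently omitting every 401 on this endpoint removes the only trace of repeated invalid-token attempts against it; logging at a lower-severity action, or only when an Authorization header was actually presented, would keep that signal. The error handler enclosing this condition starts and ends outside the hunk.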