fix(#411): QA-010 — fix minor JSDoc and comment issues across auth files

Fix response.ok JSDoc (2xx not 200), remove stale token refresh claim, remove non-actionable comment, fix CSRF comment placement, add 403 mapping rationale. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 13:50:04 -06:00
parent e600cfd2d0
commit 27c4c8edf3
5 changed files with 13 additions and 15 deletions
--- a/apps/api/src/auth/auth.controller.ts
+++ b/apps/api/src/auth/auth.controller.ts
@@ -112,12 +112,9 @@ export class AuthController {
   * Rate limiting and logging are applied to mitigate abuse (SEC-API-10).
   */
  @All("*")
-  /**
-   * BetterAuth implements CSRF protection internally via Fetch Metadata headers
-   * (Sec-Fetch-Site, Sec-Fetch-Mode) and SameSite=Lax cookies. The @SkipCsrf()
-   * decorator skips the custom CSRF guard to avoid double-protection conflicts.
-   * Reference: https://www.better-auth.com/docs/reference/security
-   */
+  // BetterAuth handles CSRF internally (Fetch Metadata + SameSite=Lax cookies).
+  // @SkipCsrf avoids double-protection conflicts.
+  // See: https://www.better-auth.com/docs/reference/security
  @SkipCsrf()
  @Throttle({ strict: { limit: 10, ttl: 60000 } })
  async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise<void> {