refactor: Address technical debt in auth refresh implementation

frontend/src/services/api.ts

@@ -69,22 +69,27 @@ api.interceptors.response.use(
         console.error("Reactive refresh failed:", refreshError)
         
         // Final failure - session is dead
-        if (onUnauthorized) {
-          onUnauthorized()
-        }
+        handleUnauthorized()
         return Promise.reject(refreshError)
       }
     }
     
-    // If it's the refresh endpoint itself failing with 401, trigger logout
-    if (error.response?.status === 401 && isRefreshEndpoint) {
-        if (onUnauthorized) {
-            onUnauthorized()
-        }
+    // If it's a 401 on an endpoint we don't/can't refresh (like refresh itself or login)
+    if (error.response?.status === 401) {
+      handleUnauthorized()
     }
 
     return Promise.reject(error)
   }
 )
 
+/**
+ * Shared helper to trigger logout/unauthorized cleanup.
+ */
+function handleUnauthorized() {
+  if (onUnauthorized) {
+    onUnauthorized()
+  }
+}
+
 export default api