fix: use 303 See Other for outbound redirects to avoid 405 on POST flow

`NextResponse.redirect()` defaults to 307 (method-preserving). Now that this
route also accepts POST (added in the previous commit), a refresh that
arrived via POST would have its outbound redirect to /catalog or /signin
sent as POST too — both of which only handle GET, producing 405.

Switch both the success and failure redirects to 303 See Other, which
unconditionally instructs the browser to follow with GET. Caught by Copilot
review on the PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: peppescg

src/app/api/auth/token-refresh/route.test.ts

@@ -231,4 +231,23 @@ describe("GET /api/auth/token-refresh", () => {
       );
     });
   });
+
+  describe("redirect uses 303 See Other (forces GET on follow-up)", () => {
+    it("success redirect to safeRedirect is 303", async () => {
+      mockRefreshSuccess();
+      const response = await GET(
+        makeRequest(`${INTERNAL_URL}?redirect=%2Fcatalog`),
+      );
+      // 303 prevents a POST that arrived at this route (via 307 from a Server
+      // Action) from being replayed as a POST against /catalog.
+      expect(response.status).toBe(303);
+    });
+
+    it("failure redirect to /signin is 303", async () => {
+      vi.spyOn(console, "warn").mockImplementation(() => {});
+      mockRefreshFailure();
+      const response = await GET(makeRequest(INTERNAL_URL));
+      expect(response.status).toBe(303);
+    });
+  });
 });

src/app/api/auth/token-refresh/route.ts

@@ -30,7 +30,9 @@ const BASE_ORIGIN = new URL(BASE_URL).origin;
  *
  * Both GET and POST are exported: Next.js `redirect()` outside a Server Action uses
  * 307 (method-preserving), so a redirect triggered from a Server Component render
- * that follows a Server Action POST reaches this route as a POST.
+ * that follows a Server Action POST reaches this route as a POST. For the same
+ * reason, the outbound redirects below use 303 See Other (forces the browser to
+ * follow with GET) — a default 307 would re-POST `/catalog` or `/signin` and 405.
  */
 async function handler(request: NextRequest) {
   // Validate redirect target to prevent open redirects.
@@ -64,6 +66,7 @@ async function handler(request: NextRequest) {
 
     const redirectResponse = NextResponse.redirect(
       new URL(safeRedirect, BASE_URL),
+      { status: 303 },
     );
 
     // Copy Set-Cookie headers from Better Auth's internal response directly
@@ -88,7 +91,9 @@ async function handler(request: NextRequest) {
 async function signOutAndRedirect(
   requestHeaders: Headers,
 ): Promise<NextResponse> {
-  const response = NextResponse.redirect(new URL("/signin", BASE_URL));
+  const response = NextResponse.redirect(new URL("/signin", BASE_URL), {
+    status: 303,
+  });
   try {
     const signOutResponse = await auth.api.signOut({
       headers: requestHeaders,