Trey T
39cf3f2a74
Captured a real iOS Feeld token-refresh request — our outbound headers were unmistakably "not the iOS app." Aligning so requests fingerprint identically. - APP_VERSION 8.11.0 → 9.4.3 in constants.ts, server/index.js, vite.config.ts - Bundle id corrected to com.3nder.threender (was com.3nder.ios) - REQUEST_HEADERS User-Agent now the realistic Alamofire iOS UA, not 'feeld-mobile' - server/index.js refreshAccessToken now sends the full Firebase iOS header set (FirebaseAuth.iOS UA, X-Client-Version, X-Firebase-AppCheck fallback, X-Firebase-GMPID, X-Ios-Bundle-Identifier) and uses camelCase body keys. Response parsing accepts both camelCase and snake_case for resilience. - vite proxy /api/firebase now applies the same iOS headers in dev mode - vite proxy /api/graphql strips browser sec-* fingerprint headers and sets the realistic Alamofire UA unconditionally (was a conditional 'feeld-mobile') Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>