Captured a real iOS Feeld token-refresh request — our outbound headers were
unmistakably "not the iOS app." Aligning so requests fingerprint identically.
- APP_VERSION 8.11.0 → 9.4.3 in constants.ts, server/index.js, vite.config.ts
- Bundle id corrected to com.3nder.threender (was com.3nder.ios)
- REQUEST_HEADERS User-Agent now the realistic Alamofire iOS UA, not 'feeld-mobile'
- server/index.js refreshAccessToken now sends the full Firebase iOS header
set (FirebaseAuth.iOS UA, X-Client-Version, X-Firebase-AppCheck fallback,
X-Firebase-GMPID, X-Ios-Bundle-Identifier) and uses camelCase body keys.
Response parsing accepts both camelCase and snake_case for resilience.
- vite proxy /api/firebase now applies the same iOS headers in dev mode
- vite proxy /api/graphql strips browser sec-* fingerprint headers and sets
the realistic Alamofire UA unconditionally (was a conditional 'feeld-mobile')
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Trey T
39cf3f2a74