79456071

Date: 2025-02-20 23:54:30
Score: 0.5

Since you have set refresh_token as an HTTP-only cookie, it cannot be accessed directly from the frontend. However, your backend should be able to read it from the request.

Possible reasons for the issue:

Cookie Settings: You have httponly=True and secure=False. If your app runs over HTTPS, you need to set secure=True. Also, try changing samesite='Lax' to samesite='None' along with secure=True.

Domain Mismatch: If your backend and frontend run on different domains, you might need to set the cookie with domain="yourdomain.com" in response.set_cookie.

CORS and Cookie Settings: Check your Django settings for SESSION_COOKIE_SAMESITE and CSRF_COOKIE_SAMESITE. Also, ensure that your frontend requests are sent with credentials: "include".

To debug: Check if the refresh_token is actually set in the browser using Developer Tools (Application -> Cookies).

Log request.COOKIES in your backend using print(request.COOKIES) to see if the cookie is being received.

Try these steps and let me know if the issue persists. We can debug further with additional logs.

Reasons:
  • Long answer (-1):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Alperen Sümeroğlu
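
An added example, not part of the answer above: a small checker that takes a `Set-Cookie` value and reports why a browser would drop `refresh_token` on a `fetch()` from the frontend to the backend. The names `site_of` and `diagnose_cookie`, the sample headers and the hosts are constructed for illustration; the same-site test assumes the registrable domain is the last two host labels (no public-suffix list).

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1"}  # assumption: Chrome/Firefox accept Secure cookies here


def site_of(url):
    """Approximate the registrable domain (assumption: last two labels, no public-suffix list)."""
    host = urlsplit(url).hostname or ""
    if host in LOCAL_HOSTS or host.replace(".", "").isdigit():
        return host  # ports are ignored: localhost:3000 and localhost:8000 are same-site
    return ".".join(host.split(".")[-2:])


def diagnose_cookie(set_cookie_value, frontend_url, backend_url, name="refresh_token"):
    """List the reasons a browser would drop `name` on a fetch() from frontend to backend."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    if name not in jar:
        return [f"{name} missing from Set-Cookie"]
    morsel = jar[name]
    backend = urlsplit(backend_url)
    host = backend.hostname or ""
    secure = bool(morsel["secure"])
    samesite = (morsel["samesite"] or "Lax").lower()  # Chromium-based browsers default to Lax
    domain = morsel["domain"].lstrip(".").lower()
    cross_site = site_of(frontend_url) != site_of(backend_url)

    problems = []
    if samesite == "none" and not secure:
        problems.append("SameSite=None requires Secure")
    if secure and backend.scheme != "https" and host not in LOCAL_HOSTS:
        problems.append("Secure cookie on a plain-HTTP backend")
    if cross_site and samesite != "none":
        problems.append(f"SameSite={samesite} is not sent on cross-site fetch/XHR")
    if domain and host != domain and not host.endswith("." + domain):
        problems.append(f"Domain={domain} does not match backend host {host}")
    return problems


# Constructed sample headers, mirroring the settings discussed in the answer.
LAX_INSECURE = "refresh_token=abc; HttpOnly; Path=/; SameSite=Lax"
NONE_SECURE = "refresh_token=abc; HttpOnly; Secure; Path=/; SameSite=None"

if __name__ == "__main__":
    for header in (LAX_INSECURE, NONE_SECURE):
        print(header, "->", diagnose_cookie(header, "https://app.example.net", "https://api.example.com"))
```

Keeping `HttpOnly` on the refresh token is the part that should not change while debugging; only `Secure`, `SameSite` and `Domain` decide whether the browser attaches it.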