auth: stop retrying invalid_grant refresh tokens, surface actionable 401s#312
Open
samcm wants to merge 1 commit into
Open
auth: stop retrying invalid_grant refresh tokens, surface actionable 401s#312samcm wants to merge 1 commit into
samcm wants to merge 1 commit into
Conversation
…401s A rotating refresh token consumed by the provider mid-outage (response lost to a connection drop) can never succeed again. The store now records the rejected token, fails fast with ErrReauthRequired instead of calling the token endpoint on every request, and resumes automatically when a new credential is written (panda auth login, or another process's rotation). Request paths that previously sent unauthenticated requests when the token source failed (server proxy relay, proxy client query) now fail fast with 'run panda auth login' instead of relaying the proxy's opaque 'missing or invalid Authorization header' 401. The CLI also attaches a re-auth hint to any 401, which covers older servers.
Contributor
🐼 Smoke eval —
|
| question | result | tokens | tools |
|---|---|---|---|
forky_node_coverage |
✅ | 16,664 | 8 |
tracoor_node_coverage |
✅ | 18,001 | 6 |
mainnet_block_arrival_p50 |
✅ | 16,253 | 9 |
list_datasources |
✅ | 13,014 | 2 |
block_count_24h |
✅ | 16,279 | 9 |
missed_slots_24h |
✅ | 27,369 | 15 |
chartkit_default_arrival_distribution |
✅ | 32,484 | 16 |
storage_upload_session_scoped |
✅ | 16,891 | 8 |
🔭 Langfuse traces (8 runs; ⚠️ = failed)
The report walks this branch's commits against the master baseline and the most recent release. A self-contained copy is in the run's eval-smoke-* artifact.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When the OAuth provider rejects a stored refresh token with invalid_grant, the credential store now marks it dead and stops calling the token endpoint, returning ErrReauthRequired until a new credential lands via
panda auth loginor another process's rotation. The server's proxy relay and the proxy client's query path no longer send unauthenticated requests when no token is available; they fail with a 401 telling the user to runpanda auth login. The CLI attaches the same hint to any 401 from the server, which covers older servers too.