fix(auth): keep refresh token when refresh response omits refresh_token#93
Conversation
Asana's refresh_token grant response does not rotate the refresh token, so persisting tokenResponse.refresh_token verbatim dropped the stored refresh token after the first renewal. Every later expiry then found no refresh token, leaving the CLI silently logged out about an hour after OAuth login. Includes a failing-first regression test.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Warning Review limit reached
Next review available in: 36 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
No issues found across 3 files
Architecture diagram
sequenceDiagram
participant Client as Client (Extension/CLI)
participant Auth as refreshTokenIfNeeded
participant Config as Config Store (file)
participant Asana as Asana OAuth API
Note over Client,Asana: OAuth token refresh flow (fix applied)
Client->>Auth: Call refreshTokenIfNeeded()
Auth->>Config: Read config (accessToken, refreshToken, expiresAt)
Config-->>Auth: config object
Auth->>Auth: Check if token expired (expiresAt < now)
alt Token expired or near expiry
Auth->>Asana: POST /oauth/token (grant_type=refresh_token)
Asana-->>Auth: OAuthTokenResponse
Note over Auth: Contains access_token, expires_in,<br/>refresh_token (optional per Asana)
alt refresh_token present in response
Auth->>Config: Save new accessToken and refreshToken
else refresh_token omitted (Asana default behavior)
Auth->>Config: Save new accessToken,<br/>keep existing refreshToken (??)
end
Config-->>Auth: Config saved
Auth-->>Client: true (success)
else Token still valid
Auth-->>Client: false (no refresh needed)
end
There was a problem hiding this comment.
Code Review
This pull request updates the Asana client to retain the stored refresh token when the token refresh response omits the refresh_token field, preventing auto-refresh from breaking after the first renewal. It also updates the OAuthTokenResponse interface to mark refresh_token as optional and adds a corresponding unit test. The review feedback suggests wrapping the test's fetch mocking and assertions in a try...finally block to ensure global.fetch is always restored, preventing potential test pollution if an assertion fails.
|
/gemini review |
|



Summary
Asana's OAuth
refresh_tokengrant response omitsrefresh_tokenin the response body. The existing code was overwriting/dropping the previously stored refresh token whenever a refresh response omitted a new one. Once the access token subsequently expired too, there was no valid token pair left to refresh with, silently logging the user out.This fixes the user-reported issue: 로그인 후 일정 시간 후 로그인이 풀리는 문제 (login silently expires/logs out after some time, ~1 hour, when using OAuth token login).
Fix: keep the existing refresh token when the refresh response doesn't include a new one.
Related issue
No specific tracked issue number — this addresses the user-reported bug: "token 사용해서 로그인시 일정시간후 로그인 풀림" (로그인 후 일정 시간 후 로그인이 풀리는 문제).
Checklist
bun run test)bun run lint)BREAKING CHANGE:note is includedSummary by cubic
Retains the stored OAuth refresh token when Asana’s refresh response omits
refresh_token, preventing silent logout after the next access token expiry (~1 hour). Adds a regression test and restoresglobal.fetchin tests to avoid pollution.refreshTokenwhen refresh responses omitrefresh_token.refresh_tokenoptional inOAuthTokenResponsewith documentation.global.fetchinfinallyto prevent test pollution.Written for commit 2648bd9. Summary will update on new commits.