fix(minimax-oauth): quarantine dead tokens on terminal refresh failure #28003
Closed
EloquentBrush0x wants to merge 1 commit into
resolve_minimax_oauth_runtime_credentials called _refresh_minimax_oauth_state without a try/except, so a terminal failure (invalid_grant, refresh_token_reused, invalid_refresh_token) raised AuthError but left the dead refresh_token in auth.json. Every subsequent API call retried the same token via a network round-trip, failing identically each time.

Fix: wrap the refresh call and, when exc.relogin_required is True and a refresh_token is present, clear the dead OAuth fields (access_token, refresh_token, expires_*) and write a last_auth_error quarantine marker to auth.json before re-raising. The next call sees no access_token and fails fast with "not_logged_in" — no network retry — and the user is prompted to re-authenticate.

Mirrors the existing quarantine pattern for Nous (_quarantine_nous_oauth_state), xAI-OAuth (PR NousResearch#27898), and Codex-OAuth (PR NousResearch#27911). Persist failure is best-effort (logged at DEBUG, error still re-raised).
BoardJames triage: this also looks shared/systemic rather than branch-local. All non-test checks are green (attribution, common-ancestor, ruff/ty, ruff enforcement, Windows footguns, nix ubuntu/macos, supply-chain, e2e, and both Docker builds). The full
teknium1 pushed a commit that referenced this pull request May 18, 2026
resolve_minimax_oauth_runtime_credentials called _refresh_minimax_oauth_state without a try/except, so a terminal failure (invalid_grant, refresh_token_reused, invalid_refresh_token) raised AuthError but left the dead refresh_token in auth.json. Every subsequent API call retried the same token via a network round-trip, failing identically each time.

Fix: wrap the refresh call and, when exc.relogin_required is True and a refresh_token is present, clear the dead OAuth fields (access_token, refresh_token, expires_*) and write a last_auth_error quarantine marker to auth.json before re-raising. The next call sees no access_token and fails fast with 'not_logged_in' — no network retry — and the user is prompted to re-authenticate.

Mirrors the existing quarantine pattern for Nous (_quarantine_nous_oauth_state), xAI-OAuth (#28116), and Codex-OAuth (#28118). Persist failure is best-effort (logged at DEBUG, error still re-raised).

Salvaged from #28003 by @EloquentBrush0x — contributor's branch was severely stale (would have reverted ~5000 LOC across azure/kanban/i18n subsystems); fix re-applied surgically with their pattern preserved and added two regression tests (terminal-quarantines + transient-does-not-quarantine).
Lillard01 pushed a commit to Lillard01/hermes-agent that referenced this pull request May 21, 2026
Mucky010 pushed a commit to Mucky010/hermes-agent that referenced this pull request May 24, 2026
gweeteve pushed a commit to gweeteve/hermes-agent that referenced this pull request Jun 2, 2026
Summary
- resolve_minimax_oauth_runtime_credentials called _refresh_minimax_oauth_state without catching its AuthError. On a terminal failure (invalid_grant, refresh_token_reused, invalid_refresh_token), the error propagated but the dead refresh_token remained in auth.json — so every subsequent API call retried the same token via a network round-trip, failing identically each time.
- exc.relogin_required is True and a refresh_token is still present, clear the dead OAuth fields (access_token, refresh_token, expires_*) and write a last_auth_error quarantine marker to auth.json before re-raising. The next call sees no access_token and fails fast with "not_logged_in" — no network retry.
- _quarantine_nous_oauth_state), xAI-OAuth (PR fix(xai-oauth): quarantine terminal refresh errors to prevent dead-token replay across sessions #27898), and Codex-OAuth (PR fix(codex-oauth): quarantine terminal refresh errors so dead tokens are not replayed across sessions #27911). Persist failure is best-effort (logged at DEBUG; original error still re-raised).

Test plan
- _refresh_minimax_oauth_state to raise AuthError(relogin_required=True, code="refresh_failed"); assert auth.json loses refresh_token and gains last_auth_error.
- relogin_required = True.
- AuthError(relogin_required=False); assert auth.json is unchanged.
- resolve_minimax_oauth_runtime_credentials raises "not_logged_in" without a network request.
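
The quarantine pattern described in this pull request, as an added sketch that is not the project's code. The names resolve_credentials, quarantine and refresh_fn, the flat auth.json layout with an expires_at field, and the shape of the last_auth_error marker are assumptions made for illustration.

```python
import json, logging, os, tempfile, time

log = logging.getLogger("oauth_quarantine_example")

class AuthError(Exception):
    """Stand-in for the project's AuthError; carries only the fields named on the page."""
    def __init__(self, message, code, relogin_required=False):
        super().__init__(message)
        self.code = code
        self.relogin_required = relogin_required

def load_state(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def save_state(path, state):
    # Write to a temp file (mkstemp creates it 0600) and rename over the
    # target so a crash never leaves half-written credentials behind.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)

def quarantine(path, state, exc):
    """Drop the dead OAuth fields and record why; persisting is best-effort."""
    kept = {k: v for k, v in state.items()
            if k not in ("access_token", "refresh_token") and not k.startswith("expires_")}
    kept["last_auth_error"] = {"code": exc.code, "relogin_required": True,
                               "at": int(time.time())}  # assumed marker shape
    try:
        save_state(path, kept)
    except OSError as err:
        log.debug("could not persist quarantine marker: %s", err)

def resolve_credentials(path, refresh_fn, now=None):
    """Return a usable access token, refreshing it once it has expired."""
    state = load_state(path)
    if not state.get("access_token"):
        # Quarantined or never logged in: fail fast, no network round-trip.
        raise AuthError("login required", code="not_logged_in", relogin_required=True)
    if state.get("expires_at", 0) > (time.time() if now is None else now):
        return state["access_token"]
    try:
        state = refresh_fn(state)  # the network call in a real client
    except AuthError as exc:
        # Terminal failure only: a transient error must leave auth.json alone.
        if exc.relogin_required and state.get("refresh_token"):
            quarantine(path, state, exc)
        raise
    save_state(path, state)
    return state["access_token"]
```
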