What happened?
Description
Several race conditions exist in the Qwen OAuth token management system, which can cause the application
to trigger unnecessary re-authentication flows even after tokens have been successfully refreshed by
another process. These issues can lead to a degraded user experience and potential authentication
failures in concurrent environments.
Issues Identified
- 1-Second Cache Delay Skips File Checks: The checkAndReloadIfNeeded() function has a 1-second cache
delay, which can result in stale tokens being returned when tokens have been refreshed by another
process.
- Stale Promise Return: The getValidCredentials() method returns a cached promise without
revalidating the file state, potentially returning expired credentials.
- Missing File Re-read After Token Save: After successfully saving refreshed credentials, the memory
cache is not updated from the file, leading to stale data persistence.
- Memory Cache Uses Stale Data: Token validation uses the memory cache without ensuring it's the most
recent data from the file.
- Immediate Re-authentication on Refresh Failures: Any refresh failure immediately triggers
re-authentication without checking if tokens were actually refreshed by another process.
What did you expect to happen?
Expected Behavior
- Token validation should always use the most recent data from the file system.
- Concurrent token refreshes by different processes should not lead to unnecessary re-authentication.
- The system should gracefully handle token refresh failures without immediately falling back to
re-authentication.
Actual Behavior
- Stale tokens are returned due to cache delays and lack of file revalidation.
- Unnecessary re-authentication is triggered, disrupting the user experience.
Client information
CLI Version: 0.0.9
Model: qwen3-coder-plus
Sandbox: no sandbox
OS: linux
Auth Method: qwen-oauth
Login information
No response
Anything else we need to know?
Observed that even with a successful token refresh, the CLI still enforces re-auth when starting the Qwen Code CLI.
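A sketch of the expected behavior listed above, added here as an illustration and not taken from the Qwen Code source: the store stats the credentials file on every call, re-reads it after saving, and on a refresh failure checks the file for a token rotated by another process before falling back to re-authentication. All names (`makeTokenStore`, `saveAtomic`, the `Creds` fields) are hypothetical, and the refresh callback is synchronous to keep the example short.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
// Hypothetical credential shape and names; not the CLI's actual schema or API.
interface Creds { access_token: string; expiry_date: number }
type Result = { source: "cache" | "file" | "refreshed" | "reauth"; token?: string };

function saveAtomic(file: string, c: Creds): void {
  const tmp = `${file}.${process.pid}.tmp`;
  fs.writeFileSync(tmp, JSON.stringify(c), { mode: 0o600 });
  fs.renameSync(tmp, file); // readers see the old or the new file, never a partial one
}
function makeTokenStore(file: string, refresh: () => Creds) {
  let cached: Creds | null = null;
  let stamp = "";
  // Stat on every call and reload whenever the file changed: no time-based skip.
  const load = (): "cache" | "file" => {
    const s = fs.statSync(file);
    const seen = `${s.ino}:${s.mtimeMs}:${s.size}`;
    if (cached && seen === stamp) return "cache";
    cached = JSON.parse(fs.readFileSync(file, "utf8")) as Creds;
    stamp = seen;
    return "file";
  };
  const result = (source: Result["source"], now: number): Result | null =>
    cached && cached.expiry_date > now ? { source, token: cached.access_token } : null;
  const get = (now: number): Result => {
    const hit = result(load(), now);
    if (hit) return hit;
    try {
      saveAtomic(file, refresh());
      load(); // re-read so memory matches what was written
      return result("refreshed", now) ?? { source: "reauth" };
    } catch {
      // Refresh failed: check whether another process already rotated the token.
      load();
      return result("file", now) ?? { source: "reauth" };
    }
  };
  return { get };
}

// Constructed scenario: a peer rotates the token first, so our own refresh is rejected.
function demo(): Result {
  const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), "tok-")), "creds.json");
  saveAtomic(file, { access_token: "old", expiry_date: 1000 });
  const losing = () => { saveAtomic(file, { access_token: "peer", expiry_date: 9000 }); throw new Error("invalid_grant"); };
  return makeTokenStore(file, losing).get(5000);
}
```

Calling `demo()` yields the peer's token with source `"file"` rather than a re-authentication request.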