Print gh auth refresh for 401 returns#13068
Merged
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Updates CLI authentication guidance on HTTP 401 errors to prefer gh auth refresh when the user’s stored credentials are refreshable (i.e., created via gh auth login), reducing friction compared to always suggesting gh auth login.
Changes:
- Add token “refreshable” detection and use it to suggest
gh auth refreshfor invalid/expired stored OAuth tokens. - Update
ghtop-level 401 error recovery message to dynamically choosegh auth refresh -h <host>vsgh auth login. - Add/adjust tests for the new recovery-command selection and updated
auth statusoutput.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/cmd/auth/status/status.go | Switches re-auth guidance to gh auth refresh when the invalid token is refreshable. |
| pkg/cmd/auth/status/status_test.go | Updates expected output to reflect refresh guidance for refreshable tokens. |
| pkg/cmd/auth/shared/writeable.go | Introduces AuthTokenRefreshable helper for identifying refreshable stored OAuth tokens. |
| internal/ghcmd/cmd.go | On 401, determines whether to print gh auth refresh -h <host> or fallback to gh auth login. |
| internal/ghcmd/cmd_test.go | Adds unit tests covering authRecoveryCommand behavior across token/source/requestURL cases. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
`gh auth refresh` exists to make it simpler for users to refresh their tokens on expiration/scope mismatch, but help messages only suggest using it in limited scenarios, and not in a common case of a token expiring and the user receiving a 401 error. Now, the auth flow will detect this case, and for refreshable tokens (namely, tokens created by logging in with `gh auth login` in the first place), it will suggest using `gh auth refresh` for these cases.
5ac48b6 to
a656271
Compare
Member
|
Apologies for the delay @333fred - I rebased and force pushed because there was some conflicts with |
BagToad
requested changes
Apr 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
gh auth refreshexists to make it simpler for users to refresh their tokens on expiration/scope mismatch, but help messages only suggest using it in limited scenarios, and not in a common case of a token expiring and the user receiving a 401 error. Now, the auth flow will detect this case, and for refreshable tokens (namely, tokens created by logging in withgh auth loginin the first place), it will suggest usinggh auth refreshfor these cases.Fixes #13066.