🐛 fix(desktop): prevent frequent logout from token refresh retry #14928
The OIDC server rotates refresh tokens and revokes the whole grant when a consumed refresh token is reused. The desktop refresh wrapper retried the token request up to 4 times reusing the same stored refresh token, so any failure after the server had already consumed it (lost response, timeout, parse error) guaranteed an invalid_grant on the next attempt and logged the user out.

- RemoteServerConfigCtr: drop the in-line retry — refresh is now a single attempt; transient failures recover on the next refresh cycle
- AuthCtr: refresh proactively only when the access token is near expiry instead of on every launch/activation, cutting refresh-token rotations from dozens a day to roughly one a week
- remove the now-unused async-retry dependency
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4e5232758b
| if (this.shouldProactivelyRefresh()) { | ||
| logger.info('Token refresh interval exceeded on app activation, refreshing token'); | ||
| // Refresh only when the token is actually near expiry (see initializeAutoRefresh). | ||
| if (this.remoteServerConfigCtr.isTokenExpiringSoon()) { |
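Review bot: the `isTokenExpiringSoon()` condition is now the only gate on the activation refresh, and the visible lines do not show what it returns when the store holds no expiry for the current token. If it returns true in that case, every activation refreshes again and the rotation churn comes back; if it returns false, the token is never refreshed proactively. Make that case explicit in the method or at this call site and cover it with a test.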
Use a short buffer for proactive refresh checks
onAppActivate now calls isTokenExpiringSoon() with its default 24-hour buffer, so any deployment issuing access tokens with lifetime ≤24h (common in self-hosted OIDC) will be treated as “expiring soon” immediately after login and will refresh again on every activation/startup. This removes the old debounce guard and can recreate high refresh-token rotation churn (and the same invalid_grant/forced logout path on transient lost responses) that this fix is trying to reduce; pass an explicit small buffer (e.g. minutes) or make it token-lifetime/config aware.
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## canary #14928 +/- ##
========================================
Coverage 65.91% 65.91%
========================================
Files 2975 2975
Lines 262826 262826
Branches 26698 25835 -863
========================================
Hits 173241 173241
Misses 89424 89424
Partials 161 161
isTokenExpiringSoon() defaults to a 24h buffer. An OIDC server issuing access tokens with a lifetime <= 24h would be treated as "expiring soon" right after login, refreshing on every launch/activation and recreating the refresh-token rotation churn this branch removes. Pass an explicit 10-minute buffer at all three call sites (auto-refresh timer, startup init, app activation) so the behaviour no longer depends on the server's access-token lifetime.
# 🚀 LobeHub Release (20260528)

**Release Date:** May 28, 2026
**Since v2.2.0:** 220 merged PRs · 15 contributors

> This cycle brings heterogeneous "platform agents" you can dispatch to local or remote devices, a rebuilt onboarding flow, document-centric chat, and a unified model-runtime error model — with new DeepSeek V4 and Gemini 3.5 Flash support along the way.

---

## ✨ Highlights

- **More Hetero Agents (OpenClaw / Hermes)** — Create heterogeneous agents and dispatch them to local or remote devices through the device gateway, with an execution-target switcher in the composer and persistent CLI sessions. (#15065, #15179, #15022)
- **iMessage on Desktop** — New iMessage setup and bridge on desktop, plus bot attachments across every platform. (#15228, #15227, #15029)
- **Skills in the Composer** — Drag skill chips into chat, trigger installed skills from the slash menu mid-line, and surface project-level skills in the homogeneous agent runtime. (#15095, #15061, #15110)
- **New Models** — DeepSeek V4 Flash/Pro and Gemini 3.5 Flash across providers, with thinking params for structured output and chat cost estimates. (#15031, #15001, #15051, #14876)
- **Agent Runtime Observability** — OpenTelemetry GenAI semantic conventions plus per-call generation tracing. (#15123, #15124)

---

## 🤖 Agents & Heterogeneous Runtime

- **Platform agent creation** — OpenClaw/Hermes creation UI, device guard, and remote dispatch backend. (#15065)
- **Execution-target switcher** — Pick local vs remote execution directly in the composer; device-selection UX with actionable guidance. (#15179, #15111)
- **CLI hetero dispatch** — OpenClaw/Hermes dispatch with persistent sessions and a notify protocol. (#15022)
- **Gateway snapshot as source of truth** — Consume the gateway `uiMessages` snapshot at step boundaries to keep chat state consistent. (#15153, #15152)
- **Client sub-agent as a normal tool call** — Simplifies the sub-agent execution path. (#15281)
- **Hermes agent chain** — Implements the Hermes agent chain logic. (#15189)
- **Device registry** — TRPC endpoints to register, list, update, and remove devices. (#15299)
- **Desktop device routing** — Route gateway agent runs through `lh hetero exec`; restore `userId` in gateway dispatch and gate local-system by execution target. (#15132, #15232)
- **Agent signals** — Anchor agent-signal receipts to messages and isolate memory-agent messages into a child thread. (#14969, #14921)

---

## 🚀 Onboarding

- **Simplified first screen** — Defer topic creation to first send. (#15090)
- **Market Agent Picker** — Added as a classic onboarding step, with template prefetch. (#14980, #15041)
- **Welcome guidance** — Show agent welcome guidance on first run. (#15098)
- **Mobile** — Adapt agent onboarding UI and restore Classic-step padding on mobile. (#15019, #15032)
- **Discovery** — Streamline discovery to a single profession question. (#14987)
- **Analytics** — Track onboarding step events and create-agent modal source. (#15133, #15028)

---

## 📄 Documents, Pages & Knowledge

- **Thread chat in preview** — Embed thread chat in the document preview portal. (#15216)
- **Non-markdown rendering** — Render non-markdown docs as a read-only highlight. (#15272)
- **Multi-select** — Multi-select delete in the document tree. (#15125)
- **Page-agent streaming** — Preview `initPage` streaming arguments. (#15039)
- **Per-agent topics** — Per-agent topic management page. (#15207)
- **Server-side category** — Derive document category server-side and drop frontend predicates. (#15076)

---

## 🧩 Skills & Tools

- **Drag skill chips** — Drag skills into chat input and register agent-document skills. (#15095)
- **Slash menu** — Installed skills appear in the slash menu with a mid-line trigger. (#15061)
- **Project skills** — Recognize project-level skills in the homogeneous agent runtime and surface them regardless of active device. (#15110, #15177)
- **VFS archiving** — Archive oversized tool results to VFS instead of truncating. (#15074)
- **@localfile mentions** — Drag folders into chat input as `@localFile` mentions on desktop. (#15071)

---

## 🧠 Model Runtime & Providers

- **Error spec registry** — Unify error codes into a spec + pattern registry, split `ProviderBizError` into finer codes, classify Cloud-only codes via a tier digit, and add `DatabasePersistError`. (#15262, #15286, #15278, #15279)
- **New models** — DeepSeek V4 Flash/Pro (opencode-go) and Gemini 3.5 Flash; DeepSeek V4 Pro on SiliconCloud. (#15031, #15001, #15017, #15267)
- **Structured output** — Thinking params for structured output, Bedrock structured generation, and DeepSeek `generateObject` tool choice. (#15051, #15174, #15054)
- **Cost** — Chat cost estimate support; preserve usage cost in custom streams. (#14876, #15218)

---

## 💬 Chat & User Experience

- **Follow-up chips** — Extend follow-up chip suggestions to general chat with scene-specific model config. (#15101, #14797)
- **Input drafts** — Persist unsent input drafts across tab switches and prevent repeated draft restore. (#14992, #15024)
- **Command menu** — Order topic/message search by recency and promote inline type filters. (#15094, #14986)
- **Zoom HUD** — Show a zoom-level HUD on Cmd +/− and Cmd 0. (#15294)
- **Copy** — Unescape markdown escapes when copying user messages. (#15253)

---

## 🖥️ Desktop

- **App Nap fix** — Prevent App Nap from dropping the gateway WebSocket during display sleep. (#14994)
- **File preview** — Preview `.cjs`/`.mjs`/no-extension files instead of binary fallback and expand `~` when opening local files. (#15168, #15284)
- **Cross-platform settings** — Open settings via main-window navigation on Windows/Linux and restore the route after an update restart. (#15036, #14922)
- **Token refresh** — Prevent frequent logout from token-refresh retries. (#14928)

---

## 📊 Observability

- **OTel GenAI** — Instrument Agent Runtime with OpenTelemetry GenAI semantic conventions. (#15123)
- **Generation tracing** — Per-call `llm_generation_tracing` with a pre-allocated tracingId and recordFeedback router. (#15124, #15146)
- **Error classification** — Persist `ERROR_CODE_SPECS` classification on operation errors. (#15273)

---

## 🗃️ Database Migrations

- **Batch migrations** — Topic usage stats, push tokens, `tasks.editor_data`, and document shares. (#15280)
- **Tracing & eval tables** — Add `llm_generation_tracing` and agent eval experiment tables. (#15126)

> Self-hosted operators should run the database migration (`pnpm db:migrate`, or restart with auto-migrate enabled) after upgrading. The changes are additive and backwards-compatible.

---

## 🔒 Security & Reliability

- **Security:** Remove the `getPlaintextCred` tool to prevent plaintext credential exposure. (#14998)
- **Security:** Prompt account selection for Google OAuth and add `prompt=consent` to the OIDC authorization URL to fix missing refresh tokens. (#15234, #15010)
- **Reliability:** Preserve streamed content across a mid-stream cancel. (#15173)
- **Reliability:** Bound the Redis command timeout and configure the Anthropic client timeout. (#15091, #15042)
- **Reliability:** Prevent infinite recursion in the assistant chain. (#15288)

---

## 👥 Contributors

Huge thanks to **15 contributors** who shipped **220 merged PRs** this cycle.

@AnotiaWang · @sxjeru · @algojogacor · @hardy-one · @arvinxx · @Innei · @tjx666 · @lijian · @AmAzing129 · @rdmclin2 · @neko · @cy948 · @CanisMinor · @sudongyuer · @rivertwilight

Plus @lobehubbot and renovate[bot] for maintenance.

---

**Full Changelog**: v2.2.0...release/weekly-20260528
💻 Change Type
🔗 Related Issue
N/A
🔀 Description of Change
Desktop users were frequently getting logged out of cloud sync.
Root cause. The cloud OIDC provider runs with `rotateRefreshToken: true`: every refresh consumes the old refresh token immediately, and reusing a consumed token triggers reuse detection — `invalid_grant` plus revocation of the whole grant. `RemoteServerConfigCtr.refreshAccessToken` wrapped the token request in a retry loop (1 initial + 3 retries) that re-read the same stored refresh token on every attempt. The store is only updated after a fully successful round-trip, so whenever an attempt failed after the server had already consumed the token (lost response, timeout, JSON parse error), the next retry resent the now-consumed token → guaranteed `invalid_grant` → `clearTokens()` → forced re-login. The retry meant to add resilience instead converted a transient network blip into a hard logout.

This was amplified by `AuthCtr` proactively refreshing on every app launch and every activation (5-minute debounce), producing dozens of refresh-token rotations per day — dozens of chances to hit the race.

Fix (desktop client only):

- `RemoteServerConfigCtr`: remove the in-line retry. A refresh is now a single attempt; transient failures recover naturally on the next refresh cycle (the 2-minute timer / next launch). Single-flight dedup (`refreshPromise`) and the fatal-error classifier (`isNonRetryableError`, used to decide logout) are kept.
- `AuthCtr`: refresh proactively only when the access token is actually near expiry (`isTokenExpiringSoon()`), instead of on every launch/activation. The access token lives 7 days, so this cuts rotations from dozens/day to roughly one/week. Removes the now-dead debounce machinery (`shouldProactivelyRefresh`, `TOKEN_REFRESH_DEBOUNCE`).
- `async-retry` dependency.

🧪 How to Test

`RemoteServerConfigCtr.test.ts` and `AuthCtr.test.ts` updated; the former retry test (asserting 4 fetch calls) now asserts a single attempt, and the `invalid_grant` path explicitly asserts exactly one request — pinning the regression. `AuthCtr` proactive-refresh tests rewritten from debounce-based to expiry-based.

Verification: `vitest` 72 passed (RemoteServerConfigCtr 49 + AuthCtr 23); `tsgo` type-check clean for both controllers; `eslint` clean.

📸 Screenshots / Videos
No UI changes.
📝 Additional Information
Scope is desktop-only — no server / DB / migration changes, no cloud risk.
Known residual: a pure lost response (server consumed the token, the client never received the rotated one) still causes one logout on the next refresh, because the client genuinely never holds the new token. Fully closing this requires a server-side rotation grace window in the cloud OIDC provider (`oidc-provider` has no native support) — tracked as a separate follow-up, intentionally out of scope here.
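The failure mode described above, as an added TypeScript model that is not LobeHub or `oidc-provider` code: `RotatingServer`, `DesktopClient`, `scenario` and the `Fault` values are constructed names, and the fault is applied only to the first attempt of the first refresh cycle. It contrasts the old 4-attempt loop with a single attempt and also reproduces the known residual for a lost response.

```typescript
// Constructed model (not project code) of refresh-token rotation with reuse detection.
type Fault = 'none' | 'request-lost' | 'response-lost';
type CycleResult = 'refreshed' | 'failed' | 'logged-out';

class RotatingServer {
  private current = 'rt-1';
  private consumed = new Set<string>();
  private serial = 1;
  grantRevoked = false;
  refresh(token: string): string {
    if (this.consumed.has(token)) this.grantRevoked = true; // reuse detected: revoke the grant
    if (this.grantRevoked || token !== this.current) return 'invalid_grant';
    this.consumed.add(token); // the old token is consumed immediately
    this.serial += 1;
    this.current = `rt-${this.serial}`;
    return this.current;
  }
}

class DesktopClient {
  stored: string | null = 'rt-1';
  requestsSent = 0;
  // One refresh cycle; maxAttempts > 1 models the old loop that re-read the same stored token.
  refreshCycle(server: RotatingServer, maxAttempts: number, fault: Fault): CycleResult {
    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
      const token = this.stored;
      if (token === null) return 'logged-out';
      this.requestsSent += 1;
      const faultNow: Fault = attempt === 1 ? fault : 'none';
      if (faultNow === 'request-lost') continue; // server never saw the token
      const reply = server.refresh(token);
      if (faultNow === 'response-lost') continue; // server rotated, client saw a timeout
      if (reply === 'invalid_grant') { this.stored = null; return 'logged-out'; } // clearTokens()
      this.stored = reply; // store is updated only after a full round-trip
      return 'refreshed';
    }
    return 'failed'; // transient failure: tokens are kept for the next cycle
  }
}

// Runs a faulty first cycle followed by a clean one and reports both outcomes.
function scenario(maxAttempts: number, fault: Fault) {
  const server = new RotatingServer();
  const client = new DesktopClient();
  const first = client.refreshCycle(server, maxAttempts, fault);
  const next = client.refreshCycle(server, maxAttempts, 'none');
  return { first, next, requests: client.requestsSent, grantRevoked: server.grantRevoked };
}
```

`scenario(4, 'response-lost')` logs out inside the first cycle after two requests, `scenario(1, 'response-lost')` fails once and logs out on the next cycle, and `scenario(1, 'request-lost')` recovers on the next cycle with the grant intact.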