chore: commit bun lock#6
Merged
Merged
Conversation
vcapretz
approved these changes
Mar 10, 2026
dielduarte
added a commit
that referenced
this pull request
Jun 25, 2026
Felipe review (#6): both refreshOAuthGrant and exchangeAuthorizationCode cast the JSON body with `as` after only checking response.ok. A 200 with an unexpected body (proxy error page, partial payload) would be persisted as a grant. Add parseTokenResponse() to validate the required fields and reuse it in both token calls.
dielduarte
added a commit
that referenced
this pull request
Jun 25, 2026
My earlier #6 validation required refresh_token_expires_in and broke login: the /oauth/token response does not contain it. Confirmed against the server source (apps/public-api): token.ts returns { access_token, token_type, expires_in, refresh_token, scope } for both authorization_code and refresh_token grants (token.ts:199-205, 384-388); the refresh-token expiry is stored server-side only (issue-tokens.ts:101-103) and never sent to the client. This is standard OAuth 2.0 — refresh timing is driven by the access-token expiry (JWT exp), and an expired/revoked refresh token is signalled by an invalid_grant error on refresh (token.ts:242-247), not by a client-known timestamp. Changes: - parseTokenResponse: validate access_token, refresh_token, scope (the fields the server actually returns); drop the refresh_token_expires_in requirement. - Remove refresh_token_expires_at from the grant model entirely (OAuthGrantData, storeOAuthGrant, login). The CLI's old 'now + refresh_token_expires_in' computed NaN -> persisted null; that phantom field is gone. - refreshOAuthGrant: no client-side expiry pre-check (unknowable); attempt refresh and surface re-login on a non-OK response. - Tests updated to the real response shape; doctor refresh-failure test now mocks a 400 invalid_grant instead of the removed pre-check.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.