Skip to content

fix(cli): serialize token refresh across processes#34

Open
appleboy wants to merge 2 commits into
mainfrom
worktree-keyring
Open

fix(cli): serialize token refresh across processes#34
appleboy wants to merge 2 commits into
mainfrom
worktree-keyring

Conversation

@appleboy
Copy link
Copy Markdown
Member

@appleboy appleboy commented Apr 23, 2026
edited
Loading

Summary

Two concurrent authgate-cli invocations that both see an expired access token race to call the refresh endpoint with the same refresh token. On servers that rotate refresh tokens (the go-authgate default), the first request consumes the token and the second gets invalid_grant, forcing the second CLI back into an interactive login. This PR serialises the refresh critical section across processes so only one refresh happens.

How it works

  • Cross-process advisory lock (github.com/gofrs/flock) wraps the load → refresh → save critical section. It relies on kernel fcntl/LockFileEx and is released automatically if the holder crashes — no stale-lock heuristics required.
  • Peer-refresh shortcut: after taking the lock the CLI re-reads the store; if a peer process already refreshed (the stored token is usable and differs from the stale copy), that fresh token is returned without a network call. If the peer rotated the refresh token, the rotated value is picked up before the exchange.
  • Signature change: refreshAccessToken now takes the full stale credstore.Token (instead of just the refresh-token string) so peer-refresh detection can compare both the access and refresh token fields.
  • Lock placement: the lock lives in refreshAccessToken, which every refresh path (run, ensureFreshToken, makeAPICallWithAutoRefresh) funnels through. For an explicit absolute token-file path the lock sits next to the file; for relative paths (the default, and keyring/auto backends where the token never touches disk) it is anchored under the user cache dir, so refresh never requires a writable working directory and concurrent runs from different directories still serialise. The client ID is hashed into the lock filename so it can never escape the lock directory.

Test plan

  • go test ./... passes (incl. existing TestRefreshAccessToken_RotationMode)
  • New TestRefreshAccessToken_PeerAlreadyRefreshed asserts no network call is made when the store already contains a peer-refreshed token
  • New lock_test.go covers acquire/release, hostile client IDs (path traversal), and relative-path placement
  • make lint is clean (golangci-lint: 0 issues)
  • Manual: run two CLI instances against a rotation-mode server with an expired access token — confirm only one refresh request hits the server

Notes

  • Reviewed with a multi-angle pass; behavior-preserving cleanups were folded in: the redundant lock-wrapper struct was dropped (*flock.Flock already satisfies io.Closer), and the peer-check reuses the shared tokenUsable predicate.
  • Copilot review fixes folded in: the lock is now anchored in a cwd-independent, reliably-writable location for keyring/relative-path runs, and the client ID is hashed into a filesystem-safe lock filename (no path-traversal or invalid-character risk).

🤖 Generated with Claude Code

Copilot AI review requested due to automatic review settings April 23, 2026 14:59
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Apr 23, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 67.44186% with 14 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
lock.go 66.66% 4 Missing and 4 partials ⚠️
auth.go 81.25% 2 Missing and 1 partial ⚠️
config.go 0.00% 2 Missing ⚠️
main.go 0.00% 1 Missing ⚠️

📢 Thoughts on this report? Let us know!

Copilot AI reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR prevents concurrent authgate-cli processes from racing during refresh-token rotation by serializing the refresh-and-save critical section using a cross-process advisory lock, and adds coverage to ensure peer-refreshed tokens short-circuit the network call.

Changes:

  • Add lockTokenStore (gofrs/flock-based) to serialize refresh across CLI processes.
  • Update refreshAccessToken to accept the full stale token, re-load the store after lock acquisition, and return peer-refreshed tokens without a refresh request.
  • Add a new test ensuring no network call occurs when a peer already refreshed, and update existing tests/call sites to the new refresh API.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
main_test.go Updates test config to include TokenFile, adjusts refresh tests to new signature, and adds peer-refresh short-circuit test.
main.go Updates refresh call site to pass the full stored token.
auth.go Implements lock + peer-check logic in refreshAccessToken; updates auto-refresh call site.
config.go Adds TokenFile to AppConfig and wires it through config/store initialization.
lock.go Introduces cross-process advisory lock implementation used by refresh flow.
go.mod Adds github.com/gofrs/flock dependency.
go.sum Adds checksums for the new dependency.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread lock.go
Comment thread lock.go Outdated
@appleboy appleboy force-pushed the worktree-keyring branch from 291eef5 to b18e909 Compare May 30, 2026 03:52
@appleboy
fix(cli): serialize token refresh across processes
17bddfd 
- Take a cross-process advisory lock (via gofrs/flock) around the refresh-and-save critical section so concurrent CLI invocations cannot spend the same refresh token twice
- Re-read the store under the lock and return a peer process's fresh token when it has already completed a refresh, avoiding an unnecessary network call and a guaranteed invalid_grant on rotation servers
- Change refreshAccessToken to accept the full stale Token so peer-refresh detection can compare access and refresh token fields
- Expose TokenFile on AppConfig so the lock path is known regardless of the active storage backend
- Add a test that pre-populates the store with a peer-refreshed token and asserts refreshAccessToken returns it without hitting the network
@appleboy appleboy force-pushed the worktree-keyring branch from b18e909 to 17bddfd Compare May 30, 2026 04:47
@appleboy
fix(cli): harden refresh lock file path
e201a50 
- Anchor the refresh lock under the user cache dir when the token file path is relative, so keyring/auto runs no longer require a writable working directory and still serialize across directories
- Hash the client ID into the lock filename so path separators or traversal segments cannot escape the lock directory or produce an invalid name
- Add lock tests covering acquire and release, hostile client IDs, and relative-path placement
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@appleboy @codecov-commenter