fix: Fix agent using stale oauth tokens (#579)

Author: charlesvien

apps/twig/src/main/index.ts

@@ -33,6 +33,7 @@ import { setMainWindowGetter } from "./trpc/context.js";
 import { trpcRouter } from "./trpc/index.js";
 
 import "./services/index.js";
+import type { AgentService } from "./services/agent/service.js";
 import type { AppLifecycleService } from "./services/app-lifecycle/service.js";
 import type { DeepLinkService } from "./services/deep-link/service.js";
 import type { ExternalAppsService } from "./services/external-apps/service.js";
@@ -257,6 +258,19 @@ function createWindow(): void {
                 container.get<UIService>(MAIN_TOKENS.UIService).clearStorage();
               },
             },
+            {
+              label: "Mark all agent sessions for recreation",
+              click: () => {
+                const count = container
+                  .get<AgentService>(MAIN_TOKENS.AgentService)
+                  .markAllSessionsForRecreation();
+                dialog.showMessageBox({
+                  type: "info",
+                  title: "Sessions Marked",
+                  message: `Marked ${count} session(s) for recreation.\n\nThey will be recreated on the next prompt.`,
+                });
+              },
+            },
           ],
         },
       ],

apps/twig/src/main/services/agent/schemas.ts

@@ -117,10 +117,9 @@ export const reconnectSessionInput = z.object({
 
 export type ReconnectSessionInput = z.infer<typeof reconnectSessionInput>;
 
-// Token refresh input
-export const tokenRefreshInput = z.object({
-  taskRunId: z.string(),
-  newToken: z.string(),
+// Token update input - updates the global token for all agent operations
+export const tokenUpdateInput = z.object({
+  token: z.string(),
 });
 
 // Set model input

apps/twig/src/main/services/agent/service.ts

@@ -189,6 +189,22 @@ export class AgentService extends TypedEventEmitter<AgentServiceEvents> {
     });
   }
 
+  /**
+   * Mark all sessions for recreation (developer tool for testing token refresh).
+   * Sessions will be recreated before their next prompt.
+   */
+  public markAllSessionsForRecreation(): number {
+    let count = 0;
+    for (const session of this.sessions.values()) {
+      session.needsRecreation = true;
+      count++;
+    }
+    log.info("Marked all sessions for recreation (dev tool)", {
+      sessionCount: count,
+    });
+    return count;
+  }
+
   /**
    * Respond to a pending permission request from the UI.
    * This resolves the promise that the agent is waiting on.
@@ -450,7 +466,7 @@ export class AgentService extends TypedEventEmitter<AgentServiceEvents> {
     const config = existing.config;
     const pendingContext = existing.pendingContext;
 
-    this.cleanupSession(taskRunId);
+    await this.cleanupSession(taskRunId);
 
     const newSession = await this.getOrCreateSession(config, true);
     if (!newSession) {
@@ -532,8 +548,12 @@ export class AgentService extends TypedEventEmitter<AgentServiceEvents> {
     const session = this.sessions.get(sessionId);
     if (!session) return false;
 
-    this.cleanupSession(sessionId);
-    return true;
+    try {
+      await this.cleanupSession(sessionId);
+      return true;
+    } catch (_err) {
+      return false;
+    }
   }
 
   async cancelPrompt(
@@ -783,9 +803,25 @@ For git operations while detached:
     }
   }
 
-  private cleanupSession(taskRunId: string): void {
+  private async cleanupSession(taskRunId: string): Promise<void> {
     const session = this.sessions.get(taskRunId);
     if (session) {
+      // Cancel any ongoing operations
+      try {
+        if (!session.connection.signal.aborted) {
+          await session.connection.cancel({ sessionId: taskRunId });
+        }
+      } catch {
+        // Ignore cancel errors
+      }
+
+      // Cleanup agent (closes streams, aborts subprocess)
+      try {
+        await session.agent.cleanup();
+      } catch {
+        // Ignore cleanup errors
+      }
+
       this.cleanupMockNodeEnvironment(session.mockNodeDir);
       this.sessions.delete(taskRunId);
     }

apps/twig/src/main/services/oauth/schemas.ts

@@ -6,11 +6,13 @@ export type CloudRegion = z.infer<typeof cloudRegion>;
 /**
  * Error codes for OAuth operations.
  * - network_error: Transient network issue, should retry
+ * - server_error: Server error (5xx), should retry
  * - auth_error: Authentication failed (invalid token, 401/403), should logout
  * - unknown_error: Other errors
  */
 export const oAuthErrorCode = z.enum([
   "network_error",
+  "server_error",
   "auth_error",
   "unknown_error",
 ]);

apps/twig/src/main/services/oauth/service.ts

@@ -180,10 +180,19 @@ export class OAuthService {
       if (!response.ok) {
         // 401/403 are auth errors - the token is invalid
         const isAuthError = response.status === 401 || response.status === 403;
+        // 5xx are server errors - should be retried
+        const isServerError = response.status >= 500;
+        log.warn(
+          `Token refresh failed: ${response.status} ${response.statusText}`,
+        );
         return {
           success: false,
-          error: `Token refresh failed: ${response.statusText}`,
-          errorCode: isAuthError ? "auth_error" : "unknown_error",
+          error: `Token refresh failed: ${response.status} ${response.statusText}`,
+          errorCode: isAuthError
+            ? "auth_error"
+            : isServerError
+              ? "server_error"
+              : "unknown_error",
         };
       }
 

apps/twig/src/main/trpc/routers/agent.ts

@@ -18,7 +18,7 @@ import {
   setModelInput,
   startSessionInput,
   subscribeSessionInput,
-  tokenRefreshInput,
+  tokenUpdateInput,
 } from "../../services/agent/schemas.js";
 import type { AgentService } from "../../services/agent/service.js";
 import { publicProcedure, router } from "../trpc.js";
@@ -53,11 +53,9 @@ export const agentRouter = router({
     .output(sessionResponseSchema.nullable())
     .mutation(({ input }) => getService().reconnectSession(input)),
 
-  refreshToken: publicProcedure
-    .input(tokenRefreshInput)
-    .mutation(({ input }) => {
-      getService().updateToken(input.newToken);
-    }),
+  updateToken: publicProcedure.input(tokenUpdateInput).mutation(({ input }) => {
+    getService().updateToken(input.token);
+  }),
 
   setModel: publicProcedure
     .input(setModelInput)
@@ -138,4 +136,8 @@ export const agentRouter = router({
     .mutation(({ input }) =>
       getService().notifySessionContext(input.sessionId, input.context),
     ),
+
+  markAllForRecreation: publicProcedure.mutation(() =>
+    getService().markAllSessionsForRecreation(),
+  ),
 });

apps/twig/src/renderer/features/auth/stores/authStore.ts

@@ -38,6 +38,7 @@ interface AuthState {
   tokenExpiry: number | null; // Unix timestamp in milliseconds
   cloudRegion: CloudRegion | null;
   storedTokens: StoredTokens | null;
+  staleTokens: StoredTokens | null;
 
   // PostHog client
   isAuthenticated: boolean;
@@ -66,6 +67,7 @@ export const useAuthStore = create<AuthState>()(
         tokenExpiry: null,
         cloudRegion: null,
         storedTokens: null,
+        staleTokens: null,
 
         // PostHog client
         isAuthenticated: false,
@@ -126,6 +128,10 @@ export const useAuthStore = create<AuthState>()(
               projectId,
             });
 
+            trpcVanilla.agent.updateToken
+              .mutate({ token: tokenResponse.access_token })
+              .catch((err) => log.warn("Failed to update agent token", err));
+
             // Clear any cached data from previous sessions AFTER setting new auth
             queryClient.clear();
 
@@ -191,15 +197,24 @@ export const useAuthStore = create<AuthState>()(
                 });
 
                 if (!result.success || !result.data) {
-                  // Network errors should retry, auth errors should logout immediately
-                  if (result.errorCode === "network_error") {
+                  // Network/server errors should retry, auth errors should logout immediately
+                  if (
+                    result.errorCode === "network_error" ||
+                    result.errorCode === "server_error"
+                  ) {
                     log.warn(
-                      `Token refresh network error (attempt ${attempt + 1}): ${result.error}`,
+                      `Token refresh ${result.errorCode} (attempt ${attempt + 1}/${REFRESH_MAX_RETRIES}): ${result.error}`,
+                    );
+                    lastError = new Error(
+                      result.error || "Token refresh failed",
                     );
                     continue; // Retry
                   }
 
                   // Auth error or unknown - logout
+                  log.error(
+                    `Token refresh failed with ${result.errorCode}: ${result.error}`,
+                  );
                   get().logout();
                   throw new Error(result.error || "Token refresh failed");
                 }
@@ -244,6 +259,12 @@ export const useAuthStore = create<AuthState>()(
                   ...(projectId && { projectId }),
                 });
 
+                trpcVanilla.agent.updateToken
+                  .mutate({ token: tokenResponse.access_token })
+                  .catch((err) =>
+                    log.warn("Failed to update agent token", err),
+                  );
+
                 get().scheduleTokenRefresh();
                 return; // Success
               } catch (error) {
@@ -263,7 +284,9 @@ export const useAuthStore = create<AuthState>()(
             }
 
             // All retries exhausted
-            log.error("Token refresh failed after all retries");
+            log.error(
+              `Token refresh failed after all retries: ${lastError?.message || "Unknown error"}`,
+            );
             get().logout();
             throw lastError || new Error("Token refresh failed");
           };
@@ -384,6 +407,12 @@ export const useAuthStore = create<AuthState>()(
                   projectId,
                 });
 
+                trpcVanilla.agent.updateToken
+                  .mutate({ token: currentTokens.accessToken })
+                  .catch((err) =>
+                    log.warn("Failed to update agent token", err),
+                  );
+
                 get().scheduleTokenRefresh();
 
                 // Use distinct_id to match web sessions (same as PostHog web app)
@@ -457,12 +486,15 @@ export const useAuthStore = create<AuthState>()(
 
           useNavigationStore.getState().navigateToTaskInput();
 
+          const currentTokens = get().storedTokens;
+
           set({
             oauthAccessToken: null,
             oauthRefreshToken: null,
             tokenExpiry: null,
             cloudRegion: null,
             storedTokens: null,
+            staleTokens: currentTokens,
             isAuthenticated: false,
             client: null,
             projectId: null,
@@ -475,6 +507,7 @@ export const useAuthStore = create<AuthState>()(
         partialize: (state) => ({
           cloudRegion: state.cloudRegion,
           storedTokens: state.storedTokens,
+          staleTokens: state.staleTokens,
           projectId: state.projectId,
         }),
       },

apps/twig/src/renderer/features/sessions/stores/sessionStore.ts

@@ -1360,30 +1360,3 @@ export const useCurrentModeForTask = (
     return session?.currentMode;
   });
 };
-
-// Token refresh subscription
-let lastKnownToken: string | null = null;
-useAuthStore.subscribe(
-  (state) => state.oauthAccessToken,
-  (newToken) => {
-    if (!newToken || newToken === lastKnownToken) return;
-    lastKnownToken = newToken;
-
-    const sessions = useStore.getState().sessions;
-    for (const session of Object.values(sessions)) {
-      if (session.status === "connected" && !session.isCloud) {
-        trpcVanilla.agent.refreshToken
-          .mutate({
-            taskRunId: session.taskRunId,
-            newToken,
-          })
-          .catch((err) => {
-            log.warn("Failed to update session token", {
-              taskRunId: session.taskRunId,
-              error: err,
-            });
-          });
-      }
-    }
-  },
-);