fix: address critical issues in Qwen OAuth implementation

daniel-lxs · daniel-lxs · commit c33ff7a29ea0 · 2025-08-24T22:18:50.000-05:00
- Add mutex/promise-based deduplication to prevent race conditions in token refresh - Add error handling for credential file write operations - Ensure only one token refresh happens at a time for concurrent requests - Continue with refreshed token in memory if file write fails Addresses review feedback from PR #7380
diff --git a/src/api/providers/qwen-code.ts b/src/api/providers/qwen-code.ts
@@ -52,6 +52,7 @@ export class QwenCodeHandler extends BaseProvider implements SingleCompletionHan
 	protected options: QwenCodeHandlerOptions
 	private credentials: QwenOAuthCredentials | null = null
 	private client: OpenAI | undefined
+	private refreshPromise: Promise<QwenOAuthCredentials> | null = null
 
 	constructor(options: QwenCodeHandlerOptions) {
 		super()
@@ -84,6 +85,24 @@ export class QwenCodeHandler extends BaseProvider implements SingleCompletionHan
 	}
 
 	private async refreshAccessToken(credentials: QwenOAuthCredentials): Promise<QwenOAuthCredentials> {
+		// If a refresh is already in progress, return the existing promise
+		if (this.refreshPromise) {
+			return this.refreshPromise
+		}
+
+		// Create a new refresh promise
+		this.refreshPromise = this.doRefreshAccessToken(credentials)
+
+		try {
+			const result = await this.refreshPromise
+			return result
+		} finally {
+			// Clear the promise after completion (success or failure)
+			this.refreshPromise = null
+		}
+	}
+
+	private async doRefreshAccessToken(credentials: QwenOAuthCredentials): Promise<QwenOAuthCredentials> {
 		if (!credentials.refresh_token) {
 			throw new Error("No refresh token available in credentials.")
 		}
@@ -123,7 +142,12 @@ export class QwenCodeHandler extends BaseProvider implements SingleCompletionHan
 		}
 
 		const filePath = getQwenCachedCredentialPath(this.options.qwenCodeOauthPath)
-		await fs.writeFile(filePath, JSON.stringify(newCredentials, null, 2))
+		try {
+			await fs.writeFile(filePath, JSON.stringify(newCredentials, null, 2))
+		} catch (error) {
+			console.error("Failed to save refreshed credentials:", error)
+			// Continue with the refreshed token in memory even if file write fails
+		}
 
 		return newCredentials
 	}
