fix: respect expired server TTL and use current token for cache storage

BYK · BYK · commit be173eb890cc · 2026-03-04T16:44:37.000Z
- Fix fallback TTL overriding explicitly expired server cache headers.
  Changed isEntryFresh() to use serverTtl !== 0 (catches both positive
  and negative values) instead of serverTtl &gt; 0 (missed negative/expired).
  Same fix in collectEntryMetadata() with explicit &lt; 0 branch.
- Fix cache storing stale token after 401 refresh. Use getAuthToken()
  (reads current DB value) instead of the captured token variable when
  building cache request headers, so post-refresh tokens are stored.
diff --git a/src/lib/response-cache.ts b/src/lib/response-cache.ts
@@ -232,14 +232,16 @@ function isEntryFresh(
     return true;
   }
 
-  // CachePolicy says stale — check if we should override with fallback TTL
+  // CachePolicy says stale — check if we should override with fallback TTL.
+  // timeToLive() returns 0 when the server sent no cache headers, or a
+  // positive/negative value when it did (negative = already expired).
   const serverTtl = policy.timeToLive();
-  if (serverTtl > 0) {
-    // Server provided a TTL and it expired — respect the server
+  if (serverTtl !== 0) {
+    // Server provided an explicit TTL — respect it (even if expired)
     return false;
   }
 
-  // No server TTL — use our fallback tier
+  // No server TTL (0) — use our URL-based fallback tier
   const tier = classifyUrl(url);
   const fallbackTtl = FALLBACK_TTL_MS[tier];
   const age = Date.now() - entry.createdAt;
@@ -516,12 +518,17 @@ async function collectEntryMetadata(
       const entry = JSON.parse(raw) as CacheEntry;
       const policy = CachePolicy.fromObject(entry.policy);
 
+      // timeToLive() returns 0 when the server sent no cache headers,
+      // positive when still fresh, negative when explicitly expired.
       const serverTtl = policy.timeToLive();
       let expired: boolean;
       if (serverTtl > 0) {
         expired = false;
+      } else if (serverTtl < 0) {
+        // Server-provided TTL has expired — don't override with fallback
+        expired = true;
       } else {
-        // Use the entry's stored URL for accurate tier classification
+        // No server TTL (0) — use URL-based fallback tier
         const tier = classifyUrl(entry.url ?? "");
         expired = now - entry.createdAt > FALLBACK_TTL_MS[tier];
       }
diff --git a/src/lib/sentry-client.ts b/src/lib/sentry-client.ts
@@ -280,7 +280,14 @@ async function fetchWithRetry(
     const result = await executeAttempt(input, init, headers, isLastAttempt);
 
     if (result.action === "done") {
-      cacheResponse(method, fullUrl, authHeaders(token), result.response);
+      // Use getAuthToken() instead of captured `token` — after a 401 refresh,
+      // handleUnauthorized stores a new token in the DB
+      cacheResponse(
+        method,
+        fullUrl,
+        authHeaders(getAuthToken()),
+        result.response
+      );
       return result.response;
     }
     if (result.action === "throw") {
