fix(amazonq): retry LSP token refresh on recoverable errors only. (aws#7192)

Hweinstock · web-flow · commit b60036b6c2ed · 2025-04-28T23:15:42.000-04:00
## Problem Some users were having invalid bearer token exceptions when making chat requests through agentic chat. This highlights an issue in how we sync the token. Originally, we thought this was because of a race condition. We check the token every 10 seconds for changes, and if its expired, refresh it and send it to the language server. However, that still leaves a 10 second gap where the language server could use an expired token before we update it. However, we add a buffer of one minute to our `isExpired` check here: https://github.com/aws/aws-toolkit-vscode/blob/db673c9b74b36591bb5642b3da7d4bc7ae2afaf4/packages/core/src/auth/sso/model.ts#L160 Therefore, this causes the token to expire a minute early, meaning there is a full minute, where our checks should detect the expired token and refresh it both locally and on the language server. However, they don't because the checks aren't actually being made. This is because of how we handle token refresh errors. Note the following behavior: - if refresh throws a recoverable error, we throw it. See [here](https://github.com/aws/aws-toolkit-vscode/blob/6dbb21e50e539c5973586714295e3ce066b030ef/packages/core/src/auth/auth.ts#L856-L878). - if refresh throws a non-recoverable error we invalidate the connection. see [here](https://github.com/aws/aws-toolkit-vscode/blob/6dbb21e50e539c5973586714295e3ce066b030ef/packages/core/src/auth/auth.ts#L893-L948). The current `refreshConnection` logic doesn't work with this because we continuously try to refresh until it throws an error. However, based on the behavior above, we do want to retry on refresh errors since that means the error is recoverable! Additionally, we don't want to retry when token refreshes result in an invalid connection because those are nonrecoverable errors. ## Solution - Refactor our token refreshes to log errors thrown and continue to retry (since these are implicitly recoverable errors). - Avoid refreshing when the connection state is invalid (since this implies an unrecoverable error). ## Notes - Flare auth can't come soon enough. This behavior is not obvious to a consumer, and leads to bugs like this. - debugged w/ @nkomonen-amazon --- - Treat all work as PUBLIC. Private `feature/x` branches will not be squash-merged at release time. - Your code changes must meet the guidelines in [CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines). - License: I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/packages/amazonq/src/lsp/auth.ts b/packages/amazonq/src/lsp/auth.ts
@@ -66,20 +66,29 @@ export const notificationTypes = {
  * Facade over our VSCode Auth that does crud operations on the language server auth
  */
 export class AmazonQLspAuth {
-    constructor(private readonly client: LanguageClient) {}
+    #logErrorIfChanged = onceChanged((s) => getLogger('amazonqLsp').error(s))
+    constructor(
+        private readonly client: LanguageClient,
+        private readonly authUtil: AuthUtil = AuthUtil.instance
+    ) {}
 
     /**
      * @param force bypass memoization, and forcefully update the bearer token
      */
     async refreshConnection(force: boolean = false) {
-        const activeConnection = AuthUtil.instance.auth.activeConnection
-        if (activeConnection?.type === 'sso') {
+        const activeConnection = this.authUtil.auth.activeConnection
+        if (activeConnection?.state === 'valid' && activeConnection?.type === 'sso') {
             // send the token to the language server
-            const token = await AuthUtil.instance.getBearerToken()
+            const token = await this.authUtil.getBearerToken()
             await (force ? this._updateBearerToken(token) : this.updateBearerToken(token))
         }
     }
 
+    async logRefreshError(e: unknown) {
+        const err = e as Error
+        this.#logErrorIfChanged(`Unable to update bearer token: ${err.name}:${err.message}`)
+    }
+
     public updateBearerToken = onceChanged(this._updateBearerToken.bind(this))
     private async _updateBearerToken(token: string) {
         const request = await this.createUpdateCredentialsRequest({
@@ -93,10 +102,7 @@ export class AmazonQLspAuth {
 
     public startTokenRefreshInterval(pollingTime: number = oneMinute / 2) {
         const interval = setInterval(async () => {
-            await this.refreshConnection().catch((e) => {
-                getLogger('amazonqLsp').error('Unable to update bearer token: %s', (e as Error).message)
-                clearInterval(interval)
-            })
+            await this.refreshConnection().catch((e) => this.logRefreshError(e))
         }, pollingTime)
         return interval
     }
