Fix Fitbit auth failure: stale JWT, token desync, and silent error swallowing

Three bugs caused 'Authentication required' errors when connecting/reconnecting Fitbit:

1. useTrackerAuth read session.access_token from React state set once at init — after
   the Supabase JWT expired (~1hr), the stale token was still sent. Now calls
   getAccessToken() which auto-refreshes via SecureStore/GoAuth.

2. getAccessToken() now syncs refreshed tokens back to React state, Zustand store,
   and the Supabase JS client when it detects the token changed — preventing desync
   between the three auth layers.

3. fitbit-auth-start returned JSON 401 on auth errors, but expo-web-browser cannot
   parse JSON responses. Now extracts redirect_uri before auth check and redirects
   errors back to the app as ?error=...&success=false query params.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: schwaaamp

mobile/src/utils/auth/__tests__/useAuth.test.tsx

@@ -2,6 +2,8 @@ import { renderHook, waitFor, act } from '@testing-library/react-native';
 import { useAuth, resetSessionInit } from '../useAuth';
 import * as SupabaseAuth from '@/utils/supabaseAuth';
 import { signInWithGoogleWebBrowser } from '../googleAuth';
+import { supabase } from '@/utils/supabaseClient';
+import { useAuthStore } from '../store';
 import { Platform } from 'react-native';
 
 // Mock dependencies
@@ -544,4 +546,129 @@ describe('useAuth Hook', () => {
       });
     });
   });
+
+  describe('Token refresh sync (getAccessToken)', () => {
+    const initialSession = {
+      access_token: 'initial-token',
+      refresh_token: 'refresh-token',
+      expires_at: Date.now() / 1000 + 3600,
+    };
+
+    const refreshedSession = {
+      access_token: 'refreshed-token',
+      refresh_token: 'new-refresh-token',
+      expires_at: Date.now() / 1000 + 7200,
+    };
+
+    it('should update React session state when getAccessToken detects a refreshed token', async () => {
+      // Start with initial session
+      SupabaseAuth.getSession.mockResolvedValue(initialSession);
+
+      const { result } = renderHook(() => useAuth());
+
+      await waitFor(() => {
+        expect(result.current.isReady).toBe(true);
+        expect(result.current.session?.access_token).toBe('initial-token');
+      });
+
+      // Now getSession returns refreshed token (as if SupabaseAuth.refreshSession ran)
+      SupabaseAuth.getSession.mockResolvedValue(refreshedSession);
+
+      await act(async () => {
+        const token = await result.current.getAccessToken();
+        expect(token).toBe('refreshed-token');
+      });
+
+      // The hook's session state should now reflect the refreshed token
+      expect(result.current.session?.access_token).toBe('refreshed-token');
+    });
+
+    it('should sync Zustand auth store when token is refreshed', async () => {
+      SupabaseAuth.getSession.mockResolvedValue(initialSession);
+
+      const { result } = renderHook(() => useAuth());
+
+      await waitFor(() => {
+        expect(result.current.isReady).toBe(true);
+      });
+
+      // Clear mock call history from initialization
+      const setAuthMock = useAuthStore.getState().setAuth as jest.Mock;
+      setAuthMock.mockClear();
+
+      // Return refreshed session
+      SupabaseAuth.getSession.mockResolvedValue(refreshedSession);
+
+      await act(async () => {
+        await result.current.getAccessToken();
+      });
+
+      // Zustand store should be updated with the new token
+      expect(setAuthMock).toHaveBeenCalledWith({ token: 'refreshed-token' });
+    });
+
+    it('should update Supabase client session when token is refreshed', async () => {
+      SupabaseAuth.getSession.mockResolvedValue(initialSession);
+
+      const { result } = renderHook(() => useAuth());
+
+      await waitFor(() => {
+        expect(result.current.isReady).toBe(true);
+      });
+
+      // Spy on supabase.auth.setSession
+      const setSessionSpy = jest.spyOn(supabase.auth, 'setSession').mockResolvedValue({
+        data: { session: null, user: null },
+        error: null,
+      });
+
+      // Return refreshed session
+      SupabaseAuth.getSession.mockResolvedValue(refreshedSession);
+
+      await act(async () => {
+        await result.current.getAccessToken();
+      });
+
+      // Supabase client should be updated with the new tokens
+      expect(setSessionSpy).toHaveBeenCalledWith({
+        access_token: 'refreshed-token',
+        refresh_token: 'new-refresh-token',
+      });
+
+      setSessionSpy.mockRestore();
+    });
+
+    it('should NOT sync state when token has not changed', async () => {
+      SupabaseAuth.getSession.mockResolvedValue(initialSession);
+
+      const setSessionSpy = jest.spyOn(supabase.auth, 'setSession').mockResolvedValue({
+        data: { session: null, user: null },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useAuth());
+
+      await waitFor(() => {
+        expect(result.current.isReady).toBe(true);
+      });
+
+      // Clear mock calls from initialization
+      const setAuthMock = useAuthStore.getState().setAuth as jest.Mock;
+      setAuthMock.mockClear();
+      setSessionSpy.mockClear();
+
+      // Return the SAME session (no refresh happened)
+      SupabaseAuth.getSession.mockResolvedValue(initialSession);
+
+      await act(async () => {
+        await result.current.getAccessToken();
+      });
+
+      // Neither Zustand store nor Supabase client should be updated
+      expect(setAuthMock).not.toHaveBeenCalled();
+      expect(setSessionSpy).not.toHaveBeenCalled();
+
+      setSessionSpy.mockRestore();
+    });
+  });
 });

mobile/src/utils/auth/useAuth.ts

@@ -411,8 +411,24 @@ export const useAuth = (): UseAuthReturn => {
 
   const getAccessToken = useCallback(async (): Promise<string | undefined> => {
     const currentSession = await SupabaseAuth.getSession();
-    return currentSession?.access_token;
-  }, []);
+    if (!currentSession?.access_token) return undefined;
+
+    // If the token was refreshed (SupabaseAuth.getSession auto-refreshes expired
+    // tokens via GoAuth), sync the new token to all auth state holders so other
+    // consumers don't operate with a stale JWT.
+    if (currentSession.access_token !== session?.access_token) {
+      setSession(currentSession);
+      useAuthStore.getState().setAuth({ token: currentSession.access_token });
+
+      // Keep the Supabase JS client in sync for RLS queries
+      supabase.auth.setSession({
+        access_token: currentSession.access_token,
+        refresh_token: currentSession.refresh_token || '',
+      }).catch(() => {});
+    }
+
+    return currentSession.access_token;
+  }, [session?.access_token]);
 
   // Legacy: Keep for WebView compatibility on web platform
   const handleAuthMessage = useCallback(async (data: AuthMessageData): Promise<void> => {

mobile/src/utils/fitnessTrackers/__tests__/useTrackerAuth.test.tsx

@@ -18,11 +18,12 @@ import { CONNECTED_TRACKERS_QUERY_KEY } from '../useConnectedTrackers';
 // Mocks
 // ---------------------------------------------------------------------------
 
-// useAuth mock — default: valid session
+// useAuth mock — default: valid session with getAccessToken
 const mockSession = { access_token: 'test-jwt-token' };
+const mockGetAccessToken = jest.fn<() => Promise<string | undefined>>().mockResolvedValue('fresh-jwt-token');
 jest.mock('@/utils/auth/useAuth', () => ({
   __esModule: true,
-  default: () => ({ session: mockSession }),
+  default: () => ({ session: mockSession, getAccessToken: mockGetAccessToken }),
 }));
 
 // Typed references to jest.setup.js mocks
@@ -72,6 +73,7 @@ beforeEach(() => {
   queryClient = createTestQueryClient();
   process.env.EXPO_PUBLIC_SUPABASE_URL = SUPABASE_URL;
   mockSession.access_token = 'test-jwt-token';
+  mockGetAccessToken.mockResolvedValue('fresh-jwt-token');
   mockCreateURL.mockImplementation((path: string) => `healthdecoder://${path}`);
 });
 
@@ -101,7 +103,7 @@ describe('useTrackerAuth', () => {
     });
 
     it('clearError resets error after a failed auth attempt', async () => {
-      mockSession.access_token = '';
+      mockGetAccessToken.mockResolvedValue(undefined);
 
       const { result } = renderHook(() => useTrackerAuth(), {
         wrapper: createWrapper(queryClient),
@@ -126,8 +128,8 @@ describe('useTrackerAuth', () => {
   // -------------------------------------------------------------------------
 
   describe('guard clauses', () => {
-    it('returns error when session has no access_token', async () => {
-      mockSession.access_token = '';
+    it('returns error when getAccessToken returns undefined (no session)', async () => {
+      mockGetAccessToken.mockResolvedValue(undefined);
 
       const { result } = renderHook(() => useTrackerAuth(), {
         wrapper: createWrapper(queryClient),
@@ -232,7 +234,7 @@ describe('useTrackerAuth', () => {
     });
 
     it('constructs the correct auth URL with encoded token and redirect_uri', async () => {
-      mockSession.access_token = 'token/with special&chars=yes';
+      mockGetAccessToken.mockResolvedValue('token/with special&chars=yes');
       mockOpenAuthSession.mockResolvedValue(browserSuccess({ tracker_id: 'trk-1' }));
 
       const { result } = renderHook(() => useTrackerAuth(), {
@@ -248,7 +250,7 @@ describe('useTrackerAuth', () => {
 
       // Auth URL starts with the correct base
       expect(authUrl).toContain(`${SUPABASE_URL}/functions/v1/fitbit-auth-start`);
-      // Token is URI-encoded
+      // Token from getAccessToken() is URI-encoded
       expect(authUrl).toContain(`token=${encodeURIComponent('token/with special&chars=yes')}`);
       // redirect_uri is appended and encoded
       expect(authUrl).toContain(`redirect_uri=${encodeURIComponent('healthdecoder://auth/fitness-tracker')}`);
@@ -377,4 +379,78 @@ describe('useTrackerAuth', () => {
       expect(result.current.error).toBeNull();
     });
   });
+
+  // -------------------------------------------------------------------------
+  // Group 6 — Fresh token retrieval (Fix: stale JWT bug)
+  // -------------------------------------------------------------------------
+
+  describe('fresh token retrieval', () => {
+    it('calls getAccessToken() to get a fresh token instead of using session.access_token', async () => {
+      mockOpenAuthSession.mockResolvedValue(browserSuccess({ tracker_id: 'trk-1' }));
+
+      const { result } = renderHook(() => useTrackerAuth(), {
+        wrapper: createWrapper(queryClient),
+      });
+
+      await act(async () => {
+        await result.current.authenticate('fitbit');
+      });
+
+      // Must call getAccessToken to get a fresh (possibly refreshed) token
+      expect(mockGetAccessToken).toHaveBeenCalledTimes(1);
+    });
+
+    it('uses the fresh token from getAccessToken() in the auth URL, not the stale session token', async () => {
+      // Simulate stale session: session.access_token is old, getAccessToken returns fresh
+      mockSession.access_token = 'stale-expired-token';
+      mockGetAccessToken.mockResolvedValue('fresh-refreshed-token');
+      mockOpenAuthSession.mockResolvedValue(browserSuccess({ tracker_id: 'trk-1' }));
+
+      const { result } = renderHook(() => useTrackerAuth(), {
+        wrapper: createWrapper(queryClient),
+      });
+
+      await act(async () => {
+        await result.current.authenticate('fitbit');
+      });
+
+      const [authUrl] = mockOpenAuthSession.mock.calls[0];
+      // URL must contain the FRESH token, not the stale one
+      expect(authUrl).toContain(`token=${encodeURIComponent('fresh-refreshed-token')}`);
+      expect(authUrl).not.toContain('stale-expired-token');
+    });
+
+    it('returns not-authenticated error when getAccessToken() returns undefined', async () => {
+      mockGetAccessToken.mockResolvedValue(undefined);
+
+      const { result } = renderHook(() => useTrackerAuth(), {
+        wrapper: createWrapper(queryClient),
+      });
+
+      let authResult: any;
+      await act(async () => {
+        authResult = await result.current.authenticate('fitbit');
+      });
+
+      expect(authResult).toEqual({ success: false, error: 'Not authenticated' });
+      expect(mockOpenAuthSession).not.toHaveBeenCalled();
+    });
+
+    it('handles getAccessToken() throwing an error', async () => {
+      mockGetAccessToken.mockRejectedValue(new Error('SecureStore read failed'));
+
+      const { result } = renderHook(() => useTrackerAuth(), {
+        wrapper: createWrapper(queryClient),
+      });
+
+      let authResult: any;
+      await act(async () => {
+        authResult = await result.current.authenticate('fitbit');
+      });
+
+      expect(authResult.success).toBe(false);
+      expect(authResult.error).toBe('SecureStore read failed');
+      expect(mockOpenAuthSession).not.toHaveBeenCalled();
+    });
+  });
 });

mobile/src/utils/fitnessTrackers/useTrackerAuth.ts

@@ -39,30 +39,34 @@ export function useTrackerAuth(): UseTrackerAuthReturn {
   const [isAuthenticating, setIsAuthenticating] = useState(false);
   const [error, setError] = useState<string | null>(null);
   const queryClient = useQueryClient();
-  const { session } = useAuth();
+  const { getAccessToken } = useAuth();
 
   /**
    * Start the OAuth flow for a fitness tracker provider
    * @param provider - 'fitbit', 'whoop', or 'oura'
    * @returns Promise with authentication result
    */
   const authenticate = useCallback(async (provider: ProviderId): Promise<AuthenticateResult> => {
-    if (!session?.access_token) {
-      setError('Not authenticated');
-      return { success: false, error: 'Not authenticated' };
-    }
-
     setIsAuthenticating(true);
     setError(null);
 
     try {
+      // Get a fresh token — session.access_token may be stale if the Supabase
+      // client auto-refreshed since the hook last rendered. getAccessToken()
+      // reads from SecureStore and refreshes via GoAuth if expired.
+      const accessToken = await getAccessToken();
+      if (!accessToken) {
+        setError('Not authenticated');
+        return { success: false, error: 'Not authenticated' };
+      }
+
       const supabaseUrl = process.env.EXPO_PUBLIC_SUPABASE_URL;
       if (!supabaseUrl) {
         throw new Error('EXPO_PUBLIC_SUPABASE_URL is not configured');
       }
 
-      // Build the auth start URL with the token
-      const authUrl = `${supabaseUrl}/functions/v1/${provider}-auth-start?token=${encodeURIComponent(session.access_token)}`;
+      // Build the auth start URL with the fresh token
+      const authUrl = `${supabaseUrl}/functions/v1/${provider}-auth-start?token=${encodeURIComponent(accessToken)}`;
 
       // Create the redirect URL that the callback will redirect to
       const redirectUrl = Linking.createURL('auth/fitness-tracker');
@@ -138,7 +142,7 @@ export function useTrackerAuth(): UseTrackerAuthReturn {
     } finally {
       setIsAuthenticating(false);
     }
-  }, [session?.access_token, queryClient]);
+  }, [getAccessToken, queryClient]);
 
   /**
    * Clear any error state