Add authentication error recovery to web command

claude · claude · commit 07a00db9f03a · 2026-01-02T18:03:06.000Z
When the web command encounters a 401 authentication error, it now: 1. Automatically runs `claude -p hi` to refresh the OAuth token 2. Retries the failed API request with the refreshed credentials 3. Only attempts recovery once to prevent infinite loops This eliminates the need for users to manually refresh their token when it expires during operation. Closes #40
diff --git a/src/claude_code_transcripts/__init__.py b/src/claude_code_transcripts/__init__.py
@@ -565,6 +565,18 @@ def get_api_headers(token, org_uuid):
     }
 
 
+def refresh_token():
+    """Refresh the Claude API token by running claude -p prompt.
+
+    This triggers Claude Code to refresh the OAuth token stored in the keychain.
+    """
+    subprocess.run(
+        ["claude", "-p", "hi"],
+        capture_output=True,
+        timeout=60,
+    )
+
+
 def fetch_sessions(token, org_uuid):
     """Fetch list of sessions from the API.
 
@@ -1900,6 +1912,9 @@ def web_cmd(
 
     If SESSION_ID is not provided, displays an interactive picker to select a session.
     """
+    # Track if we've already attempted token refresh (to prevent infinite loops)
+    token_refreshed = False
+
     try:
         token, org_uuid = resolve_credentials(token, org_uuid)
     except click.ClickException:
@@ -1910,9 +1925,26 @@ def web_cmd(
         try:
             sessions_data = fetch_sessions(token, org_uuid)
         except httpx.HTTPStatusError as e:
-            raise click.ClickException(
-                f"API request failed: {e.response.status_code} {e.response.text}"
-            )
+            if e.response.status_code == 401 and not token_refreshed:
+                click.echo("Authentication failed, refreshing token...")
+                refresh_token()
+                token_refreshed = True
+                # Re-fetch token from keychain if we auto-detected it
+                new_token = get_access_token_from_keychain()
+                if new_token:
+                    token = new_token
+                try:
+                    sessions_data = fetch_sessions(token, org_uuid)
+                except httpx.HTTPStatusError as e2:
+                    raise click.ClickException(
+                        f"API request failed: {e2.response.status_code} {e2.response.text}"
+                    )
+                except httpx.RequestError as e2:
+                    raise click.ClickException(f"Network error: {e2}")
+            else:
+                raise click.ClickException(
+                    f"API request failed: {e.response.status_code} {e.response.text}"
+                )
         except httpx.RequestError as e:
             raise click.ClickException(f"Network error: {e}")
 
@@ -1948,9 +1980,26 @@ def web_cmd(
     try:
         session_data = fetch_session(token, org_uuid, session_id)
     except httpx.HTTPStatusError as e:
-        raise click.ClickException(
-            f"API request failed: {e.response.status_code} {e.response.text}"
-        )
+        if e.response.status_code == 401 and not token_refreshed:
+            click.echo("Authentication failed, refreshing token...")
+            refresh_token()
+            token_refreshed = True
+            # Re-fetch token from keychain if we auto-detected it
+            new_token = get_access_token_from_keychain()
+            if new_token:
+                token = new_token
+            try:
+                session_data = fetch_session(token, org_uuid, session_id)
+            except httpx.HTTPStatusError as e2:
+                raise click.ClickException(
+                    f"API request failed: {e2.response.status_code} {e2.response.text}"
+                )
+            except httpx.RequestError as e2:
+                raise click.ClickException(f"Network error: {e2}")
+        else:
+            raise click.ClickException(
+                f"API request failed: {e.response.status_code} {e.response.text}"
+            )
     except httpx.RequestError as e:
         raise click.ClickException(f"Network error: {e}")
 
diff --git a/tests/test_generate_html.py b/tests/test_generate_html.py
@@ -1574,3 +1574,218 @@ def test_search_total_pages_available(self, output_dir):
 
         # Total pages should be embedded for JS to know how many pages to fetch
         assert "totalPages" in index_html or "total_pages" in index_html
+
+
+class TestAuthenticationErrorRecovery:
+    """Tests for 401 authentication error recovery in web command."""
+
+    def test_web_retries_after_401_on_fetch_sessions(
+        self, httpx_mock, monkeypatch, output_dir
+    ):
+        """Test that web command retries after 401 error when listing sessions."""
+        from click.testing import CliRunner
+        from claude_code_transcripts import cli
+
+        # Load sample session to mock API response
+        fixture_path = Path(__file__).parent / "sample_session.json"
+        with open(fixture_path) as f:
+            session_data = json.load(f)
+
+        # First call to /sessions returns 401, second call succeeds
+        httpx_mock.add_response(
+            url="https://api.anthropic.com/v1/sessions",
+            status_code=401,
+            json={
+                "type": "error",
+                "error": {
+                    "type": "authentication_error",
+                    "message": "Authentication failed",
+                },
+            },
+        )
+        httpx_mock.add_response(
+            url="https://api.anthropic.com/v1/sessions",
+            json={
+                "data": [
+                    {
+                        "id": "test-session-id",
+                        "title": "Test Session",
+                        "created_at": "2025-01-01T00:00:00Z",
+                    }
+                ]
+            },
+        )
+        httpx_mock.add_response(
+            url="https://api.anthropic.com/v1/session_ingress/session/test-session-id",
+            json=session_data,
+        )
+
+        # Track if refresh_token was called
+        refresh_called = []
+
+        def mock_refresh_token():
+            refresh_called.append(True)
+
+        monkeypatch.setattr("claude_code_transcripts.refresh_token", mock_refresh_token)
+
+        # Mock questionary.select to auto-select the first session
+        class MockSelect:
+            def __init__(self, *args, **kwargs):
+                pass
+
+            def ask(self):
+                return "test-session-id"
+
+        monkeypatch.setattr("questionary.select", MockSelect)
+
+        runner = CliRunner()
+        # NOTE: No session_id provided, so it will call fetch_sessions first
+        result = runner.invoke(
+            cli,
+            [
+                "web",
+                "--token",
+                "test-token",
+                "--org-uuid",
+                "test-org",
+                "-o",
+                str(output_dir),
+            ],
+        )
+
+        assert result.exit_code == 0, f"Command failed: {result.output}"
+        assert len(refresh_called) == 1, "refresh_token should be called exactly once"
+
+    def test_web_retries_after_401_on_fetch_session(
+        self, httpx_mock, monkeypatch, output_dir
+    ):
+        """Test that web command retries after 401 error when fetching session."""
+        from click.testing import CliRunner
+        from claude_code_transcripts import cli
+
+        # Load sample session to mock API response
+        fixture_path = Path(__file__).parent / "sample_session.json"
+        with open(fixture_path) as f:
+            session_data = json.load(f)
+
+        # First call returns 401, second call succeeds
+        httpx_mock.add_response(
+            url="https://api.anthropic.com/v1/session_ingress/session/test-session-id",
+            status_code=401,
+            json={
+                "type": "error",
+                "error": {
+                    "type": "authentication_error",
+                    "message": "Authentication failed",
+                },
+            },
+        )
+        httpx_mock.add_response(
+            url="https://api.anthropic.com/v1/session_ingress/session/test-session-id",
+            json=session_data,
+        )
+
+        # Track if refresh_token was called
+        refresh_called = []
+
+        def mock_refresh_token():
+            refresh_called.append(True)
+
+        monkeypatch.setattr("claude_code_transcripts.refresh_token", mock_refresh_token)
+
+        runner = CliRunner()
+        result = runner.invoke(
+            cli,
+            [
+                "web",
+                "test-session-id",
+                "--token",
+                "test-token",
+                "--org-uuid",
+                "test-org",
+                "-o",
+                str(output_dir),
+            ],
+        )
+
+        assert result.exit_code == 0, f"Command failed: {result.output}"
+        assert len(refresh_called) == 1, "refresh_token should be called exactly once"
+
+    def test_web_only_retries_once_after_401(self, httpx_mock, monkeypatch, output_dir):
+        """Test that web command only retries once to prevent infinite loops."""
+        from click.testing import CliRunner
+        from claude_code_transcripts import cli
+
+        # Both calls return 401 - second 401 should not trigger another retry
+        httpx_mock.add_response(
+            url="https://api.anthropic.com/v1/session_ingress/session/test-session-id",
+            status_code=401,
+            json={
+                "type": "error",
+                "error": {
+                    "type": "authentication_error",
+                    "message": "Authentication failed",
+                },
+            },
+        )
+        httpx_mock.add_response(
+            url="https://api.anthropic.com/v1/session_ingress/session/test-session-id",
+            status_code=401,
+            json={
+                "type": "error",
+                "error": {
+                    "type": "authentication_error",
+                    "message": "Authentication failed",
+                },
+            },
+        )
+
+        # Track if refresh_token was called
+        refresh_called = []
+
+        def mock_refresh_token():
+            refresh_called.append(True)
+
+        monkeypatch.setattr("claude_code_transcripts.refresh_token", mock_refresh_token)
+
+        runner = CliRunner()
+        result = runner.invoke(
+            cli,
+            [
+                "web",
+                "test-session-id",
+                "--token",
+                "test-token",
+                "--org-uuid",
+                "test-org",
+                "-o",
+                str(output_dir),
+            ],
+        )
+
+        # Should fail after retry fails
+        assert result.exit_code != 0
+        assert "401" in result.output
+        assert len(refresh_called) == 1, "refresh_token should only be called once"
+
+    def test_refresh_token_runs_claude_command(self, monkeypatch):
+        """Test that refresh_token runs claude -p prompt."""
+        from claude_code_transcripts import refresh_token
+        import subprocess
+
+        # Track the command that was run
+        commands_run = []
+
+        def mock_run(cmd, **kwargs):
+            commands_run.append(cmd)
+            return subprocess.CompletedProcess(
+                args=cmd, returncode=0, stdout="", stderr=""
+            )
+
+        monkeypatch.setattr(subprocess, "run", mock_run)
+
+        refresh_token()
+
+        assert len(commands_run) == 1
+        assert commands_run[0][0] == "claude"
+        assert "-p" in commands_run[0]
