Closed
3 changes: 1 addition & 2 deletions src/auth.ts
@@ -1,2 +1 @@
function auth() { return true; }
function validate() { return true; }
function auth() { refreshToken(); return true; }
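
Review bot: The new auth() discards whatever refreshToken() returns and still ends in `return true`, so a refresh that fails or throws asynchronously leaves the caller treated as authenticated; make the result of auth() depend on the refresh outcome and fail closed on error. The hunk also deletes validate() with nothing replacing it in the lines shown, so confirm no caller still depends on it before merging.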
⚠️ Potential issue | 🔴 Critical

Do not unconditionally return authenticated state after refresh.

On Line 1, auth() always returns true after calling refreshToken(). This can grant authenticated state even when refresh fails (or signals failure), which is a security/correctness bug.

🔧 Proposed fix
-function auth() { refreshToken(); return true; }
+async function auth(): Promise<boolean> {
+  try {
+    return (await refreshToken()) === true;
+  } catch {
+    return false;
+  }
+}
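
Review bot: Changing auth() to `async` with a `Promise<boolean>` return means any caller that still writes `if (auth())` tests a Promise object, which is always truthy, so the check would fail open; every call site needs `await` in the same change. The `=== true` comparison also assumes refreshToken() resolves to a boolean, which the lines shown do not establish, so confirm its return type before relying on it.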
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/auth.ts` at line 1, the auth() function unconditionally returns true
after calling refreshToken(), which can incorrectly grant authentication; update
auth() to call refreshToken() and return a boolean based on its result (or
rethrow/return false on error). Specifically, check the return value of
refreshToken() (await it if it is async), catch any exceptions thrown by
refreshToken(), and only return true when refreshToken() indicates success
(otherwise return false or propagate the failure). Ensure you update the auth()
signature/flow to reflect sync vs async behavior of refreshToken() and reference
the auth() and refreshToken() symbols when making the change.