Skip to content

fix(sdk): add automatic 401 retry with token refresh to openapi-fetch middleware#103

Merged
clavery merged 2 commits intomainfrom
bugfix/refresh
Feb 3, 2026
Merged

fix(sdk): add automatic 401 retry with token refresh to openapi-fetch middleware#103
clavery merged 2 commits intomainfrom
bugfix/refresh

Conversation

@clavery
Copy link
Collaborator

@clavery clavery commented Feb 1, 2026
edited
Loading

Summary

  • Add automatic 401 retry with token refresh to createAuthMiddleware() for openapi-fetch clients
  • Ensures long-running operations (OCAPI, SLAS, SCAPI, etc.) correctly handle token expiration mid-operation
  • Add invalidateToken?(): void to AuthStrategy interface

Problem

The SDK had automatic token refresh for auth.fetch() calls (used by WebDAV), but openapi-fetch clients did NOT retry on 401. For long-running operations (e.g., 60-minute job polls), if a token expired or was revoked mid-operation, API calls would fail.

Solution

Add an onResponse handler to createAuthMiddleware() that:

  1. Detects 401 responses
  2. Invalidates the cached token via auth.invalidateToken()
  3. Gets a fresh token via auth.getAuthorizationHeader()
  4. Retries the request once with the new token

Uses WeakSet to track retried requests (prevents infinite loops) and WeakMap to store cloned request bodies for retry.

Test plan

  • Unit tests for 401 retry behavior
  • Unit tests for preventing infinite retry loops
  • Unit tests for preserving request body on retry
  • Manual testing with long-running job poll

@clavery
fix(sdk): add automatic 401 retry with token refresh to openapi-fetch…
6ce3a47 
… middleware

The SDK had automatic token refresh for auth.fetch() calls (WebDAV), but
openapi-fetch clients (OCAPI, SLAS, SCAPI, etc.) did not retry on 401.
For long-running operations, if a token expires mid-operation, API calls
would fail.

This adds an onResponse handler to createAuthMiddleware() that:
- Detects 401 responses
- Invalidates the cached token via auth.invalidateToken()
- Gets a fresh token via auth.getAuthorizationHeader()
- Retries the request once with the new token

Uses WeakSet/WeakMap to track retried requests and preserve request bodies.
@clavery
chore(sdk): add token refresh test script
f7ce177 
Utility script for manually testing 401 retry behavior during long-running
operations. Polls active code version every 10 seconds.
@clavery clavery merged commit 7a3015f into main Feb 3, 2026
3 checks passed
@github-actions github-actions bot mentioned this pull request Feb 3, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yhsieh1 yhsieh1 Awaiting requested review from yhsieh1

@charithaT07 charithaT07 Awaiting requested review from charithaT07

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@clavery