CS-544 [BUG] - refresh OAuth token issue #3239
Open
github-actions[bot] wants to merge 3 commits into
Contributor
1 issue found across 1 file
Confidence score: 3/5
- In `apps/api/src/trigger/integration-platform/refresh-expiring-tokens-schedule.ts`, the connection filter uses `credentials.some(...)`, which can match older credential rows even though only the latest credential is returned; this can select the wrong connections for token refresh and lead to missed or incorrect refresh behavior in production. Update the query/filter to explicitly target the latest credential version (or constrain the relation used by `some`) and add a test that reproduces the version-mismatch case before merging.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="apps/api/src/trigger/integration-platform/refresh-expiring-tokens-schedule.ts">
<violation number="1" location="apps/api/src/trigger/integration-platform/refresh-expiring-tokens-schedule.ts:36">
P2: Connection selection logic uses `credentials.some(...)` which can match non-latest credential versions, while `include.credentials` with `orderBy version desc / take: 1` only affects returned data. This causes unnecessary force-refreshes when an older credential version is within the expiry window but the latest version is fine.</violation>
</file>
Linked issue analysis
Linked issue: CS-544: [BUG] - refresh OAuth token issue
| Status | Acceptance criteria | Notes |
|---|---|---|
| ✅ | Add a daily scheduled task that runs at 05:00 UTC to proactively refresh tokens | schedules.task is defined with cron '0 5 * * *' and an explanatory comment about running 1 hour before integration checks. |
| ✅ | Refresh tokens that will expire within the next 24 hours (24h lookahead) | REFRESH_LOOKAHEAD_HOURS = 24 and expiryThreshold is computed from now + lookahead; filter selects connections whose latest expiresAt is <= threshold and > now. |
| ✅ | Consider only the latest credential version when deciding which connections to refresh | DB query includes credentialVersions ordered by version desc with take: 1, and the filter checks connection.credentialVersions[0].expiresAt to decide expiry. |
| ✅ | Call requestValidCredentials(...) with forceRefresh: true for each expiring connection | For each selected connection the code calls requestValidCredentials with forceRefresh: true; tests assert the call and parameters for the expiring connection. |
| ✅ | Return and log summary counts (refreshed/failed/skipped/total) and handle missing API_URL | Function logs start/complete messages, returns an object with refreshed/failed/skipped/total, and checks API_URL, logging an error and returning zero counts if unset. |
| | Log minutes-until-expiry for each connection correctly | The code computes minutesUntilExpiry and logs it, but it reads expiresAt from connection.credentials[0] while earlier logic and the DB select use connection.credentialVersions[0]. This mismatch may make minutesUntilExpiry null/incorrect even when filtering selected the connection based on credentialVersions. |
…ing-tokens-schedule
Contributor
@cubic-dev-ai please review this.
Contributor
@chasprowebdev I have started the AI code review. It will take a few minutes to complete.
Contributor
cubic analysis
1 issue found across 2 files
Confidence score: 2/5
- In `apps/api/src/trigger/integration-platform/refresh-expiring-tokens-schedule.ts`, the scheduler reads `connection.credentials[0]` even though the Prisma query loads `credentialVersions`, so this can throw a runtime TypeError and stop the token-refresh schedule from running; align the accessed relation with the queried include (or update the query) and add a quick schedule-path test before merging.
This is an automated pull request to merge chas/cs-544-refresh-token into dev.
It was created by the [Auto Pull Request] action.
Summary by cubic
Adds a daily 05:00 UTC cron to proactively refresh OAuth tokens expiring within 24 hours, preventing “token expired” disconnects during integration checks (CS-544).
New Features
- `refresh-expiring-tokens-schedule` using `@trigger.dev/sdk` (runs 1 hour before daily checks).
- `API_URL` and `@db`; logs results, returns summary counts, and includes tests for latest-version filtering.

Bug Fixes
Written for commit 9d30b3e. Summary will update on new commits.
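The version mismatch raised in both reviews above, as an added example that is not code from this pull request: an in-memory model comparing an any-version `some` match with a latest-version check, and computing minutes-until-expiry from the same record used for selection. Only `credentialVersions`, `version`, `expiresAt` and `REFRESH_LOOKAHEAD_HOURS` come from the page; the type names, helper names and sample data are assumptions constructed for illustration.

```typescript
// Added example: in-memory model, not code from the pull request.
// Type names, helper names and sample data are constructed assumptions.
interface CredentialVersion { version: number; expiresAt: Date | null }
interface OAuthConnection { id: string; credentialVersions: CredentialVersion[] }

const HOUR_MS = 60 * 60 * 1000;
const REFRESH_LOOKAHEAD_HOURS = 24;

// True when the token expires after `now` but within the lookahead window.
function inWindow(expiresAt: Date | null, now: Date): boolean {
  if (expiresAt === null) return false;
  const threshold = now.getTime() + REFRESH_LOOKAHEAD_HOURS * HOUR_MS;
  return expiresAt.getTime() > now.getTime() && expiresAt.getTime() <= threshold;
}

// Expiry of the highest version, independent of array order; null if none.
function latestExpiry(c: OAuthConnection): Date | null {
  let latest: CredentialVersion | undefined;
  for (const v of c.credentialVersions) {
    if (latest === undefined || v.version > latest.version) latest = v;
  }
  return latest === undefined ? null : latest.expiresAt;
}

// Any-version match, like a relation filter written with `some`.
function selectBySome(conns: OAuthConnection[], now: Date): string[] {
  return conns
    .filter((c) => c.credentialVersions.some((v) => inWindow(v.expiresAt, now)))
    .map((c) => c.id);
}

// Latest-version match: older rows cannot select a connection.
function selectByLatest(conns: OAuthConnection[], now: Date): string[] {
  return conns.filter((c) => inWindow(latestExpiry(c), now)).map((c) => c.id);
}

// Reads the same record the selection used, so the logged value cannot diverge.
function minutesUntilExpiry(c: OAuthConnection, now: Date): number | null {
  const expiresAt = latestExpiry(c);
  return expiresAt === null ? null : Math.round((expiresAt.getTime() - now.getTime()) / 60000);
}

// Constructed sample data: one rotated, one genuinely expiring, one with no rows.
const NOW = new Date("2025-01-01T05:00:00Z");
const hoursFromNow = (h: number): Date => new Date(NOW.getTime() + h * HOUR_MS);
const SAMPLE: OAuthConnection[] = [
  { id: "conn-rotated", credentialVersions: [{ version: 1, expiresAt: hoursFromNow(2) }, { version: 2, expiresAt: hoursFromNow(720) }] },
  { id: "conn-expiring", credentialVersions: [{ version: 1, expiresAt: hoursFromNow(-48) }, { version: 2, expiresAt: hoursFromNow(6) }] },
  { id: "conn-empty", credentialVersions: [] },
];
```

`conn-rotated` is the regression case a test should pin: its superseded version 1 falls inside the window, so the any-version filter selects it although its latest token is valid for 30 days.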