fix: fall through to OAuth when CLI credentials are expired#386
Conversation
When a mission workspace has a .credentials.json from a previous run but the token has expired, the system would still trust it and skip OAuth injection. Claude Code would then fail with "Invalid authentication credentials". Now checks expiry after the copy/refresh attempt. If the token is expired, removes the stale file and sets has_cli_creds=false so the OAuth injection path runs instead.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit d9940c2. Configure here.
let mut has_cli_creds = looks_like_claude_cli_credentials(&mission_creds_path);
if let Some((expires_at, has_refresh)) = claude_cli_credentials_info(&mission_creds_path) {
    let now_ms = chrono::Utc::now().timestamp_millis();
    let is_expired = expires_at < now_ms;
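Review bot: the comparison on the last line, `let is_expired = expires_at < now_ms;`, re-implements the expiry decision that `looks_like_claude_cli_credentials` already makes on the first line, but with a different threshold, so `has_cli_creds` and `is_expired` are computed from two independent rules. Consider having one helper (or one shared buffer constant) own the buffered comparison and derive both values from it, so the "is it usable" and "should the file be removed" decisions cannot drift apart when either threshold is later changed.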
Inconsistent expiry buffer leaves near-expiry file undeleted
Medium Severity
The expiry check at is_expired = expires_at < now_ms uses no buffer, but looks_like_claude_cli_credentials uses a 60-second buffer (expires_at < now_ms + 60_000). When a token is within 0–60 seconds of expiry, has_cli_creds becomes false (falls through to OAuth), but is_expired is false so the stale credentials file is not removed. Claude Code can still discover and use the near-expiry file, defeating the fallthrough to OAuth. The is_expired check needs the same 60-second buffer to ensure file removal is consistent with the has_cli_creds decision.


Summary
When a mission workspace has a .credentials.json from a previous run but the token has expired, the system would still trust it (has_cli_creds=true) and skip OAuth injection.

Root cause
The needs_copy logic correctly detects expired tokens and tries to re-copy from host credentials. But when no host credentials exist (common when auth is managed via OAuth providers, not claude login), the copy is skipped and the stale expired token persists. The has_cli_creds flag remains true because the file exists, so the OAuth path is never tried.

Test plan
9b413dc4 had this exact failure pattern

Note
Medium Risk
Touches credential-selection logic for missions and adds deletion of expired .credentials.json, which could affect authentication behavior if expiry detection is wrong or filesystem operations fail in edge cases.

Overview
Prevents missions from trusting stale Claude CLI credentials: after any copy/refresh attempt, the runner now checks expires_at from the mission .credentials.json, logs an is_expired flag, and if expired forces has_cli_creds=false. When expired credentials are detected, it removes the stale credentials file so Claude Code won't pick it up, allowing the flow to fall through to the existing OAuth token injection/refresh path instead of failing with invalid credentials.
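The following is an added illustration of the expiry handling this PR and its review comment discuss, written for this page; it is not the project's code. It shows one way to make the "trust the CLI credentials" decision and the "delete the stale file" decision share a single expiry buffer, so a token inside the 0–60 second window is both rejected and removed, and the mission falls through to OAuth. The function names, the `CliCredState` enum, the `"expiresAt"` key scanned by the minimal reader, and the temp-directory demo are assumptions made for the example; the real credentials file layout is not given on the page and a real implementation would use a JSON parser.

```rust
use std::fs;
use std::path::Path;
use std::time::{SystemTime, UNIX_EPOCH};

/// One buffer for both decisions: a token that expires within this window is
/// treated as unusable and its file is removed. Using a single constant removes
/// the drift the review comment flagged (0 ms in one check, 60 s in the other).
pub const EXPIRY_BUFFER_MS: i64 = 60_000;

#[derive(Debug, PartialEq, Eq)]
pub enum CliCredState {
    /// No credentials file, or no expiry could be read: use the OAuth path.
    Missing,
    /// Token remains valid for longer than the buffer: trust the CLI credentials.
    Usable,
    /// Token is expired or inside the buffer: remove the file, use OAuth.
    Stale,
}

/// Classify a token from its expiry and the current time (both ms since epoch).
/// The comparison mirrors `expires_at < now_ms + 60_000` from the page.
pub fn classify(expires_at_ms: Option<i64>, now_ms: i64) -> CliCredState {
    match expires_at_ms {
        None => CliCredState::Missing,
        Some(exp) if exp < now_ms + EXPIRY_BUFFER_MS => CliCredState::Stale,
        Some(_) => CliCredState::Usable,
    }
}

/// Hypothetical minimal reader: extracts the integer after `"expiresAt":`.
/// The key name is an assumption for this example, not taken from the PR.
pub fn read_expires_at_ms(path: &Path) -> Option<i64> {
    let text = fs::read_to_string(path).ok()?;
    let key = "\"expiresAt\":";
    let start = text.find(key)? + key.len();
    let digits: String = text[start..]
        .trim_start()
        .chars()
        .take_while(|c| c.is_ascii_digit())
        .collect();
    digits.parse().ok()
}

/// Current wall-clock time in ms since the Unix epoch.
pub fn now_ms() -> i64 {
    SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_millis() as i64)
        .unwrap_or(0)
}

/// Returns `true` when the mission may use the CLI credentials file
/// (has_cli_creds). A stale file is removed so the downstream tool cannot
/// rediscover it, and `false` is returned so OAuth injection runs instead.
pub fn has_usable_cli_creds(path: &Path, now_ms: i64) -> std::io::Result<bool> {
    match classify(read_expires_at_ms(path), now_ms) {
        CliCredState::Usable => Ok(true),
        CliCredState::Missing => Ok(false),
        CliCredState::Stale => {
            match fs::remove_file(path) {
                Ok(()) => {}
                // Already gone (e.g. removed by a concurrent run): still fall through.
                Err(e) if e.kind() == std::io::ErrorKind::NotFound => {}
                Err(e) => return Err(e),
            }
            Ok(false)
        }
    }
}

/// Demo on a constructed credentials file (not a real one): writes a file whose
/// token expires `offset_ms` from now, runs the check, and reports
/// (has_cli_creds, file still present after the check).
pub fn demo_with_offset(label: &str, offset_ms: i64) -> std::io::Result<(bool, bool)> {
    let dir = std::env::temp_dir().join(format!("cred-demo-{}-{}", std::process::id(), label));
    fs::create_dir_all(&dir)?;
    let path = dir.join(".credentials.json");
    let now = now_ms();
    // Constructed sample body; layout and key names are assumptions.
    let body = format!(
        "{{\"claudeAiOauth\":{{\"accessToken\":\"constructed\",\"expiresAt\":{}}}}}",
        now + offset_ms
    );
    fs::write(&path, body)?;
    let usable = has_usable_cli_creds(&path, now)?;
    let still_present = path.exists();
    let _ = fs::remove_dir_all(&dir);
    Ok((usable, still_present))
}

fn main() -> std::io::Result<()> {
    for (label, offset) in [("fresh", 3_600_000), ("near", 30_000), ("expired", -1_000)] {
        let (usable, present) = demo_with_offset(label, offset)?;
        println!("{label}: has_cli_creds={usable} file_present={present}");
    }
    Ok(())
}
```

Running the demo shows the three cases that matter: a token with an hour left is trusted and kept, a token 30 seconds from expiry is rejected and its file removed (the window the review comment says the PR's two checks disagree on), and an already-expired token is handled the same way as the near-expiry one.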