fix: auth refresh (#1314)

packages/tm-core/src/auth/auth-manager.spec.ts

@@ -35,7 +35,7 @@ vi.mock('./credential-store.js', () => {
 			}
 			saveCredentials() {}
 			clearCredentials() {}
-			hasValidCredentials() {
+			hasCredentials() {
 				return false;
 			}
 		}

packages/tm-core/src/auth/auth-manager.ts

@@ -29,8 +29,6 @@ export class AuthManager {
 	private oauthService: OAuthService;
 	private supabaseClient: SupabaseAuthClient;
 	private organizationService?: OrganizationService;
-	private logger = getLogger('AuthManager');
-	private refreshPromise: Promise<AuthCredentials> | null = null;
 
 	private constructor(config?: Partial<AuthConfig>) {
 		this.credentialStore = CredentialStore.getInstance(config);
@@ -83,60 +81,10 @@ export class AuthManager {
 
 	/**
 	 * Get stored authentication credentials
-	 * Automatically refreshes the token if expired
+	 * Returns credentials as-is (even if expired). Refresh must be triggered explicitly
+	 * via refreshToken() or will occur automatically when using the Supabase client for API calls.
 	 */
-	async getCredentials(): Promise<AuthCredentials | null> {
-		const credentials = this.credentialStore.getCredentials({
-			allowExpired: true
-		});
-
-		if (!credentials) {
-			return null;
-		}
-
-		// Check if credentials are expired (with 30-second clock skew buffer)
-		const CLOCK_SKEW_MS = 30_000;
-		const isExpired = credentials.expiresAt
-			? new Date(credentials.expiresAt).getTime() <= Date.now() + CLOCK_SKEW_MS
-			: false;
-
-		// If expired and we have a refresh token, attempt refresh
-		if (isExpired && credentials.refreshToken) {
-			// Return existing refresh promise if one is in progress
-			if (this.refreshPromise) {
-				try {
-					return await this.refreshPromise;
-				} catch {
-					return null;
-				}
-			}
-
-			try {
-				this.logger.info('Token expired, attempting automatic refresh...');
-				this.refreshPromise = this.refreshToken();
-				const result = await this.refreshPromise;
-				return result;
-			} catch (error) {
-				this.logger.warn('Automatic token refresh failed:', error);
-				return null;
-			} finally {
-				this.refreshPromise = null;
-			}
-		}
-
-		// Return null if expired and no refresh token
-		if (isExpired) {
-			return null;
-		}
-
-		return credentials;
-	}
-
-	/**
-	 * Get stored authentication credentials (synchronous version)
-	 * Does not attempt automatic refresh
-	 */
-	getCredentialsSync(): AuthCredentials | null {
+	getCredentials(): AuthCredentials | null {
 		return this.credentialStore.getCredentials();
 	}
 
@@ -219,25 +167,26 @@ export class AuthManager {
 	}
 
 	/**
-	 * Check if authenticated
+	 * Check if authenticated (credentials exist, regardless of expiration)
+	 * @returns true if credentials are stored, including expired credentials
 	 */
 	isAuthenticated(): boolean {
-		return this.credentialStore.hasValidCredentials();
+		return this.credentialStore.hasCredentials();
 	}
 
 	/**
 	 * Get the current user context (org/brief selection)
 	 */
-	async getContext(): Promise<UserContext | null> {
-		const credentials = await this.getCredentials();
+	getContext(): UserContext | null {
+		const credentials = this.getCredentials();
 		return credentials?.selectedContext || null;
 	}
 
 	/**
 	 * Update the user context (org/brief selection)
 	 */
-	async updateContext(context: Partial<UserContext>): Promise<void> {
-		const credentials = await this.getCredentials();
+	updateContext(context: Partial<UserContext>): void {
+		const credentials = this.getCredentials();
 		if (!credentials) {
 			throw new AuthenticationError('Not authenticated', 'NOT_AUTHENTICATED');
 		}
@@ -262,8 +211,8 @@ export class AuthManager {
 	/**
 	 * Clear the user context
 	 */
-	async clearContext(): Promise<void> {
-		const credentials = await this.getCredentials();
+	clearContext(): void {
+		const credentials = this.getCredentials();
 		if (!credentials) {
 			throw new AuthenticationError('Not authenticated', 'NOT_AUTHENTICATED');
 		}
@@ -280,7 +229,7 @@ export class AuthManager {
 	private async getOrganizationService(): Promise<OrganizationService> {
 		if (!this.organizationService) {
 			// First check if we have credentials with a token
-			const credentials = await this.getCredentials();
+			const credentials = this.getCredentials();
 			if (!credentials || !credentials.token) {
 				throw new AuthenticationError('Not authenticated', 'NOT_AUTHENTICATED');
 			}

packages/tm-core/src/auth/credential-store.spec.ts

@@ -52,7 +52,7 @@ describe('CredentialStore - Token Expiration', () => {
 
 			credentialStore.saveCredentials(expiredCredentials);
 
-			const retrieved = credentialStore.getCredentials();
+			const retrieved = credentialStore.getCredentials({ allowExpired: false });
 
 			expect(retrieved).toBeNull();
 		});
@@ -69,7 +69,7 @@ describe('CredentialStore - Token Expiration', () => {
 
 			credentialStore.saveCredentials(validCredentials);
 
-			const retrieved = credentialStore.getCredentials();
+			const retrieved = credentialStore.getCredentials({ allowExpired: false });
 
 			expect(retrieved).not.toBeNull();
 			expect(retrieved?.token).toBe('valid-token');
@@ -92,6 +92,25 @@ describe('CredentialStore - Token Expiration', () => {
 			expect(retrieved).not.toBeNull();
 			expect(retrieved?.token).toBe('expired-token');
 		});
+
+		it('should return expired token by default (allowExpired defaults to true)', () => {
+			const expiredCredentials: AuthCredentials = {
+				token: 'expired-token-default',
+				refreshToken: 'refresh-token',
+				userId: 'test-user',
+				email: 'test@example.com',
+				expiresAt: new Date(Date.now() - 60000).toISOString(),
+				savedAt: new Date().toISOString()
+			};
+
+			credentialStore.saveCredentials(expiredCredentials);
+
+			// Call without options - should default to allowExpired: true
+			const retrieved = credentialStore.getCredentials();
+
+			expect(retrieved).not.toBeNull();
+			expect(retrieved?.token).toBe('expired-token-default');
+		});
 	});
 
 	describe('Clock Skew Tolerance', () => {
@@ -108,7 +127,7 @@ describe('CredentialStore - Token Expiration', () => {
 
 			credentialStore.saveCredentials(almostExpiredCredentials);
 
-			const retrieved = credentialStore.getCredentials();
+			const retrieved = credentialStore.getCredentials({ allowExpired: false });
 
 			expect(retrieved).toBeNull();
 		});
@@ -126,7 +145,7 @@ describe('CredentialStore - Token Expiration', () => {
 
 			credentialStore.saveCredentials(validCredentials);
 
-			const retrieved = credentialStore.getCredentials();
+			const retrieved = credentialStore.getCredentials({ allowExpired: false });
 
 			expect(retrieved).not.toBeNull();
 			expect(retrieved?.token).toBe('valid-token');
@@ -146,7 +165,7 @@ describe('CredentialStore - Token Expiration', () => {
 
 			credentialStore.saveCredentials(credentials);
 
-			const retrieved = credentialStore.getCredentials();
+			const retrieved = credentialStore.getCredentials({ allowExpired: false });
 
 			expect(retrieved).not.toBeNull();
 			expect(typeof retrieved?.expiresAt).toBe('number'); // Normalized to number
@@ -164,7 +183,7 @@ describe('CredentialStore - Token Expiration', () => {
 
 			credentialStore.saveCredentials(credentials);
 
-			const retrieved = credentialStore.getCredentials();
+			const retrieved = credentialStore.getCredentials({ allowExpired: false });
 
 			expect(retrieved).not.toBeNull();
 			expect(typeof retrieved?.expiresAt).toBe('number');
@@ -185,7 +204,7 @@ describe('CredentialStore - Token Expiration', () => {
 				mode: 0o600
 			});
 
-			const retrieved = credentialStore.getCredentials();
+			const retrieved = credentialStore.getCredentials({ allowExpired: false });
 
 			expect(retrieved).toBeNull();
 		});
@@ -203,7 +222,7 @@ describe('CredentialStore - Token Expiration', () => {
 				mode: 0o600
 			});
 
-			const retrieved = credentialStore.getCredentials();
+			const retrieved = credentialStore.getCredentials({ allowExpired: false });
 
 			expect(retrieved).toBeNull();
 		});
@@ -244,15 +263,15 @@ describe('CredentialStore - Token Expiration', () => {
 
 			credentialStore.saveCredentials(credentials);
 
-			const retrieved = credentialStore.getCredentials();
+			const retrieved = credentialStore.getCredentials({ allowExpired: false });
 
 			// Should be normalized to number for runtime use
 			expect(typeof retrieved?.expiresAt).toBe('number');
 		});
 	});
 
-	describe('hasValidCredentials', () => {
-		it('should return false for expired credentials', () => {
+	describe('hasCredentials', () => {
+		it('should return true for expired credentials', () => {
 			const expiredCredentials: AuthCredentials = {
 				token: 'expired-token',
 				refreshToken: 'refresh-token',
@@ -264,7 +283,7 @@ describe('CredentialStore - Token Expiration', () => {
 
 			credentialStore.saveCredentials(expiredCredentials);
 
-			expect(credentialStore.hasValidCredentials()).toBe(false);
+			expect(credentialStore.hasCredentials()).toBe(true);
 		});
 
 		it('should return true for valid credentials', () => {
@@ -279,11 +298,11 @@ describe('CredentialStore - Token Expiration', () => {
 
 			credentialStore.saveCredentials(validCredentials);
 
-			expect(credentialStore.hasValidCredentials()).toBe(true);
+			expect(credentialStore.hasCredentials()).toBe(true);
 		});
 
 		it('should return false when no credentials exist', () => {
-			expect(credentialStore.hasValidCredentials()).toBe(false);
+			expect(credentialStore.hasCredentials()).toBe(false);
 		});
 	});
 });

packages/tm-core/src/auth/credential-store.test.ts

@@ -197,7 +197,7 @@ describe('CredentialStore', () => {
 				JSON.stringify(mockCredentials)
 			);
 
-			const result = store.getCredentials();
+			const result = store.getCredentials({ allowExpired: false });
 
 			expect(result).toBeNull();
 			expect(mockLogger.warn).toHaveBeenCalledWith(
@@ -226,6 +226,31 @@ describe('CredentialStore', () => {
 			expect(result).not.toBeNull();
 			expect(result?.token).toBe('expired-token');
 		});
+
+		it('should return expired tokens by default (allowExpired defaults to true)', () => {
+			const expiredTimestamp = Date.now() - 3600000; // 1 hour ago
+			const mockCredentials = {
+				token: 'expired-token-default',
+				userId: 'user-expired',
+				expiresAt: expiredTimestamp,
+				tokenType: 'standard',
+				savedAt: new Date().toISOString()
+			};
+
+			vi.mocked(fs.existsSync).mockReturnValue(true);
+			vi.mocked(fs.readFileSync).mockReturnValue(
+				JSON.stringify(mockCredentials)
+			);
+
+			// Call without options - should default to allowExpired: true
+			const result = store.getCredentials();
+
+			expect(result).not.toBeNull();
+			expect(result?.token).toBe('expired-token-default');
+			expect(mockLogger.warn).not.toHaveBeenCalledWith(
+				expect.stringContaining('Authentication token has expired')
+			);
+		});
 	});
 
 	describe('saveCredentials with timestamp normalization', () => {
@@ -451,7 +476,7 @@ describe('CredentialStore', () => {
 		});
 	});
 
-	describe('hasValidCredentials', () => {
+	describe('hasCredentials', () => {
 		it('should return true when valid unexpired credentials exist', () => {
 			const futureDate = new Date(Date.now() + 3600000); // 1 hour from now
 			const credentials = {
@@ -465,10 +490,10 @@ describe('CredentialStore', () => {
 			vi.mocked(fs.existsSync).mockReturnValue(true);
 			vi.mocked(fs.readFileSync).mockReturnValue(JSON.stringify(credentials));
 
-			expect(store.hasValidCredentials()).toBe(true);
+			expect(store.hasCredentials()).toBe(true);
 		});
 
-		it('should return false when credentials are expired', () => {
+		it('should return true when credentials are expired', () => {
 			const pastDate = new Date(Date.now() - 3600000); // 1 hour ago
 			const credentials = {
 				token: 'expired-token',
@@ -481,13 +506,13 @@ describe('CredentialStore', () => {
 			vi.mocked(fs.existsSync).mockReturnValue(true);
 			vi.mocked(fs.readFileSync).mockReturnValue(JSON.stringify(credentials));
 
-			expect(store.hasValidCredentials()).toBe(false);
+			expect(store.hasCredentials()).toBe(true);
 		});
 
 		it('should return false when no credentials exist', () => {
 			vi.mocked(fs.existsSync).mockReturnValue(false);
 
-			expect(store.hasValidCredentials()).toBe(false);
+			expect(store.hasCredentials()).toBe(false);
 		});
 
 		it('should return false when file contains invalid JSON', () => {
@@ -495,7 +520,7 @@ describe('CredentialStore', () => {
 			vi.mocked(fs.readFileSync).mockReturnValue('invalid json {');
 			vi.mocked(fs.renameSync).mockImplementation(() => undefined);
 
-			expect(store.hasValidCredentials()).toBe(false);
+			expect(store.hasCredentials()).toBe(false);
 		});
 
 		it('should return false for credentials without expiry', () => {
@@ -510,7 +535,7 @@ describe('CredentialStore', () => {
 			vi.mocked(fs.readFileSync).mockReturnValue(JSON.stringify(credentials));
 
 			// Credentials without expiry are considered invalid
-			expect(store.hasValidCredentials()).toBe(false);
+			expect(store.hasCredentials()).toBe(false);
 
 			// Should log warning about missing expiration
 			expect(mockLogger.warn).toHaveBeenCalledWith(
@@ -518,14 +543,14 @@ describe('CredentialStore', () => {
 			);
 		});
 
-		it('should use allowExpired=false by default', () => {
+		it('should use allowExpired=true', () => {
 			// Spy on getCredentials to verify it's called with correct params
 			const getCredentialsSpy = vi.spyOn(store, 'getCredentials');
 
 			vi.mocked(fs.existsSync).mockReturnValue(false);
-			store.hasValidCredentials();
+			store.hasCredentials();
 
-			expect(getCredentialsSpy).toHaveBeenCalledWith({ allowExpired: false });
+			expect(getCredentialsSpy).toHaveBeenCalledWith({ allowExpired: true });
 		});
 	});
 

packages/tm-core/src/auth/credential-store.ts

@@ -54,9 +54,12 @@ export class CredentialStore {
 
 	/**
 	 * Get stored authentication credentials
+	 * @param options.allowExpired - Whether to return expired credentials (default: true)
 	 * @returns AuthCredentials with expiresAt as number (milliseconds) for runtime use
 	 */
-	getCredentials(options?: { allowExpired?: boolean }): AuthCredentials | null {
+	getCredentials({
+		allowExpired = true
+	}: { allowExpired?: boolean } = {}): AuthCredentials | null {
 		try {
 			if (!fs.existsSync(this.config.configFile)) {
 				return null;
@@ -90,7 +93,6 @@ export class CredentialStore {
 
 			// Check if the token has expired (with clock skew tolerance)
 			const now = Date.now();
-			const allowExpired = options?.allowExpired ?? false;
 			if (now >= expiresAtMs - this.CLOCK_SKEW_MS && !allowExpired) {
 				this.logger.warn(
 					'Authentication token has expired or is about to expire',
@@ -103,7 +105,7 @@ export class CredentialStore {
 				return null;
 			}
 
-			// Return valid token
+			// Return credentials (even if expired) to enable refresh flows
 			return authData;
 		} catch (error) {
 			this.logger.error(
@@ -199,10 +201,11 @@ export class CredentialStore {
 	}
 
 	/**
-	 * Check if credentials exist and are valid
+	 * Check if credentials exist (regardless of expiration status)
+	 * @returns true if credentials are stored, including expired credentials
 	 */
-	hasValidCredentials(): boolean {
-		const credentials = this.getCredentials({ allowExpired: false });
+	hasCredentials(): boolean {
+		const credentials = this.getCredentials({ allowExpired: true });
 		return credentials !== null;
 	}
 

packages/tm-core/src/auth/oauth-service.ts

@@ -281,15 +281,26 @@ export class OAuthService {
 				// Exchange code for session using PKCE
 				const session = await this.supabaseClient.exchangeCodeForSession(code);
 
+				// Calculate expiration - can be overridden with TM_TOKEN_EXPIRY_MINUTES
+				let expiresAt: string | undefined;
+				const tokenExpiryMinutes = process.env.TM_TOKEN_EXPIRY_MINUTES;
+				if (tokenExpiryMinutes) {
+					const minutes = parseInt(tokenExpiryMinutes);
+					expiresAt = new Date(Date.now() + minutes * 60 * 1000).toISOString();
+					this.logger.warn(`Token expiry overridden to ${minutes} minute(s)`);
+				} else {
+					expiresAt = session.expires_at
+						? new Date(session.expires_at * 1000).toISOString()
+						: undefined;
+				}
+
 				// Save authentication data
 				const authData: AuthCredentials = {
 					token: session.access_token,
 					refreshToken: session.refresh_token,
 					userId: session.user.id,
 					email: session.user.email,
-					expiresAt: session.expires_at
-						? new Date(session.expires_at * 1000).toISOString()
-						: undefined,
+					expiresAt,
 					tokenType: 'standard',
 					savedAt: new Date().toISOString()
 				};
@@ -340,10 +351,18 @@ export class OAuthService {
 				// Get user info from the session
 				const user = await this.supabaseClient.getUser();
 
-				// Calculate expiration time
-				const expiresAt = expiresIn
-					? new Date(Date.now() + parseInt(expiresIn) * 1000).toISOString()
-					: undefined;
+				// Calculate expiration time - can be overridden with TM_TOKEN_EXPIRY_MINUTES
+				let expiresAt: string | undefined;
+				const tokenExpiryMinutes = process.env.TM_TOKEN_EXPIRY_MINUTES;
+				if (tokenExpiryMinutes) {
+					const minutes = parseInt(tokenExpiryMinutes);
+					expiresAt = new Date(Date.now() + minutes * 60 * 1000).toISOString();
+					this.logger.warn(`Token expiry overridden to ${minutes} minute(s)`);
+				} else {
+					expiresAt = expiresIn
+						? new Date(Date.now() + parseInt(expiresIn) * 1000).toISOString()
+						: undefined;
+				}
 
 				// Save authentication data
 				const authData: AuthCredentials = {
@@ -351,7 +370,7 @@ export class OAuthService {
 					refreshToken: refreshToken || undefined,
 					userId: user?.id || 'unknown',
 					email: user?.email,
-					expiresAt: expiresAt,
+					expiresAt,
 					tokenType: 'standard',
 					savedAt: new Date().toISOString()
 				};

packages/tm-core/src/auth/supabase-session-storage.ts

@@ -98,11 +98,11 @@ export class SupabaseSessionStorage implements SupportedStorage {
 		// Only handle Supabase session keys
 		if (key === STORAGE_KEY || key.includes('auth-token')) {
 			try {
+				this.logger.info('Supabase called setItem - storing refreshed session');
+
 				// Parse the session and update our credentials
 				const sessionUpdates = this.parseSessionToCredentials(value);
-				const existingCredentials = this.store.getCredentials({
-					allowExpired: true
-				});
+				const existingCredentials = this.store.getCredentials();
 
 				if (sessionUpdates.token) {
 					const updatedCredentials: AuthCredentials = {
@@ -113,6 +113,9 @@ export class SupabaseSessionStorage implements SupportedStorage {
 					} as AuthCredentials;
 
 					this.store.saveCredentials(updatedCredentials);
+					this.logger.info(
+						'Successfully saved refreshed credentials from Supabase'
+					);
 				}
 			} catch (error) {
 				this.logger.error('Error setting session:', error);

packages/tm-core/src/clients/supabase-client.ts

@@ -17,10 +17,11 @@ export class SupabaseAuthClient {
 	private client: SupabaseJSClient | null = null;
 	private sessionStorage: SupabaseSessionStorage;
 	private logger = getLogger('SupabaseAuthClient');
+	private credentialStore: CredentialStore;
 
 	constructor() {
-		const credentialStore = CredentialStore.getInstance();
-		this.sessionStorage = new SupabaseSessionStorage(credentialStore);
+		this.credentialStore = CredentialStore.getInstance();
+		this.sessionStorage = new SupabaseSessionStorage(this.credentialStore);
 	}
 
 	/**

packages/tm-core/src/storage/storage-factory.ts

@@ -73,7 +73,7 @@ export class StorageFactory {
 						);
 					}
 					// Use auth token from AuthManager (synchronous - no auto-refresh here)
-					const credentials = authManager.getCredentialsSync();
+					const credentials = authManager.getCredentials();
 					if (credentials) {
 						// Merge with existing storage config, ensuring required fields
 						const nextStorage: StorageSettings = {
@@ -103,7 +103,7 @@ export class StorageFactory {
 
 				// Then check if authenticated via AuthManager
 				if (authManager.isAuthenticated()) {
-					const credentials = authManager.getCredentialsSync();
+					const credentials = authManager.getCredentials();
 					if (credentials) {
 						// Configure API storage with auth credentials
 						const nextStorage: StorageSettings = {