omp: add fix auth patch (to test)

2026-04-08 13:08:30 -04:00
parent 0f0429b4b2
commit 3627cb19c6
2 changed files with 296 additions and 1 deletions
--- a/home-manager/progs/pi.nix
+++ b/home-manager/progs/pi.nix
@@ -37,7 +37,9 @@ let
 in
 {
  home.packages = [
-    inputs.llm-agents.packages.${pkgs.stdenv.hostPlatform.system}.omp
+    (inputs.llm-agents.packages.${pkgs.stdenv.hostPlatform.system}.omp.overrideAttrs (old: {
+      patches = (old.patches or [ ]) ++ [ ../../patches/omp-fix-auth.patch ];
+    }))
  ];

  # main settings: ~/.omp/agent/config.yml (JSON is valid YAML)
--- a/patches/omp-fix-auth.patch
+++ b/patches/omp-fix-auth.patch
@@ -0,0 +1,293 @@
+commit 31d537735d3c5e25a2b620d63ebbfea4cf84f57e
+Author: Simon Gardling <titaniumtown@proton.me>
+Date:   Wed Apr 8 13:05:09 2026 -0400
+
+    Fix key reauth with parallel sessions
+
+diff --git a/packages/ai/CHANGELOG.md b/packages/ai/CHANGELOG.md
+index 3f50b7bd4..248dacbff 100644
+--- a/packages/ai/CHANGELOG.md
+++ b/packages/ai/CHANGELOG.md
+@@ -5,6 +5,10 @@
+ 
+ - Removed `coerceNullStrings` function and its automatic null-string coercion behavior from JSON parsing
+ 
+### Fixed
+
+- Fixed concurrent OAuth refresh token rotation race: when multiple instances share the same credential DB, one instance refreshing a token no longer causes other instances to permanently disable the credential on `invalid_grant` ([#607](https://github.com/can1357/oh-my-pi/issues/607))
+
+ ## [13.19.0] - 2026-04-05
+ 
+ ### Fixed
+diff --git a/packages/ai/src/auth-storage.ts b/packages/ai/src/auth-storage.ts
+index 9fdb4473b..fac936dad 100644
+--- a/packages/ai/src/auth-storage.ts
+++ b/packages/ai/src/auth-storage.ts
+@@ -1865,7 +1865,30 @@ export class AuthStorage {
+ 			});
+ 
+ 			if (isDefinitiveFailure) {
+-				// Permanently disable invalid credentials with an explicit cause for inspection/debugging
+				// Before permanently disabling, check if another instance already refreshed
+				// the token in the shared DB. Concurrent instances hold stale in-memory
+				// copies; refresh token rotation by one instance invalidates the token
+				// that other instances still hold. Re-read from DB before giving up.
+				if (/invalid_grant/i.test(errorMsg)) {
+					const entries = this.#getStoredCredentials(provider);
+					const entry = entries[selection.index];
+					if (entry) {
+						const dbCredentials = this.#store.listAuthCredentials(provider);
+						const dbEntry = dbCredentials.find(row => row.id === entry.id);
+						if (
+							dbEntry?.credential.type === "oauth" &&
+							dbEntry.credential.refresh !== selection.credential.refresh
+						) {
+							// DB has a newer refresh token — another instance refreshed.
+							// Update in-memory state and retry with the fresh credential.
+							const updated = [...entries];
+							updated[selection.index] = { id: entry.id, credential: dbEntry.credential };
+							this.#setStoredCredentials(provider, updated);
+							return this.getApiKey(provider, sessionId, options);
+						}
+					}
+				}
+				// Genuinely invalid — disable the credential
+ 				this.#disableCredentialAt(provider, selection.index, `oauth refresh failed: ${errorMsg}`);
+ 				if (this.#getCredentialsForProvider(provider).some(credential => credential.type === "oauth")) {
+ 					return this.getApiKey(provider, sessionId, options);
+diff --git a/packages/ai/test/auth-storage-refresh-race.test.ts b/packages/ai/test/auth-storage-refresh-race.test.ts
+new file mode 100644
+index 000000000..5a8098a18
+--- /dev/null
+++ b/packages/ai/test/auth-storage-refresh-race.test.ts
+@@ -0,0 +1,230 @@
+import { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test, vi } from "bun:test";
+import * as fs from "node:fs/promises";
+import * as os from "node:os";
+import * as path from "node:path";
+import { AuthCredentialStore, AuthStorage, type OAuthCredential } from "../src/auth-storage";
+import * as oauthUtils from "../src/utils/oauth";
+import type { OAuthCredentials } from "../src/utils/oauth/types";
+
+/**
+ * Tests for the concurrent OAuth refresh token rotation race condition.
+ *
+ * When multiple omp instances share the same SQLite credential DB but hold
+ * independent in-memory caches, refresh token rotation by one instance
+ * invalidates the token that other instances still hold. Without the fix,
+ * the stale instance permanently disables the credential on `invalid_grant`
+ * even though a valid refresh token exists in the DB.
+ */
+
+function readDisabledCauses(dbPath: string, provider: string): string[] {
+	const db = new Database(dbPath, { readonly: true });
+	try {
+		const rows = db
+			.prepare(
+				"SELECT disabled_cause FROM auth_credentials WHERE provider = ? AND disabled_cause IS NOT NULL ORDER BY id ASC",
+			)
+			.all(provider) as Array<{ disabled_cause?: string | null }>;
+		return rows.flatMap(row => (typeof row.disabled_cause === "string" ? [row.disabled_cause] : []));
+	} finally {
+		db.close();
+	}
+}
+
+function countActiveCredentials(dbPath: string, provider: string): number {
+	const db = new Database(dbPath, { readonly: true });
+	try {
+		const row = db
+			.prepare("SELECT COUNT(*) AS count FROM auth_credentials WHERE provider = ? AND disabled_cause IS NULL")
+			.get(provider) as { count?: number } | undefined;
+		return row?.count ?? 0;
+	} finally {
+		db.close();
+	}
+}
+
+const EXPIRED_TOKEN_EXPIRES = Date.now() - 60_000;
+const FRESH_TOKEN_EXPIRES = Date.now() + 3_600_000;
+
+function makeOAuthCredential(suffix: string, opts?: { expires?: number }): OAuthCredential {
+	return {
+		type: "oauth",
+		access: `access-${suffix}`,
+		refresh: `refresh-${suffix}`,
+		expires: opts?.expires ?? FRESH_TOKEN_EXPIRES,
+		accountId: "acct-shared",
+		email: "user@example.com",
+	};
+}
+
+describe("AuthStorage concurrent OAuth refresh token rotation race", () => {
+	let tempDir = "";
+	let dbPath = "";
+	let storeA: AuthCredentialStore | null = null;
+	let storeB: AuthCredentialStore | null = null;
+	let authStorageA: AuthStorage | null = null;
+	let authStorageB: AuthStorage | null = null;
+
+	beforeEach(async () => {
+		tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "pi-ai-auth-refresh-race-"));
+		dbPath = path.join(tempDir, "agent.db");
+
+		// Both stores point at the same SQLite DB — simulates two omp instances
+		storeA = await AuthCredentialStore.open(dbPath);
+		storeB = await AuthCredentialStore.open(dbPath);
+	});
+
+	afterEach(async () => {
+		vi.restoreAllMocks();
+		storeA?.close();
+		storeB?.close();
+		storeA = null;
+		storeB = null;
+		authStorageA = null;
+		authStorageB = null;
+		if (tempDir) {
+			await fs.rm(tempDir, { recursive: true, force: true });
+			tempDir = "";
+		}
+	});
+
+	test("instance B recovers from invalid_grant when instance A already refreshed", async () => {
+		if (!storeA || !storeB) throw new Error("test setup failed");
+
+		// Store an expired OAuth credential — both instances will need to refresh
+		const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
+		authStorageA = new AuthStorage(storeA);
+		await authStorageA.set("anthropic", [staleCredential]);
+
+		// Instance B loads same credential from DB into its own in-memory cache
+		authStorageB = new AuthStorage(storeB);
+		await authStorageB.reload();
+
+		// The refreshed credential that instance A will produce
+		const refreshedCredential: OAuthCredentials = {
+			access: "access-v2",
+			refresh: "refresh-v2",
+			expires: FRESH_TOKEN_EXPIRES,
+			accountId: "acct-shared",
+			email: "user@example.com",
+		};
+
+		// Mock both refresh paths:
+		// - refreshOAuthToken: called by pre-refresh in #resolveOAuthApiKey for expired tokens
+		// - getOAuthApiKey: called by #tryOAuthCredential for the actual token exchange
+		const refreshSpy = vi.spyOn(oauthUtils, "refreshOAuthToken");
+		const getApiKeySpy = vi.spyOn(oauthUtils, "getOAuthApiKey");
+
+		// Step 1: Instance A refreshes successfully
+		refreshSpy.mockImplementation(async (_provider, credential) => {
+			return { ...credential, ...refreshedCredential };
+		});
+		getApiKeySpy.mockImplementation(async (_provider, credentials) => {
+			const cred = credentials.anthropic as OAuthCredentials | undefined;
+			if (!cred) return null;
+			return { newCredentials: refreshedCredential, apiKey: "sk-ant-new-key" };
+		});
+
+		const keyA = await authStorageA.getApiKey("anthropic", "session-a");
+		expect(keyA).toBe("sk-ant-new-key");
+
+		// DB now has refreshed credential from instance A.
+		// Instance B still has stale refresh-v1 in memory.
+
+		// Step 2: Instance B tries to refresh with stale token.
+		// The pre-refresh (refreshOAuthToken) runs first, then #tryOAuthCredential calls getOAuthApiKey.
+		// Both throw invalid_grant for stale tokens. After DB re-read, retry with fresh token succeeds.
+		let getApiKeyCallCount = 0;
+		refreshSpy.mockImplementation(async (_provider, credential) => {
+			if (credential.refresh === "refresh-v1") {
+				throw new Error("invalid_grant: Refresh token not found or invalid");
+			}
+			return { ...credential, ...refreshedCredential };
+		});
+		getApiKeySpy.mockImplementation(async (_provider, credentials) => {
+			const cred = credentials.anthropic as OAuthCredentials | undefined;
+			if (!cred) return null;
+			getApiKeyCallCount++;
+
+			if (cred.refresh === "refresh-v1") {
+				// Stale token — Anthropic would return invalid_grant
+				throw new Error("invalid_grant: Refresh token not found or invalid");
+			}
+			if (cred.refresh === "refresh-v2") {
+				// Fresh token from instance A — success
+				return { newCredentials: refreshedCredential, apiKey: "sk-ant-new-key-b" };
+			}
+			return null;
+		});
+
+		const keyB = await authStorageB.getApiKey("anthropic", "session-b");
+
+		// The credential must NOT be disabled — instance B should have recovered
+		expect(keyB).toBeDefined();
+		expect(typeof keyB).toBe("string");
+
+		// DB should still have exactly 1 active credential, none disabled
+		expect(countActiveCredentials(dbPath, "anthropic")).toBe(1);
+		expect(readDisabledCauses(dbPath, "anthropic")).toEqual([]);
+		// The getOAuthApiKey mock must have been called at least twice: once with stale, once with fresh
+		expect(getApiKeyCallCount).toBeGreaterThanOrEqual(2);
+	});
+
+	test("credential is still disabled when DB has same stale token (genuine failure)", async () => {
+		if (!storeA || !storeB) throw new Error("test setup failed");
+
+		// Store an expired credential — only one instance, no concurrent refresh
+		const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
+		authStorageA = new AuthStorage(storeA);
+		await authStorageA.set("anthropic", [staleCredential]);
+
+		// Mock: always fail with invalid_grant (genuinely revoked token)
+		vi.spyOn(oauthUtils, "refreshOAuthToken").mockImplementation(async () => {
+			throw new Error("invalid_grant: Refresh token not found or invalid");
+		});
+		vi.spyOn(oauthUtils, "getOAuthApiKey").mockImplementation(async () => {
+			throw new Error("invalid_grant: Refresh token not found or invalid");
+		});
+
+		const key = await authStorageA.getApiKey("anthropic", "session-a");
+
+		// Should return undefined — no valid credentials
+		expect(key).toBeUndefined();
+
+		// Credential should be disabled in DB
+		const causes = readDisabledCauses(dbPath, "anthropic");
+		expect(causes.length).toBe(1);
+		expect(causes[0]).toContain("invalid_grant");
+	});
+
+	test("terminates when DB token matches stale token (no concurrent refresh)", async () => {
+		if (!storeA || !storeB) throw new Error("test setup failed");
+
+		// Both instances share the same stale credential — nobody refreshed
+		const staleCredential = makeOAuthCredential("v1", { expires: EXPIRED_TOKEN_EXPIRES });
+		authStorageA = new AuthStorage(storeA);
+		await authStorageA.set("anthropic", [staleCredential]);
+
+		// Instance B loads same stale credential
+		authStorageB = new AuthStorage(storeB);
+		await authStorageB.reload();
+
+		// Mock: always fail — the token is genuinely revoked, nobody refreshed
+		vi.spyOn(oauthUtils, "refreshOAuthToken").mockImplementation(async () => {
+			throw new Error("invalid_grant: Refresh token not found or invalid");
+		});
+		vi.spyOn(oauthUtils, "getOAuthApiKey").mockImplementation(async () => {
+			throw new Error("invalid_grant: Refresh token not found or invalid");
+		});
+
+		// Instance B fails. DB has the same token (nobody refreshed), so the
+		// fix correctly falls through to disable instead of retrying forever.
+		const keyB = await authStorageB.getApiKey("anthropic", "session-b");
+		expect(keyB).toBeUndefined();
+
+		// Credential should be disabled — the fix did not prevent a genuine failure
+		const causes = readDisabledCauses(dbPath, "anthropic");
+		expect(causes.length).toBe(1);
+		expect(causes[0]).toContain("invalid_grant");
+	});
+});