
fix: never clear existing refresh token during token update #237

Merged
icebear0828 merged 1 commit into master from fix/protect-refresh-token
Mar 27, 2026

@icebear0828
Owner

Summary

  • updateToken could overwrite a valid RT with null/undefined when Auth0 refresh response omitted the refresh_token field, causing permanent RT loss
  • Changed updateToken signature to refreshToken?: string (removed | null)
  • Guard: only replace RT with a non-empty string, never clear it
  • Applied same guard to addAccount dedup path
  • Removed oaistb_rt_ special branch that explicitly set RT to null

Test plan

  • All 1378 tests pass
  • Deploy and verify RT persists across multiple token refresh cycles

updateToken could overwrite a valid RT with null/undefined when the
Auth0 refresh response omitted the refresh_token field. This caused
permanent RT loss — accounts became unable to auto-refresh.

- updateToken signature changed to `refreshToken?: string` (no null)
- Guard: only replace RT with a non-empty string value
- addAccount dedup path uses the same guard
- Remove oaistb_rt_ special branch that explicitly set RT to null
@icebear0828 icebear0828 merged commit 2bf79d3 into master Mar 27, 2026
1 check failed
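
The guard described in the summary, as an added TypeScript sketch that is not the project's code: the `Account` shape, both function bodies and the sample responses are assumptions constructed for illustration. It replays refresh responses that rotate, omit and blank the `refresh_token` field through an unguarded and a guarded update and records the stored RT after each one.

```typescript
// Added illustration. Account, the function bodies and SAMPLE_RESPONSES are
// assumptions, not the project's actual implementation.
interface Account {
  id: string;
  accessToken: string;
  refreshToken?: string;
}

// "Before" behaviour described in the PR: whatever the refresh response
// carried (including null/undefined) replaces the stored RT.
function updateTokenUnguarded(acct: Account, accessToken: string, refreshToken?: string | null): void {
  acct.accessToken = accessToken;
  acct.refreshToken = refreshToken ?? undefined;
}

// "After" behaviour: only a non-empty string may replace the stored RT.
function updateTokenGuarded(acct: Account, accessToken: string, refreshToken?: string): void {
  acct.accessToken = accessToken;
  if (typeof refreshToken === "string" && refreshToken.length > 0) {
    acct.refreshToken = refreshToken;
  }
}

// Constructed refresh responses: RT rotated, field omitted, field empty.
type RefreshResponse = { access_token: string; refresh_token?: string };
const SAMPLE_RESPONSES: RefreshResponse[] = [
  { access_token: "at-2", refresh_token: "rt-2" },
  { access_token: "at-3" },
  { access_token: "at-4", refresh_token: "" },
];

// Replays the responses against a fresh account and returns the stored RT
// as it stands after each refresh cycle.
function replay(
  update: (a: Account, at: string, rt?: string) => void,
): (string | undefined)[] {
  const acct: Account = { id: "acct-1", accessToken: "at-1", refreshToken: "rt-1" };
  const history: (string | undefined)[] = [];
  for (const r of SAMPLE_RESPONSES) {
    update(acct, r.access_token, r.refresh_token);
    history.push(acct.refreshToken);
  }
  return history;
}
```

With the unguarded update the stored RT is gone after the second response, so every later refresh for that account fails; the guarded update keeps the last rotated value through all three cycles.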