Skip to content

fix: auto-retry on 403 bearer-invalid after idle#111

Open
leecoder wants to merge 1 commit into
tickernelz:masterfrom
leecoder:fix/403-bearer-retry
Open

fix: auto-retry on 403 bearer-invalid after idle#111
leecoder wants to merge 1 commit into
tickernelz:masterfrom
leecoder:fix/403-bearer-retry

Conversation

@leecoder

@leecoder leecoder commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Problem

After a period of inactivity, the first API request fails with:

Kiro Error: 403 - The bearer token included in the request is invalid.

The token in the plugin DB matches the kiro-cli token, is not expired, and kiro-cli whoami succeeds. This is a server-side bearer invalidation that resolves on the next attempt. Users currently have to manually retry or do a full logout/login cycle.

Related: #82

Solution

On the first encounter of a 403 with "bearer token included in the request is invalid", the plugin now:

  1. Forces a token refresh (kiro-cli sync -> if newer token available, use it; otherwise OIDC refresh)
  2. Retries the same request transparently (user sees no error)

If the retry also fails with bearer-invalid, the existing permanent-failure classification applies unchanged.

Changes

  • src/core/request/request-handler.ts: Added inline bearer-invalid detection before the error-handler, with a one-shot forceRefresh + continue
  • src/core/auth/token-refresher.ts: Added forceRefresh() method that attempts CLI sync first, then falls back to OIDC refresh
  • src/core/request/error-handler.ts: Added bearerRetried context flag and forceRefresh return field for defense-in-depth (error-handler path)

Testing

  • Reproduced on v1.11.2 with IAM Identity Center auth after ~2-10 hour idle periods
  • After patch: 403 is silently retried and succeeds on second attempt without user intervention
  • No behavioral change for other error types (429, 400, 500, permanent 403s like suspended accounts)

When the server invalidates the bearer token after an idle period,
the first request fails with 403 'The bearer token included in the
request is invalid'. Previously this was immediately classified as
a permanent auth failure.

Now on the first 403 bearer-invalid, the plugin:
1. Forces a token refresh (CLI sync or OIDC refresh)
2. Retries the same request transparently

If the retry also fails, existing permanent-failure handling applies.

Fixes tickernelz#82
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant