fix(ext-claude): refresh expired OAuth token for usage indicator #127
Closed
neumie wants to merge 1 commit into
57a2d5c to 6805c4f
The usage indicator read the stored accessToken directly and never refreshed it, so once the token expired the API returned 401 and the indicator silently disappeared.

Add a refresh flow:
- Read creds with Claude Code's precedence (macOS Keychain authoritative, ~/.claude/.credentials.json fallback), parsing refreshToken/expiresAt.
- Refresh proactively before expiry and reactively on 401 via the OAuth token endpoint; persist the rotated token atomically (temp + rename, 0600). 403 and other statuses are treated as non-refreshable failures.
- Serialize concurrent refreshes (other okena instances and Claude Code) with a proper-lockfile-compatible mkdir directory lock: mtime heartbeat, bounded acquire, and a race-free claim-by-mtime stale steal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
6805c4f to 6749af3
Problem
The Claude usage indicator read the stored accessToken directly and never refreshed it. Once the token expired, the usage API returned 401 Unauthorized and the indicator silently disappeared.

Change
Add an OAuth refresh flow to okena-ext-claude:
- ~/.claude/.credentials.json otherwise — now parsing refreshToken/expiresAt.
- 401, via the OAuth token endpoint. 403 and other statuses are treated as non-refreshable failures (refreshing can't fix scope/permission and would churn the single-use token).
- rename, 0600); a failed persist is treated as a failed refresh so a rotated token is never lost into a stale file.
- proper-lockfile-compatible mkdir directory lock: mtime heartbeat, bounded non-spinning acquire, and a race-free claim-by-mtime stale steal.

Notes
- filetime is declared as a direct dependency but is already in the build tree transitively via gpui, so no new crate is compiled. It's needed to set a directory's mtime cross-platform (std can't on Windows directories).
- security's argv briefly — documented in-code; security add-generic-password has no stdin input, matching Claude Code's own behavior.

Tests
31 unit tests (clip char-boundary, creds parsing/precedence, atomic-write errors, lock acquire/release/steal/heartbeat, stale detection).
cargo test -p okena-ext-claude green; clippy clean for the changed code.

🤖 Generated with Claude Code
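The atomic persist step the pull request describes (temp file + rename, 0600, a failed persist counts as a failed refresh) can be sketched as follows. This is an added example, not code from okena-ext-claude: `persist_atomically` and `finish_refresh` are hypothetical names, the target is assumed to be Unix, and the token value is a constructed sample.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::OpenOptionsExt; // Unix-only: permission bits set at creation
use std::path::Path;

/// Replace `dest` with `bytes` via a sibling temp file and rename().
/// Hypothetical helper for illustration, not the project's function.
pub fn persist_atomically(dest: &Path, bytes: &[u8]) -> io::Result<()> {
    let dir = dest
        .parent()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no parent dir"))?;
    let name = dest
        .file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no file name"))?;
    // Temp file lives next to dest so rename() never crosses filesystems.
    let mut tmp_name = name.to_os_string();
    tmp_name.push(format!(".tmp.{}", std::process::id()));
    let tmp = dir.join(tmp_name);

    let result = (|| -> io::Result<()> {
        let mut f = OpenOptions::new()
            .write(true)
            .create_new(true) // fail rather than reuse a pre-existing temp path
            .mode(0o600) // owner-only from creation, no chmod-after-write window
            .open(&tmp)?;
        f.write_all(bytes)?;
        f.sync_all()?; // flush to disk before the file becomes visible as dest
        fs::rename(&tmp, dest)
    })();
    if result.is_err() {
        let _ = fs::remove_file(&tmp); // do not leave a token-bearing temp file
    }
    result
}

/// The refresh only counts as successful once the rotated token is on disk.
pub fn finish_refresh(dest: &Path, rotated_json: &[u8]) -> Result<(), String> {
    persist_atomically(dest, rotated_json)
        .map_err(|e| format!("refresh failed: could not persist rotated token: {e}"))
}

fn main() {
    let dest = std::env::temp_dir().join(format!("creds-demo-{}.json", std::process::id()));
    // Constructed sample value, not a real credential.
    println!("{:?}", finish_refresh(&dest, br#"{"accessToken":"SAMPLE"}"#));
    let _ = fs::remove_file(&dest);
}
```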