@hlbmtc hlbmtc commented Jan 23, 2026

Fixed permanent "Authentication credentials were not provided." error

Summary by CodeRabbit

  • Bug Fixes
    • Improved authentication token handling to more reliably manage token refresh and verification, preventing unnecessary checks and ensuring invalid tokens are properly cleared.


@hlbmtc hlbmtc requested a review from cemreinanc January 23, 2026 17:41
coderabbitai bot commented Jan 23, 2026

Walkthrough

The middleware authentication logic was updated to conditionally verify tokens based on refresh status. If token refresh fails and no access token exists, the invalid refresh token is now explicitly cleared rather than proceeding to unnecessary verification.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Token Verification Logic: front_end/src/middleware.ts | Modified conditional flow to only call verifyToken when an access token is present after failed refresh attempts; added explicit token clearing via responseAuth.clearAuthTokens() when refresh fails and no access token exists |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A token once lost, now found its way,
Through refreshed gates, come what may,
When access fades and refresh does fail,
We clear the path without avail,
Conditional logic, crisp and clean! 🔐

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title 'Clear cookies if failed to refresh the token' directly matches the main objective and the specific change in middleware.ts where invalid refresh tokens are cleared by calling responseAuth.clearAuthTokens(). |


📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bac7031 and 2b194c7.

📒 Files selected for processing (1)
  • front_end/src/middleware.ts
🧰 Additional context used
🧬 Code graph analysis (1)
front_end/src/middleware.ts (1)
front_end/src/services/api/auth/auth.server.ts (1)
  • verifyToken (54-56)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: build / Build Docker Image
  • GitHub Check: Build Docker Image / Build Docker Image
  • GitHub Check: Backend Checks
  • GitHub Check: integration-tests
🔇 Additional comments (1)
front_end/src/middleware.ts (1)

114-121: Good fix for breaking the authentication error loop.

The logic correctly handles the case where a refresh token exists but is invalid (refresh failed) and there's no access token to verify. Clearing the tokens allows users to start fresh instead of being stuck with the persistent "Authentication credentials were not provided." error.

Consider adding a log statement for observability, consistent with the logging in verifyToken:

💡 Optional: Add logging for consistency
     if (!tokensRefreshed) {
       if (requestAuth.getAccessToken()) {
         await verifyToken(responseAuth);
       } else {
         // No access token and refresh failed - clear the invalid refresh token
+        console.error("No access token after failed refresh, clearing auth cookies");
         responseAuth.clearAuthTokens();
       }
     }
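
Review bot: The else branch clears the auth cookies on every `!tokensRefreshed` with no access token, and its inline comment assumes that always means the refresh token is invalid. If the refresh can also fail for a transient reason (backend unreachable, timeout), this signs the user out on a blip, so consider clearing only when the refresh was actually rejected. On the suggested `console.error` line, keep the message free of token values as it is now, and since an expired refresh token is an expected condition a warning level may fit better. The condition reads `requestAuth.getAccessToken()` while both actions operate on `responseAuth`; a one-line comment saying why the request side is the right source would help the next reader.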


github-actions bot commented Jan 23, 2026

🧹 Preview Environment Cleaned Up

The preview environment for this PR has been destroyed.

| Resource | Status |
| --- | --- |
| 🌐 Preview App | ✅ Deleted |
| 🗄️ PostgreSQL Branch | ✅ Deleted |
| ⚡ Redis Database | ✅ Deleted |
| 🔧 GitHub Deployments | ✅ Removed |
| 📦 Docker Image | ⚠️ Retained (auto-cleanup via GHCR policies) |

Cleanup triggered by PR close at 2026-01-23T18:08:14Z

@cemreinanc cemreinanc left a comment


LGTM

@hlbmtc hlbmtc merged commit c2c0e37 into main Jan 23, 2026
17 checks passed
@hlbmtc hlbmtc deleted the fix/incorrect-refresh-token-logout branch January 23, 2026 18:08
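
The stuck state this PR fixes, replayed as an added example (not code from the repository): a synchronous model of the middleware branch in which a browser holds only a stale refresh cookie. The `Cookies` type, `refresh`, `verify`, `clearTokens`, the token values, and the assumptions that refresh is attempted only when no access token is present and that verification does nothing without an access token are all hypothetical stand-ins for the project's real helpers.

```typescript
// Added illustration: hypothetical stand-ins, not the project's middleware.ts.
type Cookies = { access?: string; refresh?: string };

// Constructed sample values accepted by the pretend backend.
const VALID_ACCESS = "access-ok";
const VALID_REFRESH = "refresh-ok";

function clearTokens(c: Cookies): void {
  delete c.access;
  delete c.refresh;
}

// Returns true and issues a new access token only for a valid refresh token.
function refresh(c: Cookies): boolean {
  if (c.refresh !== VALID_REFRESH) return false;
  c.access = VALID_ACCESS;
  return true;
}

// Assumed verifyToken behaviour: clears cookies only when an access token
// is present and rejected; with no access token there is nothing to check.
function verify(c: Cookies): void {
  if (c.access !== undefined && c.access !== VALID_ACCESS) clearTokens(c);
}

// One pass through the branch. `patched` selects the logic merged in this PR;
// otherwise verify() runs unconditionally after a failed refresh.
function handleRequest(c: Cookies, patched: boolean): Cookies {
  const needsRefresh = c.refresh !== undefined && c.access === undefined;
  const tokensRefreshed = needsRefresh ? refresh(c) : false;
  if (!tokensRefreshed) {
    if (!patched || c.access !== undefined) verify(c);
    else clearTokens(c); // no access token and refresh failed
  }
  return c;
}

// Replays `n` requests from the same browser and reports whether the
// refresh cookie is still being sent at the end.
function refreshCookieSurvives(start: Cookies, patched: boolean, n = 3): boolean {
  const jar: Cookies = { ...start };
  for (let i = 0; i < n; i++) handleRequest(jar, patched);
  return jar.refresh !== undefined;
}
```

With the unpatched branch the stale refresh cookie is retried on every request and never removed, which matches the permanent error described in the PR; the patched branch drops it on the first request while leaving valid sessions untouched.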