feat(server): conditional token refresh#5516
Conversation
hassan254-prog
force-pushed
the
wari/conditional-refresh-token
branch
from
612b50d to
df69524
Compare
![propel-code-bot[bot]](https://avatars.githubusercontent.com/in/1179004?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
hassan254-prog
force-pushed
the
wari/conditional-refresh-token
branch
from
df69524 to
32d5583
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
hassan254-prog
force-pushed
the
wari/conditional-refresh-token
branch
from
32d5583 to
8342f6f
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
hassan254-prog
force-pushed
the
wari/conditional-refresh-token
branch
from
8342f6f to
dadd707
Compare
There was a problem hiding this comment.
No issues were identified; the conditional token refresh implementation appears solid and ready to merge.
Status: No Issues Found | Risk: Low
Review Details
📁 15 files reviewed | 💬 0 comments
Instruction Files
├── .claude/
│ ├── agents/
│ │ └── nango-docs-migrator.md
│ └── skills/
│ ├── agent-builder-skill/
│ │ ├── EXAMPLES.md
│ │ └── SKILL.md
│ ├── creating-integration-docs/
│ │ └── SKILL.md
│ └── creating-skills-skill/
│ └── SKILL.md
├── AGENTS.md
└── GEMINI.md
|
|
||
| import { networkError } from '@nangohq/utils'; | ||
|
|
||
| import { REFRESHABLE_AUTH_MODES } from '../../constants.js'; |
There was a problem hiding this comment.
Does this need to have a .js suffix? Also, once we are in double .. territory, it's worth just importing it with an absolute path
There was a problem hiding this comment.
Yes, it does, when using node16 module resolution, relative imports must include the file extension, using an absolute path would mean we will need to add the package shared as its own dependency.
| let refreshTokenAttempts = 0; | ||
|
|
||
| const minRetriesForRefresh = this.config.refreshTokenOn?.length && this.onRefreshToken ? MAX_REFRESH_TOKEN_ATTEMPTS + 1 : 0; | ||
| const maxRetries = Math.max(this.config.retries ?? 0, minRetriesForRefresh); |
There was a problem hiding this comment.
Could you explain this block? Why are we assigning a MAX+1 to a variable with minimum in the name, and then assigning a min to a max again? They all have retry and/or refresh in the name, it's confusing :/
There was a problem hiding this comment.
I’ve updated this with clearer naming. The +1 ensures there are enough attempt slots to handle the two token refreshes.
|
@hassan254-prog I haven't follow the discussion about this feature. Can you explain why do we need it? |
We are addressing a performance issue with salesforce-related provider's proxy calls. Currently, every time we call |
marcindobry
left a comment
marcindobry
left a comment
There was a problem hiding this comment.
LGTM but this seems like it could break something by accident and would love someone with more knowledge about the code to also have a look. I haven't worked with the proxy and retry logic yet
why are we always introspecting and not checking the |
No, we don’t have that info stored for salesforce, they don't return it. Their token also doesn’t include expiry details, since it includes opaque strings and not a regular jwt, which is why we need to introspect it to determine whether it has expired. |
I can see plenty of salesforce connections with a set |
Can we set the real |
3 participants
Describe the problem and your solution
Add conditional refresh-token retries in proxy flow
This PR introduces configurable conditional token refresh for proxy requests, allowing retries to trigger a credential refresh based on specific HTTP status codes. The new
refreshTokenOnoption flows from provider metadata and SDK configuration through proxy config building, retry logic, and the server controller to call credential refresh before retrying, with expanded unit tests and documentation updates.Key Changes
• Added
refreshTokenOnsupport to proxy configuration types and builder inpackages/types/lib/proxy/api.tsandpackages/shared/lib/services/proxy/utils.ts• Implemented refresh-triggered retries with
onRefreshToken,MAX_REFRESH_TOKEN_ATTEMPTS, and retry budget adjustments inpackages/shared/lib/services/proxy/request.ts• Updated proxy controller to parse
refresh-token-onheader and invokerefreshOrTestCredentialsbefore retrying inpackages/server/lib/controllers/proxy/allProxy.ts• Centralized refreshable auth modes in
packages/shared/lib/constants.tsand used them inpackages/shared/lib/services/connections/credentials/refresh.tsandpackages/shared/lib/services/proxy/retry.ts• Added tests for refresh-triggered retries and caps in
packages/shared/lib/services/proxy/request.unit.test.tsandpackages/shared/lib/services/proxy/retry.unit.test.ts, plus docs updates indocs/spec.yaml,docs/reference/functions.mdx, anddocs/reference/sdks/node.mdxPossible Issues
• Refresh failures from
refreshOrTestCredentialsare currently ignored inpackages/server/lib/controllers/proxy/allProxy.ts, potentially causing wasted retries with stale credentials.• Documentation grammar for “status codes that triggers” appears in multiple docs sections and may need correction.
This summary was automatically generated by @propel-code-bot