Commit abdddb8

ibetitsmike and Claude committed
fix: update API key expiration based on OAuth refresh
This fixes issue #17070 by refreshing an expired API key when a valid OAuth2 token is available.

Previously, the logic would only refresh the OAuth token when it was expired, not when just the API key was expired. The issue occurs because the API key expiration check happened before the OAuth refresh logic could update the key.ExpiresAt field. Now we attempt to refresh the OAuth token even when only the API key is expired.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
1 parent 1803449 commit abdddb8

File tree

1 file changed: +9 / -2 lines changed

coderd/httpmw/apikey.go

Lines changed: 9 additions & 2 deletions
@@ -257,8 +257,10 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
257257
Detail: fmt.Sprintf("get user link by user ID and login type: %s", err.Error()),
258258
})
259259
}
260-
// Check if the OAuth token is expired
261-
if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() && link.OAuthRefreshToken != "" {
260+
// Check if the OAuth token is expired OR the API key is expired (to fix issue #17070)
261+
// We attempt to refresh the OAuth token even if only the API key is expired
262+
if (link.OAuthExpiry.Before(now) || key.ExpiresAt.Before(now)) &&
263+
!link.OAuthExpiry.IsZero() && link.OAuthRefreshToken != "" {
262264
if cfg.OAuth2Configs.IsZero() {
263265
return write(http.StatusInternalServerError, codersdk.Response{
264266
Message: internalErrorMessage,
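Review bot: the widened condition at lines 262-263 enters the refresh branch whenever `key.ExpiresAt.Before(now)`, even while `link.OAuthExpiry` is still in the future, so a still-valid OAuth token is refreshed on every request carrying an expired key; with providers that rotate refresh tokens on each use that is one provider round-trip and one token rotation per request. It also changes the response for an expired key: where previously it fell through to the 401 "signed out" check, a link that has a refresh token on a deployment where `cfg.OAuth2Configs.IsZero()` now gets the 500 at line 265 instead. More fundamentally, nothing in this hunk shows the refresh path writing a new `key.ExpiresAt`; if it only updates `link.OAuthExpiry`, the later `if key.ExpiresAt.Before(now)` check still rejects the request. Suggest (a) gating the new branch on the key being expired and the link not having been refreshed already for this key, (b) confirming and documenting that a successful refresh extends `key.ExpiresAt`, since this makes the key's effective lifetime bounded by the refresh token rather than the configured key expiry, which is a session-lifetime policy change worth stating explicitly, and (c) adding a test for the "API key expired, OAuth token valid" case that the commit message describes.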
@@ -316,6 +318,11 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
316318
// NOTE: The `RequireAuth` React component depends on this `Detail` to detect when
317319
// the users token has expired. If you change the text here, make sure to update it
318320
// in site/src/components/RequireAuth/RequireAuth.tsx as well.
321+
//
322+
// This check happens after the OAuth token refresh logic, which now includes
323+
// attempting to refresh the OAuth token when the API key is expired (see the condition
324+
// above that checks for key.ExpiresAt.Before(now)). This ensures an expired API key
325+
// can be refreshed via a valid OAuth2 token, fixing issue #17070.
319326
if key.ExpiresAt.Before(now) {
320327
return optionalWrite(http.StatusUnauthorized, codersdk.Response{
321328
Message: SignedOutErrorMessage,
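Review bot: the five comment lines added at 321-325 narrate the change history (issue number, "which now includes") rather than the invariant at this point in the code, and the claim "This ensures an expired API key can be refreshed" is not something this check guarantees; it is the gate that still fires when the refresh above did not extend `key.ExpiresAt`. Suggest collapsing them to one line, for example `// Runs after the OAuth refresh above; an expired key that the refresh did not extend is rejected here.`, and leaving the issue reference to the commit message.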
