Skip to content

Gate OAuth token refresh on credential store writability#1377

Draft
RhysSullivan wants to merge 2 commits into
mainfrom
repro-vault-write-outage
Draft

Gate OAuth token refresh on credential store writability#1377
RhysSullivan wants to merge 2 commits into
mainfrom
repro-vault-write-outage

Conversation

@RhysSullivan

Copy link
Copy Markdown
Collaborator

A secret-store write failure while persisting a refreshed OAuth token could permanently invalidate the connection: the refresh grant had already consumed the single-use refresh token at the authorization server, so the rotated replacement was lost and the next refresh was rejected with invalid_grant, forcing a reconnect over what was only a transient storage error.

The refresh path now rewrites the stored refresh token in place before consuming it, so a store outage fails the request before the grant and the connection recovers once the store does. Includes an e2e scenario that stages the outage against the WorkOS emulator's vault and pins both the surfaced error and the recovery contract.

A vault write failure while persisting a refreshed OAuth token lost the
rotated refresh token: the grant had already consumed the single-use stored
token at the authorization server, so once the vault recovered the next
refresh replayed the revoked token, got invalid_grant, and the connection
demanded a re-auth over what was only a storage blip.

Before consuming the refresh token, rewrite the stored value in place as a
writability probe. A store outage now fails the resolve before the grant,
leaving the stored token valid so the connection recovers with the store.
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
executor-marketing 8a89dd5 Commit Preview URL

Branch Preview URL
Jul 09 2026, 02:57 AM

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Cloudflare preview

Console https://executor-preview-pr-1377.executor-e2e.workers.dev
MCP https://executor-preview-pr-1377.executor-e2e.workers.dev/mcp
Deployed commit 8a89dd5

Sign-in is Cloudflare Access (one-time PIN to an allowed email). The preview has its own database and encryption key; it is destroyed when this PR closes.

@pkg-pr-new

pkg-pr-new Bot commented Jul 9, 2026

Copy link
Copy Markdown

Open in StackBlitz

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@1377

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@1377

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@1377

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@1377

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@1377

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@1377

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@1377

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@1377

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@1377

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@1377

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@1377

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@1377

executor

npm i https://pkg.pr.new/executor@1377

commit: 8a89dd5

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
executor-cloud 8a89dd5 Jul 09 2026, 03:00 AM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant