fix(swift): remove .convertToSnakeCase encoder + fix 7 session retry bugs across all SDKs

Critical: AuthonAPI encoder was converting camelCase keys to snake_case
(refreshToken → refresh_token), causing token refresh and all multi-word
body fields (displayName, mfaToken, walletType, etc.) to silently fail.

SessionManager rewritten:
- Replace isPerformingRefresh + recursive calls with retryTask + while loop
- Add sessionGeneration counter to invalidate stale retry chains on new login
- setTokens() cancels retryTask, resets retryCount, bumps generation
- scheduleRefresh() cancels retryTask alongside refreshWorkItem
- Task.sleep CancellationError properly caught (cancelled retry exits)
- onExpired() checks sessionGeneration before killing session
- destroy() cancels retryTask and bumps generation

JS SDK: setSession() now resets refreshRetryCount
RN SDK: added 3x retry with backoff (was missing entirely), scheduleRefresh resets retryCount

Author: mikusnuz

packages/js/dist/index.cjs

@@ -2555,6 +2555,7 @@ var SessionManager = class _SessionManager {
     this.accessToken = tokens.accessToken;
     this.refreshToken = tokens.refreshToken;
     this.user = tokens.user;
+    this.refreshRetryCount = 0;
     this.persistToStorage();
     if (tokens.expiresIn && tokens.expiresIn > 0) {
       this.scheduleRefresh(tokens.expiresIn);

packages/js/dist/index.cjs.map

@@ -75,6 +75,7 @@ export class SessionManager {
     this.accessToken = tokens.accessToken;
     this.refreshToken = tokens.refreshToken;
     this.user = tokens.user;
+    this.refreshRetryCount = 0;
     this.persistToStorage();
     if (tokens.expiresIn && tokens.expiresIn > 0) {
       this.scheduleRefresh(tokens.expiresIn);

packages/js/dist/index.js

@@ -49,6 +49,9 @@ export class AuthonMobileClient {
   private storage: TokenStorage | null = null;
   private refreshInFlight: Promise<TokenPair | null> | null = null;
   private refreshTimer: ReturnType<typeof setTimeout> | null = null;
+  private refreshRetryCount = 0;
+  private static readonly MAX_REFRESH_RETRIES = 3;
+  private static readonly RETRY_DELAYS = [3, 10, 30]; // seconds
   private listeners: Map<string, Set<(...args: unknown[]) => void>> = new Map();
 
   // Cached provider/branding data
@@ -206,7 +209,6 @@ export class AuthonMobileClient {
   }
 
   private async _doRefresh(token: string): Promise<TokenPair | null> {
-
     try {
       const res = await fetch(`${this.apiUrl}/v1/auth/token/refresh`, {
         method: 'POST',
@@ -220,25 +222,48 @@ export class AuthonMobileClient {
       if (!res.ok) {
         // 401 = refresh token permanently invalid
         if (res.status === 401) {
+          this.refreshRetryCount = 0;
           this.clearSession();
+          this.emit('signedOut');
+          return null;
         }
-        // Other errors (500, network) — preserve tokens for retry
+        // Other errors (500, network) — retry with backoff
+        this.retryRefresh();
         return null;
       }
 
       const data = (await res.json()) as ApiAuthResponse;
+      this.refreshRetryCount = 0;
       this.tokens = this.toTokenPair(data);
       this.user = data.user;
       await this.persistTokens();
       this.scheduleRefresh(this.tokens.expiresAt);
       this.emit('tokenRefreshed');
       return this.tokens;
     } catch {
-      // Network error — do NOT clear session
+      // Network error — retry with backoff, do NOT clear session
+      this.retryRefresh();
       return null;
     }
   }
 
+  private retryRefresh(): void {
+    if (this.refreshRetryCount < AuthonMobileClient.MAX_REFRESH_RETRIES) {
+      const delay = AuthonMobileClient.RETRY_DELAYS[
+        Math.min(this.refreshRetryCount, AuthonMobileClient.RETRY_DELAYS.length - 1)
+      ];
+      this.refreshRetryCount++;
+      this.clearRefreshTimer();
+      this.refreshTimer = setTimeout(() => {
+        this.refreshToken().catch(() => {});
+      }, delay * 1000);
+    } else {
+      this.refreshRetryCount = 0;
+      this.clearSession();
+      this.emit('signedOut');
+    }
+  }
+
   getAccessToken(): string | null {
     return this.tokens?.accessToken || null;
   }
@@ -501,6 +526,7 @@ export class AuthonMobileClient {
   /** Schedule auto-refresh 60 seconds before token expiry (like JS SDK) */
   private scheduleRefresh(expiresAt: number): void {
     this.clearRefreshTimer();
+    this.refreshRetryCount = 0;
     const refreshIn = Math.max(expiresAt - Date.now() - 60_000, 30_000);
     this.refreshTimer = setTimeout(() => {
       this.refreshToken().catch(() => {});

packages/js/dist/index.js.map

@@ -647,7 +647,6 @@ public final class Authon: ObservableObject {
 
         if let body {
             let encoder = JSONEncoder()
-            encoder.keyEncodingStrategy = .convertToSnakeCase
             req.httpBody = try encoder.encode(AnyEncodableBox(body))
         }
 

packages/js/src/session.ts

@@ -15,7 +15,6 @@ final class AuthonAPI: Sendable {
         dec.keyDecodingStrategy = .convertFromSnakeCase
         self.decoder = dec
         let enc = JSONEncoder()
-        enc.keyEncodingStrategy = .convertToSnakeCase
         self.encoder = enc
     }
 

packages/react-native/src/client.ts

@@ -19,8 +19,9 @@ final class SessionManager {
     private static let maxRefreshRetries = 3
     private static let retryDelays: [TimeInterval] = [3, 10, 30]
     private var refreshInFlight: Task<RefreshResult?, Never>?
-    private var isPerformingRefresh = false
+    private var retryTask: Task<Void, Never>?
     private let onExpired: () -> Void
+    private var sessionGeneration: UInt64 = 0
 
     init(publishableKey: String, api: AuthonAPI, onRefreshed: @escaping (TokenPair, AuthonUser) -> Void, onExpired: @escaping () -> Void) {
         self.keychainService = "dev.authon.sdk"
@@ -95,6 +96,10 @@ final class SessionManager {
     // MARK: - Token Management
 
     func setTokens(_ pair: TokenPair) {
+        retryTask?.cancel()
+        retryTask = nil
+        refreshRetryCount = 0
+        sessionGeneration &+= 1
         tokens = pair
         saveToKeychain(pair)
         scheduleRefresh()
@@ -160,6 +165,8 @@ final class SessionManager {
     func scheduleRefresh() {
         refreshWorkItem?.cancel()
         refreshWorkItem = nil
+        retryTask?.cancel()
+        retryTask = nil
 
         guard let tokens else { return }
 
@@ -183,29 +190,39 @@ final class SessionManager {
     }
 
     private func performRefresh() {
-        guard !isPerformingRefresh else { return }
-        isPerformingRefresh = true
+        retryTask?.cancel()
+        let generation = sessionGeneration
 
-        Task { [weak self] in
+        retryTask = Task { [weak self] in
             guard let self else { return }
-            defer { self.isPerformingRefresh = false }
-
-            if let result = await self.refresh() {
-                self.refreshRetryCount = 0
-                self.scheduleRefresh()
-                self.onRefreshed(result.pair, result.user)
-            } else {
-                if self.refreshRetryCount < Self.maxRefreshRetries {
-                    let delay = Self.retryDelays[min(self.refreshRetryCount, Self.retryDelays.count - 1)]
-                    self.refreshRetryCount += 1
-                    try? await Task.sleep(nanoseconds: UInt64(delay * 1_000_000_000))
-                    self.isPerformingRefresh = false
-                    self.performRefresh()
-                } else {
+
+            while !Task.isCancelled, self.sessionGeneration == generation {
+                if let result = await self.refresh() {
+                    guard !Task.isCancelled, self.sessionGeneration == generation else { return }
+                    self.refreshRetryCount = 0
+                    self.scheduleRefresh()
+                    self.onRefreshed(result.pair, result.user)
+                    return
+                }
+
+                guard !Task.isCancelled, self.sessionGeneration == generation else { return }
+
+                if self.refreshRetryCount >= Self.maxRefreshRetries {
                     self.refreshRetryCount = 0
                     self.refreshWorkItem?.cancel()
                     self.refreshWorkItem = nil
+                    guard self.sessionGeneration == generation else { return }
                     self.onExpired()
+                    return
+                }
+
+                let delay = Self.retryDelays[min(self.refreshRetryCount, Self.retryDelays.count - 1)]
+                self.refreshRetryCount += 1
+
+                do {
+                    try await Task.sleep(nanoseconds: UInt64(delay * 1_000_000_000))
+                } catch {
+                    return
                 }
             }
         }
@@ -258,6 +275,9 @@ final class SessionManager {
     func destroy() {
         refreshWorkItem?.cancel()
         refreshWorkItem = nil
+        retryTask?.cancel()
+        retryTask = nil
+        sessionGeneration &+= 1
         tokens = nil
         NotificationCenter.default.removeObserver(self)
     }