fix(tampermonkey): preserve refreshed auth tokens

Author: screwys

scripts/tampermonkey/igloo-site-sync.user.js

@@ -1,7 +1,7 @@
 // ==UserScript==
 // @name         Igloo Site Sync
 // @namespace    local.igloo.site.sync
-// @version      8.0.34
+// @version      8.0.35
 // @author       screwys
 // @description  Follow X, TikTok, Instagram, and YouTube channels in Igloo; includes the full X media workflow.
 // @homepageURL  https://github.com/screwys/Igloo
@@ -36,7 +36,7 @@
 
 (function () {
   "use strict";
-  const SCRIPT_VERSION = "8.0.34";
+  const SCRIPT_VERSION = "8.0.35";
 
   const SETTINGS = {
     apiBase: "xsync_api_base",
@@ -476,6 +476,59 @@
     return true;
   }
 
+  function responseErrorCode(resp) {
+    return String(resp?.json?.error_code || "");
+  }
+
+  function responseErrorDetail(resp) {
+    return (
+      resp?.json?.error_message ||
+      resp?.json?.error_code ||
+      resp?.error ||
+      resp?.status ||
+      "error"
+    );
+  }
+
+  function isHTMLAuthRedirect(resp) {
+    return (
+      resp?.status === 303 ||
+      (resp?.ok && resp?.json === null && resp?.text?.includes("<!DOCTYPE"))
+    );
+  }
+
+  function shouldRefreshAuthResponse(resp) {
+    if (!resp) return false;
+    if (isHTMLAuthRedirect(resp)) return true;
+    if (resp.status !== 401) return false;
+    const code = responseErrorCode(resp);
+    if (code === "access_token_expired" || code === "legacy_token_invalid") {
+      return true;
+    }
+    return !code && !!getToken();
+  }
+
+  function authFailureNotice(resp, refreshResp) {
+    const code = responseErrorCode(refreshResp) || responseErrorCode(resp);
+    if (code === "refresh_token_expired" || code === "access_token_expired") {
+      return "Session expired; use Tampermonkey menu \u2192 Log in to server";
+    }
+    if (code === "refresh_token_replayed" || code === "session_revoked") {
+      return "Session revoked; use Tampermonkey menu \u2192 Log in to server";
+    }
+    if (
+      code === "legacy_token_invalid" ||
+      code === "refresh_token_invalid" ||
+      code === "access_token_invalid"
+    ) {
+      return "Saved login was rejected; use Tampermonkey menu \u2192 Log in to server";
+    }
+    if (code === "unauthenticated") {
+      return "Not logged in; use Tampermonkey menu \u2192 Log in to server";
+    }
+    return `Authentication failed (${responseErrorDetail(refreshResp || resp)}); use Tampermonkey menu \u2192 Log in to server`;
+  }
+
   function forgetLegacyDashboardPassword() {
     try {
       if (typeof GM_deleteValue === "function") {
@@ -982,7 +1035,8 @@
 
   async function _refreshToken() {
     const refresh = getRefresh();
-    if (!refresh) return false;
+    const access = getToken();
+    if (!refresh) return { ok: false, response: null };
     const r = await _rawApiRequest(
       "POST",
       "/api/auth/refresh",
@@ -991,33 +1045,33 @@
     );
     if (r.ok && storeAuthTokens(r.json)) {
       console.log("[XSync] token rotated");
-      return true;
+      return { ok: true, response: r };
+    }
+    if (getRefresh() !== refresh && getToken() !== access) {
+      console.log("[XSync] refresh superseded by newer login");
+      return { ok: true, response: r, superseded: true };
     }
     if (r.status === 401) {
-      GM_setValue(SETTINGS.authRefresh, "");
-      GM_setValue(SETTINGS.authToken, "");
+      if (getRefresh() === refresh) GM_setValue(SETTINGS.authRefresh, "");
+      if (getToken() === access) GM_setValue(SETTINGS.authToken, "");
     }
-    return false;
+    return { ok: false, response: r };
   }
 
   async function apiRequest(method, path, body, withAuth = true) {
     const resp = await _rawApiRequest(method, path, body, withAuth);
-    // Detect expired token: 303 redirect to /login, or 401
-    if (
-      withAuth &&
-      (resp.status === 303 ||
-        resp.status === 401 ||
-        (resp.ok && resp.json === null && resp.text.includes("<!DOCTYPE")))
-    ) {
+    if (withAuth && shouldRefreshAuthResponse(resp)) {
       if (!_refreshingToken) {
-        _refreshingToken = _refreshToken().then((ok) => {
+        _refreshingToken = _refreshToken().then((result) => {
           _refreshingToken = null;
-          return ok;
+          return result;
         });
       }
-      const refreshed = await _refreshingToken;
-      if (refreshed) return _rawApiRequest(method, path, body, withAuth);
-      notify("Token expired — use Tampermonkey menu → Log in to server");
+      const refreshResult = await _refreshingToken;
+      if (refreshResult.ok) return _rawApiRequest(method, path, body, withAuth);
+      notify(authFailureNotice(resp, refreshResult.response));
+    } else if (withAuth && resp.status === 401) {
+      notify(authFailureNotice(resp, null));
     }
     return resp;
   }

scripts/tampermonkey/igloo-site-sync.user.test.mjs

@@ -181,6 +181,8 @@ function buildHarness({
   unsafeWindow = {},
   userAgent = "Mozilla/5.0 Chrome/120.0.0.0",
   initialValues = {},
+  onRequest = null,
+  responseOverrides = {},
   twitterChannels = [
     {
       channel_id: "twitter_alice",
@@ -323,8 +325,11 @@ function buildHarness({
       });
       const response = responseFor(options.url, {
         data: options.data,
+        headers: options.headers || {},
+        responseOverrides,
         twitterChannels,
       });
+      onRequest?.(requestCalls[requestCalls.length - 1], values);
       queueMicrotask(() => {
         options.onload({
           status: response.status,
@@ -364,7 +369,16 @@ function buildHarness({
   };
 }
 
-function responseFor(url, { data, twitterChannels } = {}) {
+function responseFor(
+  url,
+  { data, headers = {}, responseOverrides = {}, twitterChannels } = {},
+) {
+  const override = responseOverrides[url];
+  if (override) {
+    return typeof override === "function"
+      ? override({ data, headers, twitterChannels })
+      : override;
+  }
   if (url === "http://127.0.0.1:5001/api/health/live") {
     return {
       status: 400,
@@ -763,6 +777,85 @@ test("expired refresh token asks for login without password fallback", async ()
   );
 });
 
+test("failed refresh does not clear tokens replaced by a newer login", async () => {
+  const freshAccess = "fresh-access";
+  const freshRefresh = "fresh-refresh";
+  const harness = buildHarness({
+    initialValues: {
+      xsync_auth_token: "expired-access",
+      xsync_auth_refresh: "expired-refresh",
+    },
+    onRequest(call, values) {
+      if (call.url === "https://localhost:5001/api/auth/refresh") {
+        values.set("xsync_auth_token", freshAccess);
+        values.set("xsync_auth_refresh", freshRefresh);
+      }
+    },
+    responseOverrides: {
+      "https://localhost:5001/api/stats": ({ headers }) => {
+        if (headers.Authorization === `Bearer ${freshAccess}`) {
+          return { status: 200, text: JSON.stringify({ ok: true }) };
+        }
+        return {
+          status: 401,
+          text: JSON.stringify({
+            error_code: "access_token_expired",
+            error_message: "token expired",
+          }),
+        };
+      },
+    },
+  });
+  runScript(harness);
+
+  const testConnection = harness.menu.get("Test connection");
+  await testConnection();
+  await drainMicrotasks();
+
+  assert.ok(
+    harness.requests.includes("https://localhost:5001/api/auth/refresh"),
+    `expected refresh request, got ${harness.requests.join(", ")}`,
+  );
+  assert.equal(harness.values.get("xsync_auth_token"), freshAccess);
+  assert.equal(harness.values.get("xsync_auth_refresh"), freshRefresh);
+  assert.ok(
+    harness.toasts.some((message) => message.includes("Server connection OK")),
+    `expected successful retry toast, got ${harness.toasts.join(", ")}`,
+  );
+});
+
+test("unauthenticated API response does not claim token expiry", async () => {
+  const harness = buildHarness({
+    responseOverrides: {
+      "https://localhost:5001/api/stats": {
+        status: 401,
+        text: JSON.stringify({
+          error_code: "unauthenticated",
+          error_message: "Authentication required",
+        }),
+      },
+    },
+  });
+  runScript(harness);
+
+  const testConnection = harness.menu.get("Test connection");
+  await testConnection();
+  await drainMicrotasks();
+
+  assert.equal(
+    harness.requests.includes("https://localhost:5001/api/auth/refresh"),
+    false,
+  );
+  assert.equal(
+    harness.toasts.some((message) => message.includes("Token expired")),
+    false,
+  );
+  assert.ok(
+    harness.toasts.some((message) => message.includes("Not logged in")),
+    `expected login guidance, got ${harness.toasts.join(", ")}`,
+  );
+});
+
 test("stays idle on X auth routes", async () => {
   class FakeXMLHttpRequest {
     open() {}