refactor reconnect account logic

[neo773]

No description provided.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR refactors the OAuth token refresh logic for connected accounts to use a timestamp-based validation approach instead of JWT decoding. It introduces a new lastCredentialsRefreshedAt field to track when tokens were last refreshed, eliminating the need to decode Microsoft JWT tokens.

Key Changes:

• Replaced JWT-based token expiration checking with timestamp-based validation using lastCredentialsRefreshedAt field
• Added comprehensive error handling for invalid_grant OAuth errors from both Google and Microsoft providers
• Introduced automated retry mechanism via cron jobs that run every 30 minutes to relaunch failed calendar and message channels
• Updated reconnection alert logic to only trigger for insufficient permissions failures (not all failures)
• Removed the is-access-token-expired-or-invalid.util.ts file as it's no longer needed
• Added comprehensive test coverage for the new token validation logic

Impact:

• More efficient token management by avoiding network calls to validate Google tokens
• Better error categorization between revoked tokens and temporary network issues
• Automatic recovery for transiently failed sync channels
• Improved user experience by automatically clearing reconnection alerts when channels recover

Confidence Score: 4/5

• This PR is generally safe to merge with well-tested changes and improved error handling
• The refactor is well-designed with comprehensive test coverage (203 lines of tests added). The timestamp-based approach is simpler and more maintainable than JWT decoding. However, there are minor concerns: (1) using the same 60-minute expiration constant for both Google and Microsoft tokens when their actual lifetimes may differ, and (2) raw SQL queries in cron jobs instead of ORM usage. These are style/maintainability issues rather than critical bugs.
• No files require special attention - the changes are well-implemented with good test coverage

Important Files Changed

File Analysis

Filename	Score	Overview
packages/twenty-server/src/modules/connected-account/standard-objects/connected-account.workspace-entity.ts	5/5	Adds new lastCredentialsRefreshedAt timestamp field to track when OAuth tokens were last refreshed
packages/twenty-server/src/modules/connected-account/refresh-tokens-manager/services/connected-account-refresh-tokens.service.ts	4/5	Refactors token validation to use timestamp-based approach instead of JWT decoding, updates lastCredentialsRefreshedAt on refresh, simplifies error handling
packages/twenty-server/src/modules/calendar/calendar-event-import-manager/crons/jobs/calendar-relaunch-failed-calendar-channels.cron.job.ts	5/5	New cron job that runs every 30 minutes to identify and queue failed calendar channels for retry
packages/twenty-server/src/modules/calendar/calendar-event-import-manager/jobs/calendar-relaunch-failed-calendar-channel.job.ts	5/5	New job that resets failed calendar channels to pending state and removes reconnection alerts
packages/twenty-server/src/modules/messaging/message-import-manager/crons/jobs/messaging-relaunch-failed-message-channels.cron.job.ts	5/5	New cron job that runs every 30 minutes to identify and queue failed message channels for retry
packages/twenty-server/src/modules/messaging/message-import-manager/jobs/messaging-relaunch-failed-message-channel.job.ts	5/5	New job that resets failed message channels to pending state and removes reconnection alerts
packages/twenty-server/src/modules/messaging/common/services/message-channel-sync-status.service.ts	5/5	Updates reconnection logic to only trigger for insufficient permissions failures, not all failures

Sequence Diagram

sequenceDiagram
    participant Cron as Cron Job (30 min)
    participant Queue as Message Queue
    participant Job as Relaunch Job
    participant DB as Database
    participant TokenSvc as Token Service
    participant Provider as OAuth Provider
    participant AcctSvc as Accounts Service

    Note over Cron: Every 30 minutes
    Cron->>DB: Query failed channels
    DB-->>Cron: Return failed channels
    loop For each failed channel
        Cron->>Queue: Add relaunch job
    end

    Queue->>Job: Process relaunch job
    Job->>DB: Fetch channel with relations
    alt Channel still in FAILED state
        Job->>DB: Update syncStage to PENDING
        Job->>DB: Update syncStatus to ACTIVE
        Job->>AcctSvc: Remove reconnect alert
    end

    Note over TokenSvc: When channel syncs again
    TokenSvc->>TokenSvc: Check lastCredentialsRefreshedAt
    alt Token still valid (< 55 min old)
        TokenSvc-->>TokenSvc: Reuse existing token
    else Token expired or null
        TokenSvc->>Provider: Refresh OAuth tokens
        alt Success
            Provider-->>TokenSvc: New tokens
            TokenSvc->>DB: Update tokens + timestamp
        else invalid_grant error
            Provider-->>TokenSvc: Invalid refresh token
            TokenSvc->>DB: Mark authFailedAt
            TokenSvc->>AcctSvc: Add to reconnect list
        end
    end

Loading

_{20 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

[github-actions]

🚀 Preview Environment Ready!

Your preview environment is available at: http://bore.pub:18746

This environment will automatically shut down when the PR is closed or after 5 hours.

[charlesBochet]

LGTM, left a minor comment

[github-actions]

Thanks @neo773 for your contribution!
This marks your 52nd PR on the repo. You're top 1% of all our contributors 🎉
See contributor page - Share on LinkedIn - Share on Twitter