Skip to content

401 interceptor races freshly-set provider token cookie #180

Open
Open
401 interceptor races freshly-set provider token cookie#180
Labels
P2-mediumPlan for this monthbugSomething isn't working

Description

@ryota-murakami
ryota-murakami
opened on Apr 29, 2026

Summary

axios 401 interceptor unconditionally clears the GitHub provider token cookie, racing with refresh.

Source

P2 follow-up from /ship adversarial review of PR #176 (silent GitHub token refresh).

Details

src/lib/axios-github.ts:101-110 unconditionally calls deleteGitHubTokenCookie() on any 401. A stale request resolving after refresh completes can nuke the fresh cookie.

Fix

Gate deletion on the in-flight token matching the current cookie value.

Acceptance

  • Stale 401 does not delete fresh cookie
  • Test simulates race between stale request and refresh

Metadata

Metadata

Assignees

No one assigned

    Labels

    P2-mediumPlan for this monthbugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions