mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
d047c33a1b
## Why Remote-control websocket reconnects and pairing requests proactively refresh their server token. When `/server/refresh` returns a transient error such as `502`, the still-valid token was discarded as a usable connection path, causing reconnect failures and repeated refresh attempts that could amplify an upstream incident. ## What Changed - Start proactive refresh five minutes before token expiry and distinguish it from a required refresh for missing or expired tokens. - Continue websocket and pairing operations with the existing valid token after `429`, `5xx`, or timeout failures. - Share an in-memory `next_refresh_at` throttle across websocket and pairing callers, honoring both `Retry-After` formats and otherwise using a jittered 24–36 second delay. - Keep required refreshes strict, preserve `404` enrollment replacement, and clear token/throttle state for `401` and `403` auth recovery. - Preserve refresh response metadata internally and add focused wire-level and integration coverage. ## Verification Added behavioral coverage proving that: - a valid near-expiry token still completes websocket and pairing requests after transient refresh failures; - `Retry-After` suppresses a subsequent refresh across websocket and pairing callers; - request and response-body timeouts are classified as transient; - an expired token, including one that expires during refresh, cannot proceed to websocket connection; - auth failures clear the attempted token without overwriting a concurrently rotated token.
64 lines
1.8 KiB
TOML
64 lines
1.8 KiB
TOML
[package]
|
|
name = "codex-app-server-transport"
|
|
version.workspace = true
|
|
edition.workspace = true
|
|
license.workspace = true
|
|
|
|
[lib]
|
|
name = "codex_app_server_transport"
|
|
path = "src/lib.rs"
|
|
doctest = false
|
|
|
|
[lints]
|
|
workspace = true
|
|
|
|
[dependencies]
|
|
anyhow = { workspace = true }
|
|
axum = { workspace = true, default-features = false, features = [
|
|
"http1",
|
|
"json",
|
|
"tokio",
|
|
"ws",
|
|
] }
|
|
base64 = { workspace = true }
|
|
clap = { workspace = true, features = ["derive"] }
|
|
codex-api = { workspace = true }
|
|
codex-app-server-protocol = { workspace = true }
|
|
codex-core = { workspace = true }
|
|
codex-login = { workspace = true }
|
|
codex-model-provider = { workspace = true }
|
|
codex-state = { workspace = true }
|
|
codex-uds = { workspace = true }
|
|
codex-utils-absolute-path = { workspace = true }
|
|
codex-utils-rustls-provider = { workspace = true }
|
|
constant_time_eq = { workspace = true }
|
|
futures = { workspace = true }
|
|
gethostname = { workspace = true }
|
|
hmac = { workspace = true }
|
|
httpdate = { workspace = true }
|
|
jsonwebtoken = { workspace = true }
|
|
owo-colors = { workspace = true, features = ["supports-colors"] }
|
|
rand = { workspace = true }
|
|
serde = { workspace = true, features = ["derive"] }
|
|
serde_json = { workspace = true }
|
|
sha2 = { workspace = true }
|
|
time = { workspace = true }
|
|
tokio = { workspace = true, features = [
|
|
"io-std",
|
|
"macros",
|
|
"rt-multi-thread",
|
|
] }
|
|
tokio-tungstenite = { workspace = true }
|
|
tokio-util = { workspace = true }
|
|
tracing = { workspace = true, features = ["log"] }
|
|
url = { workspace = true }
|
|
uuid = { workspace = true, features = ["serde", "v7"] }
|
|
|
|
[dev-dependencies]
|
|
chrono = { workspace = true }
|
|
codex-config = { workspace = true }
|
|
codex-protocol = { workspace = true }
|
|
pretty_assertions = { workspace = true }
|
|
tempfile = { workspace = true }
|
|
tokio = { workspace = true, features = ["test-util"] }
|