fix: auto re-authenticate when token refresh fails

[tonychang04]

Summary

• When a token refresh fails in interactive mode, the CLI now automatically opens the OAuth login flow instead of throwing an error
• Non-TTY environments still get the explicit "Run insforge login again" message
• Fixes the UX issue where npx @insforge/cli create with expired credentials would just error out instead of prompting login

Test plan

• Run insforge create with expired/invalid credentials — should auto-prompt OAuth login
• Run in non-TTY (e.g. piped) — should still throw the error message
• Run with valid credentials — no change in behavior

🤖 Generated with Claude Code

Note

Re-authenticate interactively when token refresh fails in refreshAccessToken

When a token refresh fails in an interactive TTY session, credentials.ts now warns the user via clack.log.warn and triggers an OAuth login flow instead of throwing an AuthError. Non-TTY environments preserve the existing behavior of throwing immediately.

^{Macroscope summarized 8e6e338.}

Summary by CodeRabbit

• Bug Fixes
  • Improved authentication session handling in interactive environments. When a session expires during an interactive session, the application now prompts for re-authentication instead of throwing an error.

[coderabbitai]

Walkthrough

The refreshAccessToken function in src/lib/credentials.ts now attempts interactive re-authentication when token refresh fails in a TTY environment, logging a session expiration warning and calling performOAuthLogin instead of immediately throwing an error.

Changes

Cohort / File(s)	Summary
Authentication Token Refresh src/lib/credentials.ts	Modified refreshAccessToken to conditionally trigger interactive OAuth login on refresh failure when process.stdout.isTTY is true; otherwise throws error as before.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• feat: add interactive menu when run with no args #8: Adds similar TTY-driven interactive re-authentication retry logic in requireAuth function within the same credentials module, complementing this PR's token refresh enhancement.

Suggested reviewers

• jwfing

Poem

🐰 A token expired, oh what a plight,
But fear not, dear user, we'll make it right!
With a prompt and a login, TTY in hand,
Authentication flows as the carrot-devs planned! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and accurately describes the main change: adding automatic re-authentication when token refresh fails, which aligns with the primary objective of improving UX by prompting login instead of erroring.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/auto-reauth-on-token-refresh-failure

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/lib/credentials.ts`:
- Around line 70-76: The catch block around the token refresh in credentials.ts
is treating all errors as auth expiration and forcing interactive login; change
it to only trigger performOAuthLogin(apiUrl) when the error indicates an
authentication failure (e.g., HTTP 401/invalid_grant or an auth-specific error
code). In the catch for the refresh function (the code surrounding
performOAuthLogin and process.stdout.isTTY), inspect the caught error (e.g.,
error.response?.status === 401 or error.code/message matching invalid_grant) and
only call clack.log.warn and performOAuthLogin(apiUrl) in that case; for other
errors (network/timeouts/server 5xx) rethrow or return the error to the caller
so transient failures aren’t escalated to interactive login. Ensure you
reference the same symbols: the token refresh call, the catch block,
process.stdout.isTTY, and performOAuthLogin(apiUrl).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8741a9ed-4b16-4858-a82a-b65eb98fb7e7

📥 Commits

Reviewing files that changed from the base of the PR and between 83b1ed0 and 8e6e338.

📒 Files selected for processing (1)

• src/lib/credentials.ts