Hi @ShahabSL,
First of all, thank you for developing Skirk. It is an amazing and innovative project!
I recently ran into an issue regarding the Personal Google OAuth setup on the exit node, which causes the service to enter an infinite restart loop in PM2 after exactly 7 days. I managed to diagnose and resolve it, and I would like to share the details and suggest a feature improvement for the project.
The Problem
When setting up a personal Google Cloud project for the Drive API, the project status defaults to "Testing". According to Google's security policy, OAuth refresh tokens for apps in "Testing" status expire automatically after 7 days.
Once the token expired, the exit node threw the following error continuously, causing PM2 to crash and restart every second:
error: oauth token refresh failed status=400 error=invalid_grant description=Token has been expired or revoked
Note: On the client side, the app still connects successfully to the local port, but no traffic is passed since the server-side process is dead/looping.
The Workaround (How I Fixed It)
To fix this without forcing all connected clients to re-import a new profile, we performed a "surgical" configuration update:
Changed the Google Cloud project publishing status from "Testing" to "In Production" (which unlocks permanent refresh tokens).
Generated a temporary environment using skirk setup init --out temp-kit --reset-google-login just to obtain a fresh, non-expiring refresh_token.
Manually copied the new "auth" block from temp-kit/exit.json and pasted it into the original skirk-kit/exit.json.
Kept the original "secret", "session_id", and "drive.folder_id" intact.
This successfully restored the server functionality, and all 3 existing clients reconnected instantly without needing any manual config changes.
Suggestions for Improvement
To make Skirk even more robust, it would be fantastic if you could consider the following:
Documentation Update: Add a small note in the README/Setup guide advising users to switch their Google Cloud project status to "In Production" during the OAuth consent screen setup to prevent the 7-day token expiration.
Token Renewal Command: Introduce a new CLI command (e.g., skirk setup renew-oauth or a flag like skirk setup init --renew-only) that allows server administrators to re-authenticate with Google and update only the "auth" credentials inside an existing exit.json, without overwriting the master encryption keys (secret) and mailbox folder ID.
Thank you again for your hard work and dedication to this project!
Hi @ShahabSL,
First of all, thank you for developing Skirk. It is an amazing and innovative project!
I recently ran into an issue regarding the Personal Google OAuth setup on the exit node, which causes the service to enter an infinite restart loop in PM2 after exactly 7 days. I managed to diagnose and resolve it, and I would like to share the details and suggest a feature improvement for the project.
The Problem
When setting up a personal Google Cloud project for the Drive API, the project status defaults to "Testing". According to Google's security policy, OAuth refresh tokens for apps in "Testing" status expire automatically after 7 days.
Once the token expired, the exit node threw the following error continuously, causing PM2 to crash and restart every second:
error: oauth token refresh failed status=400 error=invalid_grant description=Token has been expired or revoked
Note: On the client side, the app still connects successfully to the local port, but no traffic is passed since the server-side process is dead/looping.
The Workaround (How I Fixed It)
To fix this without forcing all connected clients to re-import a new profile, we performed a "surgical" configuration update:
Changed the Google Cloud project publishing status from "Testing" to "In Production" (which unlocks permanent refresh tokens).
Generated a temporary environment using skirk setup init --out temp-kit --reset-google-login just to obtain a fresh, non-expiring refresh_token.
Manually copied the new "auth" block from temp-kit/exit.json and pasted it into the original skirk-kit/exit.json.
Kept the original "secret", "session_id", and "drive.folder_id" intact.
This successfully restored the server functionality, and all 3 existing clients reconnected instantly without needing any manual config changes.
Suggestions for Improvement
To make Skirk even more robust, it would be fantastic if you could consider the following:
Documentation Update: Add a small note in the README/Setup guide advising users to switch their Google Cloud project status to "In Production" during the OAuth consent screen setup to prevent the 7-day token expiration.
Token Renewal Command: Introduce a new CLI command (e.g., skirk setup renew-oauth or a flag like skirk setup init --renew-only) that allows server administrators to re-authenticate with Google and update only the "auth" credentials inside an existing exit.json, without overwriting the master encryption keys (secret) and mailbox folder ID.
Thank you again for your hard work and dedication to this project!