Skip to content

fix(token-refresh): microsoft, notion, x, linear#2933

Merged
icecrasher321 merged 4 commits intostagingfrom
fix/token-refresh-edge-cases
Jan 22, 2026
Merged

fix(token-refresh): microsoft, notion, x, linear#2933
icecrasher321 merged 4 commits intostagingfrom
fix/token-refresh-edge-cases

Conversation

@icecrasher321
Copy link
Collaborator

@icecrasher321 icecrasher321 commented Jan 22, 2026

Summary

  • Microsoft needs proactive refresh against their 90 day timeline. Confirmed from cloudwatch logs.
  • Notion, X, Linear were missing flag to replace refresh token with fresh one

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel
Copy link

vercel bot commented Jan 22, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Review Updated (UTC)
docs Skipped Skipped Jan 22, 2026 2:20am

Request Review

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Jan 22, 2026

Greptile Summary

Fixes token refresh issues for Microsoft, Notion, X, and Linear OAuth providers by implementing proactive refresh for Microsoft's 90-day expiry and enabling refresh token rotation for providers that support it.

  • Added proactive refresh logic for Microsoft providers to refresh tokens 7 days before the 90-day refresh token expiry, preventing authentication failures
  • Set supportsRefreshTokenRotation: true for X (x), Notion (notion), and Linear (linear) providers to properly handle rotated refresh tokens
  • Updated refresh token expiry tracking for Microsoft providers in both account creation and token refresh flows
  • Improved type safety by replacing any with Record<string, unknown> for update data objects

The proactive refresh mechanism checks if a Microsoft refresh token will expire within 7 days and triggers a refresh early to maintain continuous access. The rotation flag ensures that when providers issue new refresh tokens during the refresh flow, they are properly captured and stored.

Confidence Score: 4/5

  • Safe to merge with one bug fix needed for Microsoft sub-providers
  • The implementation correctly addresses the stated issues with well-structured proactive refresh logic and proper token rotation handling. However, the getProviderAuthConfig switch statement is missing cases for microsoft-excel, microsoft-planner, and microsoft-teams, which will cause runtime errors when these providers attempt to refresh tokens. Once this issue is fixed, the PR will be fully functional.
  • Pay close attention to apps/sim/lib/oauth/oauth.ts - it needs the missing Microsoft provider cases added to prevent token refresh failures

Important Files Changed

Filename Overview
apps/sim/app/api/auth/oauth/utils.ts Added Microsoft proactive refresh logic (7-day threshold before 90-day expiry), improved type safety with Record<string, unknown>, and consistent refresh token handling across multiple functions
apps/sim/lib/auth/auth.ts Set Microsoft refresh token expiry (90 days) in both account creation and update hooks to ensure proper token lifecycle tracking
apps/sim/lib/oauth/oauth.ts Added supportsRefreshTokenRotation flag for X, Notion, and Linear providers to enable automatic replacement of refresh tokens - missing support for microsoft-excel, microsoft-planner, and microsoft-teams

Sequence Diagram

sequenceDiagram
    participant Client
    participant Utils as OAuth Utils
    participant OAuth as OAuth Service
    participant DB as Database
    participant Provider as OAuth Provider

    Note over Client,Provider: Token Refresh Flow

    Client->>Utils: Request credential access
    Utils->>Utils: Check if access token expired
    
    alt Microsoft Provider
        Utils->>Utils: Check if refresh expires within 7 days
    end
    
    alt Token needs refresh
        Utils->>OAuth: Call refreshOAuthToken
        OAuth->>Provider: Send refresh request
        Provider-->>OAuth: Return new credentials
        
        alt Supports rotation
            OAuth->>OAuth: Extract new refresh value
        end
        
        OAuth-->>Utils: Return refreshed credentials
        
        alt Microsoft Provider
            Utils->>Utils: Set refresh expiry to 90 days
        end
        
        Utils->>DB: Update account with new values
        Utils-->>Client: Return valid credential
    else Token valid
        Utils-->>Client: Return existing credential
    end
Loading

greptile-apps[bot]
greptile-apps bot reviewed Jan 22, 2026
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additional Comments (1)

  1. apps/sim/lib/oauth/oauth.ts, line 890-903 (link)

    logic: Missing microsoft-excel, microsoft-planner, and microsoft-teams cases

3 files reviewed, 1 comment

Edit Code Review Agent Settings | Greptile

cursor[bot]

This comment was marked as outdated.

Sign in to view

@icecrasher321
Copy link
Collaborator Author

icecrasher321 commented Jan 22, 2026

@cursor review

cursor[bot]
cursor bot reviewed Jan 22, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

@icecrasher321 icecrasher321 merged commit 7cfdf46 into staging Jan 22, 2026
11 checks passed
@waleedlatif1 waleedlatif1 mentioned this pull request Jan 22, 2026
Merged
waleedlatif1 added a commit that referenced this pull request Jan 22, 2026
@waleedlatif1 @icecrasher321 @emir-karabeg
v0.5.67: loading, password reset, ui improvements, helm updates (#2928)
cc2be33 
* fix(zustand): updated to useShallow from deprecated createWithEqualityFn (#2919)

* fix(logger): use direct env access for webpack inlining (#2920)

* fix(notifications): text overflow with line-clamp (#2921)

* chore(helm): add env vars for Vertex AI, orgs, and telemetry (#2922)

* fix(auth): improve reset password flow and consolidate brand detection (#2924)

* fix(auth): improve reset password flow and consolidate brand detection

* fix(auth): set errorHandled for EMAIL_NOT_VERIFIED to prevent duplicate error

* fix(auth): clear success message on login errors

* chore(auth): fix import order per lint

* fix(action-bar): duplicate subflows with children (#2923)

* fix(action-bar): duplicate subflows with children

* fix(action-bar): add validateTriggerPaste for subflow duplicate

* fix(resolver): agent response format, input formats, root level (#2925)

* fix(resolvers): agent response format, input formats, root level

* fix response block initial seeding

* fix tests

* fix(messages-input): fix cursor alignment and auto-resize with overlay (#2926)

* fix(messages-input): fix cursor alignment and auto-resize with overlay

* fixed remaining zustand warnings

* fix(stores): remove dead code causing log spam on startup (#2927)

* fix(stores): remove dead code causing log spam on startup

* fix(stores): replace custom tools zustand store with react query cache

* improvement(ui): use BrandedButton and BrandedLink components (#2930)

- Refactor auth forms to use BrandedButton component
- Add BrandedLink component for changelog page
- Reduce code duplication in login, signup, reset-password forms
- Update star count default value

* fix(custom-tools): remove unsafe title fallback in getCustomTool (#2929)

* fix(custom-tools): remove unsafe title fallback in getCustomTool

* fix(custom-tools): restore title fallback in getCustomTool lookup

Custom tools are referenced by title (custom_${title}), not database ID.
The title fallback is required for client-side tool resolution to work.

* fix(null-bodies): empty bodies handling (#2931)

* fix(null-statuses): empty bodies handling

* address bugbot comment

* fix(token-refresh): microsoft, notion, x, linear (#2933)

* fix(microsoft): proactive refresh needed

* fix(x): missing token refresh flag

* notion and linear missing flag too

* address bugbot comment

* fix(auth): handle EMAIL_NOT_VERIFIED in onError callback (#2932)

* fix(auth): handle EMAIL_NOT_VERIFIED in onError callback

* refactor(auth): extract redirectToVerify helper to reduce duplication

* fix(workflow-selector): use dedicated selector for workflow dropdown (#2934)

* feat(workflow-block): preview (#2935)

* improvement(copilot): tool configs to show nested props (#2936)

* fix(auth): add genericOAuth providers to trustedProviders (#2937)

---------

Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>
Co-authored-by: Emir Karabeg <78010029+emir-karabeg@users.noreply.github.com>
@waleedlatif1 waleedlatif1 deleted the fix/token-refresh-edge-cases branch January 22, 2026 06:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@icecrasher321