feat: immediately restart auth flow on invalid client errors

geelen · geelen · commit 290fe5733723 · 2025-05-28T15:17:50.000+10:00
Instead of throwing an error and requiring manual restart, now:
- Immediately kick off fresh auth flow after clearing invalid client data
- Open browser for new registration and authentication automatically
- Complete connection seamlessly without user intervention
- Add protection against infinite loops if fresh registration also fails

This ensures users don't need to manually restart their client when
server-side client registration is deleted - the recovery is automatic.
diff --git a/DEFENSIVE_AUTH_CHANGES.md b/DEFENSIVE_AUTH_CHANGES.md
@@ -62,8 +62,9 @@ When the scenario occurs again:
 2. Classifies this as `invalid_client` error
 3. Logs clear message about client registration being deleted
 4. Clears ALL stored auth data (tokens, client_info.json, code_verifier.txt)
-5. Provides helpful error message suggesting to reconnect
-6. Next connection attempt will start fresh with new client registration
+5. **Immediately starts fresh auth flow** (no manual restart required)
+6. Opens browser for new client registration and authentication
+7. Completes with working connection automatically
 
 ## Testing
 
@@ -74,6 +75,7 @@ When the scenario occurs again:
 ## Benefits
 
 - **No More Infinite Loops**: Client won't keep retrying with invalid credentials
-- **Automatic Recovery**: Forces clean slate for successful reconnection
-- **Better User Experience**: Clear error messages about what happened
+- **Immediate Recovery**: Automatically starts fresh auth flow without manual restart
+- **Seamless User Experience**: Single browser prompt resolves the entire issue
 - **Robust Defense**: Handles edge cases where server state diverges from client state
+- **Fail-Safe Protection**: Prevents infinite loops even if fresh registration fails
diff --git a/src/lib/utils.ts b/src/lib/utils.ts
@@ -420,7 +420,7 @@ export async function connectToRemoteServer(
 
       // Handle invalid_client errors by clearing all auth data
       if (errorType === 'invalid_client') {
-        log('Client registration is invalid. Clearing all stored auth data and restarting registration...')
+        log('Client registration is invalid. Clearing all stored auth data and starting fresh auth flow...')
         if (DEBUG) debugLog('Invalid client registration detected, clearing all auth data')
 
         // Clear all auth data to force complete re-registration
@@ -500,8 +500,8 @@ export async function connectToRemoteServer(
         const authErrorType = classifyAuthError(authError)
         if (authErrorType === 'invalid_client') {
           log('Token exchange failed due to invalid client. This suggests the client registration was deleted on the server.')
-          log('Clearing all stored auth data to force complete re-registration on next attempt...')
-          if (DEBUG) debugLog('Token exchange failed with invalid_client, clearing all auth data')
+          log('Clearing all stored auth data and immediately starting fresh auth flow...')
+          if (DEBUG) debugLog('Token exchange failed with invalid_client, clearing all auth data and restarting auth')
 
           // Clear all auth data to force complete re-registration
           const extendedProvider = authProvider as ExtendedOAuthClientProvider
@@ -512,13 +512,67 @@ export async function connectToRemoteServer(
           // Reset retry state since we're starting fresh
           resetAuthRetryState(serverUrlHash)
 
-          // Create a more descriptive error message
-          const descriptiveError = new Error(
-            'Client registration appears to be invalid or deleted on the server. ' +
-              'Cleared all local auth data. Please try connecting again to re-register.',
-          )
-          descriptiveError.stack = authError.stack
-          throw descriptiveError
+          // Immediately restart the auth flow with fresh registration
+          log('Starting fresh authentication flow...')
+          if (DEBUG) debugLog('Restarting auth flow after clearing invalid client data')
+
+          const { waitForAuthCode, skipBrowserAuth } = await authInitializer()
+
+          if (skipBrowserAuth) {
+            log('Authentication required but skipping browser auth - using shared auth')
+            if (DEBUG) debugLog('Authentication required but skipping browser auth - using shared auth')
+          } else {
+            log('Authentication required. Waiting for authorization...')
+            if (DEBUG) debugLog('Authentication required. Waiting for authorization...')
+          }
+
+          // Wait for the authorization code from the callback
+          if (DEBUG) debugLog('Waiting for auth code from callback server')
+          const newCode = await waitForAuthCode()
+          if (DEBUG) debugLog('Received new auth code from callback server')
+
+          // Try token exchange again with the new code
+          log('Completing fresh authorization...')
+          if (DEBUG) debugLog('Completing fresh authorization with new code')
+          try {
+            await transport.finishAuth(newCode)
+            if (DEBUG) debugLog('Fresh authorization completed successfully')
+          } catch (freshAuthError: any) {
+            // If the fresh auth also fails with invalid_client, we have a deeper problem
+            const freshErrorType = classifyAuthError(freshAuthError)
+            if (freshErrorType === 'invalid_client') {
+              log('Fresh authentication also failed with invalid client. This suggests a persistent server-side issue.')
+              if (DEBUG) debugLog('Fresh auth also failed with invalid_client, giving up')
+              throw new Error(
+                'Fresh client registration also failed with invalid_client error. ' +
+                  'This suggests a persistent server-side issue. Please check server configuration.',
+              )
+            }
+            // For other errors, just re-throw
+            throw freshAuthError
+          }
+
+          // Reset retry state on successful auth
+          resetAuthRetryState(serverUrlHash)
+
+          // Continue with recursive reconnection
+          if (recursionReasons.has(REASON_AUTH_NEEDED)) {
+            const errorMessage = `Already attempted reconnection for reason: ${REASON_AUTH_NEEDED}. Giving up.`
+            log(errorMessage)
+            if (DEBUG)
+              debugLog('Already attempted auth reconnection, giving up', {
+                recursionReasons: Array.from(recursionReasons),
+              })
+            throw new Error(errorMessage)
+          }
+
+          // Track this reason for recursion
+          recursionReasons.add(REASON_AUTH_NEEDED)
+          log(`Recursively reconnecting for reason: ${REASON_AUTH_NEEDED}`)
+          if (DEBUG) debugLog('Recursively reconnecting after fresh auth', { recursionReasons: Array.from(recursionReasons) })
+
+          // Recursively call connectToRemoteServer with the updated recursion tracking
+          return connectToRemoteServer(client, serverUrl, authProvider, headers, authInitializer, transportStrategy, recursionReasons)
         }
 
         throw authError
