Refresh claude oauth token as needed

Author: jahooma

cli/src/utils/claude-oauth.ts

@@ -4,11 +4,7 @@
 
 import crypto from 'crypto'
 import open from 'open'
-import {
-  CLAUDE_OAUTH_CLIENT_ID,
-  CLAUDE_OAUTH_AUTHORIZE_URL,
-  CLAUDE_OAUTH_TOKEN_URL,
-} from '@codebuff/common/constants/claude-oauth'
+import { CLAUDE_OAUTH_CLIENT_ID } from '@codebuff/common/constants/claude-oauth'
 import {
   saveClaudeOAuthCredentials,
   clearClaudeOAuthCredentials,
@@ -51,7 +47,7 @@ let pendingState: string | null = null
 export function startOAuthFlow(): { codeVerifier: string; authUrl: string } {
   const codeVerifier = generateCodeVerifier()
   const codeChallenge = generateCodeChallenge(codeVerifier)
-  
+
   // Generate a random state parameter for CSRF protection
   const state = crypto.randomBytes(16).toString('hex')
 
@@ -65,8 +61,14 @@ export function startOAuthFlow(): { codeVerifier: string; authUrl: string } {
   authUrl.searchParams.set('code', 'true')
   authUrl.searchParams.set('client_id', CLAUDE_OAUTH_CLIENT_ID)
   authUrl.searchParams.set('response_type', 'code')
-  authUrl.searchParams.set('redirect_uri', 'https://console.anthropic.com/oauth/code/callback')
-  authUrl.searchParams.set('scope', 'org:create_api_key user:profile user:inference')
+  authUrl.searchParams.set(
+    'redirect_uri',
+    'https://console.anthropic.com/oauth/code/callback',
+  )
+  authUrl.searchParams.set(
+    'scope',
+    'org:create_api_key user:profile user:inference',
+  )
   authUrl.searchParams.set('code_challenge', codeChallenge)
   authUrl.searchParams.set('code_challenge_method', 'S256')
   authUrl.searchParams.set('state', codeVerifier) // opencode uses verifier as state
@@ -92,7 +94,9 @@ export async function exchangeCodeForTokens(
 ): Promise<ClaudeOAuthCredentials> {
   const verifier = codeVerifier ?? pendingCodeVerifier
   if (!verifier) {
-    throw new Error('No code verifier found. Please start the OAuth flow again.')
+    throw new Error(
+      'No code verifier found. Please start the OAuth flow again.',
+    )
   }
 
   // The authorization code from claude.ai comes in format: code#state
@@ -140,55 +144,6 @@ export async function exchangeCodeForTokens(
   return credentials
 }
 
-/**
- * Refresh the access token using the refresh token.
- */
-export async function refreshAccessToken(): Promise<ClaudeOAuthCredentials | null> {
-  const credentials = getClaudeOAuthCredentials()
-  if (!credentials?.refreshToken) {
-    return null
-  }
-
-  try {
-    // Use the v1 OAuth token endpoint (same as opencode)
-    const response = await fetch('https://console.anthropic.com/v1/oauth/token', {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-      },
-      body: JSON.stringify({
-        grant_type: 'refresh_token',
-        refresh_token: credentials.refreshToken,
-        client_id: CLAUDE_OAUTH_CLIENT_ID,
-      }),
-    })
-
-    if (!response.ok) {
-      // Refresh failed, clear credentials
-      clearClaudeOAuthCredentials()
-      return null
-    }
-
-    const data = await response.json()
-
-    const newCredentials: ClaudeOAuthCredentials = {
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token ?? credentials.refreshToken,
-      expiresAt: Date.now() + data.expires_in * 1000,
-      connectedAt: credentials.connectedAt,
-    }
-
-    // Save updated credentials
-    saveClaudeOAuthCredentials(newCredentials)
-
-    return newCredentials
-  } catch {
-    // Refresh failed, clear credentials
-    clearClaudeOAuthCredentials()
-    return null
-  }
-}
-
 /**
  * Disconnect from Claude OAuth (clear credentials).
  */

sdk/src/credentials.ts

@@ -3,6 +3,7 @@ import path from 'node:path'
 import os from 'os'
 
 import { env } from '@codebuff/common/env'
+import { CLAUDE_OAUTH_CLIENT_ID } from '@codebuff/common/constants/claude-oauth'
 import { userSchema } from '@codebuff/common/util/credentials'
 import { z } from 'zod/v4'
 
@@ -211,3 +212,103 @@ export const isClaudeOAuthValid = (
   const bufferMs = 5 * 60 * 1000
   return credentials.expiresAt > Date.now() + bufferMs
 }
+
+// Mutex to prevent concurrent refresh attempts
+let refreshPromise: Promise<ClaudeOAuthCredentials | null> | null = null
+
+/**
+ * Refresh the Claude OAuth access token using the refresh token.
+ * Returns the new credentials if successful, null if refresh fails.
+ * Uses a mutex to prevent concurrent refresh attempts.
+ */
+export const refreshClaudeOAuthToken = async (
+  clientEnv: ClientEnv = env,
+): Promise<ClaudeOAuthCredentials | null> => {
+  // If a refresh is already in progress, wait for it
+  if (refreshPromise) {
+    return refreshPromise
+  }
+
+  const credentials = getClaudeOAuthCredentials(clientEnv)
+  if (!credentials?.refreshToken) {
+    return null
+  }
+
+  // Start the refresh and store the promise
+  refreshPromise = (async () => {
+    try {
+      const response = await fetch('https://console.anthropic.com/v1/oauth/token', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          grant_type: 'refresh_token',
+          refresh_token: credentials.refreshToken,
+          client_id: CLAUDE_OAUTH_CLIENT_ID,
+        }),
+      })
+
+      if (!response.ok) {
+        // Refresh failed, clear credentials
+        clearClaudeOAuthCredentials(clientEnv)
+        return null
+      }
+
+      const data = await response.json()
+
+      const newCredentials: ClaudeOAuthCredentials = {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token ?? credentials.refreshToken,
+        expiresAt: Date.now() + data.expires_in * 1000,
+        connectedAt: credentials.connectedAt,
+      }
+
+      // Save updated credentials
+      saveClaudeOAuthCredentials(newCredentials, clientEnv)
+
+      return newCredentials
+    } catch {
+      // Refresh failed, clear credentials
+      clearClaudeOAuthCredentials(clientEnv)
+      return null
+    } finally {
+      // Clear the mutex after completion
+      refreshPromise = null
+    }
+  })()
+
+  return refreshPromise
+}
+
+/**
+ * Get valid Claude OAuth credentials, refreshing if necessary.
+ * This is the main function to use when you need credentials for an API call.
+ * 
+ * - Returns credentials immediately if valid (>5 min until expiry)
+ * - Attempts refresh if token is expired or near-expiry
+ * - Returns null if no credentials or refresh fails
+ */
+export const getValidClaudeOAuthCredentials = async (
+  clientEnv: ClientEnv = env,
+): Promise<ClaudeOAuthCredentials | null> => {
+  const credentials = getClaudeOAuthCredentials(clientEnv)
+  if (!credentials) {
+    return null
+  }
+
+  // Check if token is from environment variable (synthetic credentials, no refresh needed)
+  if (!credentials.refreshToken) {
+    // Environment variable tokens are assumed valid
+    return credentials
+  }
+
+  // Check if token is valid with 5 minute buffer
+  const bufferMs = 5 * 60 * 1000
+  if (credentials.expiresAt > Date.now() + bufferMs) {
+    return credentials
+  }
+
+  // Token is expired or expiring soon, try to refresh
+  return refreshClaudeOAuthToken(clientEnv)
+}

sdk/src/impl/llm.ts

@@ -143,6 +143,43 @@ function isClaudeOAuthRateLimitError(error: unknown): boolean {
   return false
 }
 
+/**
+ * Check if an error is a Claude OAuth authentication error (expired/invalid token).
+ * This indicates we should try refreshing the token.
+ */
+function isClaudeOAuthAuthError(error: unknown): boolean {
+  if (!error || typeof error !== 'object') return false
+
+  const err = error as {
+    statusCode?: number
+    message?: string
+    responseBody?: string
+  }
+
+  // 401 Unauthorized or 403 Forbidden typically indicate auth issues
+  if (err.statusCode === 401 || err.statusCode === 403) return true
+
+  const message = (err.message || '').toLowerCase()
+  const responseBody = (err.responseBody || '').toLowerCase()
+
+  if (message.includes('unauthorized') || message.includes('invalid_token'))
+    return true
+  if (message.includes('authentication') || message.includes('expired'))
+    return true
+  if (
+    responseBody.includes('unauthorized') ||
+    responseBody.includes('invalid_token')
+  )
+    return true
+  if (
+    responseBody.includes('authentication') ||
+    responseBody.includes('expired')
+  )
+    return true
+
+  return false
+}
+
 export async function* promptAiSdkStream(
   params: ParamsOf<PromptAiSdkStreamFn> & {
     skipClaudeOAuth?: boolean
@@ -169,7 +206,7 @@ export async function* promptAiSdkStream(
     model: params.model,
     skipClaudeOAuth: params.skipClaudeOAuth,
   }
-  const { model: aiSDKModel, isClaudeOAuth } = getModelForRequest(modelParams)
+  const { model: aiSDKModel, isClaudeOAuth } = await getModelForRequest(modelParams)
 
   // Notify about Claude OAuth usage
   if (isClaudeOAuth && params.onClaudeOAuthStatusChange) {
@@ -377,6 +414,28 @@ export async function* promptAiSdkStream(
         return fallbackResult
       }
 
+      // Check if this is a Claude OAuth authentication error (expired token) - only fall back if no content yielded yet
+      if (
+        isClaudeOAuth &&
+        !params.skipClaudeOAuth &&
+        !hasYieldedContent &&
+        isClaudeOAuthAuthError(chunkValue.error)
+      ) {
+        logger.info(
+          { error: getErrorObject(chunkValue.error) },
+          'Claude OAuth auth error during stream, falling back to Codebuff backend',
+        )
+        if (params.onClaudeOAuthStatusChange) {
+          params.onClaudeOAuthStatusChange(false)
+        }
+        // Retry with Codebuff backend (skipClaudeOAuth will bypass the failed OAuth)
+        const fallbackResult = yield* promptAiSdkStream({
+          ...params,
+          skipClaudeOAuth: true,
+        })
+        return fallbackResult
+      }
+
       logger.error(
         {
           chunk: { ...chunkValue, error: undefined },
@@ -495,7 +554,7 @@ export async function promptAiSdk(
     model: params.model,
     skipClaudeOAuth: true, // Always use Codebuff backend for non-streaming
   }
-  const { model: aiSDKModel } = getModelForRequest(modelParams)
+  const { model: aiSDKModel } = await getModelForRequest(modelParams)
 
   const response = await generateText({
     ...params,
@@ -552,7 +611,7 @@ export async function promptAiSdkStructured<T>(
     model: params.model,
     skipClaudeOAuth: true, // Always use Codebuff backend for non-streaming
   }
-  const { model: aiSDKModel } = getModelForRequest(modelParams)
+  const { model: aiSDKModel } = await getModelForRequest(modelParams)
 
   const response = await generateObject<z.ZodType<T>, 'object'>({
     ...params,

sdk/src/impl/model-provider.ts

@@ -21,7 +21,7 @@ import {
 } from '@codebuff/internal/openai-compatible/index'
 
 import { WEBSITE_URL } from '../constants'
-import { getClaudeOAuthCredentials, isClaudeOAuthValid } from '../credentials'
+import { getValidClaudeOAuthCredentials } from '../credentials'
 import { getByokOpenrouterApiKeyFromEnv } from '../env'
 
 import type { LanguageModel } from 'ai'
@@ -61,13 +61,16 @@ type OpenRouterUsageAccounting = {
  *
  * If Claude OAuth credentials are available and the model is a Claude model,
  * returns an Anthropic direct model. Otherwise, returns the Codebuff backend model.
+ * 
+ * This function is async because it may need to refresh the OAuth token.
  */
-export function getModelForRequest(params: ModelRequestParams): ModelResult {
+export async function getModelForRequest(params: ModelRequestParams): Promise<ModelResult> {
   const { apiKey, model, skipClaudeOAuth } = params
 
   // Check if we should use Claude OAuth direct
-  if (!skipClaudeOAuth && isClaudeModel(model) && isClaudeOAuthValid()) {
-    const claudeOAuthCredentials = getClaudeOAuthCredentials()
+  if (!skipClaudeOAuth && isClaudeModel(model)) {
+    // Get valid credentials (will refresh if needed)
+    const claudeOAuthCredentials = await getValidClaudeOAuthCredentials()
     if (claudeOAuthCredentials) {
       return {
         model: createAnthropicOAuthModel(