@viva-jinyi viva-jinyi commented Nov 2, 2025

🐛 Problem

Intermittent "No auth header available for session creation" errors during session cookie creation

🔍 Root Cause Analysis

Temporary token unavailability during Firebase token refresh process:

  • At the time of onIdTokenChanged event trigger
  • getAuthHeader() temporarily returns null while fetching new token
  • Results in session creation failure → user authentication issues

✅ Solution

1. Add Retry Logic (useSessionCookie.ts)

  • Maximum 3 retry attempts
  • First attempt: uses cached token (performance optimization)
  • On retry: forces token refresh with forceRefresh: true
  • Exponential backoff: 500ms, 1s intervals

2. Support forceRefresh Parameter (firebaseAuthStore.ts)

  • Add getAuthHeader(forceRefresh?: boolean) parameter
  • Add getIdToken(forceRefresh?: boolean) parameter
  • Utilize Firebase SDK's forced token refresh capability on retry
  • Note: This feature is already implemented in the rh-test branch and is also needed in main

🤖 Generated with Claude Code

Co-Authored-By: Claude [email protected]

┆Issue is synchronized with this Notion page by Unito

@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Nov 2, 2025

github-actions bot commented Nov 2, 2025

🎨 Storybook Build Status

Build completed successfully!

⏰ Completed at: 11/05/2025, 01:44:55 AM UTC


🎉 Your Storybook is ready for review!


github-actions bot commented Nov 2, 2025

🎭 Playwright Test Results

⚠️ Tests passed with flaky tests

⏰ Completed at: 11/05/2025, 02:14:57 AM UTC

📈 Summary

  • Total Tests: 498
  • Passed: 464 ✅
  • Failed: 0
  • Flaky: 4 ⚠️
  • Skipped: 30 ⏭️

📊 Test Reports by Browser

  • chromium: View Report • ✅ 455 / ❌ 0 / ⚠️ 4 / ⏭️ 30
  • chromium-2x: View Report • ✅ 2 / ❌ 0 / ⚠️ 0 / ⏭️ 0
  • chromium-0.5x: View Report • ✅ 1 / ❌ 0 / ⚠️ 0 / ⏭️ 0
  • mobile-chrome: View Report • ✅ 6 / ❌ 0 / ⚠️ 0 / ⏭️ 0

🎉 Click on the links above to view detailed test results for each browser configuration.

@viva-jinyi viva-jinyi added backport Backporting a PR onto a release candidate branch:rh-test labels Nov 2, 2025

github-actions bot commented Nov 2, 2025

Bundle Size Report

Summary

  • Raw size: 12.2 MB baseline 12.2 MB — 🔴 +64 B
  • Gzip: 2.49 MB baseline 2.49 MB — 🟢 -11 B
  • Brotli: 1.96 MB baseline 1.96 MB — 🔴 +68 B
  • Bundles: 58 current • 58 baseline • 13 added / 13 removed

Category Glance
App Entry Points 🔴 +64 B (3.31 MB) · Vendor & Third-Party ⚪ 0 B (5.32 MB) · Other ⚪ 0 B (2.55 MB) · Graph Workspace ⚪ 0 B (729 kB) · Panels & Settings ⚪ 0 B (293 kB) · UI Components ⚪ 0 B (12.6 kB) · + 3 more

Per-category breakdown
App Entry Points — 3.31 MB (baseline 3.31 MB) • 🔴 +64 B

Main entry bundles and manifests


Status: 3 added / 3 removed

Graph Workspace — 729 kB (baseline 729 kB) • ⚪ 0 B

Graph editor runtime, canvas, workflow orchestration


Status: 1 added / 1 removed

Views & Navigation — 8.18 kB (baseline 8.18 kB) • ⚪ 0 B

Top-level views, pages, and routed surfaces


Status: 1 added / 1 removed

Panels & Settings — 293 kB (baseline 293 kB) • ⚪ 0 B

Configuration panels, inspectors, and settings screens


Status: 6 added / 6 removed

UI Components — 12.6 kB (baseline 12.6 kB) • ⚪ 0 B

Reusable component library chunks


Status: 1 added / 1 removed

Data & Services — 10.4 kB (baseline 10.4 kB) • ⚪ 0 B

Stores, services, APIs, and repositories


Status: 1 added / 1 removed

Utilities & Hooks — 1.07 kB (baseline 1.07 kB) • ⚪ 0 B

Helpers, composables, and utility bundles

Vendor & Third-Party — 5.32 MB (baseline 5.32 MB) • ⚪ 0 B

External libraries and shared vendor chunks

Other — 2.55 MB (baseline 2.55 MB) • ⚪ 0 B

Bundles that do not match a named category


@christian-byrne christian-byrne added claude-review Add to trigger a PR code review from Claude Code needs-backport Fix/change that needs to be cherry-picked to the current feature freeze branch and removed backport Backporting a PR onto a release candidate claude-review Add to trigger a PR code review from Claude Code labels Nov 2, 2025
headers: {
...authHeader,
'Content-Type': 'application/json'
if (authHeader) {
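Review bot: at `if (authHeader) {`, a null header caused by a refresh in progress and a null header for a signed-out user take the same path, so if getAuthHeader() can return null in both cases the retry spends every forced refresh on a user who has no token to refresh. Check for a current user before entering the retry, and keep the `...authHeader` spread inside the guarded branch so the session request is never sent without credentials.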

[architecture] high Priority

Issue: Nested conditional and loop complexity increases cognitive load
Context: The retry logic combines loop control, conditional checks, and async operations making it harder to understand and test
Suggestion: Extract retry logic into a separate helper function like 'retryWithBackoff' to improve readability and testability

})

const getIdToken = async (): Promise<string | undefined> => {
const getIdToken = async (
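Review bot: on the second `const getIdToken = async (` line, keep the explicit `Promise<string | undefined>` return type that the one-line signature above it declares, and default the new parameter to false. That way existing zero-argument callers keep reading the cached token and only the retry path forces a refresh.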

[quality] high Priority

Issue: Missing JSDoc parameter documentation for new forceRefresh parameter
Context: The function has comprehensive JSDoc but the new parameter is undocumented
Suggestion: Add @param forceRefresh documentation to match the existing JSDoc standard

@claude claude bot left a comment

Comprehensive PR Review

This review is generated by Claude. It may not always be accurate, as with human reviewers. If you believe that any of the comments are invalid or incorrect, please state why for each. For others, please implement the changes in one way or another.

Review Summary

PR: feat: add retry logic for session cookie creation with token refresh (#6540)
Impact: 42 additions, 20 deletions across 2 files

Issue Distribution

  • Critical: 0
  • High: 3
  • Medium: 4
  • Low: 1

Category Breakdown

  • Architecture: 3 issues
  • Security: 1 issue
  • Performance: 1 issue
  • Code Quality: 3 issues

Key Findings

Architecture & Design

The retry logic implementation addresses a real authentication timing issue, but the current approach has some architectural concerns:

  1. Complexity Management: The nested retry logic within the main function increases cognitive complexity. Consider extracting the retry pattern into a reusable utility.

  2. Error Handling Strategy: The implementation only retries on null auth headers but immediately throws on HTTP errors. This might miss cases where 401/403 responses indicate token expiration that could benefit from retries.

  3. API Signature Changes: Adding optional parameters to existing functions maintains backward compatibility but requires consideration of how this affects the broader codebase.

Security Considerations

  • Information Disclosure: Error messages from network requests could potentially leak sensitive information about the authentication infrastructure. Consider sanitizing error messages before exposing them to prevent information disclosure attacks.

Performance Impact

  • Resource Management: The current Promise-based timeout implementation creates unnecessary promises. Consider more efficient approaches like AbortController.
  • Magic Numbers: Hard-coded retry counts and backoff intervals reduce maintainability and testing flexibility.

Integration Points

The changes maintain backward compatibility since the new parameters are optional. However, the lack of test coverage for this critical authentication flow increases the risk of regressions.

Positive Observations

  • Problem Identification: The PR correctly identifies and addresses a real timing issue with Firebase token refresh
  • Incremental Approach: The solution uses exponential backoff, which is a sound approach for handling transient failures
  • Documentation: The implementation includes inline comments explaining the retry strategy
  • Backward Compatibility: Optional parameters maintain existing API contracts

Next Steps

  1. Address high priority issues before merge (missing tests, JSDoc documentation)
  2. Consider architectural feedback for long-term maintainability (extract retry utility)
  3. Add comprehensive unit tests for the retry scenarios
  4. Validate error handling strategy for HTTP failures

This is a comprehensive automated review. For architectural decisions requiring human judgment, please request additional manual review.

@github-actions github-actions bot removed the claude-review Add to trigger a PR code review from Claude Code label Nov 2, 2025
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Nov 4, 2025
@viva-jinyi
Member Author

DO NOT MERGE YET

@viva-jinyi viva-jinyi changed the title feat: add retry logic for session cookie creation with token refresh DONOTMERGE feat: add retry logic for session cookie creation with token refresh Nov 4, 2025
@viva-jinyi viva-jinyi marked this pull request as draft November 4, 2025 12:28
viva-jinyi and others added 2 commits November 5, 2025 10:43
- Add retry mechanism with exponential backoff in useSessionCookie
- Support forceRefresh parameter in getAuthHeader and getIdToken
- First attempt uses cached token, retries force token refresh
- Fixes intermittent 'No auth header available' errors during token refresh

Addresses Sentry issue affecting users with authentication timing issues

- Continue retry loop when API returns non-ok response instead of throwing immediately
- Ensures 401/403 errors trigger token refresh retry as intended
- Only throw error on final attempt to preserve error details
- Add comprehensive unit tests for retry scenarios including token timing issues

Addresses Claude Code review feedback on retry logic error handling

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
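
The retry flow that the PR description and the follow-up commit describe, written out as an added TypeScript example; it is not the project's `useSessionCookie.ts`. `createSessionWithRetry`, `SessionDeps`, `postSession` and `sleep` are hypothetical names, and the token source and the request are injected so the flow can be exercised without Firebase or a network.

```typescript
// Added example; names are hypothetical stand-ins, not the project's code.
type AuthHeader = Record<string, string>

interface SessionDeps {
  // Stand-in for the store's getAuthHeader(forceRefresh?: boolean)
  getAuthHeader: (forceRefresh?: boolean) => Promise<AuthHeader | null>
  // Stand-in for the request that creates the session cookie
  postSession: (headers: AuthHeader) => Promise<{ ok: boolean; status: number }>
  // Injectable so tests do not wait on real timers
  sleep?: (ms: number) => Promise<void>
}

const MAX_ATTEMPTS = 3
const BASE_DELAY_MS = 500 // waits of 500ms, then 1s

const timerSleep = (ms: number): Promise<void> =>
  new Promise<void>((resolve) => {
    setTimeout(resolve, ms)
  })

// Resolves with the number of attempts used; throws after the last one fails.
async function createSessionWithRetry(deps: SessionDeps): Promise<number> {
  const sleep = deps.sleep ?? timerSleep
  let lastFailure = 'no auth header'
  for (let attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
    if (attempt > 0) await sleep(BASE_DELAY_MS * 2 ** (attempt - 1))
    // First attempt uses the cached token; every retry forces a refresh.
    const authHeader = await deps.getAuthHeader(attempt > 0)
    if (!authHeader) {
      lastFailure = 'no auth header'
      continue
    }
    const res = await deps.postSession({
      ...authHeader,
      'Content-Type': 'application/json'
    })
    if (res.ok) return attempt + 1
    // Non-ok (e.g. 401/403 from a stale token): record it and retry.
    lastFailure = `HTTP ${res.status}`
  }
  // Report a coarse reason only: no token, header or response body.
  throw new Error(`Session creation failed: ${lastFailure}`)
}
```

The thrown message carries only the status code or the missing-header reason, which is one way to meet the review's point about not leaking authentication details through error text.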