Skip to content

refactor(api): Stop masking refresh-token service errors as 401#38463

Merged
WH-2099 merged 7 commits into
langgenius:mainfrom
QuantumGhost:codex/remove-refresh-token-broad-401
Jul 6, 2026
Merged

refactor(api): Stop masking refresh-token service errors as 401#38463
WH-2099 merged 7 commits into
langgenius:mainfrom
QuantumGhost:codex/remove-refresh-token-broad-401

Conversation

@QuantumGhost

@QuantumGhost QuantumGhost commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

AI disclosure: This PR was primarily drafted with Codex using GPT-5.4. I have reviewed and edited the final diff, and I am responsible for the content.

Important

  1. Make sure you have read our contribution guidelines
  2. Ensure there is an associated issue and you have been assigned to it
  3. Use the correct syntax to link this PR: Fixes #<issue number>.

Summary

Fixes #38462.

Related to #38457.

This change narrows the error handling in POST /console/api/refresh-token and replaces the remaining string-based validation detection with dedicated exception types.

What changed:

  • keep the explicit 401 response when the refresh-token cookie is missing
  • define dedicated service-layer exceptions for the two current refresh-token validation failures:
    • RefreshTokenNotFoundError
    • RefreshTokenAccountNotFoundError
  • raise those dedicated exceptions from AccountService.refresh_token(...)
  • catch those dedicated exceptions, plus the existing Unauthorized path from banned-account loading, in the controller and map them to 401
  • allow unexpected ValueError instances and operational failures such as runtime/Redis errors to propagate instead of being rewritten as 401
  • update the focused unit tests to distinguish expected 401 validation failures from unexpected exceptions that must continue to bubble up

Why:

  • the earlier broad catch masked backend failures as authentication failures
  • the intermediate string whitelist on ValueError was narrower, but still encoded auth semantics in exception messages
  • dedicated exception types keep the same intended HTTP behavior while making the controller contract explicit and less fragile

Validation:

  • uv run --project api pytest -o addopts='' api/tests/unit_tests/controllers/console/auth/test_token_refresh.py

Screenshots

Before After
N/A N/A

Checklist

  • This change requires a documentation update, included: Dify Document
  • I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
  • I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • I've updated the documentation accordingly.
  • I ran make lint && make type-check (backend) and cd web && pnpm exec vp staged (frontend) to appease the lint gods

From Codex

@QuantumGhost QuantumGhost changed the title [codex] Stop masking refresh-token service errors as 401 refactor(api): Stop masking refresh-token service errors as 401 Jul 6, 2026
@QuantumGhost QuantumGhost marked this pull request as ready for review July 6, 2026 07:16
@QuantumGhost QuantumGhost requested a review from laipz8200 as a code owner July 6, 2026 07:16
@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Pyrefly Type Coverage

Metric Base PR Delta
Type coverage 52.38% 52.37% -0.01%
Strict coverage 51.89% 51.89% -0.01%
Typed symbols 32,084 32,087 +3
Untyped symbols 29,441 29,450 +9
Modules 2970 2970 0

@dosubot dosubot Bot added the refactor label Jul 6, 2026
@QuantumGhost QuantumGhost marked this pull request as draft July 6, 2026 07:17
@QuantumGhost QuantumGhost marked this pull request as ready for review July 6, 2026 07:57
@dosubot dosubot Bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:S This PR changes 10-29 lines, ignoring generated files. labels Jul 6, 2026
@autofix-ci autofix-ci Bot requested a review from crazywoola as a code owner July 6, 2026 08:04
@github-actions github-actions Bot added the web This relates to changes on the web. label Jul 6, 2026
…h-token-broad-401

# Conflicts:
#	api/controllers/console/auth/login.py
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Pyrefly Diff

base → PR
--- /tmp/pyrefly_base.txt	2026-07-06 08:19:01.732021381 +0000
+++ /tmp/pyrefly_pr.txt	2026-07-06 08:18:52.472972359 +0000
@@ -1,3 +1,5 @@
+ERROR Argument `str | None` is not assignable to parameter `message` with type `bytearray | bytes | str` in function `controllers.common.fields.SimpleResultMessageResponse.__init__` [bad-argument-type]
+   --> controllers/console/auth/login.py:363:71
 ERROR Argument `SimpleNamespace` is not assignable to parameter `dataset` with type `Dataset` in function `dify_vdb_alibabacloud_mysql.alibabacloud_mysql_vector.AlibabaCloudMySQLVectorFactory.init_vector` [bad-argument-type]
   --> providers/vdb/vdb-alibabacloud-mysql/tests/unit_tests/test_alibabacloud_mysql_factory.py:42:38
 ERROR Argument `SimpleNamespace` is not assignable to parameter `dataset` with type `Dataset` in function `dify_vdb_alibabacloud_mysql.alibabacloud_mysql_vector.AlibabaCloudMySQLVectorFactory.init_vector` [bad-argument-type]

Assisted-by: Codex:GPT-5.4

@hjlarry hjlarry left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label Jul 6, 2026
@WH-2099 WH-2099 added this pull request to the merge queue Jul 6, 2026
Merged via the queue into langgenius:main with commit fc01d11 Jul 6, 2026
37 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm This PR has been approved by a maintainer refactor size:M This PR changes 30-99 lines, ignoring generated files. web This relates to changes on the web.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Refactor/Chore] Stop masking refresh-token service errors as 401

3 participants