Merge pull request #337 from ndycode/audit/pr1-pool-health

ndycode · web-flow · commit 16af48bfe1a2 · 2026-04-02T02:12:42.000+08:00
fix report live token freshness handling
diff --git a/lib/codex-manager.ts b/lib/codex-manager.ts
@@ -3224,6 +3224,7 @@ export async function runCodexMultiAuthCli(rawArgs: string[]): Promise<number> {
 			loadAccounts,
 			saveAccounts,
 			resolveActiveIndex,
+			hasUsableAccessToken,
 			queuedRefresh,
 			fetchCodexQuotaSnapshot,
 			formatRateLimitEntry,
diff --git a/lib/codex-manager/commands/report.ts b/lib/codex-manager/commands/report.ts
@@ -58,6 +58,10 @@ export interface ReportCommandDeps {
 	loadAccounts: () => Promise<AccountStorageV3 | null>;
 	saveAccounts: (storage: AccountStorageV3) => Promise<void>;
 	resolveActiveIndex: (storage: AccountStorageV3, family?: "codex") => number;
+	hasUsableAccessToken: (
+		account: Pick<AccountMetadataV3, "accessToken" | "expiresAt">,
+		now: number,
+	) => boolean;
 	queuedRefresh: (refreshToken: string) => Promise<TokenResult>;
 	fetchCodexQuotaSnapshot: (input: {
 		accountId: string;
@@ -362,73 +366,79 @@ export async function runReportCommand(
 			const account = storage.accounts[i];
 			if (!account || account.enabled === false) continue;
 
-			const refreshResult = await deps.queuedRefresh(account.refreshToken);
-			if (refreshResult.type !== "success") {
-				refreshFailures.set(i, {
-					...refreshResult,
-					message: deps.normalizeFailureDetail(
-						refreshResult.message,
-						refreshResult.reason,
-					),
-				});
-				continue;
-			}
-
-			const refreshedEmail = sanitizeEmail(
-				extractAccountEmail(refreshResult.access, refreshResult.idToken),
-			);
-			const tokenDerivedAccountId = extractAccountId(refreshResult.access);
-			const refreshedAccountId = account.accountId ?? tokenDerivedAccountId;
-			const previousRefreshToken = account.refreshToken;
-			const previousAccessToken = account.accessToken;
-			const previousExpiresAt = account.expiresAt;
-			const previousEmail = account.email;
-			const previousAccountId = account.accountId;
-			const refreshPatch: RefreshedAccountPatch = {
-				refreshToken: refreshResult.refresh,
-				accessToken: refreshResult.access,
-				expiresAt: refreshResult.expires,
-			};
-			if (refreshedEmail) {
-				refreshPatch.email = refreshedEmail;
-			}
-			if (tokenDerivedAccountId) {
-				refreshPatch.accountId = tokenDerivedAccountId;
-				refreshPatch.accountIdSource = "token";
-			}
-			const accountMatch: AccountIdentityMatch = {
-				refreshToken: previousRefreshToken,
-				email: previousEmail,
-				accountId: previousAccountId,
-			};
-			applyRefreshedAccountPatch(account, refreshPatch);
-			if (
-				previousRefreshToken !== refreshPatch.refreshToken ||
-				previousAccessToken !== refreshPatch.accessToken ||
-				previousExpiresAt !== refreshPatch.expiresAt ||
-				previousEmail !== account.email ||
-				previousAccountId !== account.accountId
-			) {
-				try {
-					await persistRefreshedAccountPatch(
-						storage,
-						accountMatch,
-						refreshPatch,
-						deps.loadAccounts,
-						deps.saveAccounts,
-					);
-				} catch (error) {
-					const message = deps.normalizeFailureDetail(
-						error instanceof Error ? error.message : String(error),
-						undefined,
-					);
-					probeErrors.push(`${formatAccountLabel(account, i)}: ${message}`);
+			let probeAccessToken = account.accessToken;
+			let probeAccountId =
+				account.accountId ?? extractAccountId(account.accessToken);
+			if (!deps.hasUsableAccessToken(account, now)) {
+				const refreshResult = await deps.queuedRefresh(account.refreshToken);
+				if (refreshResult.type !== "success") {
+					refreshFailures.set(i, {
+						...refreshResult,
+						message: deps.normalizeFailureDetail(
+							refreshResult.message,
+							refreshResult.reason,
+						),
+					});
 					continue;
 				}
+
+				const refreshedEmail = sanitizeEmail(
+					extractAccountEmail(refreshResult.access, refreshResult.idToken),
+				);
+				const tokenDerivedAccountId = extractAccountId(refreshResult.access);
+				const refreshedAccountId = account.accountId ?? tokenDerivedAccountId;
+				const previousRefreshToken = account.refreshToken;
+				const previousAccessToken = account.accessToken;
+				const previousExpiresAt = account.expiresAt;
+				const previousEmail = account.email;
+				const previousAccountId = account.accountId;
+				const refreshPatch: RefreshedAccountPatch = {
+					refreshToken: refreshResult.refresh,
+					accessToken: refreshResult.access,
+					expiresAt: refreshResult.expires,
+				};
+				if (refreshedEmail) {
+					refreshPatch.email = refreshedEmail;
+				}
+				if (tokenDerivedAccountId) {
+					refreshPatch.accountId = tokenDerivedAccountId;
+					refreshPatch.accountIdSource = "token";
+				}
+				const accountMatch: AccountIdentityMatch = {
+					refreshToken: previousRefreshToken,
+					email: previousEmail,
+					accountId: previousAccountId,
+				};
+				applyRefreshedAccountPatch(account, refreshPatch);
+				probeAccessToken = refreshResult.access;
+				probeAccountId = account.accountId ?? refreshedAccountId;
+				if (
+					previousRefreshToken !== refreshPatch.refreshToken ||
+					previousAccessToken !== refreshPatch.accessToken ||
+					previousExpiresAt !== refreshPatch.expiresAt ||
+					previousEmail !== account.email ||
+					previousAccountId !== account.accountId
+				) {
+					try {
+						await persistRefreshedAccountPatch(
+							storage,
+							accountMatch,
+							refreshPatch,
+							deps.loadAccounts,
+							deps.saveAccounts,
+						);
+					} catch (error) {
+						const message = deps.normalizeFailureDetail(
+							error instanceof Error ? error.message : String(error),
+							undefined,
+						);
+						probeErrors.push(`${formatAccountLabel(account, i)}: ${message}`);
+						continue;
+					}
+				}
 			}
 
-			const accountId = account.accountId ?? refreshedAccountId;
-			if (!accountId) {
+			if (!probeAccessToken || !probeAccountId) {
 				probeErrors.push(
 					`${formatAccountLabel(account, i)}: missing accountId for live probe`,
 				);
@@ -437,8 +447,8 @@ export async function runReportCommand(
 
 			try {
 				const liveQuota = await deps.fetchCodexQuotaSnapshot({
-					accountId,
-					accessToken: refreshResult.access,
+					accountId: probeAccountId,
+					accessToken: probeAccessToken,
 					model: modelInspection.normalized,
 				});
 				liveQuotaByIndex.set(i, liveQuota);
diff --git a/test/codex-manager-report-command.test.ts b/test/codex-manager-report-command.test.ts
@@ -35,6 +35,7 @@ function createDeps(
 		loadAccounts: vi.fn(async () => createStorage()),
 		saveAccounts: vi.fn(async () => undefined),
 		resolveActiveIndex: vi.fn(() => 0),
+		hasUsableAccessToken: vi.fn(() => false),
 		queuedRefresh: vi.fn(async () => ({
 			type: "success",
 			access: "access-token-1",
@@ -192,6 +193,71 @@ describe("runReportCommand", () => {
 		expect(jsonOutput.forecast.accounts[3]?.liveQuota?.planType).toBe("pro");
 	});
 
+	it("reuses usable access tokens for live probes without forcing refresh", async () => {
+		const deps = createDeps({
+			hasUsableAccessToken: vi.fn(() => true),
+			loadAccounts: vi.fn(async () =>
+				createStorage([
+					{
+						email: "one@example.com",
+						accountId: "acct-live",
+						refreshToken: "refresh-token-1",
+						accessToken: "access-token-1",
+						expiresAt: 5_000,
+						addedAt: 1,
+						lastUsed: 1,
+						enabled: true,
+					},
+				]),
+			),
+		});
+
+		const result = await runReportCommand(["--live", "--json"], deps);
+
+		expect(result).toBe(0);
+		expect(deps.queuedRefresh).not.toHaveBeenCalled();
+		expect(deps.saveAccounts).not.toHaveBeenCalled();
+		expect(deps.fetchCodexQuotaSnapshot).toHaveBeenCalledWith({
+			accountId: "acct-live",
+			accessToken: "access-token-1",
+			model: "gpt-5-codex",
+		});
+	});
+
+	it("records probe error when usable token exists but account id is missing", async () => {
+		const deps = createDeps({
+			hasUsableAccessToken: vi.fn(() => true),
+			loadAccounts: vi.fn(async () =>
+				createStorage([
+					{
+						email: "missing-id@example.com",
+						refreshToken: "refresh-token-1",
+						accessToken: "not-a-jwt",
+						expiresAt: 5_000,
+						addedAt: 1,
+						lastUsed: 1,
+						enabled: true,
+					},
+				]),
+			),
+		});
+
+		const result = await runReportCommand(["--live", "--json"], deps);
+
+		expect(result).toBe(0);
+		expect(deps.queuedRefresh).not.toHaveBeenCalled();
+		expect(deps.saveAccounts).not.toHaveBeenCalled();
+		expect(deps.fetchCodexQuotaSnapshot).not.toHaveBeenCalled();
+		const jsonOutput = JSON.parse(
+			(deps.logInfo as ReturnType<typeof vi.fn>).mock.calls.at(-1)?.[0] ?? "{}",
+		) as { forecast: { probeErrors: string[] } };
+		expect(jsonOutput.forecast.probeErrors).toEqual(
+			expect.arrayContaining([
+				expect.stringContaining("missing accountId for live probe"),
+			]),
+		);
+	});
+
 	it("persists refreshed probe tokens before report live probes", async () => {
 		const storage = createStorage([
 			{
