Merge branch 'release/pr-325' into release/integration-1.2.2

ndycode · ndycode · commit 821553d25336 · 2026-04-01T20:35:32.000+08:00
# Conflicts:
#	lib/refresh-guardian.ts
diff --git a/lib/refresh-guardian.ts b/lib/refresh-guardian.ts
@@ -26,6 +26,80 @@ export interface RefreshGuardianStats {
 
 const DEFAULT_INTERVAL_MS = 60_000;
 
+function findMatchingLiveAccountIndexes(
+	liveAccounts: ManagedAccount[],
+	predicate: (candidate: ManagedAccount) => boolean,
+): number[] {
+	const matches: number[] = [];
+	for (const [index, candidate] of liveAccounts.entries()) {
+		if (predicate(candidate)) {
+			matches.push(index);
+		}
+	}
+	return matches;
+}
+
+function resolveLiveAccountIndex(
+	liveAccounts: ManagedAccount[],
+	sourceAccount: ManagedAccount,
+): number {
+	if (sourceAccount.accountId) {
+		const accountIdMatches = findMatchingLiveAccountIndexes(
+			liveAccounts,
+			(candidate) => candidate.accountId === sourceAccount.accountId,
+		);
+		const resolvedIndex = accountIdMatches[0];
+		if (resolvedIndex !== undefined) {
+			log.debug("Resolved refreshed account by accountId", {
+				sourceIndex: sourceAccount.index,
+				resolvedIndex,
+				matchCount: accountIdMatches.length,
+			});
+			if (accountIdMatches.length > 1) {
+				log.warn("Duplicate live accountId matches during refresh reconciliation", {
+					sourceIndex: sourceAccount.index,
+					resolvedIndex,
+					matchCount: accountIdMatches.length,
+				});
+			}
+			return resolvedIndex;
+		}
+	}
+
+	const sourceEmail = sanitizeEmail(sourceAccount.email);
+	if (sourceEmail) {
+		const emailMatches = findMatchingLiveAccountIndexes(
+			liveAccounts,
+			(candidate) => sanitizeEmail(candidate.email) === sourceEmail,
+		);
+		const resolvedIndex = emailMatches[0];
+		if (resolvedIndex !== undefined) {
+			log.debug("Resolved refreshed account by email", {
+				sourceIndex: sourceAccount.index,
+				resolvedIndex,
+				matchCount: emailMatches.length,
+			});
+			if (emailMatches.length > 1) {
+				log.warn("Duplicate live email matches during refresh reconciliation", {
+					sourceIndex: sourceAccount.index,
+					resolvedIndex,
+					matchCount: emailMatches.length,
+				});
+			}
+			return resolvedIndex;
+		}
+	}
+
+	const byToken = liveAccounts.findIndex(
+		(candidate) => candidate.refreshToken === sourceAccount.refreshToken,
+	);
+	log.debug("Resolved refreshed account by refresh token fallback", {
+		sourceIndex: sourceAccount.index,
+		resolvedIndex: byToken,
+	});
+	return byToken;
+}
+
 export class RefreshGuardian {
 	private readonly getAccountManager: () => AccountManager | null;
 	private readonly intervalMs: number;
diff --git a/test/refresh-guardian.test.ts b/test/refresh-guardian.test.ts
@@ -34,6 +34,8 @@ vi.mock("../lib/proactive-refresh.js", () => ({
 function createManagedAccount(index: number): ManagedAccount {
   return {
     index,
+    accountId: `acct-${index}`,
+    email: `user${index}@example.com`,
     refreshToken: `refresh-${index}`,
     addedAt: Date.now() - 10_000,
     lastUsed: Date.now() - 5_000,
@@ -331,7 +333,7 @@ describe("refresh-guardian", () => {
     expect(tickSpy).toHaveBeenCalledTimes(1);
   });
 
-  it("resolves refreshed account using stable refresh token when indices shift", async () => {
+  it("resolves refreshed account by accountId when indices shift", async () => {
     const originalA = createManagedAccount(0);
     const originalB = createManagedAccount(1);
     const liveB = { ...originalB, index: 0 };
@@ -399,6 +401,196 @@ describe("refresh-guardian", () => {
     );
   });
 
+  it("resolves refreshed account by accountId after refresh token rotation", async () => {
+    const originalA = createManagedAccount(0);
+    const originalB = createManagedAccount(1);
+    const liveA = {
+      ...originalA,
+      index: 1,
+      refreshToken: "refresh-0-rotated",
+    };
+    const liveB = { ...originalB, index: 0 };
+    const snapshots = [
+      [originalA, originalB],
+      [liveB, liveA],
+    ];
+    let readCount = 0;
+    const manager = {
+      getAccountsSnapshot: vi.fn(
+        () => snapshots[Math.min(readCount++, snapshots.length - 1)],
+      ),
+      getAccountByIndex: vi.fn(
+        (index: number) =>
+          [liveB, liveA].find((account) => account.index === index) ?? null,
+      ),
+      clearAuthFailures: vi.fn(),
+      markAccountCoolingDown: vi.fn(),
+      setAccountEnabled: vi.fn(),
+      saveToDiskDebounced: vi.fn(),
+    } as unknown as AccountManager;
+    const { RefreshGuardian } = await import("../lib/refresh-guardian.js");
+    const guardian = new RefreshGuardian(() => manager, {
+      bufferMs: 60_000,
+      intervalMs: 5_000,
+    });
+
+    refreshExpiringAccountsMock.mockResolvedValue(
+      new Map([
+        [
+          0,
+          {
+            refreshed: true,
+            reason: "success",
+            tokenResult: {
+              type: "success",
+              access: "access-account-id",
+              refresh: "refresh-account-id",
+              expires: Date.now() + 3_600_000,
+            },
+          },
+        ],
+      ]),
+    );
+
+    await guardian.tick();
+
+    expect(applyRefreshResultMock).toHaveBeenCalledWith(
+      liveA,
+      expect.objectContaining({ type: "success" }),
+    );
+    expect(
+      manager.clearAuthFailures as ReturnType<typeof vi.fn>,
+    ).toHaveBeenCalledWith(liveA);
+  });
+
+  it("falls back to refreshToken when accountId is unavailable and email is invalid", async () => {
+    const originalA = {
+      ...createManagedAccount(0),
+      accountId: undefined,
+      email: "invalid-no-at",
+    };
+    const originalB = createManagedAccount(1);
+    const liveA = {
+      ...originalA,
+      index: 1,
+    };
+    const liveB = { ...originalB, index: 0 };
+    const snapshots = [
+      [originalA, originalB],
+      [liveB, liveA],
+    ];
+    let readCount = 0;
+    const manager = {
+      getAccountsSnapshot: vi.fn(
+        () => snapshots[Math.min(readCount++, snapshots.length - 1)],
+      ),
+      getAccountByIndex: vi.fn(
+        (index: number) =>
+          [liveB, liveA].find((account) => account.index === index) ?? null,
+      ),
+      clearAuthFailures: vi.fn(),
+      markAccountCoolingDown: vi.fn(),
+      setAccountEnabled: vi.fn(),
+      saveToDiskDebounced: vi.fn(),
+    } as unknown as AccountManager;
+    const { RefreshGuardian } = await import("../lib/refresh-guardian.js");
+    const guardian = new RefreshGuardian(() => manager, {
+      bufferMs: 60_000,
+      intervalMs: 5_000,
+    });
+
+    refreshExpiringAccountsMock.mockResolvedValue(
+      new Map([
+        [
+          0,
+          {
+            refreshed: true,
+            reason: "success",
+            tokenResult: {
+              type: "success",
+              access: "access-token",
+              refresh: "refresh-token",
+              expires: Date.now() + 3_600_000,
+            },
+          },
+        ],
+      ]),
+    );
+
+    await guardian.tick();
+
+    expect(applyRefreshResultMock).toHaveBeenCalledWith(
+      liveA,
+      expect.objectContaining({ type: "success" }),
+    );
+    expect(
+      manager.clearAuthFailures as ReturnType<typeof vi.fn>,
+    ).toHaveBeenCalledWith(liveA);
+  });
+
+  it("treats empty string accountId the same as undefined by using normalized email", async () => {
+    const originalA = { ...createManagedAccount(0), accountId: "", email: " User0@Example.com " };
+    const originalB = createManagedAccount(1);
+    const liveA = {
+      ...originalA,
+      index: 1,
+      refreshToken: "refresh-0-rotated",
+      email: "user0@example.com",
+    };
+    const liveB = { ...originalB, index: 0 };
+    const snapshots = [
+      [originalA, originalB],
+      [liveB, liveA],
+    ];
+    let readCount = 0;
+    const manager = {
+      getAccountsSnapshot: vi.fn(
+        () => snapshots[Math.min(readCount++, snapshots.length - 1)],
+      ),
+      getAccountByIndex: vi.fn(
+        (index: number) =>
+          [liveB, liveA].find((account) => account.index === index) ?? null,
+      ),
+      clearAuthFailures: vi.fn(),
+      markAccountCoolingDown: vi.fn(),
+      setAccountEnabled: vi.fn(),
+      saveToDiskDebounced: vi.fn(),
+    } as unknown as AccountManager;
+    const { RefreshGuardian } = await import("../lib/refresh-guardian.js");
+    const guardian = new RefreshGuardian(() => manager, {
+      bufferMs: 60_000,
+      intervalMs: 5_000,
+    });
+
+    refreshExpiringAccountsMock.mockResolvedValue(
+      new Map([
+        [
+          0,
+          {
+            refreshed: true,
+            reason: "success",
+            tokenResult: {
+              type: "success",
+              access: "access-email",
+              refresh: "refresh-email",
+              expires: Date.now() + 3_600_000,
+            },
+          },
+        ],
+      ]),
+    );
+
+    await guardian.tick();
+
+    expect(applyRefreshResultMock).toHaveBeenCalledWith(
+      liveA,
+      expect.objectContaining({ type: "success" }),
+    );
+    expect(
+      manager.clearAuthFailures as ReturnType<typeof vi.fn>,
+    ).toHaveBeenCalledWith(liveA);
+  });
+
   it("classifies failure reasons and handles no-op branches", async () => {
     const accountA = createManagedAccount(0);
     const accountB = createManagedAccount(1);
@@ -649,6 +841,9 @@ describe("refresh-guardian", () => {
     expect(
       manager.saveToDiskDebounced as ReturnType<typeof vi.fn>,
     ).toHaveBeenCalledTimes(1);
+    expect(
+      manager.getAccountsSnapshot as ReturnType<typeof vi.fn>,
+    ).toHaveBeenCalledTimes(2);
 
     const stats = guardian.getStats();
     expect(stats.runs).toBe(1);
