Bound kernel login token exchange with a timeout#202
Open
masnwilliams wants to merge 2 commits into
Open
Conversation
The login flow used a context with no deadline and an HTTP client with no timeout for the OAuth token exchange, so a stalled /token (e.g. auth-side Redis down) left `kernel login` spinning until Ctrl-C. Cap the code exchange and the refresh request at 30s so they fail with a clear error instead of hanging. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
kernel loginused a context with no deadline (signal.NotifyContext) and a default HTTP client with no timeout for the OAuth token exchange. When/tokenstalled (e.g. the auth server's Redis was unreachable), the browser showed the success page but the terminal spinner hung until the user hit Ctrl-C.exchangeCodeForTokens) in a 30s context deadline.RefreshTokens) an equivalenthttp.Client.Timeout.Now a stalled auth server fails with a clear error in seconds instead of hanging the login. Companion to the
kernel-mcp-serverPR that stops the server side from hanging in the first place.Test plan
go build ./...,go vet,gofmt,go test ./pkg/auth/...all passkernel loginstill completes against a healthy auth server (happy path unchanged)Note
Low Risk
Small, defensive timeout wiring on existing OAuth HTTP calls; no change to token handling or security semantics beyond earlier failure on slow responses.
Overview
kernel loginand token refresh no longer hang indefinitely when the auth server’s/tokenendpoint stalls (e.g. upstream Redis issues). The browser could already show success while the CLI spinner ran until Ctrl-C.OAuth in
pkg/auth/oauth.gonow uses a shared 30stokenExchangeTimeout: the authorization-code exchange wraps the caller context withcontext.WithTimeoutbeforeConfig.Exchange, andRefreshTokensuses anhttp.Clientwith the same timeout instead of an unbounded default client.Reviewed by Cursor Bugbot for commit 75a1057. Bugbot is set up for automated code reviews on this repo. Configure here.