Improve GitHub token validation to handle invalid/expired tokens #200
Description
The embedded GitHub tools should properly handle cases where GITHUB_TOKEN is set but invalid or expired. Currently, the authentication only falls back to gh auth token when the environment variable is missing, but not when it contains an invalid token.
Context
When GITHUB_TOKEN is set to an expired or invalid token, the embedded GitHub tools fail with authentication errors instead of attempting to refresh the token. This creates a poor user experience where users must manually detect and resolve token issues rather than having the tools automatically recover.
According to GitHub API documentation, the /user endpoint is the standard method for validating token authenticity and permissions. The current implementation has a FIXME comment acknowledging this exact limitation.
Alternatives
Users can manually detect invalid tokens and run gh auth token to refresh, but this requires manual intervention and doesn't provide a seamless experience. Alternatively, we could implement more sophisticated token refresh logic, but the proposed solution provides the right balance of simplicity and effectiveness.
Proposed Implementation
Modify the auth() function in .config/jp/tools/src/github.rs to:
- After building the octocrab client, test the token validity using
octocrab.current().user().await - If the request fails with authentication error and
gh auth tokencommand exists, attempt to get a fresh token - Rebuild the client with the new token and test again
- Only fail if the second attempt also fails
This approach provides automatic recovery from expired tokens while maintaining the existing fallback behavior.
Tasks
- Test current token validity using
/userendpoint after client creation - Implement fallback to
gh auth tokenwhen validation fails - Rebuild octocrab client with refreshed token
- Add proper error handling for cases where refresh also fails