@Faizaanp Faizaanp commented Jan 7, 2026

Problem

When JWT access tokens expire (after 15 minutes), API endpoints return PermissionDenied instead of Unauthenticated. This prevents the frontend's auth interceptor from triggering automatic token refresh, forcing users to manually refresh the page.

Root Cause

Service methods checked user == nil and returned codes.PermissionDenied, but the frontend only catches codes.Unauthenticated to trigger token refresh via the refresh token cookie.

Solution

Split authentication checks to distinguish:

  • Unauthenticated: No valid token / token expired → triggers automatic refresh
  • PermissionDenied: Valid token but insufficient permissions → real authorization error

Changes

  • idp_service.go: Fixed CreateIdentityProvider, UpdateIdentityProvider, DeleteIdentityProvider
  • instance_service.go: Fixed GetInstanceSetting storage check
  • memo_service.go: Fixed GetMemo visibility check
  • user_service.go: Fixed UpdateUser, ListUserNotifications, UpdateUserNotification, DeleteUserNotification

Testing

  1. Reduced token expiration to 30 seconds for testing
  2. Created memo, waited for expiration
  3. Verified automatic refresh: 401 → RefreshToken (200) → retry succeeds
  4. User can continue working seamlessly without page refresh

Fixes #5448
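The split described above, written out as an added Go example that is not code from the memos repository: `Code` and `RPCError` are stand-ins for gRPC's `codes` and status error so it runs on the standard library alone, and `User`, `Memo`, `updateCheckOld`, `updateCheck` and `shouldRefresh` are hypothetical names.

```go
package main

// Code and RPCError stand in for gRPC codes/status so this runs on the standard library only.
type Code string

const (
	Unauthenticated  Code = "Unauthenticated"
	PermissionDenied Code = "PermissionDenied"
)

type RPCError struct {
	Code Code
	Msg  string
}

func (e *RPCError) Error() string { return "code = " + string(e.Code) + " desc = " + e.Msg }

// User is the caller the auth layer resolved from the access token: nil when no
// token was sent or it has expired (the PR's user == nil). Memo is a hypothetical
// record that only its owner may update.
type User struct{ ID string }
type Memo struct{ OwnerID string }

// updateCheckOld reproduces the pre-fix behaviour: a nil user surfaces as
// PermissionDenied, which the frontend treats as a real authorization error.
func updateCheckOld(user *User, m Memo) error {
	if user == nil || user.ID != m.OwnerID {
		return &RPCError{PermissionDenied, "permission denied"}
	}
	return nil
}

// updateCheck is the post-fix split: no valid token -> Unauthenticated,
// valid token but not the memo's owner -> PermissionDenied.
func updateCheck(user *User, m Memo) error {
	if user == nil {
		return &RPCError{Unauthenticated, "user not authenticated"}
	}
	if user.ID != m.OwnerID {
		return &RPCError{PermissionDenied, "permission denied"}
	}
	return nil
}

// shouldRefresh mirrors the frontend interceptor: only Unauthenticated triggers refresh.
func shouldRefresh(err error) bool {
	re, ok := err.(*RPCError)
	return ok && re.Code == Unauthenticated
}
```

With the old check, an expired token and a foreign memo are indistinguishable to the client, so `shouldRefresh` never fires; with the split, only the genuinely unauthorized case stays a PermissionDenied.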

@Faizaanp Faizaanp requested a review from johnnyjoygh as a code owner January 7, 2026 11:27

@johnnyjoygh johnnyjoygh left a comment

LGTM

@johnnyjoygh johnnyjoygh changed the title from "Fix: Return Unauthenticated instead of PermissionDenied on token expiration" to "fix: return Unauthenticated instead of PermissionDenied on token expiration" Jan 7, 2026
… requests

- Updated identity provider tests to expect 'user not authenticated' error
- Changed error expectations from 'permission denied' to 'user not authenticated'
@Faizaanp Faizaanp requested a review from johnnyjoygh January 7, 2026 14:52
@johnnyjoygh johnnyjoygh merged commit da2dd80 into usememos:main Jan 8, 2026
2 checks passed
@Faizaanp Faizaanp deleted the fix/session-timeout-permission-denied branch January 9, 2026 06:03

Linked issue that merging this pull request may close:

Failed to save memo: [permission_denied] rpc error: code = PermissionDenied desc = permission denied