bunny-lab/Borealis-Github-Replica
1
0
Fork 0
mirror of https://github.com/bunny-lab-io/Borealis.git synced 2025-10-27 03:21:57 -06:00
Code Issues Packages Projects Releases Wiki Activity

Improve refresh token DPAPI fallback and add reload logging

Browse Source
This commit is contained in:
Nicole Rappe
2025-10-18 02:00:36 -06:00
parent 21c2ce0c0b
commit cf82474e07
2 changed files with 25 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
Data/Agent/agent.py
View File

@@ -684,6 +684,17 @@ class AgentHttpClient:
self.session.headers.update({"Authorization": f"Bearer {self.access_token}"}) self.session.headers.update({"Authorization": f"Bearer {self.access_token}"})
else: else:
self.session.headers.pop("Authorization", None) self.session.headers.pop("Authorization", None)
try:
_log_agent(
"Reloaded tokens from disk "
f"guid={'yes' if self.guid else 'no'} "
f"access={'yes' if self.access_token else 'no'} "
f"refresh={'yes' if self.refresh_token else 'no'} "
f"expiry={self.access_expires_at}",
fname="agent.log",
)
except Exception:
pass
def auth_headers(self) -> Dict[str, str]: def auth_headers(self) -> Dict[str, str]:
if self.access_token: if self.access_token:

21
Data/Agent/security.py
View File

@@ -227,16 +227,23 @@ class AgentKeyStore:
try: try:
with open(self._refresh_token_path, "rb") as fh: with open(self._refresh_token_path, "rb") as fh:
protected = fh.read() protected = fh.read()
raw = _unprotect(protected, scope_system=self.scope_system)
try:
return raw.decode("utf-8")
except Exception:
# Token may have been protected under the opposite DPAPI scope.
alt = _unprotect(protected, scope_system=not self.scope_system)
return alt.decode("utf-8")
except Exception: except Exception:
return None return None
# Try both scopes (preferred first) and decode once a UTF-8 payload is recovered.
for scope_first in (self.scope_system, not self.scope_system):
try:
candidate = _unprotect(protected, scope_system=scope_first)
except Exception:
continue
if not candidate:
continue
try:
return candidate.decode("utf-8")
except Exception:
continue
return None
def clear_tokens(self) -> None: def clear_tokens(self) -> None:
for path in (self._access_token_path, self._refresh_token_path, self._token_meta_path): for path in (self._access_token_path, self._refresh_token_path, self._token_meta_path):
try: try: