Bug Description
The OAuth token obtained during server initialization is never refreshed during runtime. The OAUTH_ACCESS_TOKEN variable in index.ts is set once at startup and used as-is for all subsequent API calls, even after it expires.
Root Cause
In oauth.ts, the getAccessToken() method (line 559) correctly handles token refresh:
```typescript
async getAccessToken(): Promise<string> {
  let tokenData = this.loadToken();
  if (!tokenData) {
    tokenData = await this.startOAuthFlow();
  } else if (this.isTokenExpired(tokenData)) {
    if (tokenData.refresh_token) {
      tokenData = await this.refreshAccessToken(tokenData.refresh_token);
      this.saveToken(tokenData);
    } else {
      tokenData = await this.startOAuthFlow();
    }
  }
  return tokenData.access_token;
}
```
However, in index.ts, this method is only called once during startup (line ~7369):
```typescript
OAUTH_ACCESS_TOKEN = await initializeOAuth(gitlabBaseUrl);
```
The buildAuthHeaders() function (line 617) then uses the static OAUTH_ACCESS_TOKEN variable for every request without ever checking expiry or calling refresh:
```typescript
const token = OAUTH_ACCESS_TOKEN || GITLAB_PERSONAL_ACCESS_TOKEN;
```
Expected Behavior
When an OAuth token expires, the server should automatically refresh it using the stored refresh_token, or re-initiate the OAuth flow if refresh fails.
Actual Behavior
The server continues using the expired token, resulting in 401 errors from the GitLab API until the server is manually restarted.
Suggested Fix
Either:
- Store the GitLabOAuth instance and call getAccessToken() in buildAuthHeaders() (or on 401 responses) instead of using the static token variable
- Set up a periodic refresh timer based on expires_in from the token response
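The first option sketched as an added example (this is not the project's code): a small token provider that re-checks expiry on every buildAuthHeaders() call and forces one refresh when a request still comes back 401. TokenProvider, TokenData, Refresher, the fake clock and the fake API are all assumptions made for the demonstration.

```typescript
interface TokenData { access_token: string; refresh_token?: string; expires_at: number; }
type Refresher = (refreshToken: string) => Promise<TokenData>;

class TokenProvider {
  refreshes = 0;
  constructor(private token: TokenData, private refresher: Refresher,
              private now: () => number = Date.now) {}

  // Treat a token as expired a little early so a request does not race the server clock.
  isExpired(t: TokenData, skewMs = 30_000): boolean {
    return this.now() + skewMs >= t.expires_at;
  }

  async getAccessToken(force = false): Promise<string> {
    if (force || this.isExpired(this.token)) {
      if (!this.token.refresh_token) throw new Error("expired and no refresh_token: restart OAuth flow");
      this.token = await this.refresher(this.token.refresh_token);
      this.refreshes++;
    }
    return this.token.access_token;
  }
}

// Unlike the static OAUTH_ACCESS_TOKEN lookup, this asks the provider on every request.
async function buildAuthHeaders(p: TokenProvider, force = false): Promise<Record<string, string>> {
  return { Authorization: `Bearer ${await p.getAccessToken(force)}` };
}

// One retry on 401: force a refresh and resend instead of failing until a manual restart.
async function apiCall(p: TokenProvider, send: (h: Record<string, string>) => Promise<number>): Promise<number> {
  let status = await send(await buildAuthHeaders(p));
  if (status === 401) status = await send(await buildAuthHeaders(p, true));
  return status;
}

// Constructed scenario: fake clock, fake refresher, and a fake API that only accepts "tokrx".
async function simulate(): Promise<{ first: string; second: string; status: number; refreshes: number }> {
  let clock = 0;
  const refresher: Refresher = async (rt) =>
    ({ access_token: `tok${rt}`, refresh_token: rt + "x", expires_at: clock + 3_600_000 });
  const p = new TokenProvider(
    { access_token: "tok1", refresh_token: "r", expires_at: 3_600_000 }, refresher, () => clock);
  const first = (await buildAuthHeaders(p)).Authorization;   // still valid: no refresh
  clock = 3_600_000;                                          // one hour later: expired
  const second = (await buildAuthHeaders(p)).Authorization;  // refreshed via refresh_token
  const send = async (h: Record<string, string>) => (h.Authorization === "Bearer tokrx" ? 200 : 401);
  const status = await apiCall(p, send);                      // 401 triggers a forced refresh
  return { first, second, status, refreshes: p.refreshes };
}
```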
Related