Overview Issues Merge Requests

auth status shows authenticated but commands fail when session token expires

did:plc:b2mcbcamkwyznc5fkplwlxbf opened this Feb 14, 2026 0 comments
did:plc:b2mcbcamkwyznc5fkplwlxbf opened Feb 14, 2026

Summary

auth status reports ✓ Authenticated but commands that require auth (e.g. issue list, pr list) fail with ✗ Not authenticated. Run "tangled auth login" first. This gives the false impression that no session exists when in fact the session token has simply expired.

Root Cause

There are two separate mechanisms for authentication:

  1. auth status reads only the metadata file (~/.config/tangled/session.json) — it does not validate the actual session token from the keychain. So it can show "Authenticated" even with an expired session.

  2. ensureAuthenticated() calls client.resumeSession(), which calls this.agent.resumeSession(sessionData) on the AT Protocol agent. If that call fails (e.g. the refresh token has expired and the PDS rejects it), the error is caught at api-client.ts:109:

} catch (error) {
  if (error instanceof KeychainAccessError) throw error;
  // Session resume failed (network error, expired refresh token, etc.)
  return false;  // ← silently swallows the real error
}

This causes ensureAuthenticated to exit with the generic "Not authenticated" message, which is indistinguishable from "you have never logged in."

Diagnostic Evidence

  • Keychain entry exists: acct=did:plc:b2mcbcamkwyznc5fkplwlxbf, last modified 2026-02-11T19:07:00Z
  • Metadata file exists at ~/.config/tangled/session.json, lastUsed: 2/11/2026 12:23 PM
  • auth status✓ Authenticated (reads metadata only)
  • issue list✗ Not authenticated. Run "tangled auth login" first. (resumeSession failed silently)

Proposed Fix

When resumeSession() returns false in ensureAuthenticated, check whether session metadata exists to distinguish between the two cases:

  • No metadata (truly never logged in): ✗ Not authenticated. Run "tangled auth login" first.
  • Metadata exists but resume failed (expired token): ✗ Session expired. Run "tangled auth login" to re-authenticate.

Optionally, the catch block in resumeSession() could log the underlying error at a debug level so it can be surfaced with a --verbose flag.

No activity yet.

Back to issues
cospan · schematic version control on atproto built on AT Protocol