fix: restore cache + add .env reload on auth failure

Correct retry logic: 1. Use cached token 2. Token rejected → refresh session with current CLIENT_KEY 3. Still failing → reloadGlobalEnv() to pick up updated .env, rebuild config with new CLIENT_KEY, retry env.ts now tracks which keys it loaded from .env so reloadGlobalEnv() can overwrite them without touching externally-set env vars. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
refactor: remove all token caching — always fetch fresh session
2026-03-20 06:24:52 +08:00 · 2026-03-20 06:19:16 +08:00
4 changed files with 67 additions and 16 deletions
--- a/src/auth.ts
+++ b/src/auth.ts
@ -108,8 +108,6 @@ export async function refreshAccessToken(
  }
  const cacheFile = getCacheFile(config.authBase, config.clientKey, config.authCacheDir);
  // Remove cache file if exists
  deleteCache(cacheFile);
  return getAccessToken(dryRun, config);
--- a/src/cache.ts
+++ b/src/cache.ts
@ -15,11 +15,11 @@ export function sha256(input: string): string {
 */
 export function getCacheFile(authBase: string, clientKey: string, cacheDir: string): string {
  const key = sha256(`${authBase}|${clientKey}`);
-  
+
  if (!fs.existsSync(cacheDir)) {
    fs.mkdirSync(cacheDir, { recursive: true });
  }
-  
+
  return path.join(cacheDir, `session_${key}.json`);
 }
@ -37,16 +37,16 @@ export function readCachedToken(
  try {
    const data = JSON.parse(fs.readFileSync(cacheFile, 'utf-8')) as CachedTokenData;
    const now = Math.floor(Date.now() / 1000);
-    
+
    if (!data.accessToken || data.expiresAtEpoch <= 0) {
      return null;
    }
-    
+
    // Check if token is still valid (with min TTL buffer)
    if (now + minTtlSec >= data.expiresAtEpoch) {
      return null;
    }
-    
+
    return data.accessToken;
  } catch (error) {
    return null;
@ -63,13 +63,13 @@ export function writeCache(
  const nowEpoch = Math.floor(Date.now() / 1000);
  const expiresIn = sessionJson.expiresIn > 0 ? sessionJson.expiresIn : 900;
  const expiresAtEpoch = nowEpoch + expiresIn;
-  
+
  const cacheData: CachedTokenData = {
    accessToken: sessionJson.accessToken,
    expiresAtEpoch,
    createdAtEpoch: nowEpoch,
  };
-  
+
  fs.writeFileSync(cacheFile, JSON.stringify(cacheData, null, 2), 'utf-8');
 }
--- a/src/client.ts
+++ b/src/client.ts
@ -1,7 +1,7 @@
 import type { ApiResponse, ClientConfig, EnvConfig, HttpMethod, SessionResponse } from './types.js';
 import { requestApi } from './http.js';
 import { getCacheFile, readCachedToken, writeCache, deleteCache } from './cache.js';
-import { loadGlobalEnv } from './env.js';
+import { loadGlobalEnv, reloadGlobalEnv } from './env.js';
 const SESSION_RETRYABLE_STATUS = new Set([401, 403]);
 const SESSION_RETRYABLE_BODY_MARKERS = [
@ -28,7 +28,6 @@ export interface SkillClientOptions {
 }
 function buildConfig(options: SkillClientOptions): EnvConfig {
  loadGlobalEnv();
  return {
    authBase: (options.authBase || process.env.AUTH_BASE || 'https://api-gw-test.yuanwei-lnc.com').replace(/\/$/, ''),
    clientKey: options.clientKey || process.env.CLIENT_KEY || '',
@ -44,12 +43,20 @@ function isRetryable(response: ApiResponse): boolean {
  return SESSION_RETRYABLE_BODY_MARKERS.some((m) => body.includes(m));
 }
 function isKeyError(response: ApiResponse): boolean {
  const body = (response.body || '').toLowerCase();
  return body.includes('client key revoked') || body.includes('client key expired');
 }
 export class SkillClient {
-  private readonly config: EnvConfig;
+  private config: EnvConfig;
-  private readonly apiBase: string;
+  private apiBase: string;
  private readonly dryRun: boolean;
  private readonly options: SkillClientOptions;
  constructor(options: SkillClientOptions = {}) {
    this.options = options;
    loadGlobalEnv();
    this.config = buildConfig(options);
    this.apiBase = (options.apiBase || process.env.ECOM_BASE || this.config.authBase).replace(/\/$/, '');
    this.dryRun = options.dryRun ?? false;
@ -118,6 +125,7 @@ export class SkillClient {
    const url = `${this.apiBase}${path}`;
    const bodyStr = body != null ? JSON.stringify(body) : undefined;
    // 1. Try with cached or fresh token
    const token = await this.getToken();
    const first = await requestApi(method, url, token, bodyStr);
@ -125,9 +133,18 @@ export class SkillClient {
      return first;
    }
-    // Token expired — refresh and retry once
+    // 2. Token rejected — clear cache, fetch new session with same key
    const freshToken = await this.refreshToken();
-    return requestApi(method, url, freshToken, bodyStr);
+    const second = await requestApi(method, url, freshToken, bodyStr);
    if (!isRetryable(second)) {
      return second;
    }
    // 3. Still failing — maybe CLIENT_KEY changed in .env, reload and retry
    this.reloadConfig();
    const reloadedToken = await this.refreshToken();
    return requestApi(method, url, reloadedToken, bodyStr);
  }
  private async getToken(): Promise<string> {
@ -149,6 +166,23 @@ export class SkillClient {
    return session.accessToken;
  }
  /**
   * Re-read ~/.openclaw/.env and rebuild config.
   * Called when auth keeps failing — the CLIENT_KEY may have been updated on disk.
   */
  private reloadConfig(): void {
    reloadGlobalEnv();
    const oldKey = this.config.clientKey;
    this.config = buildConfig(this.options);
    this.apiBase = (this.options.apiBase || process.env.ECOM_BASE || this.config.authBase).replace(/\/$/, '');
    if (this.config.clientKey !== oldKey) {
      // Clear old key's cache too
      const oldCacheFile = getCacheFile(this.config.authBase, oldKey, this.config.authCacheDir);
      deleteCache(oldCacheFile);
    }
  }
  private async fetchSession(): Promise<SessionResponse> {
    const result = await requestApi(
      'POST',
--- a/src/env.ts
+++ b/src/env.ts
@ -4,15 +4,33 @@ import * as os from 'os';
 const GLOBAL_ENV_PATH = path.join(os.homedir(), '.openclaw', '.env');
 /** Keys that were loaded from .env (not pre-existing in process.env) */
 const loadedKeys = new Set<string>();
 let loaded = false;
 /**
- * Load ~/.openclaw/.env into process.env (once, won't overwrite existing vars).
+ * Load ~/.openclaw/.env into process.env (once, won't overwrite explicitly set env vars).
 */
 export function loadGlobalEnv(): void {
  if (loaded) return;
  loaded = true;
  applyEnvFile();
 }
 /**
 * Force re-read ~/.openclaw/.env. Overwrites keys that were originally loaded
 * from .env, but still won't touch keys set externally (e.g. shell export).
 */
 export function reloadGlobalEnv(): void {
  // Clear values we previously loaded so applyEnvFile can overwrite them
  for (const key of loadedKeys) {
    delete process.env[key];
  }
  loadedKeys.clear();
  applyEnvFile();
 }
 function applyEnvFile(): void {
  let content: string;
  try {
    content = fs.readFileSync(GLOBAL_ENV_PATH, 'utf-8');
@ -38,6 +56,7 @@ export function loadGlobalEnv(): void {
    // don't overwrite explicitly set env vars
    if (process.env[key] === undefined) {
      process.env[key] = value;
      loadedKeys.add(key);
    }
  }
 }