Skip to content

Fix Google Calendar Auth Refresh #357

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tembo wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Fix Google Calendar Auth Refresh #357

tembo wants to merge 3 commits into from

Conversation

@tembo
Copy link
Contributor

@tembo tembo bot commented Sep 2, 2025
edited by cubic-dev-ai bot
Loading

Description

Resolve Google Calendar authentication failures by implementing token refresh mechanism

Changes

  • Added token refresh logic for Google Calendar provider
  • Updated error handling in calendar providers
  • Implemented refreshGoogleAccessToken utility function
  • Added refresh token support across provider interfaces

Want me to make any changes? Add a review or comment with @tembo and i'll get back to work!

tembo.io sentry.io

Summary by cubic

Automatically refreshes expired Google access tokens to stop calendar operations from failing, with a single retry after refresh and DB persistence of new tokens. Adds the same refresh flow for Microsoft Calendar.

  • Bug Fixes

    • Detect auth errors and refresh access tokens for Google and Microsoft, then retry once.
    • Save new access/refresh tokens and expiry to the account record.
    • Improved errors include accountId and retryAttempt; Microsoft auth errors are detected more reliably.

  • Migration

    • ProviderConfig and provider constructors now require refreshToken. If constructing providers directly, pass refreshToken (factories already do).

@vercel
Copy link

vercel bot commented Sep 2, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
analog Ready Ready Preview Comment Sep 3, 2025 0:14am

@tembo
Copy link
Contributor Author

tembo bot commented Sep 2, 2025

Requesting review from @JeanMeijer who has experience with the following files modified in this PR:

  • bun.lock
  • packages/api/src/providers/index.ts
  • packages/api/src/providers/interfaces.ts
  • packages/api/src/providers/calendars/google-calendar.ts
  • packages/api/src/providers/calendars/microsoft-calendar.ts

@tembo tembo bot requested a review from JeanMeijer September 2, 2025 11:13
@coderabbitai
Copy link

coderabbitai bot commented Sep 2, 2025

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Join our Discord community for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

  • Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

  • Visit our Status Page to check the current availability of CodeRabbit.
  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@tembo
Copy link
Contributor Author

tembo bot commented Sep 2, 2025

Tembo is working on fixing this failing workflow: Check formatting

JeanMeijer
JeanMeijer requested changes Sep 3, 2025
View reviewed changes
packages/api/src/utils/token-refresh.ts Outdated
Comment on lines 1 to 40
import { TRPCError } from "@trpc/server";
import { eq } from "drizzle-orm";

import { db } from "@repo/db";
import { account } from "@repo/db/schema";
import { env } from "@repo/env/server";

interface GoogleTokenResponse {
access_token: string;
refresh_token?: string;
expires_in: number;
token_type: string;
}

interface MicrosoftTokenResponse {
access_token: string;
refresh_token?: string;
expires_in: number;
token_type: string;
}

interface RefreshTokenOptions {
refreshToken: string;
accountId: string;
}

export async function refreshGoogleAccessToken({
refreshToken,
accountId,
}: RefreshTokenOptions): Promise<string> {
try {
const response = await fetch("https://oauth2.googleapis.com/token", {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: new URLSearchParams({
client_id: env.GOOGLE_CLIENT_ID,
client_secret: env.GOOGLE_CLIENT_SECRET,
refresh_token: refreshToken,
Copy link
Collaborator

@JeanMeijer JeanMeijer Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

use better auth to refresh the tokens, instead of passing the accessToken to the provider pass enough info so we can refresh the token using better-auth

@tembo
Copy link
Contributor Author

tembo bot commented Sep 3, 2025

Thanks for the feedback about using Better Auth for token refreshing. I've refactored the token refresh implementation to leverage our auth service instead of directly managing OAuth tokens:

  1. Removed the direct OAuth provider calls and database updates
  2. Implemented a centralized refreshAccessToken function that uses the auth API
  3. Simplified both Google and Microsoft token refresh functions to use this common implementation
  4. Modified the calendar providers to no longer pass refresh tokens (they're now retrieved from the auth service)

This approach is more secure and maintainable as the token refresh logic is now handled by the auth service rather than managed directly in our application.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JeanMeijer JeanMeijer JeanMeijer requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JeanMeijer