Merge pull request #137 from AgentWorkforce/fix/auth-whoami-timeout-prod-default

fix(auth): use production cloud and tolerate whoami latency

Author: kjgbot

src/main/auth.test.ts

@@ -127,6 +127,11 @@ describe('getAccountWorkspaceId', () => {
     expect(mock.fetchMock).not.toHaveBeenCalled()
   })
 
+  it('uses the production cloud URL by default', async () => {
+    const { getApiUrl } = await import('./auth')
+    expect(getApiUrl()).toBe('https://agentrelay.com/cloud')
+  })
+
   it('returns the workspace id from currentWorkspace.id and persists the cache', async () => {
     writeAuthJson(userDataDir, {
       accessToken: 'cld_at_abc',
@@ -335,6 +340,61 @@ describe('getAccountWorkspaceId', () => {
     expect(mock.fetchMock).toHaveBeenCalledTimes(2)
   })
 
+  it('retries when whoami temporarily times out', async () => {
+    writeAuthJson(userDataDir, {
+      accessToken: 'cld_at_timeout_retry',
+      refreshToken: 'cld_rt_timeout_retry',
+      apiUrl: 'https://cloud.example'
+    })
+    mock.fetchMock
+      .mockRejectedValueOnce(Object.assign(new Error('aborted'), { name: 'AbortError' }))
+      .mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        statusText: 'OK',
+        json: async () => ({ currentWorkspace: { id: 'ws-after-timeout' } })
+      })
+
+    const { getAccountWorkspaceId } = await import('./auth')
+    await expect(getAccountWorkspaceId({ retryAttempts: 2, retryDelayMs: 0 })).resolves.toBe('ws-after-timeout')
+    expect(mock.fetchMock).toHaveBeenCalledTimes(2)
+  })
+
+  it('canonicalizes legacy agentrelay.dev auth records to production', async () => {
+    writeAuthJson(userDataDir, {
+      accessToken: 'cld_at_legacy_dev',
+      refreshToken: 'cld_rt_legacy_dev',
+      apiUrl: 'https://agentrelay.dev/cloud'
+    })
+    mock.fetchMock.mockResolvedValue({
+      ok: true,
+      status: 200,
+      statusText: 'OK',
+      json: async () => ({ currentWorkspace: { id: 'ws-prod' } })
+    })
+
+    const { getAccountWorkspaceId } = await import('./auth')
+    await expect(getAccountWorkspaceId()).resolves.toBe('ws-prod')
+    expect(mock.fetchMock).toHaveBeenCalledWith(
+      'https://agentrelay.com/cloud/api/v1/auth/whoami',
+      expect.any(Object)
+    )
+  })
+
+  it('canonicalizes legacy agentrelay.dev metadata used by getApiUrl callers', async () => {
+    writeAuthJson(userDataDir, {
+      accessToken: 'cld_at_legacy_meta',
+      refreshToken: 'cld_rt_legacy_meta',
+      apiUrl: 'https://agentrelay.dev/cloud'
+    })
+
+    const { getAccessToken, getApiUrl } = await import('./auth')
+    await expect(getAccessToken()).resolves.toBe('cld_at_legacy_meta')
+
+    expect(getApiUrl()).toBe('https://agentrelay.com/cloud')
+    expect(readMeta(userDataDir)?.apiUrl).toBe('https://agentrelay.com/cloud')
+  })
+
   it('throws cloud-auth-required when whoami rejects the access token', async () => {
     writeAuthJson(userDataDir, {
       accessToken: 'cld_at_401',
@@ -622,6 +682,32 @@ describe('getAuthStatus', () => {
     })
   })
 
+  it('canonicalizes legacy agentrelay.dev stored tokens before refreshing auth status', async () => {
+    writeAuthJson(userDataDir, {
+      accessToken: 'cld_at_legacy_status',
+      refreshToken: 'cld_rt_legacy_status',
+      apiUrl: 'https://agentrelay.dev/cloud'
+    })
+    mock.fetchMock.mockResolvedValue({
+      ok: true,
+      status: 200,
+      statusText: 'OK',
+      json: async () => ({ user: { id: 'user-legacy' } })
+    })
+
+    const { getAuthStatus } = await import('./auth')
+
+    await expect(getAuthStatus()).resolves.toEqual({
+      loggedIn: true,
+      apiUrl: 'https://agentrelay.com/cloud',
+      user: { username: 'user-legacy' }
+    })
+    expect(mock.fetchMock).toHaveBeenCalledWith(
+      'https://agentrelay.com/cloud/api/v1/auth/whoami',
+      expect.any(Object)
+    )
+  })
+
   it('hydrates a sparse stored profile from whoami', async () => {
     writeAuthJson(userDataDir, {
       accessToken: 'cld_at_sparse_user',

src/main/auth.ts

@@ -14,8 +14,10 @@ import {
   type UserInfo
 } from './schemas'
 
-const CLOUD_API_URL = process.env.RELAY_CLOUD_URL || 'https://agentrelay.dev/cloud'
+const CLOUD_API_URL = process.env.RELAY_CLOUD_URL || 'https://agentrelay.com/cloud'
+const LEGACY_CLOUD_API_URL = 'https://agentrelay.dev/cloud'
 const TOKEN_EXPIRY_BUFFER_MS = 60_000
+const WHOAMI_REQUEST_TIMEOUT_MS = 10_000
 const ACCOUNT_WORKSPACE_RETRY_ATTEMPTS = 8
 const ACCOUNT_WORKSPACE_RETRY_DELAY_MS = 500
 const warnedWhoamiWorkspaceFailures = new Set<string>()
@@ -145,8 +147,9 @@ function delay(ms: number): Promise<void> {
 
 function saveAuthMeta(tokens: Pick<StoredTokens, 'apiUrl' | 'user'> & Partial<Pick<StoredTokens, 'accessToken'>>): void {
   const previous = loadAuthMeta()
+  const apiUrl = normalizeCloudApiUrl(tokens.apiUrl)
   const accountKey = tokens.accessToken
-    ? deriveCloudAuthAccountKey(tokens.apiUrl, tokens.accessToken, tokens.user)
+    ? deriveCloudAuthAccountKey(apiUrl, tokens.accessToken, tokens.user)
     : undefined
   const tokenHash = tokens.accessToken ? accountWorkspaceTokenHash(tokens.accessToken) : undefined
   const accountWorkspace =
@@ -161,7 +164,7 @@ function saveAuthMeta(tokens: Pick<StoredTokens, 'apiUrl' | 'user'> & Partial<Pi
         }
       : undefined
   const meta = {
-    apiUrl: tokens.apiUrl,
+    apiUrl,
     user: tokens.user,
     ...(accountWorkspace ? { accountWorkspace } : {})
   }
@@ -172,8 +175,9 @@ function loadAuthMeta(): AuthMeta {
   try {
     const parsed = AuthMetaSchema.safeParse(JSON.parse(readFileSync(getAuthMetaPath(), 'utf8')))
     if (!parsed.success) return { apiUrl: CLOUD_API_URL }
+    const apiUrl = (parsed.data.apiUrl?.trim() || CLOUD_API_URL).replace(/\/+$/, '')
     return {
-      apiUrl: parsed.data.apiUrl?.trim() || CLOUD_API_URL,
+      apiUrl: apiUrl === LEGACY_CLOUD_API_URL ? CLOUD_API_URL : apiUrl,
       user: parsed.data.user,
       accountWorkspace: parsed.data.accountWorkspace
     }
@@ -225,8 +229,9 @@ function loadTokens(): StoredTokens | null {
     const decrypted = safeStorage.decryptString(raw)
     const parsed = StoredTokensSchema.safeParse(JSON.parse(decrypted))
     if (!parsed.success) return null
-    saveAuthMeta(parsed.data)
-    return parsed.data
+    const tokens = { ...parsed.data, apiUrl: normalizeCloudApiUrl(parsed.data.apiUrl) }
+    saveAuthMeta(tokens)
+    return tokens
   } catch {
     return null
   }
@@ -277,7 +282,7 @@ function warnWhoamiWorkspaceFailure(failureClass: string): void {
 
 async function fetchWhoamiPayload(apiUrl: string, accessToken: string): Promise<WhoamiPayloadResult> {
   const controller = new AbortController()
-  const timeout = setTimeout(() => controller.abort(), 2500)
+  const timeout = setTimeout(() => controller.abort(), WHOAMI_REQUEST_TIMEOUT_MS)
 
   try {
     const res = await fetch(`${apiUrl}/api/v1/auth/whoami`, {
@@ -320,7 +325,7 @@ function accountWorkspaceIdFromWhoami(value: unknown): string | undefined {
 function saveAccountWorkspaceCache(auth: CloudAuth, workspaceId: string): void {
   const previous = loadAuthMeta()
   const meta = {
-    apiUrl: auth.apiUrl || previous.apiUrl?.trim() || CLOUD_API_URL,
+    apiUrl: normalizeCloudApiUrl(auth.apiUrl || previous.apiUrl),
     user: previous.user,
     accountWorkspace: {
       accountKey: auth.accountKey,
@@ -577,7 +582,7 @@ async function performTokenRefresh(stored: StoredTokens): Promise<StoredTokens |
 
 export function getApiUrl(): string {
   if (hasStoredTokens()) {
-    return loadAuthMeta().apiUrl || CLOUD_API_URL
+    return normalizeCloudApiUrl(loadAuthMeta().apiUrl)
   }
   return CLOUD_API_URL
 }
@@ -598,7 +603,9 @@ function cloudAuthFromStored(tokens: StoredTokens): CloudAuth {
 }
 
 function normalizeCloudApiUrl(url: string | undefined): string {
-  return (url || getApiUrl()).trim().replace(/\/+$/, '')
+  const normalized = (url || CLOUD_API_URL).trim().replace(/\/+$/, '')
+  if (normalized === LEGACY_CLOUD_API_URL) return CLOUD_API_URL
+  return normalized
 }
 
 function readJwtPayload(token: string): Record<string, unknown> | null {
@@ -696,8 +703,9 @@ export async function getAccountWorkspaceId(options: AccountWorkspaceIdOptions =
   if (!auth) throw new Error('cloud-auth-required')
 
   const cached = loadAuthMeta().accountWorkspace
-  if (accountWorkspaceCacheMatches(cached, auth)) {
-    return cached.workspaceId.trim()
+  const cachedWorkspaceId = cached?.workspaceId.trim()
+  if (cachedWorkspaceId && accountWorkspaceCacheMatches(cached, auth)) {
+    return cachedWorkspaceId
   }
 
   const retryAttempts = Math.max(1, Math.floor(options.retryAttempts ?? 1))