Merge pull request #25 from shanehull/feat/auth-session-fix

fix: bridge browser OAuth to REST API session

Author: NitayRabi

src/ib-client.ts

@@ -210,6 +210,40 @@ export class IBClient {
     this.stopTickle();
   }
 
+  /**
+   * Re-authenticate the REST API session after browser OAuth completes.
+   * This must be called after the browser login creates the server-side session.
+   */
+  async reauthenticate(): Promise<void> {
+    try {
+      const authClient = axios.create({
+        baseURL: this.baseUrl,
+        timeout: 30000,
+        httpsAgent: new https.Agent({
+          rejectUnauthorized: false,
+        }),
+      });
+      
+      Logger.log("[REAUTH] Re-authenticating REST session...");
+      await authClient.post("/iserver/reauthenticate");
+      
+      // Verify the reauthentication worked
+      const statusResponse = await authClient.get("/iserver/auth/status");
+      if (statusResponse.data.authenticated) {
+        Logger.log("[REAUTH] Re-authentication successful");
+        this.isAuthenticated = true;
+        this.authAttempts = 0;
+        this.startTickle();
+      } else {
+        Logger.warn("[REAUTH] Re-authentication request sent but auth status is still false, will retry via interceptor");
+        this.isAuthenticated = false;
+      }
+    } catch (error) {
+      Logger.warn("[REAUTH] Re-authentication failed, will fall back to interceptor-based auth:", error);
+      this.isAuthenticated = false;
+    }
+  }
+
   private async authenticate(): Promise<void> {
     Logger.log(`[AUTH] Starting authentication process... (attempt ${this.authAttempts + 1}/${this.maxAuthAttempts})`);
     this.authAttempts++;

src/tool-handlers.ts

@@ -107,12 +107,22 @@ export class ToolHandlers {
         throw new Error(`Authentication failed: ${result.message}`);
       }
     } else {
-      // In non-headless mode, throw an error asking user to authenticate manually
-      const port = this.context.gatewayManager 
-        ? this.context.gatewayManager.getCurrentPort() 
-        : this.context.config.IB_GATEWAY_PORT;
-      const authUrl = `https://${this.context.config.IB_GATEWAY_HOST}:${port}`;
-      throw new Error(`Authentication required. Please use the 'authenticate' tool to complete the authentication process at ${authUrl}.`);
+      // In non-headless mode, check if the gateway is already authenticated
+      // (the user may have completed browser auth via the authenticate tool)
+      const authStatus = await this.context.ibClient.checkAuthenticationStatus();
+      if (!authStatus) {
+        const port = this.context.gatewayManager 
+          ? this.context.gatewayManager.getCurrentPort() 
+          : this.context.config.IB_GATEWAY_PORT;
+        const authUrl = `https://${this.context.config.IB_GATEWAY_HOST}:${port}`;
+        throw new Error(`Authentication required. Please use the 'authenticate' tool to complete the authentication process at ${authUrl}.`);
+      }
+      // Auth status is true, reauthenticate the REST session if needed
+      try {
+        await this.context.ibClient.reauthenticate();
+      } catch (e) {
+        Logger.warn("[ENSURE-AUTH] Reauthenticate after status check failed, but status is true:", e);
+      }
     }
   }
 
@@ -145,6 +155,46 @@ export class ToolHandlers {
     return `Authentication required. Please use the 'authenticate' tool to complete the authentication process (configured for ${mode}) at ${authUrl}.`;
   }
 
+  /**
+   * After browser opens for OAuth, poll the gateway until authenticated,
+   * then trigger reauthenticate to establish the REST API session.
+   * This bridges the gap between browser-based OAuth and the REST API auth state.
+   */
+  private startBrowserAuthPolling(authUrl: string, port: number): void {
+    const maxAttempts = 60; // 2 minutes total
+    const initialDelay = 2000; // 2 second initial delay
+    let attempts = 0;
+
+    const poll = async () => {
+      attempts++;
+      Logger.log(`[BROWSER-AUTH-POLL] Attempt ${attempts}/${maxAttempts}`);
+
+      try {
+        const isAuth = await this.context.ibClient.checkAuthenticationStatus();
+        
+        if (isAuth) {
+          Logger.log("[BROWSER-AUTH-POLL] Authentication detected, reauthenticating REST session");
+          // Trigger reauthenticate to establish REST API session
+          await this.context.ibClient.reauthenticate();
+          Logger.log("[BROWSER-AUTH-POLL] Reauthentication successful, REST session established");
+          return; // Success, stop polling
+        }
+      } catch (error) {
+        Logger.warn("[BROWSER-AUTH-POLL] Poll attempt failed:", error);
+      }
+
+      if (attempts < maxAttempts) {
+        const delay = Math.min(initialDelay + (attempts * 500), 10000);
+        setTimeout(poll, delay);
+      } else {
+        Logger.warn("[BROWSER-AUTH-POLL] Timed out waiting for browser authentication");
+      }
+    };
+
+    // Start polling after initial delay
+    setTimeout(poll, initialDelay);
+  }
+
   private formatError(error: unknown): string {
     if (this.isAuthenticationError(error)) {
       return this.getAuthenticationErrorMessage();
@@ -241,6 +291,11 @@ export class ToolHandlers {
       try {
         await open(authUrl);
 
+        // Start polling for authentication to complete
+        // The browser auth creates a server-side session that the REST API can use
+        // We poll until authenticated, then trigger reauthenticate for the REST session
+        this.startBrowserAuthPolling(authUrl, port);
+        
         return {
           content: [
             {
@@ -257,7 +312,8 @@ export class ToolHandlers {
                   "5. Once authenticated, you can use other trading tools"
                 ],
                 browserOpened: true,
-                note: "IB Gateway is running locally - your credentials stay secure on your machine"
+                polling: true,
+                note: "IB Gateway is running locally - your credentials stay secure on your machine. Polling for authentication completion..."
               }, null, 2),
             },
           ],

test/ib-client.test.ts

@@ -353,6 +353,51 @@ describe('IBClient', () => {
     });
   });
 
+  describe('reauthenticate', () => {
+    it('should reauthenticate and start tickle on success', async () => {
+      const mockAuthClient = {
+        post: vi.fn().mockResolvedValue({ data: {} }),
+        get: vi.fn().mockResolvedValue({
+          data: { authenticated: true },
+        }),
+      };
+      
+      vi.mocked(axios.create).mockReturnValueOnce(mockAuthClient as any);
+      
+      await client.reauthenticate();
+      
+      expect(mockAuthClient.post).toHaveBeenCalledWith('/iserver/reauthenticate');
+      expect(mockAuthClient.get).toHaveBeenCalledWith('/iserver/auth/status');
+    });
+
+    it('should handle reauth when status returns false', async () => {
+      const mockAuthClient = {
+        post: vi.fn().mockResolvedValue({ data: {} }),
+        get: vi.fn().mockResolvedValue({
+          data: { authenticated: false },
+        }),
+      };
+      
+      vi.mocked(axios.create).mockReturnValueOnce(mockAuthClient as any);
+      
+      // Should not throw — handled internally
+      await expect(client.reauthenticate()).resolves.not.toThrow();
+      expect(mockAuthClient.post).toHaveBeenCalledWith('/iserver/reauthenticate');
+    });
+
+    it('should handle network errors gracefully', async () => {
+      const mockAuthClient = {
+        post: vi.fn().mockRejectedValue(new Error('Connection refused')),
+        get: vi.fn(),
+      };
+      
+      vi.mocked(axios.create).mockReturnValueOnce(mockAuthClient as any);
+      
+      // Should not throw — errors are caught internally
+      await expect(client.reauthenticate()).resolves.not.toThrow();
+    });
+  });
+
   describe('Cleanup', () => {
     it('should stop tickle on destroy', () => {
       // Start with authenticated state to trigger tickle