Extend Google auth flow TTL and harden expired-flow handling

dcramer · codex · dcramer · commit f97270b3b421 · 2026-03-04T11:17:09.000-08:00
Increase default capability auth-flow TTL to 30 minutes for Google bridge + manager fallback, add explicit skill guidance for expired/invalid flow messaging, and assert minimum TTL in gog bridge tests.

Co-Authored-By: GPT-5 Codex &lt;codex@openai.com&gt;
diff --git a/src/ash/capabilities/manager.py b/src/ash/capabilities/manager.py
@@ -65,7 +65,7 @@ class CapabilityManager:
     def __init__(
         self,
         *,
-        auth_flow_ttl_seconds: int = 600,
+        auth_flow_ttl_seconds: int = 1800,
     ) -> None:
         self._lock = asyncio.Lock()
         self._definitions: dict[str, CapabilityDefinition] = {}
diff --git a/src/ash/integrations/skills/capabilities/google/SKILL.md b/src/ash/integrations/skills/capabilities/google/SKILL.md
@@ -69,6 +69,10 @@ Before prompting the user again, check whether the current task already contains
 
 Do not ask the user for another URL/code when one is already present in the task.
 
+If `auth complete` fails with an invalid/expired flow error, explicitly tell the user
+their previous auth link/code expired (or no longer matches the active flow), then
+start a fresh auth flow and ask them to paste the new callback URL promptly.
+
 **2a. Begin auth flow**
 
 Use `--account work` or `--account personal` if the user specifies an account preference:
diff --git a/src/ash/skills/bundled/gog/scripts/gogcli_bridge.py b/src/ash/skills/bundled/gog/scripts/gogcli_bridge.py
@@ -36,7 +36,7 @@
 DEFAULT_STATE_PATH = Path.home() / ".ash" / "gogcli" / "state.json"
 VAULT_NAMESPACE = "gog.credentials"
 STATE_VERSION = 1
-DEFAULT_AUTH_FLOW_TTL_SECONDS = 600
+DEFAULT_AUTH_FLOW_TTL_SECONDS = 1800
 MIN_AUTH_FLOW_TTL_SECONDS = 30
 MAX_AUTH_FLOW_TTL_SECONDS = 3600
 ENV_GOOGLE_CLIENT_ID = "GOOGLE_CLIENT_ID"
diff --git a/tests/test_gogcli_bridge.py b/tests/test_gogcli_bridge.py
@@ -4,6 +4,7 @@
 import subprocess
 import sys
 import threading
+import time
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from pathlib import Path
 from typing import Any
@@ -374,6 +375,8 @@ def test_bridge_auth_code_flow_and_user_scoped_invoke(
     stored_flow = state_after_begin["auth_flows"][flow_state["flow_id"]]
     assert stored_flow["flow_type"] == "authorization_code"
     assert stored_flow["state_param"]
+    # Flows should remain valid long enough for real-world consent latency.
+    assert int(stored_flow["expires_at"]) - int(time.time()) >= 25 * 60
 
     # auth_complete exchanges code for tokens
     complete = _run_bridge(
