fix: refresh tokens in approve command when unauthorized (#493)

pullfrog[bot] · web-flow · commit 42e00f74aaa4 · 2026-04-14T14:11:29.000Z
Fixes #460. ## What changed - `approve` now handles `Unauthorized` from `list_auth_sessions` by re-running login, which refreshes tokens when possible. - After re-login, it retries listing auth sessions once. - When no sessions are pending, the command now continues to the next account instead of returning early from the entire command. ## Validation - `cargo test -p steamguard-cli --bin steamguard`  <sup><a href="https://pullfrog.com"><picture><source media="(prefers-color-scheme: dark)" srcset="https://pullfrog.com/logos/frog-white-full-18px.png"><img src="https://pullfrog.com/logos/frog-green-full-18px.png" width="9px" height="9px" style="vertical-align: middle; " alt="Pullfrog"></picture></a>&nbsp;&nbsp;｜ [View workflow run](https://github.com/dyc3/steamguard-cli/actions/runs/24402382941/job/71276260441) ｜ Triggered by [Pullfrog](https://pullfrog.com) ｜ Using `GPT Codex` ｜ [𝕏](https://x.com/pullfrogai)</sup> --------- Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
diff --git a/src/commands/approve.rs b/src/commands/approve.rs
@@ -8,7 +8,7 @@ use steamguard::approver::Challenge;
 use steamguard::protobufs::enums::ESessionPersistence;
 use steamguard::protobufs::steammessages_auth_steamclient::EAuthTokenPlatformType;
 use steamguard::transport::Transport;
-use steamguard::{LoginApprover, SteamGuardAccount};
+use steamguard::{ApproverError, LoginApprover, SteamGuardAccount};
 
 #[derive(Debug, Clone, Parser)]
 #[clap(about = "Approve or deny pending login sessions")]
@@ -47,20 +47,30 @@ where
 				crate::do_login(transport.clone(), &mut account, args.password.clone())?;
 			}
 
-			let Some(tokens) = account.tokens.as_ref() else {
-				error!(
-					"No tokens found for {}. Can't approve login if we aren't logged in ourselves.",
-					account.account_name
-				);
-				return Err(anyhow!("No tokens found for {}", account.account_name));
-			};
-
-			let mut approver = LoginApprover::new(transport.clone(), tokens);
+			let mut did_relogin = false;
+			let (sessions, mut approver) = loop {
+				let Some(tokens) = account.tokens.as_ref() else {
+					error!(
+						"No tokens found for {}. Can't approve login if we aren't logged in ourselves.",
+						account.account_name
+					);
+					return Err(anyhow!("No tokens found for {}", account.account_name));
+				};
 
-			let sessions = approver.list_auth_sessions()?;
+				let approver = LoginApprover::new(transport.clone(), tokens);
+				match approver.list_auth_sessions() {
+					Ok(sessions) => break (sessions, approver),
+					Err(ApproverError::Unauthorized) if !did_relogin => {
+						info!("Access token expired, re-logging in...");
+						crate::do_login(transport.clone(), &mut account, args.password.clone())?;
+						did_relogin = true;
+					}
+					Err(err) => return Err(err.into()),
+				}
+			};
 			if sessions.is_empty() {
 				info!("No pending sessions to approve");
-				return Ok(());
+				continue;
 			}
 
 			info!("Found {} pending sessions", sessions.len());
