fix: SSE onerror should not poison EventSource lifetime with isAuthRetry

felixweinberger · felixweinberger · commit 56ffc7b4dcca · 2026-03-24T21:03:32.000Z
The isAuthRetry parameter approach works for recursive method calls
(send, _startOrAuthSse) but not for the EventSource onerror callback.
Passing _startOrAuth(true) on retry permanently captures isAuthRetry=true
in the new EventSource's closure — if that EventSource auto-reconnects
later (network blip on a long-lived stream) and gets 401, onUnauthorized
is skipped and the transport cannot recover.

Verified against eventsource lib: non-200 → failConnection (CLOSED, no
reconnect); stream end after OPEN → scheduleReconnect → reconnect attempt
can get 401 → failConnection → onerror fires. The 'hours later' scenario
is real.

Fix: retry always calls _startOrAuth() fresh (no parameter). Matches
pre-PR _authThenStart() behavior. Trade-off: no circuit breaker on the
SSE connect path — if onUnauthorized succeeds but server keeps 401ing,
it loops (same as pre-PR).

Also fixes double-onerror: two-arg .then(onSuccess, onFail) separates
retry failures (inner _startOrAuth already fired onerror) from
onUnauthorized failures (not yet reported). Added close + clear
_last401Response before retry for hygiene.

Two regression tests added, both verified to FAIL against the buggy
code:
- 401→401→200: onUnauthorized called TWICE, start() resolves
- 401→onUnauthorized succeeds→401→onUnauthorized throws: onerror
  fires ONCE with the thrown error
diff --git a/packages/client/src/client/sse.ts b/packages/client/src/client/sse.ts
@@ -118,7 +118,7 @@ export class SSEClientTransport implements Transport {
         });
     }
 
-    private _startOrAuth(isAuthRetry = false): Promise<void> {
+    private _startOrAuth(): Promise<void> {
         const fetchImpl = (this?._eventSourceInit?.fetch ?? this._fetch ?? fetch) as typeof fetch;
         return new Promise((resolve, reject) => {
             this._eventSource = new EventSource(this._url.href, {
@@ -147,22 +147,22 @@ export class SSEClientTransport implements Transport {
 
             this._eventSource.onerror = event => {
                 if (event.code === 401 && this._authProvider) {
-                    if (this._authProvider.onUnauthorized && this._last401Response && !isAuthRetry) {
+                    if (this._authProvider.onUnauthorized && this._last401Response) {
                         const response = this._last401Response;
-                        this._authProvider
-                            .onUnauthorized({ response, serverUrl: this._url, fetchFn: this._fetchWithInit })
-                            .then(() => this._startOrAuth(true))
-                            .then(resolve, error => {
+                        this._last401Response = undefined;
+                        this._eventSource?.close();
+                        this._authProvider.onUnauthorized({ response, serverUrl: this._url, fetchFn: this._fetchWithInit }).then(
+                            // onUnauthorized succeeded → retry fresh. Its onerror handles its own onerror?.() + reject.
+                            () => this._startOrAuth().then(resolve, reject),
+                            // onUnauthorized failed → not yet reported.
+                            error => {
                                 this.onerror?.(error);
                                 reject(error);
-                            });
+                            }
+                        );
                         return;
                     }
-                    const error = isAuthRetry
-                        ? new SdkError(SdkErrorCode.ClientHttpAuthentication, 'Server returned 401 after re-authentication', {
-                              status: 401
-                          })
-                        : new UnauthorizedError();
+                    const error = new UnauthorizedError();
                     reject(error);
                     this.onerror?.(error);
                     return;
diff --git a/packages/client/test/client/sse.test.ts b/packages/client/test/client/sse.test.ts
@@ -1624,5 +1624,76 @@ describe('SSEClientTransport', () => {
 
             await expect(transport.finishAuth('auth-code')).rejects.toThrow('finishAuth requires an OAuthClientProvider');
         });
+
+        it('SSE connect 401 retry does not poison future 401s — onUnauthorized called on each attempt', async () => {
+            // Regression: _startOrAuth(true) baked isAuthRetry=true into the retry EventSource's
+            // onerror closure, so a subsequent 401 (token expiry on reconnect) would throw
+            // instead of refreshing. Fix: retry always calls _startOrAuth() fresh.
+            await resourceServer.close();
+
+            let getAttempt = 0;
+            resourceServer = createServer((req, res) => {
+                if (req.method !== 'GET') {
+                    res.writeHead(404).end();
+                    return;
+                }
+                getAttempt++;
+                if (getAttempt < 3) {
+                    res.writeHead(401).end();
+                    return;
+                }
+                res.writeHead(200, {
+                    'Content-Type': 'text/event-stream',
+                    'Cache-Control': 'no-cache, no-transform',
+                    Connection: 'keep-alive'
+                });
+                res.write('event: endpoint\n');
+                res.write(`data: ${resourceBaseUrl.href}post\n\n`);
+            });
+            resourceBaseUrl = await listenOnRandomPort(resourceServer);
+
+            const authProvider: AuthProvider = {
+                token: vi.fn(async () => 'token'),
+                onUnauthorized: vi.fn(async () => {})
+            };
+            transport = new SSEClientTransport(resourceBaseUrl, { authProvider });
+
+            await transport.start(); // should resolve on attempt 3
+
+            expect(authProvider.onUnauthorized).toHaveBeenCalledTimes(2);
+            expect(getAttempt).toBe(3);
+        });
+
+        it('retry failure during SSE connect fires onerror exactly once', async () => {
+            // Regression: when the retry EventSource rejected, its onerror fired inside, then
+            // the outer .then() rejection handler fired onerror AGAIN for the same error.
+            // Fix: inner retry chains to .then(resolve, reject) — no outer onerror call.
+            // onUnauthorized's own failure is handled separately and fires onerror once.
+            await resourceServer.close();
+
+            resourceServer = createServer((req, res) => {
+                if (req.method === 'GET') {
+                    res.writeHead(401).end(); // always 401
+                }
+            });
+            resourceBaseUrl = await listenOnRandomPort(resourceServer);
+
+            const onUnauthorized: AuthProvider['onUnauthorized'] = vi
+                .fn()
+                .mockResolvedValueOnce(undefined) // first call succeeds → triggers retry
+                .mockRejectedValueOnce(new Error('refresh failed')); // second call (in retry) throws
+            const authProvider: AuthProvider = {
+                token: vi.fn(async () => 'token'),
+                onUnauthorized
+            };
+            transport = new SSEClientTransport(resourceBaseUrl, { authProvider });
+            const onerror = vi.fn();
+            transport.onerror = onerror;
+
+            await expect(transport.start()).rejects.toThrow('refresh failed');
+            expect(authProvider.onUnauthorized).toHaveBeenCalledTimes(2);
+            expect(onerror).toHaveBeenCalledTimes(1);
+            expect(onerror.mock.calls[0]![0].message).toBe('refresh failed');
+        });
     });
 });
