[PR #29] [CLOSED] fix(auth): sync tokens with kiro-cli in SQLite mode #61

Closed
opened 2026-02-27 07:17:47 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/jwadow/kiro-gateway/pull/29
Author: @bhaskoro-muthohar
Created: 1/10/2026
Status: Closed

Base: main ← Head: fix/sqlite-token-sync


📝 Commits (1)

  • 566a18b fix(auth): sync tokens with kiro-cli in SQLite mode

📊 Changes

1 file changed (+22 additions, -1 deletions)

View changed files

📝 kiro/auth.py (+22 -1)

📄 Description

Problem

When using SQLite mode (KIRO_CLI_DB_FILE), the gateway fails with 400 Bad Request when trying to refresh tokens via AWS SSO OIDC, even though kiro-cli works fine.

Root cause: kiro-cli doesn't persist refreshed tokens back to SQLite - it only writes during initial login. When kiro-cli refreshes tokens in-memory, the refresh token in SQLite becomes stale/invalid. The gateway then tries to use this stale refresh token and AWS rejects it.

Related: #14

Solution

  1. Re-read SQLite on each request - picks up fresh tokens immediately after kiro-cli login without requiring gateway restart

  2. Don't attempt token refresh in SQLite mode - since kiro-cli owns the refresh token and doesn't persist it, the gateway cannot refresh. Instead:

    • Use the token until it's actually expired
    • Warn user when token is expiring soon to run kiro-cli login
    • Only error when token is fully expired

Behavior

| Scenario | Before | After |
|----------|--------|-------|
| kiro-cli works, gateway token expiring | 400 error (tries to refresh) | Works (uses existing token, warns user) |
| After kiro-cli login | Requires gateway restart | Auto picks up new tokens |
| Token fully expired | 400 error | Clear error message to run kiro-cli login |

Testing

Tested with kiro-cli SQLite credentials over multiple token expiration cycles.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
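
The token handling the description above outlines (re-read SQLite on each request, never refresh, warn near expiry, error once expired), as an added example that is not code from this PR or from kiro-gateway. The table name `auth_kv`, the key, the JSON field names and the 10-minute warning window are assumptions, and the database is opened read-only so the gateway cannot alter state that kiro-cli owns.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed for this example (not kiro-cli's real schema): table auth_kv,
# key name, JSON field names and the 10-minute warning window.
TOKEN_KEY = "example:token"
WARN_WINDOW = timedelta(minutes=10)

class TokenExpiredError(RuntimeError):
    """The stored access token is missing or past its expiry."""

def make_sample_db(db_path, access_token, expires_at):
    """Write a constructed token row, standing in for `kiro-cli login`."""
    conn = sqlite3.connect(db_path)
    with conn:
        conn.execute("CREATE TABLE IF NOT EXISTS auth_kv "
                     "(key TEXT PRIMARY KEY, value TEXT)")
        value = json.dumps({"access_token": access_token,
                            "expires_at": expires_at.isoformat()})
        conn.execute("INSERT OR REPLACE INTO auth_kv VALUES (?, ?)",
                     (TOKEN_KEY, value))
    conn.close()

def load_token(db_path, now=None):
    """Re-read the token on every call; never refresh, never write."""
    now = now or datetime.now(timezone.utc)
    # Read-only URI: the gateway cannot modify state the CLI owns.
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        row = conn.execute("SELECT value FROM auth_kv WHERE key = ?",
                           (TOKEN_KEY,)).fetchone()
    finally:
        conn.close()
    if row is None:
        raise TokenExpiredError("no token stored; run kiro-cli login")
    data = json.loads(row[0])
    expires_at = datetime.fromisoformat(data["expires_at"])
    if expires_at <= now:
        raise TokenExpiredError("token expired; run kiro-cli login")
    warning = None
    if expires_at - now <= WARN_WINDOW:
        warning = "token expiring soon; run kiro-cli login"
    return data["access_token"], warning
```

The access token is returned to the caller only; the warning and error strings deliberately contain no token material, so they are safe to log.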
