fix(ai-chat): refresh JWT token on SSE reconnect to prevent login red…

[b3nito404]

Closes #18928

Problem

When a JWT access token expires while the AI chat is streaming a response, the SSE connection drops and graphql-sse calls the retry callback. The previous implementation would wait, then destroy the SSE client but never refreshed the token. On the next connection attempt the client reused the same expired token, eventually triggering an UNAUTHENTICATED error that redirected the user to the login screen.

Solution

Add proactive token renewal inside useHandleSseClientConnectionRetry before each reconnect attempt:

• Uses a module-level let renewalPromise variable to deduplicate concurrent renewal requests , the exactpattern used in ApolloFactory.ts
• Calls renewToken via retryWithBackoff against the /metadata endpoint
• Writes the fresh token pair into the Jotai store ,the SSE client's headers() callback picks it up automatically on reconnect
• If renewal fails -> falls back to destroying the SSE client as before

Files changed

• packages/twenty-front/src/modules/sse-db-event/hooks/useHandleSseClientConnectionRetry.ts

Notes

This addresses the two issues from the previous review:

• No useRef using module-level variable instead
• CI passing removed the CombinedGraphQLErrors import

[github-actions]

Welcome!

Hello there, congrats on your first PR! We're excited to have you contributing to this project.
By submitting your Pull Request, you acknowledge that you agree with the terms of our Contributor License Agreement.

Generated by 🚫 dangerJS against fbf44b7

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/twenty-front/src/modules/sse-db-event/hooks/useHandleSseClientConnectionRetry.ts">

<violation number="1" location="packages/twenty-front/src/modules/sse-db-event/hooks/useHandleSseClientConnectionRetry.ts:65">
P1: Unconditionally writing renewed tokens from a shared in-flight promise can overwrite a newer auth/session state if the user logs out or switches accounts during renewal.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: Unconditionally writing renewed tokens from a shared in-flight promise can overwrite a newer auth/session state if the user logs out or switches accounts during renewal.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/twenty-front/src/modules/sse-db-event/hooks/useHandleSseClientConnectionRetry.ts, line 65:

<comment>Unconditionally writing renewed tokens from a shared in-flight promise can overwrite a newer auth/session state if the user logs out or switches accounts during renewal.</comment>

<file context>
@@ -20,21 +31,53 @@ export const useHandleSseClientConnectionRetry = () => {
+        )
+          .then((tokens) => {
+            if (isDefined(tokens)) {
+              store.set(tokenPairState.atom, tokens);
+            }
+            return true;
</file context>