mirror of
https://github.com/langgenius/dify.git
synced 2026-07-15 01:17:04 +08:00
Previously an expired OAuth bearer and an unknown/invalid one both surfaced as an indistinguishable generic 401 (and an invalid token actually leaked a 500), so a client could not tell "session expired, re-authenticate" apart from "never authenticated." The resolver now raises a distinct TokenExpiredError for expired DB rows and records a separate `expired` negative-cache marker, so a retry within the negative-cache TTL still reports expiry instead of collapsing into a generic miss. The auth pipeline maps the two domain errors to unified OpenApiError responses: SessionExpired (code `token_expired`) and InvalidBearer (code `unauthorized`), both 401. This also fixes the latent 500 on invalid bearers. The `token_expired` code is synced through the contract codegen into the generated types/zod, and the difyctl error mapper branches the 401 on it. The CLI `expired_token` taxonomy member (RFC 8628 device-flow code expiry) is merged into `token_expired`; the RFC 8628 wire value is unchanged. Closes WTA-1062