fix: force relogin on 401/403 Codex token refresh failures

When the OAuth token endpoint returns 401/403 but the JSON body
doesn't contain a known error code (invalid_grant, etc.),
relogin_required stayed False. Users saw a bare error message
without guidance to re-authenticate.

Now any 401/403 from the token endpoint forces relogin_required=True,
since these status codes always indicate invalid credentials on a
refresh endpoint. 500+ errors remain as transient (no relogin).
Teknium
2026-04-09 03:06:15 -07:00
committed by Teknium
parent beabbd87ef
commit 2a2e5c0fed

@@ -1544,6 +1544,11 @@ def refresh_codex_oauth_pure(
"then run `hermes auth` to re-authenticate."
)
relogin_required = True
# A 401/403 from the token endpoint always means the refresh token
# is invalid/expired — force relogin even if the body error code
# wasn't one of the known strings above.
if response.status_code in (401, 403) and not relogin_required:
relogin_required = True
raise AuthError(
message,
provider="openai-codex",
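Review bot: The added `if response.status_code in (401, 403) and not relogin_required:` branch only sets the flag and leaves `message` as it was, while the branch just above it ends its message with "then run `hermes auth` to re-authenticate." If the re-authentication guidance is carried in `message` rather than derived by the caller from `relogin_required`, users hitting this new path will still see the bare error, so append the same hint here. The `and not relogin_required` guard is also redundant, since the assignment is idempotent; `if response.status_code in (401, 403):` is enough. A test that feeds a 401 response with an unrecognized body and checks that the raised `AuthError` signals relogin, plus one confirming a 500 does not, would pin the intended behaviour.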