Claude VM
293d15edf2
Previous logic set token.error=RefreshAccessTokenError and never retried — once a refresh failed (likely a race during the early parallel-storm period), Marius's JWT cookie carried that error forever. New jwt calls all saw "blocked" → kept using the stale accessToken → api.gis.ac returned invalid_token on every call. Fix: store errorAt timestamp alongside the error flag. Block refresh attempts for 60s after a failure (avoids hot-loop on persistent Authentik issues), then unblock and retry. On the next failure, the 60s cooldown re-arms. For Marius's currently-stuck session: as soon as this deploys, his next jwt callback will pass the cooldown check (errorAt is hours ago) and trigger a fresh refresh. If Authentik is happy with his refresh_token, the error flag is cleared and he's back to normal — no relogin needed. Logs now show "blocked=true/false" alongside secLeft for visibility. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>