Back to Codeberg

api error: token was already used #406

forgejo-contrib-forgejo-cli-issues-406.md

latest19.2 KB
Original Source

forgejo-contrib/forgejo-cli

Watch20

Star402

Fork

You've already forked forgejo-cli

51

CodeIssues 44Pull requests 8Releases 11Packages 2WikiActivity

api error: token was already used #406

New issue

Closed

opened 2026-04-10 16:31:51 +02:00 by balejk · 8 comments

balejk commented 2026-04-10 16:31:51 +02:00

Copy link

Expected Behavior

Commands such as fj issue view forgejo-contrib/forgejo-cli#405 will work as expected, i. e. show the issue description in this case.

Actual Behavior

An error is printed:

text
Error: api error: token was already used

Location:
    src/keys.rs:132:36

fj was logged in via oauth only a day ago and all has worked fine until now.

Steps to Reproduce

I don't know if this is reproducible, but here is what I did: Authorized fj via oauth, used it for a day. Attempted to close an issue with --with-msg without any argument so that an editor was opened. Kept the editor running for about half an hour, then saved the close message and exited the editor. Instead of the issue being closed, the following error appeared, all subsequent commands now return the above error:

text
Error: unexpected status code 401 Unauthorized

Location:
    src/issues.rs:892:9

fj Version

text
fj v0.4.1
user agent: forgejo-cli/0.4.1 (https://codeberg.org/forgejo-contrib/forgejo-cli/)
build type: from source
    target: x86_64-unknown-linux-musl

Forgejo Version

Codeberg instance

Code of Conduct

  • I agree to act in accordance with the CoC & AI Agreement.
  • This issue was not generated by an LLM, even in part.

Expected Behavior Commands such as fj issue view forgejo-contrib/forgejo-cli#405 will work as expected, i. e. show the issue description in this case. ### Actual Behavior An error is printed: Error: api error: token was already used Location: src/keys.rs:132:36 fj was logged in via oauth only a day ago and all has worked fine until now. ### Steps to Reproduce I don't know if this is reproducible, but here is what I did: Authorized fj via oauth, used it for a day. Attempted to close an issue with --with-msg without any argument so that an editor was opened. Kept the editor running for about half an hour, then saved the close message and exited the editor. Instead of the issue being closed, the following error appeared, all subsequent commands now return the above error: Error: unexpected status code 401 Unauthorized Location: src/issues.rs:892:9 ### fj Version text fj v0.4.1 user agent: forgejo-cli/0.4.1 (https://codeberg.org/forgejo-contrib/forgejo-cli/) build type: from source target: x86_64-unknown-linux-musl ### Forgejo Version Codeberg instance ### Code of Conduct - [x] I agree to act in accordance with the CoC & AI Agreement. - [x] This issue was not generated by an LLM, even in part.

balejk added the Kind/Bug label 2026-04-10 16:31:51 +02:00

Cyborus commented 2026-04-11 17:08:58 +02:00

Member

Copy link

Yeah, I've run into this problem too, and I have no clue what's causing it. All I know so far is it only happens with OAuth.

Yeah, I've run into this problem too, and I have no clue what's causing it. All I know so far is it only happens with OAuth.

Cyborus added the [ Reviewed

Confirmed ](/forgejo-contrib/forgejo-cli/issues?labels=173007) label 2026-04-11 17:09:10 +02:00

balejk commented 2026-04-11 22:04:49 +02:00

Author

Copy link

I have not tried reauthenticating yet in case you asked me to perform some tests, but since you have run into this also, I assume you were able to perform all you could think of yourself and so I can relogin?

As for the problem, if I understand correctly, the issue is that the oauth refresh token that fj submits to forgejo in order to obtain a new access token, is somehow invalid. The message and the comment in the forgejo source would suggest that it is somehow outdated and is being reused but I don't know enough about oauth to know how/if refresh tokens are rotated.

Is it possible that the refresh token is not being updated (re-saved) somewhere in fj when it should be (e. g. after some operation which leads to a new token being issued)?

I have not tried reauthenticating yet in case you asked me to perform some tests, but since you have run into this also, I assume you were able to perform all you could think of yourself and so I can relogin? As for the problem, if I understand correctly, the issue is that the oauth refresh token that fj submits to forgejo in order to obtain a new access token, is somehow invalid. The message and the comment in the forgejo source would suggest that it is somehow outdated and is being reused but I don't know enough about oauth to know how/if refresh tokens are rotated. Is it possible that the refresh token is not being updated (re-saved) somewhere in fj when it should be (e. g. after some operation which leads to a new token being issued)?

Cyborus commented 2026-04-12 19:04:08 +02:00

Member

Copy link

No, you're fine to reauthenticate. I don't wanna hold you up too long. I've had it happen more than once, I'm sure I'll come across it again, I'll test it then.

Is it possible that the refresh token is not being updated (re-saved) somewhere in fj when it should be (e. g. after some operation which leads to a new token being issued)?

...maybe? The refresh token is used and replace in the same function though, I don't know how it would fail to replace it.

No, you're fine to reauthenticate. I don't wanna hold you up too long. I've had it happen more than once, I'm sure I'll come across it again, I'll test it then. > Is it possible that the refresh token is not being updated (re-saved) somewhere in fj when it should be (e. g. after some operation which leads to a new token being issued)? ...maybe? The refresh token is used and replace in the same function though, I don't know how it would fail to replace it.

Cyborus commented 2026-04-13 20:41:57 +02:00

Member

Copy link

The refresh token is used and replaced in the same function though

Ah! I think I've found the problem, and this is actually mistaken! If fj uses the refresh token, and you Ctrl+C to kill it in the same invocation, the new refresh token never gets written to disk.

> The refresh token is used and replaced in the same function though Ah! I think I've found the problem, and this is actually mistaken! If fj uses the refresh token, *and* you Ctrl+C to kill it in the same invocation, the new refresh token never gets written to disk.

balejk commented 2026-04-14 09:07:53 +02:00

Author

Copy link

I don't think I've killed fj though. I was thinking more something along the lines that the refresh token didn't get saved because the initial operation failed due to the 401 error -- although I don't know where that came from either.

Again, I know very little about oauth and in particular about how long the access token is valid, but if it happens to be shortlived, is it possible that fj obtained it along with the refresh token when I tried to close the issue but then it expired before I finished typing up the close message causing the 401 and the refresh token to not be saved?

As for the Ctrl+C, I really don't recall doing that. Some things that I have done (but I cannot recall when with respect to these errors) were: suspending the process briefly while in editor via Ctrl+Z which I don't expect should cause these problems; and causing the editor to fail (exit with non-zero code) in order to cancel the whole fj operation.

I don't think I've killed fj though. I was thinking more something along the lines that the refresh token didn't get saved because the initial operation failed due to the 401 error -- although I don't know where that came from either. Again, I know very little about oauth and in particular about how long the access token is valid, but if it happens to be shortlived, is it possible that fj obtained it along with the refresh token when I tried to close the issue but then it expired before I finished typing up the close message causing the 401 and the refresh token to not be saved? As for the Ctrl+C, I really don't recall doing that. Some things that I have done (but I cannot recall when with respect to these errors) were: suspending the process briefly while in editor via Ctrl+Z which I don't expect should cause these problems; and causing the editor to fail (exit with non-zero code) in order to cancel the whole fj operation.

Cyborus commented 2026-04-14 15:00:57 +02:00

Member

Copy link

I don't think I've killed fj though.

Huh. That's interesting if it reproduces it but isn't the only cause.

is it possible that fj obtained it along with the refresh token when I tried to close the issue but then it expired before I finished typing up the close message causing the 401 and the refresh token to not be saved?

That's almost certainly what caused the 401, but it should still write the new key in that case. There used to be a bug where it wouldn't, but (at least I thought) I fixed that.

As for the Ctrl+C, I really don't recall doing that. Some things that I have done (but I cannot recall when with respect to these errors) were: suspending the process briefly while in editor via Ctrl+Z which I don't expect should cause these problems; and causing the editor to fail (exit with non-zero code) in order to cancel the whole fj operation.

hmmm, those shouldn't have caused it either. Did you ever have two instances of fj running at the same time..? I could see that possibly causing it.

> I don't think I've killed fj though. Huh. That's interesting if it reproduces it but isn't the only cause. > is it possible that fj obtained it along with the refresh token when I tried to close the issue but then it expired before I finished typing up the close message causing the 401 and the refresh token to not be saved? That's almost certainly what caused the 401, but it should still write the new key in that case. There *used* to be a bug where it wouldn't, but (at least I thought) I fixed that. > As for the Ctrl+C, I really don't recall doing that. Some things that I have done (but I cannot recall when with respect to these errors) were: suspending the process briefly while in editor via Ctrl+Z which I don't expect should cause these problems; and causing the editor to fail (exit with non-zero code) in order to cancel the whole fj operation. hmmm, those shouldn't have caused it either. Did you ever have two instances of fj running at the same time..? I could see that possibly causing it.

balejk commented 2026-04-14 15:16:17 +02:00

Author

Copy link

hmmm, those shouldn't have caused it either. Did you ever have two instances of
fj running at the same time..? I could see that possibly causing it.

Oh, yeah, I certainly think I might have run some fj issue view... in another terminal while composing the close message, maybe even several times.

> hmmm, those shouldn't have caused it either. Did you ever have two instances of > fj running at the same time..? I could see that possibly causing it. Oh, yeah, I certainly think I might have run some fj issue view... in another terminal while composing the close message, maybe even several times.

Cyborus referenced this issue from a pull request that will close it, 2026-04-15 23:26:03 +02:00 fix(oauth): save new token immediately after refreshing #417

Cyborus added this to the v0.5.0 milestone 2026-04-15 23:42:27 +02:00

Cyborus closed this issue 2026-04-16 18:00:45 +02:00

balejk commented 2026-04-16 18:11:23 +02:00

Author

Copy link

Thanks!

Thanks!

❤️ 1

Sign in to join this conversation.

No Branch/Tag specified

BranchesTags

main

renovate/lock-file-maintenance

renovate/serde-saphyr-0.x

docs/contributing

no-port-in-refspec

login/v16.next.forgejo.org

crates-io-publish

0.5.x

compile-time-fluent

0.4.x

localization-alias-demo

api_url_field

v0.5.0

v0.4.1

v0.4.0

v0.3.0

v0.2.0

v0.1.1

v0.1.0

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels[ Kind/Breaking Breaking change that won't be backward compatible

](#)[ Kind/Bug Something is not working

](#)[ Kind/Design Discussion about UI/UX design

](#)[ Kind/Documentation Documentation changes

](#)[ Kind/Enhancement Improve existing functionality

](#)[ Kind/Feature New functionality

](#)[ Kind/Security This is security issue

](#)[ Kind/Testing Issue or pull request related to testing

](#)[ Kind/Upstream This is an issue with upstream software (Forgejo) that is probably not our fault

](#)

[ Priority

Critical The priority is critical

](#)[ Priority

High The priority is high

](#)[ Priority

Low The priority is low

](#)[ Priority

Medium The priority is medium

](#)

[ Reviewed

Confirmed Issue has been confirmed

](#)[ Reviewed

Duplicate This issue or pull request already exists

](#)[ Reviewed

Invalid Invalid issue

](#)[ Reviewed

Won't Fix This issue won't be fixed

](#)

[ Status

Abandoned Somebody has started to work on this but abandoned work

](#)[ Status

Blocked Something is blocking this issue or pull request

](#)[ Status

Need More Info Feedback is required to reproduce issue or to continue work

](#)

[ Suspicious

](#)

No labels Kind/Breaking Kind/Bug Kind/Design Kind/Documentation Kind/Enhancement Kind/Feature Kind/Security Kind/Testing Kind/Upstream [ Priority

Critical ](/forgejo-contrib/forgejo-cli/issues?labels=173012) [ Priority

High ](/forgejo-contrib/forgejo-cli/issues?labels=173013) [ Priority

Low ](/forgejo-contrib/forgejo-cli/issues?labels=173015) [ Priority

Medium ](/forgejo-contrib/forgejo-cli/issues?labels=173014) [ Reviewed

Confirmed ](/forgejo-contrib/forgejo-cli/issues?labels=173007) [ Reviewed

Duplicate ](/forgejo-contrib/forgejo-cli/issues?labels=173005) [ Reviewed

Invalid ](/forgejo-contrib/forgejo-cli/issues?labels=173006) [ Reviewed

Won't Fix ](/forgejo-contrib/forgejo-cli/issues?labels=173008) [ Status

Abandoned ](/forgejo-contrib/forgejo-cli/issues?labels=173011) [ Status

Blocked ](/forgejo-contrib/forgejo-cli/issues?labels=173010) [ Status

Need More Info ](/forgejo-contrib/forgejo-cli/issues?labels=173009) Suspicious

Milestone

Clear milestone

No items

No milestone v0.5.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo-contrib/forgejo-cli#406

WritePreview

Loading…

Add table

| Rows | | | Columns | |

CancelOK

Add a link

Url Description Hint: With a URL in your clipboard, you can paste directly into the editor to create a link.

CancelOK

CancelSave

Reference in a new issue

Repository

forgejo-contrib/forgejo-cli

Title

Body

Create issue

No description provided.

Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?

No Yes