fix(kiro): improve auto-refresh and IDC auth file handling

Amp-Thread-ID: https://ampcode.com/threads/T-019bdb94-80e3-7302-be0f-a69937826d13 Co-authored-by: Amp <amp@ampcode.com>
2026-03-29 16:54:41 +00:00 · 2026-01-20 21:57:45 +08:00
parent 73cef3a25a
commit a9ee971e1c
6 changed files with 53 additions and 32 deletions
--- a/internal/auth/kiro/aws_auth.go
+++ b/internal/auth/kiro/aws_auth.go
@@ -280,6 +280,11 @@ func (k *KiroAuth) CreateTokenStorage(tokenData *KiroTokenData) *KiroTokenStorag
 		AuthMethod:   tokenData.AuthMethod,
 		Provider:     tokenData.Provider,
 		LastRefresh:  time.Now().Format(time.RFC3339),
+		ClientID:     tokenData.ClientID,
+		ClientSecret: tokenData.ClientSecret,
+		Region:       tokenData.Region,
+		StartURL:     tokenData.StartURL,
+		Email:        tokenData.Email,
 	}
 }

@@ -311,4 +316,19 @@ func (k *KiroAuth) UpdateTokenStorage(storage *KiroTokenStorage, tokenData *Kiro
 	storage.AuthMethod = tokenData.AuthMethod
 	storage.Provider = tokenData.Provider
 	storage.LastRefresh = time.Now().Format(time.RFC3339)
+	if tokenData.ClientID != "" {
+		storage.ClientID = tokenData.ClientID
+	}
+	if tokenData.ClientSecret != "" {
+		storage.ClientSecret = tokenData.ClientSecret
+	}
+	if tokenData.Region != "" {
+		storage.Region = tokenData.Region
+	}
+	if tokenData.StartURL != "" {
+		storage.StartURL = tokenData.StartURL
+	}
+	if tokenData.Email != "" {
+		storage.Email = tokenData.Email
+	}
 }
--- a/internal/auth/kiro/oauth_web.go
+++ b/internal/auth/kiro/oauth_web.go
@@ -377,17 +377,18 @@ func (h *OAuthWebHandler) pollForToken(ctx context.Context, session *webAuthSess
 			email := FetchUserEmailWithFallback(ctx, h.cfg, tokenResp.AccessToken)

 			tokenData := &KiroTokenData{
-				AccessToken:  tokenResp.AccessToken,
-				RefreshToken: tokenResp.RefreshToken,
-				ProfileArn:   profileArn,
-				ExpiresAt:    expiresAt.Format(time.RFC3339),
-				AuthMethod:   session.authMethod,
-				Provider:     "AWS",
-				ClientID:     session.clientID,
-				ClientSecret: session.clientSecret,
-				Email:        email,
-				Region:       session.region,
-			}
+					AccessToken:  tokenResp.AccessToken,
+					RefreshToken: tokenResp.RefreshToken,
+					ProfileArn:   profileArn,
+					ExpiresAt:    expiresAt.Format(time.RFC3339),
+					AuthMethod:   session.authMethod,
+					Provider:     "AWS",
+					ClientID:     session.clientID,
+					ClientSecret: session.clientSecret,
+					Email:        email,
+					Region:       session.region,
+					StartURL:     session.startURL,
+				}

 			h.mu.Lock()
 			session.status = statusSuccess
@@ -828,7 +829,7 @@ func (h *OAuthWebHandler) handleImportToken(c *gin.Context) {

 // handleManualRefresh handles manual token refresh requests from the web UI.
 // This allows users to trigger a token refresh when needed, without waiting
-// for the automatic 5-second check and 10-minute-before-expiry refresh cycle.
+// for the automatic 30-second check and 20-minute-before-expiry refresh cycle.
 // Uses the same refresh logic as kiro_executor.Refresh for consistency.
 func (h *OAuthWebHandler) handleManualRefresh(c *gin.Context) {
 	authDir := ""
--- a/internal/runtime/executor/kiro_executor.go
+++ b/internal/runtime/executor/kiro_executor.go
@@ -3513,14 +3513,14 @@ func (e *KiroExecutor) Refresh(ctx context.Context, auth *cliproxyauth.Auth) (*c
 		// Also check if expires_at is now in the future with sufficient buffer
 		if expiresAt, ok := auth.Metadata["expires_at"].(string); ok {
 			if expTime, err := time.Parse(time.RFC3339, expiresAt); err == nil {
-				// If token expires more than 5 minutes from now, it's still valid
-				if time.Until(expTime) > 5*time.Minute {
+				// If token expires more than 20 minutes from now, it's still valid
+				if time.Until(expTime) > 20*time.Minute {
 					log.Debugf("kiro executor: token is still valid (expires in %v), skipping refresh", time.Until(expTime))
 					// CRITICAL FIX: Set NextRefreshAfter to prevent frequent refresh checks
-					// Without this, shouldRefresh() will return true again in 5 seconds
+					// Without this, shouldRefresh() will return true again in 30 seconds
 					updated := auth.Clone()
-					// Set next refresh to 5 minutes before expiry, or at least 30 seconds from now
-					nextRefresh := expTime.Add(-5 * time.Minute)
+					// Set next refresh to 20 minutes before expiry, or at least 30 seconds from now
+					nextRefresh := expTime.Add(-20 * time.Minute)
 					minNextRefresh := time.Now().Add(30 * time.Second)
 					if nextRefresh.Before(minNextRefresh) {
 						nextRefresh = minNextRefresh
@@ -3626,9 +3626,9 @@ func (e *KiroExecutor) Refresh(ctx context.Context, auth *cliproxyauth.Auth) (*c
 		updated.Attributes["profile_arn"] = tokenData.ProfileArn
 	}

-	// NextRefreshAfter is aligned with RefreshLead (5min)
+	// NextRefreshAfter is aligned with RefreshLead (20min)
 	if expiresAt, parseErr := time.Parse(time.RFC3339, tokenData.ExpiresAt); parseErr == nil {
-		updated.NextRefreshAfter = expiresAt.Add(-5 * time.Minute)
+		updated.NextRefreshAfter = expiresAt.Add(-20 * time.Minute)
 	}

 	log.Infof("kiro executor: token refreshed successfully, expires at %s", tokenData.ExpiresAt)