fix(auth): persist access_token on refresh to prevent token loss

[FakerL]

Summary

• Fixed a bug where refreshed access tokens were not being persisted to disk/database for providers like iFlow
• Made the behavior provider-specific: providers that can re-fetch tokens (gemini, gemini-cli) continue to skip access_token writes as an optimization, while others now persist token changes

Root Cause

In sdk/auth/filestore.go, the metadataEqualIgnoringTimestamps() function ignored access_token for all providers:

ignoredFields := []string{"timestamp", "expired", "expires_in", "last_refresh", "access_token"}

This caused the Save() function to skip writing the file when only the access token changed, resulting in:

1. Token refreshes successfully in-memory
2. File comparison returns "equal" (since access_token is ignored)
3. File is NOT written → database is NOT updated
4. On restart, old expired token is loaded from disk

Solution

Made the behavior provider-specific by adding a provider parameter to metadataEqualIgnoringTimestamps():

• Providers like gemini and gemini-cli that issue new tokens on every refresh and can re-fetch when needed will continue to ignore access_token (optimization)
• Other providers like iFlow will now persist access_token changes

Test plan

• Verified iFlow token refresh now persists correctly to database
• Confirmed server loads the refreshed token after restart

�� Generated with Claude Code"

[gemini-code-assist]

Summary of Changes

Hello @FakerL, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a significant bug in the authentication system where refreshed access tokens were not being saved to persistent storage. The core problem was an oversight in the metadataEqualIgnoringTimestamps function, which erroneously excluded the access_token from its comparison logic, preventing the system from recognizing changes that necessitated a file update. By correcting this, the system now reliably persists refreshed tokens, ensuring that authentication remains stable across server restarts, especially for providers that depend on explicit token persistence.

Highlights

• Bug Fix: Access Token Persistence: Resolved a critical bug where refreshed access tokens were not being persisted to disk or database, leading to token loss upon server restart.
• Root Cause Identified: The issue stemmed from the metadataEqualIgnoringTimestamps() function in sdk/auth/filestore.go incorrectly ignoring the access_token field during metadata comparison.
• Solution Implemented: The access_token has been removed from the ignoredFields list, ensuring that changes to the access token now correctly trigger a file write and persistence of the refreshed token.
• Impact on Providers: This fix is particularly important for providers like iFlow, which require refreshed tokens to be explicitly persisted as they do not automatically re-fetch tokens like Google OAuth.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request fixes a bug where refreshed access tokens were not persisted for certain providers like iFlow. The fix involves removing access_token from the list of ignored fields when comparing token metadata for changes. This ensures that a change in the access token triggers a file write, persisting the new token. The change is correct and well-explained. I have one suggestion to make the fix more targeted to avoid potential side effects for other providers like Google OAuth.

[FakerL]

/gemini review

[gemini-code-assist]

Code Review

This pull request correctly addresses a bug where refreshed access tokens were not being persisted for certain providers. The solution is to make the token comparison logic provider-aware, conditionally ignoring the access_token field. The change is well-described and effectively solves the issue. I've added one suggestion to improve the implementation's maintainability and adhere to Go idioms by replacing the map initialization with a switch statement, and also pointed out a potential architectural improvement for future consideration to better decouple components.

[FakerL]

/gemini review

[gemini-code-assist]

Code Review

This pull request effectively addresses a critical bug where refreshed access tokens were not being persisted, leading to authentication failures after a restart for providers like iFlow. The solution is well-targeted, introducing provider-specific logic to determine whether the access_token should be considered when checking for metadata changes. The change is clean and the pull request description is excellent, clearly explaining the root cause and the fix. I have one minor suggestion regarding future maintainability, but overall this is a great improvement.