fix: address Claude review findings

atom2ueki · atom2ueki · commit f92e4c13f62b · 2026-05-01T15:41:02.000+08:00
diff --git a/Sources/CodingPlanAuth/Infrastructure/Server/LocalCallbackServer.swift b/Sources/CodingPlanAuth/Infrastructure/Server/LocalCallbackServer.swift
@@ -162,12 +162,25 @@ actor LocalCallbackServer {
     private static func resolveListenPort(_ port: UInt16) throws -> UInt16 {
         guard port == 0 else { return port }
 
+        // SwiftWebServer does not expose the assigned ephemeral port before the
+        // redirect URI is built, so this is a best-effort reservation.
         let socketDescriptor = socket(AF_INET, SOCK_STREAM, 0)
         guard socketDescriptor >= 0 else {
             throw AuthError.callbackServerError("Could not create socket to reserve callback port")
         }
         defer { close(socketDescriptor) }
 
+        var reuseAddress = 1
+        guard setsockopt(
+            socketDescriptor,
+            SOL_SOCKET,
+            SO_REUSEADDR,
+            &reuseAddress,
+            socklen_t(MemoryLayout.size(ofValue: reuseAddress))
+        ) == 0 else {
+            throw AuthError.callbackServerError("Could not configure callback port socket")
+        }
+
         var address = sockaddr_in()
         address.sin_family = sa_family_t(AF_INET)
         address.sin_addr.s_addr = INADDR_ANY
diff --git a/Sources/CodingPlanAuth/Presentation/AuthState.swift b/Sources/CodingPlanAuth/Presentation/AuthState.swift
@@ -52,8 +52,10 @@ public final class AuthState {
             let creds = try await service.credentials(for: providerId)
             update(credentials: creds)
         } catch {
-            currentCredentials = nil
-            isAuthenticated = false
+            if shouldClearAuthentication(after: error) {
+                currentCredentials = nil
+                isAuthenticated = false
+            }
             setError(error)
         }
     }
@@ -107,4 +109,26 @@ public final class AuthState {
             self.lastError = .networkError(error.localizedDescription)
         }
     }
+
+    private func shouldClearAuthentication(after error: any Error) -> Bool {
+        guard let authError = error as? AuthError else { return false }
+        switch authError {
+        case .tokenExchangeFailed(let statusCode, let message):
+            if statusCode == 401 || statusCode == 403 {
+                return true
+            }
+            let normalizedMessage = message.lowercased()
+            return [
+                "invalid_grant",
+                "invalid grant",
+                "invalid_token",
+                "invalid token",
+                "no refresh token",
+            ].contains { normalizedMessage.contains($0) }
+        case .notAuthenticated, .unsupportedProvider:
+            return true
+        default:
+            return false
+        }
+    }
 }
diff --git a/Sources/CodingPlanAuth/Presentation/BrowserAuthSession.swift b/Sources/CodingPlanAuth/Presentation/BrowserAuthSession.swift
@@ -38,6 +38,11 @@ public final class BrowserAuthSession: NSObject {
 
         return try await withTaskCancellationHandler {
             try await withCheckedThrowingContinuation { continuation in
+                if Task.isCancelled {
+                    continuation.resume(throwing: AuthError.cancelled)
+                    return
+                }
+
                 self.continuation = continuation
                 let session = ASWebAuthenticationSession(
                     url: url,
diff --git a/Tests/CodingPlanAuthTests/AuthStateTests.swift b/Tests/CodingPlanAuthTests/AuthStateTests.swift
@@ -42,4 +42,43 @@ struct AuthStateTests {
         #expect(state.currentCredentials == nil)
         #expect(state.lastError == refreshError)
     }
+
+    @Test
+    func checkStatusKeepsAuthenticatedStateWhenRefreshNetworkFails() async throws {
+        let storage = MockTokenStorage()
+        let service = AuthService(storage: storage)
+        let provider = MockAuthProvider(id: "openai", name: "OpenAI")
+        await service.register(provider)
+
+        try await storage.save(
+            credentials: Credentials(
+                accessToken: "valid",
+                refreshToken: "rt",
+                expiresAt: Date().addingTimeInterval(3600)
+            ),
+            for: "openai"
+        )
+
+        let state = AuthState(service: service, providerId: "openai")
+        await state.checkStatus()
+        #expect(state.isAuthenticated)
+        #expect(state.currentCredentials?.accessToken == "valid")
+
+        let refreshError = AuthError.networkError("offline")
+        await provider.setShouldThrowOnRefresh(refreshError)
+        try await storage.save(
+            credentials: Credentials(
+                accessToken: "expired",
+                refreshToken: "rt",
+                expiresAt: Date().addingTimeInterval(-100)
+            ),
+            for: "openai"
+        )
+
+        await state.checkStatus()
+
+        #expect(state.isAuthenticated)
+        #expect(state.currentCredentials?.accessToken == "valid")
+        #expect(state.lastError == refreshError)
+    }
 }
diff --git a/Tests/CodingPlanAuthTests/Infrastructure/LocalCallbackServerTests.swift b/Tests/CodingPlanAuthTests/Infrastructure/LocalCallbackServerTests.swift
@@ -9,7 +9,7 @@ struct LocalCallbackServerTests {
         // We test the parsing logic indirectly by creating a server and
         // checking it would match the callback path.
         let server = LocalCallbackServer(port: 0, callbackPath: "/auth/callback")
-        // Since NWListener-based servers cannot be unit-tested in the
+        // Since SwiftWebServer-backed servers cannot be fully unit-tested in the
         // Swift Testing runner on macOS due to sandboxing constraints,
         // we verify the configuration is correct.
         #expect(server.callbackPath == "/auth/callback")
