fix: re-establish session on ERR_NETWORK before retrying

chore: add diagnostic logging to session recovery flow
fix: clear all cookies on session expiry and throw LoginRequiredError
2026-04-21 13:11:31 +00:00 · 2026-04-20 12:54:14 +02:00 · 2026-04-16 10:08:33 +02:00 · 2026-04-16 10:02:36 +02:00 · 2026-04-15 08:57:34 +02:00
4 changed files with 219 additions and 6 deletions
@@ -375,7 +375,7 @@ export class AuthManager {
   *
   */
  public async logOut() {
-    this.requestClient.clearCsrfTokens()
+    this.requestClient.resetInMemoryAuthState()

    return this.requestClient.get(this.logoutUrl, undefined).then(() => true)
  }
@@ -28,6 +28,9 @@ import {
 import { InvalidSASjsCsrfError } from '../types/errors/InvalidSASjsCsrfError'
 import { inspect } from 'util'

+const getLogger = () =>
+  (typeof process !== 'undefined' && process.logger) || console
+
 export class RequestClient implements HttpClient {
  private requests: SASjsRequest[] = []
  private requestsLimit: number = 10
@@ -37,6 +40,7 @@ export class RequestClient implements HttpClient {
  protected csrfToken: CsrfToken = { headerName: '', value: '' }
  protected fileUploadCsrfToken: CsrfToken | undefined
  protected httpClient!: AxiosInstance
+  private isRecoveringFromNetworkError = false

  constructor(
    protected baseUrl: string,
@@ -77,6 +81,36 @@ export class RequestClient implements HttpClient {
    localStorage.setItem('refreshToken', '')
  }

+  public resetInMemoryAuthState() {
+    const logger = getLogger()
+    const clearedCookies: string[] = []
+
+    this.clearCsrfTokens()
+    if (typeof localStorage !== 'undefined') {
+      this.clearLocalStorageTokens()
+    }
+    if (typeof document !== 'undefined') {
+      clearedCookies.push(...this.clearAllCookies())
+    }
+
+    logger.warn('[resetInMemoryAuthState] cleared', {
+      cookies: clearedCookies,
+      localStorage: typeof localStorage !== 'undefined'
+    })
+  }
+
+  private clearAllCookies(): string[] {
+    const cookies = document.cookie.split(';')
+    const cleared: string[] = []
+    for (const cookie of cookies) {
+      const name = cookie.split('=')[0].trim()
+      if (!name) continue
+      document.cookie = `${name}=; Max-Age=0; Path=/;`
+      cleared.push(name)
+    }
+    return cleared
+  }
+
  public getBaseUrl() {
    return this.httpClient.defaults.baseURL || ''
  }
@@ -354,9 +388,14 @@ export class RequestClient implements HttpClient {
    const csrfTokenKey = Object.keys(params).find((k) =>
      k?.toLowerCase().includes('csrf')
    )
+    const logger = getLogger()
+
    if (csrfTokenKey) {
      this.csrfToken.value = params[csrfTokenKey]
      this.csrfToken.headerName = this.csrfToken.headerName || 'x-csrf-token'
+      logger.warn('[authorize] CSRF from form', {
+        headerName: this.csrfToken.headerName
+      })
    }

    const formData = new FormData()
@@ -371,15 +410,23 @@ export class RequestClient implements HttpClient {
      throw new Error('Auth Form URL is null or undefined.')
    }

+    logger.warn('[authorize] posting to', { authUrl })
+
    return await this.httpClient
      .post(authUrl, formData, {
        responseType: 'text',
        headers: { Accept: '*/*', 'Content-Type': 'text/plain' }
      })
-      .then((res) => res.data)
+      .then((res) => {
+        logger.warn('[authorize] success', { status: res.status })
+        return res.data
+      })
      .catch((error) => {
-        const logger = process.logger || console
-        logger.error(error)
+        logger.error('[authorize] failed', {
+          code: error?.code,
+          status: error?.response?.status,
+          message: error?.message
+        })
      })
  }

@@ -578,9 +625,16 @@ ${resHeaders}${parsedResBody ? `\n\n${parsedResBody}` : ''}

  protected parseAndSetCsrfToken = (response: AxiosResponse) => {
    const token = this.parseCsrfToken(response)
+    const logger = getLogger()

    if (token) {
      this.csrfToken = token
+      logger.warn('[parseAndSetCsrfToken] set', {
+        headerName: token.headerName,
+        hasValue: !!token.value
+      })
+    } else {
+      logger.warn('[parseAndSetCsrfToken] no token found in response')
    }
  }

@@ -600,6 +654,11 @@ ${resHeaders}${parsedResBody ? `\n\n${parsedResBody}` : ''}
    }
  }

+  private logHandleError(step: string, details?: Record<string, any>) {
+    const logger = getLogger()
+    logger.warn(`[handleError] ${step}`, details || '')
+  }
+
  protected handleError = async (
    e: any,
    callback: any,
@@ -607,7 +666,19 @@ ${resHeaders}${parsedResBody ? `\n\n${parsedResBody}` : ''}
  ) => {
    const response = e.response as AxiosResponse

+    this.logHandleError('entered', {
+      errorType: e?.constructor?.name,
+      code: e?.code,
+      status: response?.status,
+      url: e?.config?.url || response?.config?.url,
+      hasResponse: !!response,
+      isRecovering: this.isRecoveringFromNetworkError
+    })
+
    if (e instanceof AuthorizeError) {
+      this.logHandleError('AuthorizeError — fetching confirmUrl', {
+        confirmUrl: e.confirmUrl
+      })
      const res = await this.httpClient
        .get(e.confirmUrl, {
          responseType: 'text',
@@ -617,13 +688,24 @@ ${resHeaders}${parsedResBody ? `\n\n${parsedResBody}` : ''}
          throw prefixMessage(err, 'Error while getting error confirmUrl. ')
        })

-      if (isAuthorizeFormRequired(res?.data as string)) {
+      const needsAuthorize = isAuthorizeFormRequired(res?.data as string)
+      this.logHandleError(
+        'AuthorizeError — authorize form required: ' + needsAuthorize
+      )
+
+      if (needsAuthorize) {
        await this.authorize(res.data as string).catch((err) => {
          throw prefixMessage(err, 'Error while authorizing request. ')
        })
      }

+      this.logHandleError('AuthorizeError — retrying callback')
      return await callback().catch((err: any) => {
+        this.logHandleError('AuthorizeError — callback failed', {
+          errorType: err?.constructor?.name,
+          code: err?.code,
+          message: err?.message
+        })
        throw prefixMessage(
          err,
          'Error while executing callback in handleError. '
@@ -632,12 +714,14 @@ ${resHeaders}${parsedResBody ? `\n\n${parsedResBody}` : ''}
    }

    if (e instanceof LoginRequiredError) {
+      this.logHandleError('LoginRequiredError — clearing CSRF and re-throwing')
      this.clearCsrfTokens()

      throw e
    }

    if (e instanceof InvalidSASjsCsrfError) {
+      this.logHandleError('InvalidSASjsCsrfError — re-fetching CSRF cookie')
      // Fetching root and creating CSRF cookie
      await this.httpClient
        .get('/', {
@@ -649,13 +733,22 @@ ${resHeaders}${parsedResBody ? `\n\n${parsedResBody}` : ''}
              response.data
            )?.[1]

+          this.logHandleError(
+            'InvalidSASjsCsrfError — cookie found: ' + !!cookie
+          )
          if (cookie) document.cookie = cookie
        })
        .catch((err) => {
          throw prefixMessage(err, 'Error while re-fetching CSRF token.')
        })

+      this.logHandleError('InvalidSASjsCsrfError — retrying callback')
      return await callback().catch((err: any) => {
+        this.logHandleError('InvalidSASjsCsrfError — callback failed', {
+          errorType: err?.constructor?.name,
+          code: err?.code,
+          message: err?.message
+        })
        throw prefixMessage(
          err,
          'Error while executing callback in handleError. '
@@ -666,8 +759,20 @@ ${resHeaders}${parsedResBody ? `\n\n${parsedResBody}` : ''}
    if (response?.status === 403 || response?.status === 449) {
      this.parseAndSetCsrfToken(response)

-      if (this.csrfToken.headerName && this.csrfToken.value) {
+      const hasToken = !!(this.csrfToken.headerName && this.csrfToken.value)
+      this.logHandleError('403/449 — parsed CSRF from response', {
+        hasToken,
+        headerName: this.csrfToken.headerName
+      })
+
+      if (hasToken) {
+        this.logHandleError('403/449 — retrying callback with new CSRF')
        return await callback().catch((err: any) => {
+          this.logHandleError('403/449 — callback failed', {
+            errorType: err?.constructor?.name,
+            code: err?.code,
+            message: err?.message
+          })
          throw prefixMessage(
            err,
            'Error while executing callback in handleError. '
@@ -675,6 +780,9 @@ ${resHeaders}${parsedResBody ? `\n\n${parsedResBody}` : ''}
        })
      }

+      this.logHandleError(
+        '403/449 — no CSRF in response, throwing original error'
+      )
      throw e
    } else if (response?.status === 404) {
      throw new NotFoundError(response.config.url!)
@@ -687,6 +795,68 @@ ${resHeaders}${parsedResBody ? `\n\n${parsedResBody}` : ''}
      throw new CertificateError(e.message)
    }

+    if (
+      e.isAxiosError &&
+      !response &&
+      e.code === 'ERR_NETWORK' &&
+      !this.isRecoveringFromNetworkError
+    ) {
+      // Opaque ERR_NETWORK usually means the server rejected stale credentials.
+      // Wipe in-memory auth state, re-establish session via GET /,
+      // then retry the original request.
+      this.logHandleError('ERR_NETWORK — clearing all auth state')
+      this.resetInMemoryAuthState()
+      this.isRecoveringFromNetworkError = true
+      try {
+        // Re-establish session and CSRF cookie
+        this.logHandleError('ERR_NETWORK — re-establishing session via GET /')
+        const rootResponse = await this.httpClient
+          .get('/', { withXSRFToken: true })
+          .catch((err) => {
+            this.logHandleError('ERR_NETWORK — GET / failed', {
+              code: err?.code,
+              status: err?.response?.status,
+              message: err?.message
+            })
+            return err.response
+          })
+
+        if (rootResponse?.data) {
+          const cookie =
+            /<script>document.cookie = '(XSRF-TOKEN=.*; Max-Age=86400; SameSite=Strict; Path=\/;)'<\/script>/.exec(
+              rootResponse.data
+            )?.[1]
+
+          if (cookie && typeof document !== 'undefined') {
+            document.cookie = cookie
+            this.logHandleError('ERR_NETWORK — XSRF-TOKEN cookie restored')
+          }
+
+          this.parseAndSetCsrfToken(rootResponse)
+        }
+
+        this.logHandleError('ERR_NETWORK — retrying original request')
+        return await callback()
+      } catch (retryErr: any) {
+        // Session could not be recovered — surface LoginRequiredError
+        this.logHandleError(
+          'ERR_NETWORK — retry failed, throwing LoginRequiredError',
+          {
+            errorType: retryErr?.constructor?.name,
+            code: retryErr?.code,
+            message: retryErr?.message
+          }
+        )
+        throw new LoginRequiredError()
+      } finally {
+        this.isRecoveringFromNetworkError = false
+      }
+    }
+
+    this.logHandleError('unhandled — throwing as-is', {
+      message: e?.message,
+      code: e?.code
+    })
    if (e.message) throw e
    else throw prefixMessage(e, 'Error while handling error. ')
  }
@@ -23,6 +23,13 @@ export class Sas9RequestClient extends RequestClient {
    }
  }

+  public resetInMemoryAuthState() {
+    super.resetInMemoryAuthState()
+    if (this.httpClient.defaults.jar) {
+      ;(this.httpClient.defaults.jar as tough.CookieJar).removeAllCookiesSync()
+    }
+  }
+
  public async login(username: string, password: string, jobsPath: string) {
    const codeInjectorPath = `/User Folders/${username}/My Folder/sasjs/runner`
    if (this.httpClient.defaults.jar) {
@@ -589,6 +589,42 @@ ${resHeaders[0]}: ${resHeaders[1]}${
        requestClient['handleError'](error, () => {}, false)
      ).resolves.toEqual(undefined)
    })
+
+    it('should clear CSRF and retry once on opaque ERR_NETWORK', async () => {
+      const networkError = {
+        isAxiosError: true,
+        code: 'ERR_NETWORK',
+        message: 'Network Error'
+      }
+      requestClient['csrfToken'] = { headerName: 'h', value: 'v' }
+      const callback = jest.fn().mockResolvedValue('ok')
+
+      await expect(
+        requestClient['handleError'](networkError, callback)
+      ).resolves.toEqual('ok')
+
+      expect(callback).toHaveBeenCalledTimes(1)
+      expect(requestClient['csrfToken']).toEqual({ headerName: '', value: '' })
+    })
+
+    it('should throw LoginRequiredError if retry also fails with ERR_NETWORK', async () => {
+      const networkError = {
+        isAxiosError: true,
+        code: 'ERR_NETWORK',
+        message: 'Network Error'
+      }
+      const innerHandle = jest.fn(() =>
+        requestClient['handleError'](networkError, () =>
+          Promise.reject(networkError)
+        )
+      )
+
+      await expect(
+        requestClient['handleError'](networkError, innerHandle)
+      ).rejects.toThrow(LoginRequiredError)
+
+      expect(innerHandle).toHaveBeenCalledTimes(1)
+    })
  })
 })
Author	SHA1	Message	Date
mulahasanovic	39883f60d7	fix: re-establish session on ERR_NETWORK before retrying	2026-04-20 12:54:14 +02:00
mulahasanovic	706fd8e470	chore: add diagnostic logging to session recovery flow	2026-04-16 10:08:33 +02:00
mulahasanovic	53ebeb1cf5	fix: clear all cookies on session expiry and throw LoginRequiredError	2026-04-16 10:02:36 +02:00
mulahasanovic	fe5f0e87b7	fix: handle session inactivity expiry	2026-04-15 08:57:34 +02:00