SSO auth

2026-03-17 02:57:22 +08:00
parent 905ba5abc0
commit ace265e11f
12 changed files with 460 additions and 369 deletions
--- a/src-tauri/src/assets/auth-success.html
+++ b/src-tauri/src/assets/auth-success.html
@@ -0,0 +1,51 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>Friendolls Sign-in Complete</title>
+    <style>
+      :root {
+        color-scheme: light;
+      }
+
+      body {
+        margin: 0;
+        min-height: 100vh;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        background:
+          radial-gradient(circle at top, #d8f8ff, transparent 45%),
+          linear-gradient(180deg, #f8feff 0%, #eef8fb 100%);
+        font-family: "Avenir Next", "Segoe UI", sans-serif;
+        color: #24414b;
+      }
+
+      .card {
+        width: min(420px, calc(100vw - 32px));
+        padding: 32px 28px;
+        border-radius: 24px;
+        background: rgba(255, 255, 255, 0.9);
+        box-shadow: 0 24px 80px rgba(55, 113, 130, 0.18);
+        text-align: center;
+      }
+
+      h1 {
+        margin: 0 0 10px;
+        font-size: 28px;
+      }
+
+      p {
+        margin: 0;
+        line-height: 1.5;
+        color: #4b6973;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Signed in</h1>
+      <p>You can close this browser tab and return to Friendolls.</p>
+    </div>
+  </body>
+</html>
--- a/src-tauri/src/commands/auth.rs
+++ b/src-tauri/src/commands/auth.rs
@@ -8,45 +8,16 @@ pub async fn logout_and_restart() -> Result<(), String> {

 #[tauri::command]
 #[specta::specta]
-pub async fn login(email: String, password: String) -> Result<(), String> {
-    auth::login_and_init_session(&email, &password)
+pub async fn start_google_auth() -> Result<(), String> {
+    auth::start_browser_login("google")
        .await
        .map_err(|e| e.to_string())
 }

 #[tauri::command]
 #[specta::specta]
-pub async fn register(
-    email: String,
-    password: String,
-    name: Option<String>,
-    username: Option<String>,
-) -> Result<String, String> {
-    auth::register(
-        &email,
-        &password,
-        name.as_deref(),
-        username.as_deref(),
-    )
-    .await
-    .map_err(|e| e.to_string())
-}
-
-#[tauri::command]
-#[specta::specta]
-pub async fn change_password(
-    current_password: String,
-    new_password: String,
-) -> Result<(), String> {
-    auth::change_password(&current_password, &new_password)
-        .await
-        .map_err(|e| e.to_string())
-}
-
-#[tauri::command]
-#[specta::specta]
-pub async fn reset_password(old_password: String, new_password: String) -> Result<(), String> {
-    auth::reset_password(&old_password, &new_password)
+pub async fn start_discord_auth() -> Result<(), String> {
+    auth::start_browser_login("discord")
        .await
        .map_err(|e| e.to_string())
 }
--- a/src-tauri/src/lib.rs
+++ b/src-tauri/src/lib.rs
@@ -10,7 +10,7 @@ use commands::app_state::{
    get_active_doll_sprite_base64, get_app_data, get_friend_active_doll_sprites_base64,
    refresh_app_data,
 };
-use commands::auth::{change_password, login, logout_and_restart, register, reset_password};
+use commands::auth::{logout_and_restart, start_discord_auth, start_google_auth};
 use commands::config::{get_client_config, open_client_config, save_client_config};
 use commands::dolls::{
    create_doll, delete_doll, get_doll, get_dolls, remove_active_doll, set_active_doll, update_doll,
@@ -99,10 +99,8 @@ pub fn run() {
            get_scene_interactive,
            set_scene_interactive,
            set_pet_menu_state,
-            login,
-            register,
-            change_password,
-            reset_password,
+            start_google_auth,
+            start_discord_auth,
            logout_and_restart,
            send_interaction_cmd,
            get_modules
--- a/src-tauri/src/services/auth/api.rs
+++ b/src-tauri/src/services/auth/api.rs
@@ -6,48 +6,44 @@ use crate::{lock_r, lock_w, state::FDOLL};
 use super::storage::{build_auth_pass, save_auth_pass, AuthError, AuthPass};

 #[derive(Debug, Deserialize)]
-struct LoginResponse {
+pub struct StartSsoResponse {
+    pub state: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct TokenResponse {
    #[serde(rename = "accessToken")]
    access_token: String,
    #[serde(rename = "expiresIn")]
    expires_in: u64,
-}
-
-#[derive(Debug, Deserialize)]
-struct RegisterResponse {
-    id: String,
+    #[serde(rename = "refreshToken")]
+    refresh_token: String,
+    #[serde(rename = "refreshExpiresIn")]
+    refresh_expires_in: u64,
 }

 #[derive(Debug, Serialize)]
-struct LoginRequest<'a> {
-    email: &'a str,
-    password: &'a str,
+struct StartSsoRequest<'a> {
+    provider: &'a str,
+    #[serde(rename = "redirectUri")]
+    redirect_uri: &'a str,
 }

 #[derive(Debug, Serialize)]
-struct RegisterRequest<'a> {
-    email: &'a str,
-    password: &'a str,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    name: Option<&'a str>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    username: Option<&'a str>,
+struct ExchangeSsoCodeRequest<'a> {
+    code: &'a str,
 }

 #[derive(Debug, Serialize)]
-struct ChangePasswordRequest<'a> {
-    #[serde(rename = "currentPassword")]
-    current_password: &'a str,
-    #[serde(rename = "newPassword")]
-    new_password: &'a str,
+struct RefreshTokenRequest<'a> {
+    #[serde(rename = "refreshToken")]
+    refresh_token: &'a str,
 }

 #[derive(Debug, Serialize)]
-struct ResetPasswordRequest<'a> {
-    #[serde(rename = "oldPassword")]
-    old_password: &'a str,
-    #[serde(rename = "newPassword")]
-    new_password: &'a str,
+struct LogoutRequest<'a> {
+    #[serde(rename = "refreshToken")]
+    refresh_token: &'a str,
 }

 fn auth_http_context() -> Result<(String, reqwest::Client), AuthError> {
@@ -87,96 +83,70 @@ pub async fn with_auth(request: reqwest::RequestBuilder) -> reqwest::RequestBuil
    }
 }

-pub async fn login(email: &str, password: &str) -> Result<AuthPass, AuthError> {
+pub async fn start_sso(provider: &str, redirect_uri: &str) -> Result<StartSsoResponse, AuthError> {
    let (base_url, http_client) = auth_http_context()?;
    let response = http_client
-        .post(format!("{}/auth/login", base_url))
-        .json(&LoginRequest { email, password })
-        .send()
-        .await?;
-
-    let login_response: LoginResponse = ensure_success(response).await?.json().await?;
-    let auth_pass = build_auth_pass(login_response.access_token, login_response.expires_in)?;
-    lock_w!(FDOLL).auth.auth_pass = Some(auth_pass.clone());
-    save_auth_pass(&auth_pass)?;
-    Ok(auth_pass)
-}
-
-pub async fn register(
-    email: &str,
-    password: &str,
-    name: Option<&str>,
-    username: Option<&str>,
-) -> Result<String, AuthError> {
-    let (base_url, http_client) = auth_http_context()?;
-    let response = http_client
-        .post(format!("{}/auth/register", base_url))
-        .json(&RegisterRequest {
-            email,
-            password,
-            name,
-            username,
+        .post(format!("{}/auth/sso/start", base_url))
+        .json(&StartSsoRequest {
+            provider,
+            redirect_uri,
        })
        .send()
        .await?;

-    let register_response: RegisterResponse = ensure_success(response).await?.json().await?;
-    Ok(register_response.id)
+    ensure_success(response).await?.json().await.map_err(AuthError::from)
 }

-pub async fn change_password(
-    current_password: &str,
-    new_password: &str,
-) -> Result<(), AuthError> {
-    let (base_url, http_client) = auth_http_context()?;
-    let response = with_auth(http_client.post(format!("{}/auth/change-password", base_url)).json(
-        &ChangePasswordRequest {
-            current_password,
-            new_password,
-        },
-    ))
-    .await
-    .send()
-    .await?;
-
-    ensure_success(response).await?;
-    Ok(())
-}
-
-pub async fn reset_password(old_password: &str, new_password: &str) -> Result<(), AuthError> {
-    let (base_url, http_client) = auth_http_context()?;
-    let response = with_auth(http_client.post(format!("{}/auth/reset-password", base_url)).json(
-        &ResetPasswordRequest {
-            old_password,
-            new_password,
-        },
-    ))
-    .await
-    .send()
-    .await?;
-
-    ensure_success(response).await?;
-    Ok(())
-}
-
-pub async fn refresh_token(access_token: &str) -> Result<AuthPass, AuthError> {
+pub async fn exchange_sso_code(code: &str) -> Result<AuthPass, AuthError> {
    let (base_url, http_client) = auth_http_context()?;
    let response = http_client
-        .post(format!("{}/auth/refresh", base_url))
-        .header("Authorization", format!("Bearer {}", access_token))
+        .post(format!("{}/auth/sso/exchange", base_url))
+        .json(&ExchangeSsoCodeRequest { code })
        .send()
        .await?;

-    if !response.status().is_success() {
-        let status = response.status();
-        let error_text = response.text().await.unwrap_or_default();
-        error!("Token refresh failed with status {}: {}", status, error_text);
-        return Err(AuthError::RefreshFailed);
-    }
+    let token_response: TokenResponse = ensure_success(response).await?.json().await?;
+    let auth_pass = build_auth_pass(
+        token_response.access_token,
+        token_response.expires_in,
+        token_response.refresh_token,
+        token_response.refresh_expires_in,
+    )?;

-    let refresh_response: LoginResponse = response.json().await?;
-    let auth_pass = build_auth_pass(refresh_response.access_token, refresh_response.expires_in)?;
    lock_w!(FDOLL).auth.auth_pass = Some(auth_pass.clone());
    save_auth_pass(&auth_pass)?;
    Ok(auth_pass)
 }
+
+pub async fn refresh_token(refresh_token: &str) -> Result<AuthPass, AuthError> {
+    let (base_url, http_client) = auth_http_context()?;
+    let response = http_client
+        .post(format!("{}/auth/refresh", base_url))
+        .json(&RefreshTokenRequest { refresh_token })
+        .send()
+        .await?;
+
+    let token_response: TokenResponse = ensure_success(response).await?.json().await?;
+    let auth_pass = build_auth_pass(
+        token_response.access_token,
+        token_response.expires_in,
+        token_response.refresh_token,
+        token_response.refresh_expires_in,
+    )?;
+
+    lock_w!(FDOLL).auth.auth_pass = Some(auth_pass.clone());
+    save_auth_pass(&auth_pass)?;
+    Ok(auth_pass)
+}
+
+pub async fn logout_remote(refresh_token: &str) -> Result<(), AuthError> {
+    let (base_url, http_client) = auth_http_context()?;
+    let response = http_client
+        .post(format!("{}/auth/logout", base_url))
+        .json(&LogoutRequest { refresh_token })
+        .send()
+        .await?;
+
+    ensure_success(response).await?;
+    Ok(())
+}
--- a/src-tauri/src/services/auth/flow.rs
+++ b/src-tauri/src/services/auth/flow.rs
@@ -0,0 +1,187 @@
+use tauri_plugin_opener::OpenerExt;
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::net::{TcpListener, TcpStream};
+use tokio_util::sync::CancellationToken;
+use tracing::{error, info, warn};
+
+use crate::get_app_handle;
+use crate::state::clear_auth_flow_state;
+use crate::{lock_r, state::FDOLL};
+
+use super::api::{exchange_sso_code, start_sso};
+use super::storage::AuthError;
+
+static AUTH_SUCCESS_HTML: &str = include_str!("../../assets/auth-success.html");
+
+pub struct OAuthCallbackParams {
+    pub state: String,
+    pub code: String,
+}
+
+pub async fn start_browser_auth_flow(provider: &str) -> Result<(), AuthError> {
+    clear_auth_flow_state();
+
+    let bind_addr = "127.0.0.1:0";
+    let std_listener = std::net::TcpListener::bind(bind_addr)
+        .map_err(|e| AuthError::ServerBindError(e.to_string()))?;
+    std_listener
+        .set_nonblocking(true)
+        .map_err(|e| AuthError::ServerBindError(e.to_string()))?;
+    let local_addr = std_listener
+        .local_addr()
+        .map_err(|e| AuthError::ServerBindError(e.to_string()))?;
+
+    let redirect_uri = format!("http://127.0.0.1:{}/callback", local_addr.port());
+    let start_response = start_sso(provider, &redirect_uri).await?;
+
+    let cancel_token = CancellationToken::new();
+    {
+        let mut guard = crate::lock_w!(crate::state::FDOLL);
+        guard.auth.oauth_flow.state = Some(start_response.state.clone());
+        guard.auth.oauth_flow.background_auth_token = Some(cancel_token.clone());
+    }
+
+    let listener = TcpListener::from_std(std_listener)
+        .map_err(|e| AuthError::ServerBindError(e.to_string()))?;
+    let expected_state = start_response.state.clone();
+    let auth_url = build_authorize_url(provider, &start_response.state)?;
+    tauri::async_runtime::spawn(async move {
+        match listen_for_callback(listener, cancel_token.clone()).await {
+            Ok(params) => {
+                if params.state != expected_state {
+                    error!("SSO state mismatch");
+                    clear_auth_flow_state();
+                    return;
+                }
+
+                if let Err(err) = exchange_sso_code(&params.code).await {
+                    error!("Failed to exchange SSO code: {}", err);
+                    clear_auth_flow_state();
+                    return;
+                }
+
+                clear_auth_flow_state();
+                if let Err(err) = super::session::finish_login_session().await {
+                    error!("Failed to finalize desktop login session: {}", err);
+                }
+            }
+            Err(AuthError::Cancelled) => {
+                info!("Auth flow cancelled");
+            }
+            Err(err) => {
+                error!("Auth callback listener failed: {}", err);
+                clear_auth_flow_state();
+            }
+        }
+    });
+
+    get_app_handle()
+        .opener()
+        .open_url(auth_url, None::<&str>)?;
+
+    Ok(())
+}
+
+fn build_authorize_url(provider: &str, state: &str) -> Result<String, AuthError> {
+    let base_url = lock_r!(FDOLL)
+        .app_config
+        .api_base_url
+        .clone()
+        .ok_or(AuthError::InvalidConfig)?;
+
+    let mut parsed = url::Url::parse(&base_url)
+        .map_err(|e| AuthError::RequestFailed(format!("Invalid API base URL: {}", e)))?;
+    let existing_path = parsed.path().trim_end_matches('/');
+    parsed.set_path(&format!("{}/auth/sso/{}", existing_path, provider));
+    let query = url::form_urlencoded::Serializer::new(String::new())
+        .append_pair("state", state)
+        .finish();
+    parsed.set_query(Some(&query));
+
+    Ok(parsed.to_string())
+}
+
+async fn listen_for_callback(
+    listener: TcpListener,
+    cancel_token: CancellationToken,
+) -> Result<OAuthCallbackParams, AuthError> {
+    let timeout = tokio::time::Duration::from_secs(300);
+    let start = tokio::time::Instant::now();
+
+    loop {
+        let elapsed = start.elapsed();
+        if elapsed >= timeout {
+            return Err(AuthError::CallbackTimeout);
+        }
+
+        let remaining = timeout - elapsed;
+        let accepted = tokio::select! {
+            _ = cancel_token.cancelled() => return Err(AuthError::Cancelled),
+            result = tokio::time::timeout(remaining, listener.accept()) => result,
+        };
+
+        let (mut stream, _) = match accepted {
+            Ok(Ok(value)) => value,
+            Ok(Err(err)) => {
+                warn!("Accept error in auth callback listener: {}", err);
+                continue;
+            }
+            Err(_) => return Err(AuthError::CallbackTimeout),
+        };
+
+        if let Some(callback) = parse_callback(&mut stream).await? {
+            return Ok(callback);
+        }
+    }
+}
+
+async fn parse_callback(stream: &mut TcpStream) -> Result<Option<OAuthCallbackParams>, AuthError> {
+    let mut buffer = [0; 4096];
+    let bytes_read = match stream.read(&mut buffer).await {
+        Ok(value) if value > 0 => value,
+        _ => return Ok(None),
+    };
+
+    let request = String::from_utf8_lossy(&buffer[..bytes_read]);
+    let first_line = request.lines().next().unwrap_or_default();
+    let mut parts = first_line.split_whitespace();
+
+    match (parts.next(), parts.next()) {
+        (Some("GET"), Some(path)) if path.starts_with("/callback") => {
+            let parsed = url::Url::parse(&format!("http://localhost{}", path))
+                .map_err(|e| AuthError::RequestFailed(e.to_string()))?;
+            let params: std::collections::HashMap<_, _> = parsed.query_pairs().into_owned().collect();
+
+            let state = params
+                .get("state")
+                .cloned()
+                .ok_or_else(|| AuthError::MissingParameter("state".to_string()))?;
+            let code = params
+                .get("code")
+                .cloned()
+                .ok_or_else(|| AuthError::MissingParameter("code".to_string()))?;
+
+            let response = format!(
+                "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: {}\r\n\r\n{}",
+                AUTH_SUCCESS_HTML.len(),
+                AUTH_SUCCESS_HTML
+            );
+            stream.write_all(response.as_bytes()).await?;
+            stream.flush().await?;
+
+            Ok(Some(OAuthCallbackParams { state, code }))
+        }
+        (Some("GET"), Some("/health")) => {
+            stream
+                .write_all(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK")
+                .await?;
+            Ok(None)
+        }
+        _ => {
+            stream
+                .write_all(b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")
+                .await?;
+            Ok(None)
+        }
+    }
+}
--- a/src-tauri/src/services/auth/mod.rs
+++ b/src-tauri/src/services/auth/mod.rs
@@ -1,7 +1,8 @@
 mod api;
+mod flow;
 mod session;
 mod storage;

-pub use api::{change_password, refresh_token, register, reset_password, with_auth};
-pub use session::{get_access_token, get_session_token, login_and_init_session, logout_and_restart};
+pub use api::{refresh_token, with_auth};
+pub use session::{get_access_token, get_session_token, logout_and_restart, start_browser_login};
 pub use storage::{clear_auth_pass, load_auth_pass, AuthPass};
--- a/src-tauri/src/services/auth/session.rs
+++ b/src-tauri/src/services/auth/session.rs
@@ -17,8 +17,21 @@ pub async fn get_access_token() -> Option<String> {

 pub fn logout() -> Result<(), AuthError> {
    info!("Logging out user");
-    lock_w!(FDOLL).auth.auth_pass = None;
+    let refresh_token = lock_w!(FDOLL)
+        .auth
+        .auth_pass
+        .take()
+        .map(|pass| pass.refresh_token);
    clear_auth_pass()?;
+
+    if let Some(refresh_token) = refresh_token {
+        tauri::async_runtime::spawn(async move {
+            if let Err(err) = super::api::logout_remote(&refresh_token).await {
+                info!("Failed to revoke refresh token on server: {}", err);
+            }
+        });
+    }
+
    Ok(())
 }

@@ -28,8 +41,7 @@ pub async fn logout_and_restart() -> Result<(), AuthError> {
    app_handle.restart();
 }

-pub async fn login_and_init_session(email: &str, password: &str) -> Result<(), AuthError> {
-    super::api::login(email, password).await?;
+pub async fn finish_login_session() -> Result<(), AuthError> {
    close_welcome_window();
    tauri::async_runtime::spawn(async {
        construct_user_session().await;
@@ -37,3 +49,7 @@ pub async fn login_and_init_session(email: &str, password: &str) -> Result<(), A
    });
    Ok(())
 }
+
+pub async fn start_browser_login(provider: &str) -> Result<(), AuthError> {
+    super::flow::start_browser_auth_flow(provider).await
+}
--- a/src-tauri/src/services/auth/storage.rs
+++ b/src-tauri/src/services/auth/storage.rs
@@ -29,6 +29,21 @@ pub enum AuthError {
    #[error("Request failed: {0}")]
    RequestFailed(String),

+    #[error("Missing callback parameter: {0}")]
+    MissingParameter(String),
+
+    #[error("Authentication flow cancelled")]
+    Cancelled,
+
+    #[error("Callback timeout - no response received")]
+    CallbackTimeout,
+
+    #[error("Server binding failed: {0}")]
+    ServerBindError(String),
+
+    #[error("Failed to open auth portal: {0}")]
+    OpenPortalFailed(#[from] tauri_plugin_opener::Error),
+
    #[error("IO error: {0}")]
    IoError(#[from] std::io::Error),
 }
@@ -37,12 +52,16 @@ pub enum AuthError {
 pub struct AuthPass {
    pub access_token: String,
    pub expires_in: u64,
+    pub refresh_token: String,
+    pub refresh_expires_in: u64,
    pub issued_at: Option<u64>,
 }

 pub(crate) fn build_auth_pass(
    access_token: String,
    expires_in: u64,
+    refresh_token: String,
+    refresh_expires_in: u64,
 ) -> Result<AuthPass, AuthError> {
    let issued_at = SystemTime::now()
        .duration_since(UNIX_EPOCH)
@@ -51,6 +70,8 @@ pub(crate) fn build_auth_pass(
    Ok(AuthPass {
        access_token,
        expires_in,
+        refresh_token,
+        refresh_expires_in,
        issued_at: Some(issued_at),
    })
 }
--- a/src-tauri/src/state/auth.rs
+++ b/src-tauri/src/state/auth.rs
@@ -11,10 +11,17 @@ use tracing::{error, info, warn};
 static REFRESH_LOCK: once_cell::sync::Lazy<Mutex<()>> =
    once_cell::sync::Lazy::new(|| Mutex::new(()));

+#[derive(Default, Clone)]
+pub struct OAuthFlowTracker {
+    pub state: Option<String>,
+    pub background_auth_token: Option<CancellationToken>,
+}
+
 #[derive(Default)]
 pub struct AuthState {
    pub auth_pass: Option<AuthPass>,
-    pub background_refresh_token: Option<tokio_util::sync::CancellationToken>,
+    pub oauth_flow: OAuthFlowTracker,
+    pub background_refresh_token: Option<CancellationToken>,
 }

 pub fn init_auth_state() -> AuthState {
@@ -29,10 +36,19 @@ pub fn init_auth_state() -> AuthState {

    AuthState {
        auth_pass,
+        oauth_flow: OAuthFlowTracker::default(),
        background_refresh_token: None,
    }
 }

+pub fn clear_auth_flow_state() {
+    let mut guard = lock_w!(FDOLL);
+    if let Some(cancel_token) = guard.auth.oauth_flow.background_auth_token.take() {
+        cancel_token.cancel();
+    }
+    guard.auth.oauth_flow.state = None;
+}
+
 /// Returns the auth pass object, including access token and metadata.
 /// Automatically refreshes if expired and clears session on refresh failure.
 pub async fn get_auth_pass_with_refresh() -> Option<AuthPass> {
@@ -46,9 +62,15 @@ pub async fn get_auth_pass_with_refresh() -> Option<AuthPass> {
    };

    let current_time = SystemTime::now().duration_since(UNIX_EPOCH).ok()?.as_secs();
-    let expires_at = issued_at.saturating_add(auth_pass.expires_in);
-    let expired = current_time >= expires_at;
-    if !expired {
+    let access_expires_at = issued_at.saturating_add(auth_pass.expires_in);
+    let refresh_expires_at = issued_at.saturating_add(auth_pass.refresh_expires_in);
+
+    if current_time >= refresh_expires_at {
+        clear_expired_auth().await;
+        return None;
+    }
+
+    if current_time < access_expires_at {
        return Some(auth_pass);
    }

@@ -61,28 +83,39 @@ pub async fn get_auth_pass_with_refresh() -> Option<AuthPass> {
        lock_w!(FDOLL).auth.auth_pass = None;
        return None;
    };
-    let expires_at = issued_at.saturating_add(auth_pass.expires_in);
-    let expired = current_time >= expires_at;
-    if !expired {
+
+    let access_expires_at = issued_at.saturating_add(auth_pass.expires_in);
+    let refresh_expires_at = issued_at.saturating_add(auth_pass.refresh_expires_in);
+
+    if current_time >= refresh_expires_at {
+        clear_expired_auth().await;
+        return None;
+    }
+
+    if current_time < access_expires_at {
        return Some(auth_pass);
    }

    info!("Access token expired, attempting refresh");
-    match refresh_token(&auth_pass.access_token).await {
+    match refresh_token(&auth_pass.refresh_token).await {
        Ok(new_pass) => Some(new_pass),
        Err(e) => {
            error!("Failed to refresh token: {}", e);
-            lock_w!(FDOLL).auth.auth_pass = None;
-            if let Err(e) = clear_auth_pass() {
-                error!("Failed to clear expired auth pass: {}", e);
-            }
-            destruct_user_session().await;
-            open_welcome_window();
+            clear_expired_auth().await;
            None
        }
    }
 }

+async fn clear_expired_auth() {
+    lock_w!(FDOLL).auth.auth_pass = None;
+    if let Err(e) = clear_auth_pass() {
+        error!("Failed to clear expired auth pass: {}", e);
+    }
+    destruct_user_session().await;
+    open_welcome_window();
+}
+
 async fn refresh_if_expiring_soon() {
    let Some(auth_pass) = ({ lock_r!(FDOLL).auth.auth_pass.clone() }) else {
        return;
@@ -97,6 +130,12 @@ async fn refresh_if_expiring_soon() {
        Err(_) => return,
    };

+    let refresh_expires_at = issued_at.saturating_add(auth_pass.refresh_expires_in);
+    if current_time >= refresh_expires_at {
+        clear_expired_auth().await;
+        return;
+    }
+
    let access_expires_at = issued_at.saturating_add(auth_pass.expires_in);
    if access_expires_at.saturating_sub(current_time) >= 60 {
        return;
@@ -117,19 +156,20 @@ async fn refresh_if_expiring_soon() {
        Err(_) => return,
    };

+    let refresh_expires_at = latest_issued_at.saturating_add(latest_pass.refresh_expires_in);
+    if current_time >= refresh_expires_at {
+        clear_expired_auth().await;
+        return;
+    }
+
    let access_expires_at = latest_issued_at.saturating_add(latest_pass.expires_in);
    if access_expires_at.saturating_sub(current_time) >= 60 {
        return;
    }

-    if let Err(e) = refresh_token(&latest_pass.access_token).await {
+    if let Err(e) = refresh_token(&latest_pass.refresh_token).await {
        warn!("Background refresh failed: {}", e);
-        lock_w!(FDOLL).auth.auth_pass = None;
-        if let Err(e) = clear_auth_pass() {
-            error!("Failed to clear auth pass after refresh failure: {}", e);
-        }
-        destruct_user_session().await;
-        open_welcome_window();
+        clear_expired_auth().await;
    }
 }