Ayuriel/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): classify permission_error as auth_permanent for profile fallback (#31324)

Browse Source 
When an OAuth auth profile returns HTTP 403 with permission_error
(e.g. expired plan), the error was not matched by the authPermanent
patterns. This caused the profile to receive only a short cooldown
instead of being disabled, so the gateway kept retrying the same
broken profile indefinitely.

Add "permission_error" and "not allowed for this organization" to
the authPermanent error patterns so these errors trigger the longer
billing/auth_permanent disable window and proper profile rotation.

Closes #31306

Made-with: Cursor

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
This commit is contained in:
Sid 2026-03-02 14:26:05 +08:00 committed by GitHub
parent f2dbaf70fa
commit 40e078a567
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/agents/failover-error.test.ts
View File

@ -100,6 +100,32 @@ describe("failover-error", () => {
expect(err?.provider).toBe("anthropic"); expect(err?.provider).toBe("anthropic");
}); });
it("403 permission_error returns auth_permanent", () => {
expect(
resolveFailoverReasonFromError({
status: 403,
message:
"permission_error: OAuth authentication is currently not allowed for this organization.",
}),
).toBe("auth_permanent");
});
it("permission_error in error message string classifies as auth_permanent", () => {
const err = coerceToFailoverError(
"HTTP 403 permission_error: OAuth authentication is currently not allowed for this organization.",
{ provider: "anthropic", model: "claude-opus-4-6" },
);
expect(err?.reason).toBe("auth_permanent");
});
it("'not allowed for this organization' classifies as auth_permanent", () => {
const err = coerceToFailoverError(
"OAuth authentication is currently not allowed for this organization",
{ provider: "anthropic", model: "claude-opus-4-6" },
);
expect(err?.reason).toBe("auth_permanent");
});
it("describes non-Error values consistently", () => { it("describes non-Error values consistently", () => {
const described = describeFailoverError(123); const described = describeFailoverError(123);
expect(described.message).toBe("123"); expect(described.message).toBe("123");

2
src/agents/pi-embedded-helpers/errors.ts
View File

@ -660,6 +660,8 @@ const ERROR_PATTERNS = {
"key has been revoked", "key has been revoked",
"account has been deactivated", "account has been deactivated",
/could not (?:authenticate|validate).*(?:api[_ ]?key|credentials)/i, /could not (?:authenticate|validate).*(?:api[_ ]?key|credentials)/i,
"permission_error",
"not allowed for this organization",
], ],
auth: [ auth: [
/invalid[_ ]?api[_ ]?key/, /invalid[_ ]?api[_ ]?key/,