mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-13 03:52:00 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

fix(auth): send Nous refresh token via header

Browse source
This commit is contained in:
Shannon Sands 2026-05-08 10:24:34 +10:00 committed by Teknium
parent 486b14b423
commit b32461f6e8
2 changed files with 40 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hermes_cli/auth.py
View file

@ -3117,10 +3117,10 @@ def _refresh_access_token(
) -> Dict[str, Any]: ) -> Dict[str, Any]:
response = client.post( response = client.post(
f"{portal_base_url}/api/oauth/token", f"{portal_base_url}/api/oauth/token",
headers={"x-nous-refresh-token": refresh_token},
data={ data={
"grant_type": "refresh_token", "grant_type": "refresh_token",
"client_id": client_id, "client_id": client_id,
"refresh_token": refresh_token,
}, },
) )

40
tests/hermes_cli/test_auth_nous_provider.py
View file

@ -1,7 +1,6 @@
"""Regression tests for Nous OAuth refresh + agent-key mint interactions.""" """Regression tests for Nous OAuth refresh + agent-key mint interactions."""
import json import json
import os
from datetime import datetime, timezone from datetime import datetime, timezone
from pathlib import Path from pathlib import Path
@ -862,6 +861,45 @@ def test_refresh_token_reuse_detection_surfaces_actionable_message():
assert exc_info.value.relogin_required is True assert exc_info.value.relogin_required is True
def test_refresh_token_exchange_sends_refresh_token_header():
"""Nous refresh tokens must be sent in a header so sandbox proxies can
substitute placeholder credentials without parsing form bodies.
"""
from hermes_cli.auth import _refresh_access_token
class _FakeResponse:
status_code = 200
def json(self):
return {"access_token": "access-2", "refresh_token": "refresh-2"}
class _FakeClient:
def __init__(self):
self.kwargs = None
def post(self, *args, **kwargs):
del args
self.kwargs = kwargs
return _FakeResponse()
client = _FakeClient()
payload = _refresh_access_token(
client=client,
portal_base_url="https://portal.nousresearch.com",
client_id="hermes-cli",
refresh_token="refresh-1",
)
assert payload["access_token"] == "access-2"
assert client.kwargs is not None
assert client.kwargs["headers"]["x-nous-refresh-token"] == "refresh-1"
assert client.kwargs["data"] == {
"grant_type": "refresh_token",
"client_id": "hermes-cli",
}
def test_refresh_non_reuse_error_keeps_original_description(): def test_refresh_non_reuse_error_keeps_original_description():
"""Non-reuse invalid_grant errors must keep their original description untouched. """Non-reuse invalid_grant errors must keep their original description untouched.