Skip to content

fix: improve websocket error handling with actionable messages#626

Open
Guimove wants to merge 1 commit intomainfrom
fix/websocket-error-handling
Open

fix: improve websocket error handling with actionable messages#626
Guimove wants to merge 1 commit intomainfrom
fix/websocket-error-handling

Conversation

@Guimove
Copy link
Copy Markdown
Contributor

@Guimove Guimove commented Apr 2, 2026
edited
Loading

Summary

Stop infinite retry loops on permanent websocket errors (permission denied, auth failures). Detect error type and show clear, actionable messages instead of raw websocket close frames. Attempt token refresh once on auth failures (gated on HTTP 401/403 or WS 1008). Exit cleanly on permanent errors instead of hanging.

Before / After

Permission denied (Viewer role on qovery shell)

Before:

INFO Attempting to (re)connect to WebSocket
ERRO connection closed by server: websocket: close 1007 (invalid payload data): Invalid permission: Not authorized to websocket-gateway SHELL_EXEC...
INFO Attempting to (re)connect to WebSocket
ERRO connection closed by server: websocket: close 1007 (invalid payload data): Invalid permission: Not authorized to websocket-gateway SHELL_EXEC...
(repeats every 5s forever, Ctrl+C doesn't work, process hangs)

After (with API token):

INFO Attempting to (re)connect to WebSocket
ERRO Permission denied. Your account does not have access to Shell on this service. The minimum required role is Deployer. Contact your Organization admin to update your permissions.

After (with JWT from qovery auth):

INFO Attempting to (re)connect to WebSocket
INFO Permission denied. Attempting to refresh credentials...
INFO Attempting to (re)connect to WebSocket
ERRO Permission denied. Your account does not have access to Shell on this service. The minimum required role is Deployer. Contact your Organization admin to update your permissions.

No shell-agent on cluster (1011)

Before:

INFO Attempting to (re)connect to WebSocket
ERRO connection closed by server: websocket: close 1011 (internal server error): No shell-agent listening for this cluster ec865376-...
INFO Attempting to (re)connect to WebSocket
ERRO connection closed by server: websocket: close 1011 (internal server error): No shell-agent listening for this cluster ec865376-...
(repeats every 5s forever, no useful message)

After:

INFO Attempting to (re)connect to WebSocket
ERRO Shell is not available. Please verify that the cluster hosting this service is running and healthy. Retrying...
INFO Attempting to (re)connect to WebSocket
ERRO Shell is not available. Please verify that the cluster hosting this service is running and healthy. Retrying...
(retries with clear message, Ctrl+C exits cleanly)

Changes

File Change
pkg/wserror.go Shared error classifier + user-facing message helpers + IsAuthDialError
pkg/wserror_test.go 15 unit tests for error classification and messages
pkg/shell_test.go 4 tests for Ctrl+C handling and input forwarding
utils/auth.go ForceRefreshAccessToken() for websocket auth recovery
utils/auth_test.go 5 tests for IsUsingEnvToken and ForceRefreshAccessToken
utils/context.go IsUsingEnvToken() to skip refresh for env-provided tokens
pkg/shell.go Permanent error detection, token refresh (gated on 401/403 and 1008), Ctrl+C support, clean exit
pkg/log.go Permanent error detection, auth dial refresh, actionable messages
pkg/port-forward.go Same + log.Fatal to log.Errorf (don't kill listener)

Error classification

Error Type Retry? Refresh? Message
WS 1007 + "permission" Permission denied No No (same role after refresh) "Minimum required role is Deployer..."
WS 1008 Policy/auth violation Once (JWT refresh) Yes (JWT only) "Please run qovery auth..."
WS 1011 Internal server error Yes (transient) No "Cluster not available. Retrying..."
HTTP 401/403 at dial Auth failure Once (refresh) Yes (JWT only) "Try running qovery auth..."
WS 1000 Normal closure No No "shell terminated bye"
WS 1006, others Transient Yes No Unchanged behavior

Design decisions

  • 1011 is transient: shell-agent may come up during cluster startup, so we retry with a friendly message
  • Refresh only on 1008, not 1007: refreshing won't fix insufficient permissions (same role after refresh)
  • Dial refresh gated on HTTP 401/403: prevents corrupting stored credentials on transient network errors
  • Separate refresh guards (dialRefreshed / tokenRefreshed): reset after successful connection for long-lived sessions
  • IsUsingEnvToken skips ALL refresh: GetAccessToken() always returns env var directly, stored context refresh is futile
  • Ctrl+C only exits when not connected: when connected, byte 0x03 passes through to container shell

Test plan

  • qovery shell with Viewer API token — permission denied message, exits immediately
  • qovery shell with invalid API token — 401 Unauthorized, exits
  • qovery shell with Viewer token on other org — 403 Forbidden, exits
  • qovery shell with no shell-agent (1011) — cluster health message, retries, Ctrl+C exits
  • qovery shell with valid Deployer+ token — shell works normally, interactive
  • Ctrl+C during shell session — exits cleanly ("shell terminated bye")
  • Process returns to prompt after all error cases (no hang)
  • 24 unit tests pass, go vet clean, golangci-lint clean

Guimove
Guimove commented Apr 2, 2026
View reviewed changes
@Guimove Guimove force-pushed the fix/websocket-error-handling branch 2 times, most recently from 90a28f5 to d1be6d4 Compare April 2, 2026 17:42
@Guimove
fix: improve websocket error handling with proper error classificatio…
e6f9e98 
…n and actionable messages

Stop infinite retry loops on permanent websocket errors (permission denied,
auth failures). Detect error type and show clear, actionable messages instead
of raw websocket close frames.

Changes:
- Add shared error classifier (IsPermissionError, IsPermanentCloseError, IsInternalServerError)
- Attempt token refresh once on 1008 auth errors (JWT only, not env tokens)
- Gate dial-level refresh on HTTP 401/403 to avoid corrupting stored credentials
- Reset refresh guards after successful connection for long-lived sessions
- Show minimum required role (Deployer) on permission denied
- Show cluster health message on 1011 (treated as transient, retries)
- Stop retry loop and exit cleanly on permanent errors (1007, 1008)
- Replace log.Fatal with log.Errorf in port-forward (don't kill listener)
- Handle SIGINT alongside SIGTERM, Ctrl+C support when not connected
- Drain done channel after write/ping errors to capture real close frame
@Guimove Guimove force-pushed the fix/websocket-error-handling branch from d1be6d4 to e6f9e98 Compare April 2, 2026 17:48
erebe
erebe reviewed Apr 3, 2026
View reviewed changes
pkg/log.go
if err != nil {
log.Fatal("error while creating websocket connection", err)
if !utils.IsUsingEnvToken() && IsAuthDialError(resp) {
if _, refreshErr := utils.ForceRefreshAccessToken(); refreshErr == nil {
Copy link
Copy Markdown
Contributor

@erebe erebe Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the ForceRefreshAccessToken really needed ? the call createLogWebsocket is already fetching the token and refresh it if it has expired

Copy link
Copy Markdown
Contributor

@erebe erebe Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image

Copy link
Copy Markdown
Contributor Author

@Guimove Guimove Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even for long term connections ?

Copy link
Copy Markdown
Contributor

@erebe erebe Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the auth is already made at the establishment of the connection. After the user has 1 hour before the connection is force cut by the server.

if it reconnect, the auth will be re-checked again

Copy link
Copy Markdown
Contributor Author

@Guimove Guimove Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok so maybe I can remove that part

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erebe erebe erebe left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Guimove @erebe