fix: SetOrgWideDefaults._poll_action fails with stale access token after deploy#3976
Open
yippie wants to merge 1 commit into
Open
fix: SetOrgWideDefaults._poll_action fails with stale access token after deploy#3976yippie wants to merge 1 commit into
yippie wants to merge 1 commit into
Conversation
…ploy The _deploy() method spawns a new Deploy task instance and calls api() on it. Deploy.__call__() always invokes BaseSalesforceTask._update_credentials() which calls org_config.refresh_oauth_token(), rotating the access token stored on org_config AFTER self.sf was already frozen in _init_task(). Subsequent self.sf.query() calls in _poll_action() then use the stale token, causing 401 failures during the sharing-enablement polling phase. Fix: replace self.sf.query() with self.org_config.salesforce_client.query(). OrgConfig.salesforce_client is a @Property that constructs a fresh simple_salesforce.Salesforce instance from the current org_config.access_token on every access, so it always reflects the most recently refreshed token. Update the three affected tests to mock org_config.salesforce_client via PropertyMock instead of assigning to the now-unused task.sf attribute. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Task set_organization_wide_defaults fails 100% of the time if RTR (Refresh token rotation) is on. This is a Connected App security setting that Salesforce now requires and affects CumulusCI when embedded in MetaDeploy.
Root cause
SetOrgWideDefaults._run_task() calls _deploy(), which instantiates a new
Deploy task and invokes api() on it. Deploy.call() always calls
BaseSalesforceTask._update_credentials() → org_config.refresh_oauth_token(),
rotating org_config.access_token AFTER self.sf was already frozen in _init_task().
When _post_deploy() → _poll() → _poll_action() runs, self.sf.query() uses
the pre-deploy access token. If the org has refresh token rotation or a short
session policy, this token is invalid and every poll call returns a 401.
Sequence
Fix
Replace self.sf.query(...) with self.org_config.salesforce_client.query(...).
OrgConfig.salesforce_client is a @Property that constructs a fresh
simple_salesforce.Salesforce instance from self.access_token on every
access, so it always uses the current (post-deploy-refresh) token.
Tests
Updated the three _poll_action / _post_deploy tests to mock
org_config.salesforce_client via PropertyMock instead of assigning
directly to task.sf.