Fix getAuth clearing refresh token on temporary failures

[Copilot]

The getAuth method cleared refresh tokens on any error, including network failures and service outages. This caused permanent authentication failures after temporary Ring service disruptions, with users seeing "Refresh token is not valid" errors despite having valid tokens.

Changes

• Only clear refresh token on 401 with invalid_grant or access_denied - these indicate truly invalid tokens
• Preserve token for all other errors - network failures, 5xx responses, rate limiting, etc. allow recovery
• Add logging to distinguish token cleared vs preserved states
• Add tests for server errors, rate limiting, and non-401 access_denied scenarios

Before

} catch (requestError: any) {
  if (grantData.refresh_token) {
    // failed request with refresh token
    this.refreshToken = undefined  // Cleared on ANY error
    this.authConfig = undefined
    logError(requestError)
    return this.getAuth()  // Infinite loop if no email/password
  }

After

} catch (requestError: any) {
  const response = requestError.response || {}
  const responseData: Auth2faResponse = response.body || {}
  const responseError = /* ... */

  if (grantData.refresh_token) {
    const isInvalidToken =
      response.status === 401 &&
      (responseError === 'invalid_grant' || responseError === 'access_denied')

    if (isInvalidToken) {
      // Only clear on actual auth failure
      this.refreshToken = undefined
      this.authConfig = undefined
      return this.getAuth(twoFactorAuthCode)
    }
    // Preserve token for temporary failures
  }

Addresses the core issue from #1265 and #1071 where the client couldn't recover from temporary service outages.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Infinite loop in geAuth</issue_title>
<issue_description>### Is there an existing issue for this?

• I have searched the existing issues

Describe The Bug

https://github.com/dgreif/ring/blob/main/packages/ring-client-api/rest-client.ts#L268

Doesn't this line cause a recursive request loop on a service or connection failure?

To Reproduce

No response

Expected behavior

N/A

Relevant log output

No response

Screenshots

No response

Additional context

No response

OS

All

Node.js Version

All

NPM Version

N/A

ring-client-api

11

Operating System

All</issue_description>

<agent_instructions>Take a look at #1071 as well. They are both a bit outdated, but I think there is still a problem with how we handle auth failures today. Add tests where applicable.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@tsightler I think this is a duplicate of my issue here: https://github.com//issues/1071 @tsightler I think it's just because the same code path is used for the initial authentication so, for example, if there is a configured token, but that saved token isn't valid, it's cleared so the same code path can be used to re-authenticate via standard 2FA auth. That's actually fine for the case where the token truly is invalid (for example, user removes account from authorized devices), but it's not good for the case where the token is only temporarily not working, which is the far more common case, in my experience.

• Fixes Infinite loop in geAuth #1252

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.