
[BUG]: Handle 403 responses same as 401 responses in the first 3 seconds after an installation access token was created #589

@gr2m

Description


What happened?

This is a follow-up to

Related to this code

auth-app.js/src/hook.ts

Lines 108 to 152 in d3d9133

/**
 * Newly created tokens might not be accessible immediately after creation.
 * In case of a 401 response, we retry with an increasing delay (1s, 2s, 3s, ...)
 * until more than five seconds pass since the creation of the token.
 *
 * @see https://github.com/octokit/auth-app.js/issues/65
 */
async function sendRequestWithRetries(
  state: State,
  request: RequestInterface,
  options: EndpointOptions,
  createdAt: string,
  retries: number = 0,
): Promise<AnyResponse> {
  // Measured before the request, so a slow response does not eat into the window.
  const timeSinceTokenCreationInMs = +new Date() - +new Date(createdAt);
  try {
    return await request(options);
  } catch (error: any) {
    // Only 401 is treated as "token not replicated yet"; anything else propagates.
    if (error.status !== 401) {
      throw error;
    }
    if (timeSinceTokenCreationInMs >= FIVE_SECONDS_IN_MS) {
      if (retries > 0) {
        error.message = `After ${retries} retries within ${
          timeSinceTokenCreationInMs / 1000
        }s of creating the installation access token, the response remains 401. At this point, the cause may be an authentication problem or a system outage. Please check https://www.githubstatus.com for status information`;
      }
      throw error;
    }
    ++retries;
    const awaitTime = retries * 1000;
    state.log.warn(
      `[@octokit/auth-app] Retrying after 401 response to account for token replication delay (retry: ${retries}, wait: ${
        awaitTime / 1000
      }s)`,
    );
    await new Promise((resolve) => setTimeout(resolve, awaitTime));
    return sendRequestWithRetries(state, request, options, createdAt, retries);
  }
}

I learned today that we also have to handle 403 responses; the reason is as follows:

401 - We can't find your token yet.
403 - We found your scoped installation token with limited permissions, but the permissions they write aren't replicated yet.

We also heard from a partner that the 5s timeout might not be sufficient, but that is something we could address in a follow-up. Instead of the hardcoded 5s timeout, we could provide a callback for users to provide more sophisticated retries.

Versions

Latest Node, latest octokit

Relevant log output

No response

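Added example, not code from @octokit/auth-app or from the issue author: a version of the retry loop quoted above that treats a 403 the same as a 401 inside the replication window, and replaces the hardcoded five-second cutoff with a caller-supplied retry policy callback along the lines of the follow-up idea. The names (RetryPolicy, defaultRetryPolicy, the RetryOptions bag, simulate), the constructed token creation time and the simulated request sequences are all hypothetical; the 1s, 2s, 3s schedule and the "measure elapsed time before the request" choice mirror the original.

```typescript
// Added example (not @octokit/auth-app code). Names and the simulated request
// sequence are hypothetical; the 1s, 2s, 3s schedule mirrors the original.

// status: HTTP status of the failed request; retries: retries so far;
// elapsedMs: time since token creation, measured before the request.
export type RetryDecisionInput = { status: number; retries: number; elapsedMs: number };

// Delay in ms before the next attempt, or null to stop retrying and rethrow.
export type RetryPolicy = (input: RetryDecisionInput) => number | null;

// 401 (token not found yet) and 403 (permissions not replicated yet) both
// mean "stale replica" right after an installation token is created.
export const REPLICATION_DELAY_STATUSES = new Set([401, 403]);
export const FIVE_SECONDS_IN_MS = 5000;

export function defaultRetryPolicy(windowMs: number = FIVE_SECONDS_IN_MS): RetryPolicy {
  return ({ status, retries, elapsedMs }) => {
    if (!REPLICATION_DELAY_STATUSES.has(status)) return null;
    if (elapsedMs >= windowMs) return null;
    return (retries + 1) * 1000; // 1s, 2s, 3s, ...
  };
}

export interface RequestError extends Error {
  status: number;
}

export interface RetryOptions {
  policy?: RetryPolicy;
  sleep?: (ms: number) => Promise<void>; // injectable so tests can fake the clock
  now?: () => number;
  log?: (message: string) => void;
}

export async function sendRequestWithRetries<T>(
  request: () => Promise<T>,
  createdAt: string,
  options: RetryOptions = {},
): Promise<T> {
  const policy = options.policy ?? defaultRetryPolicy();
  const sleep = options.sleep ?? ((ms: number) => new Promise<void>((r) => setTimeout(r, ms)));
  const now = options.now ?? (() => Date.now());
  const log: (message: string) => void = options.log ?? (() => {});
  const createdAtMs = Date.parse(createdAt);
  let retries = 0;
  for (;;) {
    const elapsedMs = now() - createdAtMs;
    try {
      return await request();
    } catch (error) {
      const err = error as RequestError;
      const waitMs = policy({ status: err.status, retries, elapsedMs });
      if (waitMs === null) {
        // Giving up after retrying: say so, so callers can tell a stale replica
        // from a real permission problem or an outage.
        if (retries > 0 && REPLICATION_DELAY_STATUSES.has(err.status)) {
          err.message = `After ${retries} retries within ${elapsedMs / 1000}s of creating the installation access token, the response remains ${err.status}. The cause may be an authentication or permission problem, or a system outage. Please check https://www.githubstatus.com for status information`;
        }
        throw err;
      }
      retries += 1;
      log(`Retrying after ${err.status} response to account for token replication delay (retry: ${retries}, wait: ${waitMs / 1000}s)`);
      await sleep(waitMs);
    }
  }
}

// Drives the loop against a constructed sequence of failing statuses (the
// request succeeds once the sequence is exhausted) with a fake clock, so no
// real time passes. Reports the outcome, the call count and the delays slept.
export async function simulate<T>(
  statuses: number[],
  result: T,
  policy?: RetryPolicy,
): Promise<{ value?: T; error?: RequestError; calls: number; slept: number[] }> {
  const createdAtMs = Date.parse("2024-01-01T00:00:00.000Z"); // constructed creation time
  let clock = 0;
  let calls = 0;
  const slept: number[] = [];
  const request = async (): Promise<T> => {
    const status = statuses[calls++];
    if (status !== undefined) throw Object.assign(new Error(`HTTP ${status}`), { status });
    return result;
  };
  try {
    const value = await sendRequestWithRetries(request, new Date(createdAtMs).toISOString(), {
      policy,
      now: () => createdAtMs + clock,
      sleep: async (ms) => { clock += ms; slept.push(ms); },
    });
    return { value, calls, slept };
  } catch (error) {
    return { error: error as RequestError, calls, slept };
  }
}
```

With the default policy, a 401 followed by a 403 succeeds on the third call after sleeping 1s and 2s, four 401s in a row exhaust the five-second window (elapsed 0s, 1s, 3s, 6s) and rethrow with the annotated message, and a 404 is thrown straight through; `defaultRetryPolicy(10000)` shows the partner's case, where the same four 401s succeed on the fifth call because the wider window allows one more retry.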

Metadata


Assignees

No one assigned

    Labels

    Type: Bug (Something isn't working as documented, or is being fixed)


    Projects

    Status

    🔥 Backlog

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
