fix(settings): keep Refresh result from being clobbered by stale auth check

[joalves]

Summary

• Fixes a race condition in useSettingsForm.checkAuthStatus: when SettingsView mounts, loadConfig auto-runs an auth check against the stored endpoint. If the user changes the endpoint and clicks Refresh before the first response lands, both checks race — and whichever response arrives last writes to React state, so the UI ends up showing auth for the previous endpoint. Tracked with a per-call ID ref so only the latest call's response is honored.
• Hardens the avatar service-worker proxy along the way: derives the endpoint from the avatar URL's origin (so the avatar still loads when storage is empty / settings unsaved) and adds the Strategy-2 Authorization-header fallback that checkAuthentication already does.
• Resets avatarFailed whenever a new auth check starts, so a stale failed-load state can't suppress a successful refresh when the proxy URL string is unchanged.
• Bumps version to 1.5.1.

Test plan

• npx jest background/handlers/__tests__/avatar-proxy.test.ts — 20 passed (4 new)
• npx jest src/hooks/__tests__/useSettingsForm.race-condition.test.tsx — 2 passed (new)
• npx jest --testPathPatterns="(SettingsView|useSettingsForm|auth\.|AuthenticationStatus|avatar)" — 98 passed
• Manual: open Settings, change endpoint URL, click Refresh — auth should now reflect the new endpoint instead of the previous one

Summary by CodeRabbit

Release Notes – v1.5.1

• Bug Fixes

  • Fixed avatar failed state incorrectly persisting across authentication refreshes
  • Resolved race condition where overlapping authentication checks could display stale user data
  • Added JWT authentication retry mechanism for failed initial requests

• New Features

  • Enhanced API key validation with clearer error messaging when authentication is misconfigured

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cedead60-04c9-4028-9ecd-9ee53dd0cf8f

📥 Commits

Reviewing files that changed from the base of the PR and between bbcda78 and cac00f7.

📒 Files selected for processing (6)

• background/handlers/__tests__/avatar-proxy.test.ts
• background/handlers/avatar-proxy.ts
• package.json
• src/components/settings/AuthenticationStatusSection.tsx
• src/hooks/__tests__/useSettingsForm.race-condition.test.tsx
• src/hooks/useSettingsForm.ts

---

Walkthrough

This pull request addresses avatar proxy handling and race conditions in authentication state management. The avatar proxy handler now derives the API origin directly from the avatar URL, constructs auth configuration per method type, and implements JWT retry logic on 401 responses using an Authorization header. The authentication hook now tracks each checkAuthStatus invocation with an incrementing call ID to prevent stale in-flight responses from overwriting the latest state. The UI component resets failed avatar state when a new authentication check begins, and comprehensive test coverage has been added for both the retry mechanism and race condition handling.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Poem

🐰 Hops through the proxy with origin in sight,
JWT retries when met with four-oh-one's bite,
Call IDs dancing to keep state so neat,
No more stale avatars—our race condition's beat!
Version bumped clean, the logic's so tight! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main fix: preventing stale auth check results from overwriting fresh ones in the settings refresh flow.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/auth-refresh-race-condition

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}