fix: improve websocket error handling with proper error classification and actionable messages

Stop infinite retry loops on permanent websocket errors (permission denied,
auth failures). Detect error type and show clear, actionable messages instead
of raw websocket close frames.

Changes:
- Add shared error classifier (IsPermissionError, IsPermanentCloseError, IsInternalServerError)
- Attempt token refresh once on 1008 auth errors (JWT only, not env tokens)
- Gate dial-level refresh on HTTP 401/403 to avoid corrupting stored credentials
- Reset refresh guards after successful connection for long-lived sessions
- Show minimum required role (Deployer) on permission denied
- Show cluster health message on 1011 (treated as transient, retries)
- Stop retry loop and exit cleanly on permanent errors (1007, 1008)
- Replace log.Fatal with log.Errorf in port-forward (don't kill listener)
- Handle SIGINT alongside SIGTERM, Ctrl+C support when not connected
- Drain done channel after write/ping errors to capture real close frame

Author: Guimove

pkg/log.go

@@ -2,6 +2,7 @@ package pkg
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"github.com/gorilla/websocket"
 	"github.com/qovery/qovery-cli/utils"
@@ -28,9 +29,16 @@ type LogMessage struct {
 }
 
 func ExecLog(req *LogRequest) {
-	wsConn, err := createLogWebsocket(req)
+	wsConn, resp, err := createLogWebsocket(req)
 	if err != nil {
-		log.Fatal("error while creating websocket connection", err)
+		if !utils.IsUsingEnvToken() && IsAuthDialError(resp) {
+			if _, refreshErr := utils.ForceRefreshAccessToken(); refreshErr == nil {
+				wsConn, _, err = createLogWebsocket(req)
+			}
+		}
+		if err != nil {
+			log.Fatal(ConnectionFailedMessage(err))
+		}
 	}
 	defer func() {
 		if err := wsConn.Close(); err != nil {
@@ -42,7 +50,14 @@ func ExecLog(req *LogRequest) {
 	for {
 		_, msg, err := wsConn.ReadMessage()
 		if err != nil {
-			if e, ok := err.(*websocket.CloseError); ok {
+			if IsPermanentCloseError(err) {
+				log.Fatal(PermanentErrorMessage(err, "Logs"))
+			}
+			if IsInternalServerError(err) {
+				log.Fatal(ServiceUnavailableMessage("Logs"))
+			}
+			var e *websocket.CloseError
+			if errors.As(err, &e) {
 				log.Error("connection closed by server: ", e)
 				return
 			}
@@ -62,7 +77,7 @@ func ExecLog(req *LogRequest) {
 	}
 }
 
-func createLogWebsocket(req *LogRequest) (*websocket.Conn, error) {
+func createLogWebsocket(req *LogRequest) (*websocket.Conn, *http.Response, error) {
 	wsURL, err := url.Parse(fmt.Sprintf(
 		"%s/service/logs?service=%s&cluster=%s&environment=%s&organization=%s&project=%s",
 		utils.WebsocketUrl(),
@@ -73,20 +88,20 @@ func createLogWebsocket(req *LogRequest) (*websocket.Conn, error) {
 		req.ProjectID,
 	))
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	tokenType, token, err := utils.GetAccessToken()
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	headers := http.Header{"Authorization": {utils.GetAuthorizationHeaderValue(tokenType, token)}}
-	wsConn, _, err := websocket.DefaultDialer.Dial(wsURL.String(), headers)
+	wsConn, resp, err := websocket.DefaultDialer.Dial(wsURL.String(), headers)
 	if err != nil {
-		return nil, err
+		return nil, resp, err
 	}
-	return wsConn, nil
+	return wsConn, resp, nil
 }
 
 type Timestamp struct {

pkg/port-forward.go

@@ -40,6 +40,9 @@ func (w WebsocketPortForward) Read(p []byte) (n int, err error) {
 	for {
 		msgType, msg, err := w.ws.ReadMessage()
 		if err != nil {
+			if IsPermanentCloseError(err) {
+				log.Error(PermanentErrorMessage(err, "Port-forward"))
+			}
 			return 0, err
 		}
 
@@ -55,32 +58,32 @@ func (w WebsocketPortForward) Read(p []byte) (n int, err error) {
 	}
 }
 
-func mkWebsocketConn(req *PortForwardRequest) (*WebsocketPortForward, error) {
+func mkWebsocketConn(req *PortForwardRequest) (*WebsocketPortForward, *http.Response, error) {
 	command, err := query.Values(req)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	wsURL, err := url.Parse(fmt.Sprintf("%s/shell/portforward", utils.WebsocketUrl()))
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	pattern := regexp.MustCompile("%5B([0-9]+)%5D=")
 	wsURL.RawQuery = pattern.ReplaceAllString(command.Encode(), "[${1}]=")
 
 	tokenType, token, err := utils.GetAccessToken()
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	headers := http.Header{"Authorization": {utils.GetAuthorizationHeaderValue(tokenType, token)}}
-	wsConn, _, err := websocket.DefaultDialer.Dial(wsURL.String(), headers)
+	wsConn, resp, err := websocket.DefaultDialer.Dial(wsURL.String(), headers)
 	if err != nil {
-		return nil, err
+		return nil, resp, err
 	}
 
 	ws := WebsocketPortForward{ws: wsConn}
-	return &ws, nil
+	return &ws, resp, nil
 }
 
 func ExecPortForward(req *PortForwardRequest) {
@@ -122,9 +125,17 @@ func handleConnection(con net.Conn, req *PortForwardRequest) {
 		}
 	}()
 
-	wsConn, err := mkWebsocketConn(req)
+	wsConn, resp, err := mkWebsocketConn(req)
 	if err != nil {
-		log.Fatal("error while creating websocket connection", err)
+		if !utils.IsUsingEnvToken() && IsAuthDialError(resp) {
+			if _, refreshErr := utils.ForceRefreshAccessToken(); refreshErr == nil {
+				wsConn, _, err = mkWebsocketConn(req)
+			}
+		}
+		if err != nil {
+			log.Error(ConnectionFailedMessage(err))
+			return
+		}
 	}
 	defer func() {
 		if err := wsConn.ws.Close(); err != nil {