Add `autoSave`/`touchSession` for rolling session expiry management #1116
@aovens-quantifi is attempting to deploy a commit to the Auth0 Team on Vercel. A member of the Team first needs to authorize it.
5300131 to e9fc85a
Thanks for raising this @aovens-quantifi - it's a nice idea. Your option will not have any effect if e.g.

```js
withApiAuthRequired(async function (req, res) {
  // cookie already updated
  const session = await getSession(req, res, false);
});

// or

async function handler(req, res) {
  const at = await getAccessToken(req, res); // cookie already updated
  await getSession(req, res, false);
}
```

I think it would potentially be a good feature, so I'm happy to work on a solution with you. Just so I know the background, what problem are you trying to solve that you can't just use rolling=false? Presumably you want the session duration to be based on the user's last activity but don't want every request to update the cookie expiry? What are your criteria for requests that should update the cookie expiry and requests that shouldn't?
Hey @adamjmcgrath, thanks for the reply. Good catch on the request caching. You're right that every session access for a particular route would need this flag set to false. Ultimately I only need a single route to have this set to false. I need to be able to retrieve the current session expiry without causing it to roll forward. We're using a SPA written in Next, and so any async chatter to the server or activity in another tab will not update my tab's session expiry value. Therefore, before I show the session expiry modal, I need to figure out if it is actually about to expire. To do this I need to get the current value without affecting the current value.
I think allowing this via a request header might make the most sense. Another use case would be if a page has infinite polling. I would argue the polling should not count as "user activity" for the purposes of session timeout.
Hi @aovens-quantifi - thanks for sharing that. Yep, definitely agree this would be a useful feature.
They then both expose a I would be happy to go for something like that. e.g.

```ts
import { touchSession } from '@auth0/nextjs-auth0';

// autoSave default is true (and should only be set to `false` when rolling=true)
const sessionConfig: SessionConfig = { rolling: true, autoSave: false };

// if autoSave is `false` you need to call `touchSession` to update the session
export default async function api(req, res) {
  await touchSession(req, res);
  return { /* ... */ };
}
```
I like it! I'll implement :)
Great! Thanks @aovens-quantifi! Feel free to reach out on this thread if you have any questions
e785812 to ba920a8
@adamjmcgrath This is ready to go :)
That was quick - and it looks great! Thanks @aovens-quantifi! I won't be able to get to this today, but I'll look at it first thing next week (also I'm travelling next week, so it may be a little slow - apologies). In the meantime, could you remove the
This reverts commit ba920a8.
Thanks @aovens-quantifi!
Thanks for your work on this @aovens-quantifi - it got released in https://github.com/auth0/nextjs-auth0/releases/tag/v2.4.0
@adamjmcgrath @aovens-quantifi This fixes an issue I am having with adding an auth0 token onto a graphql call from a server component. But I was wondering if this will impact refresh tokens.
Can you explain your use case a bit more? This feature shouldn't have much effect since the default (when using rolling sessions) is to "touch" the session every time it is accessed. This feature inverts that by only "touching" the session when touchSession is explicitly called.
Yeah no problem. I'm having the same issue but with using getAccessToken() in apolloClient.ts. I am setting up an auth link and using getAccessToken() to get the token to set on the header.
I'm fetching a GraphQL query in one of my server components. I came across the PR from this stackoverflow
📋 Changes
The library does not currently allow getting a session without touching that session (assuming rolling is enabled). In order to properly implement a session expiry modal, there needs to be an ability to get the session expiry time without causing the expiry to be updated. This PR adds a config setting (`autoSave`) that allows disabling automatically updating the session when getting a session. To restore rolling capabilities, a `touchSession` function has been added that will allow control over when the session expiry is updated.

📎 References
🎯 Testing
Unit tests should fully cover this change
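
The effect on idle timeout discussed in this thread, as an added self-contained model (not code from this PR or from nextjs-auth0): background polling keeps a rolling session alive when every read rolls it, but not when only an explicit touch does. The store, the durations, the polling timeline and the expiry formula (idle deadline capped by an absolute lifetime) are all assumptions of this model.

```javascript
// Added model of rolling-session expiry; not code from nextjs-auth0.
// All names below (createStore, ROLLING, ABSOLUTE, ...) are hypothetical.
const ROLLING = 600;    // idle timeout in seconds (constructed value)
const ABSOLUTE = 3600;  // hard lifetime cap in seconds (constructed value)

function createStore({ autoSave }) {
  let session = null;

  // Assumed formula: idle deadline, capped by the absolute lifetime.
  const expiresAt = () =>
    Math.min(session.touchedAt + ROLLING, session.createdAt + ABSOLUTE);
  const alive = (now) => session !== null && now < expiresAt();

  return {
    login(now) { session = { createdAt: now, touchedAt: now }; },
    // Reading rolls the expiry forward only when autoSave is on.
    getSession(now) {
      if (!alive(now)) return null;
      if (autoSave) session.touchedAt = now;
      return { expiresAt: expiresAt() };
    },
    // Explicit roll, meant for requests that reflect real user activity.
    touchSession(now) {
      if (!alive(now)) return false;
      session.touchedAt = now;
      return true;
    },
  };
}

// Constructed timeline: login at t=0, then a background poll every 300 s.
// Returns the last poll time (seconds) at which the session was still live.
function lastAliveUnderPolling(autoSave, userActivityAt = []) {
  const store = createStore({ autoSave });
  store.login(0);
  let last = 0;
  for (let t = 300; t <= 7200; t += 300) {
    if (userActivityAt.includes(t)) store.touchSession(t);
    if (store.getSession(t) === null) break;
    last = t;
  }
  return last;
}
```

With `autoSave` on, the polling tab stays logged in until the absolute cap; with it off, the session ends one idle window after the last explicit touch, and a read can report the expiry to a warning modal without moving it.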