Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix silent error in token refresh #581

Closed
wants to merge 2 commits into from

Conversation

kanalo-shrek
Copy link

This fixes the Scenario where if refresh is passed as true and no refresh token is present there is a silent failure

If AccessTokenRequest is requested with refresh: true and no refresh_token is present in the session, there is no error thrown esp if there is an existing session, this causes a silent error.

…ken is present there is a silent failure

If `AccessTokenRequest` is requested with `refresh: true` and no refresh_token is present in the session, there is no error thrown esp if there is an existing session, this causes a silent error.
@kanalo-shrek kanalo-shrek requested a review from a team as a code owner January 22, 2022 02:48
@vercel
Copy link

vercel bot commented Jan 22, 2022

@kanalo-shrek is attempting to deploy a commit to the Auth0 Team on Vercel.

A member of the Team first needs to authorize it.

// There is an edge case where we might have some clock skew where our code assumes the token is still valid.
// Adding a skew of 1 minute to compensate.
if (!session.refreshToken && session.accessTokenExpiresAt * 1000 - 60000 < Date.now()) {
throw new AccessTokenError(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @kanalo-shrek - can you fix the case where The access token expired and a refresh token is not available

and also add a test case for the scenario that you've introduced

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah I was relying on both the cases, but your comment on detecting the errors early makes sense, just for the sake of readability though do you feel like the SDK should declare variables as const hasAccessTokenExpired = ... etc, instead of repeating the same logic everywhere?

Copy link
Contributor

@adamjmcgrath adamjmcgrath Jan 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, thats true, although you don't need to touch that part of the code for your change (just add a couple of lines for the !refreshToken && refresh if statement and a single test case for it)

// Check if the token has expired.
// There is an edge case where we might have some clock skew where our code assumes the token is still valid.
// Adding a skew of 1 minute to compensate.
if (!session.refreshToken) {
Copy link
Contributor

@adamjmcgrath adamjmcgrath Jan 27, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, for readability, rather than nesting these if branches, can you create a top level one, along the lines of

if (!session.refreshToken && accessTokenRequest?.refresh) {
  throw new AccessTokenError('no_refesh_token', ...)
}

@adamjmcgrath
Copy link
Contributor

Hi @kanalo-shrek - let me know if you'd like to continue this review, if not - we'll add something to our backlog to fix

@kanalo-shrek
Copy link
Author

Hey @adamjmcgrath haven't had a chance to update your comments, might take this out this week-ish.

@adamjmcgrath
Copy link
Contributor

Superseded by #624

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants