Fix silent error in token refresh #581
This fixes the scenario where, if `refresh` is passed as `true` and no refresh token is present, there is a silent failure. If `AccessTokenRequest` is requested with `refresh: true` and no refresh_token is present in the session, there is no error thrown, especially if there is an existing session; this causes a silent error.
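To make the failure mode concrete, here is an added example in TypeScript; it is not the SDK's own code. It shows a fail-closed version of the check this PR is about: a forced refresh with no refresh token throws instead of silently returning the cached token, the expired-without-refresh-token case throws as well, and the one-minute clock-skew allowance from the diff is applied in the safe direction. The `Session` and `AccessTokenRequest` shapes, the function names `decideAccessTokenAction`, `describeOutcome` and `demo`, and the `missing_session` and `access_token_expired` error codes are assumptions; `no_refresh_token` and the skew value come from the diff and review comments on this page.

```typescript
// Added example, not the SDK's own code. The Session and AccessTokenRequest
// shapes, the function names and the 'missing_session' / 'access_token_expired'
// codes are assumptions; 'no_refresh_token' and the one-minute skew follow the PR.

interface Session {
  accessToken?: string;
  refreshToken?: string;
  accessTokenExpiresAt?: number; // seconds since the epoch, as in the diff
}

interface AccessTokenRequest {
  refresh?: boolean;
}

class AccessTokenError extends Error {
  readonly code: string;
  constructor(code: string, message: string) {
    super(message);
    Object.setPrototypeOf(this, AccessTokenError.prototype); // keep instanceof working under ES5 targets
    this.name = 'AccessTokenError';
    this.code = code;
  }
}

type TokenAction = 'use_cached' | 'refresh';

// One minute of clock-skew allowance, the `- 60000` in the diff.
const SKEW_MS = 60000;

// A token within SKEW_MS of its expiry already counts as expired, so skew fails
// closed: we refresh slightly early rather than hand out an expired token.
function hasAccessTokenExpired(session: Session, nowMs: number): boolean {
  if (session.accessTokenExpiresAt === undefined) {
    return false;
  }
  return session.accessTokenExpiresAt * 1000 - SKEW_MS < nowMs;
}

// Decide whether the cached token can be used or a refresh is needed; every
// branch that cannot yield a valid token throws, so nothing fails silently.
// `nowMs` is injectable so the expiry branches can be tested deterministically.
function decideAccessTokenAction(
  session: Session | null,
  req: AccessTokenRequest = {},
  nowMs: number = Date.now()
): TokenAction {
  if (!session || !session.accessToken) {
    throw new AccessTokenError('missing_session', 'The user does not have a valid session.');
  }
  // Top-level guard, the shape asked for in review: a forced refresh with no
  // refresh token is an error even while the cached token is still valid.
  if (req.refresh && !session.refreshToken) {
    throw new AccessTokenError('no_refresh_token', 'A refresh was requested but the session has no refresh token.');
  }
  const expired = hasAccessTokenExpired(session, nowMs);
  if (expired && !session.refreshToken) {
    throw new AccessTokenError('access_token_expired', 'The access token has expired and no refresh token is available.');
  }
  return expired || req.refresh ? 'refresh' : 'use_cached';
}

// The action taken, or 'error:<code>' for the AccessTokenError that was thrown.
function describeOutcome(session: Session | null, req: AccessTokenRequest = {}, nowMs: number = Date.now()): string {
  try {
    return decideAccessTokenAction(session, req, nowMs);
  } catch (e) {
    if (e instanceof AccessTokenError) {
      return 'error:' + e.code;
    }
    throw e;
  }
}

// Constructed sample sessions: placeholder token strings and a fixed clock.
const NOW_MS = 1700000000000;
const NOW_S = NOW_MS / 1000;

function demo(): string[] {
  const cases: Array<[string, Session | null, AccessTokenRequest]> = [
    ['valid token, refresh token present', { accessToken: 'at', refreshToken: 'rt', accessTokenExpiresAt: NOW_S + 3600 }, {}],
    ['valid token, refresh: true, no refresh token', { accessToken: 'at', accessTokenExpiresAt: NOW_S + 3600 }, { refresh: true }],
    ['expired token, no refresh token', { accessToken: 'at', accessTokenExpiresAt: NOW_S - 10 }, {}],
    ['token expiring in 30s (inside skew window)', { accessToken: 'at', refreshToken: 'rt', accessTokenExpiresAt: NOW_S + 30 }, {}],
    ['no session', null, {}],
  ];
  return cases.map(([label, session, req]) => label + ' -> ' + describeOutcome(session, req, NOW_MS));
}

console.log(demo().join('\n'));
```

The second sample case is the one this PR is about: the cached token is still valid, so an expiry-only check would return it, but the caller asked for a refresh that cannot be performed, and the guard turns that into a visible `no_refresh_token` error.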
@kanalo-shrek is attempting to deploy a commit to the Auth0 Team on Vercel. A member of the Team first needs to authorize it.
// There is an edge case where we might have some clock skew where our code assumes the token is still valid.
// Adding a skew of 1 minute to compensate.
if (!session.refreshToken && session.accessTokenExpiresAt * 1000 - 60000 < Date.now()) {
throw new AccessTokenError(
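Review bot: The guard `if (!session.refreshToken && session.accessTokenExpiresAt * 1000 - 60000 < Date.now())` only throws when both conditions hold, so a request with `refresh: true` against a session that has no refresh token but a still-valid access token falls through without an error, which is exactly the silent failure this PR sets out to fix. Check the forced-refresh case as its own condition (`refresh && !session.refreshToken`) and throw there regardless of expiry, and keep the expiry check as a separate branch so that "expired and no refresh token" also throws. The `- 60000` skew makes a token count as expired one minute early, which is the safe direction; a test that pins the clock to a value just inside that window would document the behaviour.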
Hi @kanalo-shrek - can you fix the case where the access token expired and a refresh token is not available, and also add a test case for the scenario that you've introduced?
Ah, I was relying on both the cases, but your comment on detecting the errors early makes sense. Just for the sake of readability, though, do you feel like the SDK should declare variables such as `const hasAccessTokenExpired = ...` etc., instead of repeating the same logic everywhere?
Yes, that's true, although you don't need to touch that part of the code for your change (just add a couple of lines for the `!refreshToken && refresh` if statement and a single test case for it).
// Check if the token has expired.
// There is an edge case where we might have some clock skew where our code assumes the token is still valid.
// Adding a skew of 1 minute to compensate.
if (!session.refreshToken) {
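Review bot: The three comment lines above `if (!session.refreshToken) {` describe an expiry check with a one-minute skew, but the condition they now sit on only tests for the absence of a refresh token, so the comments no longer match the code. Move them back onto the expiry check and, rather than nesting the refresh-token case inside it, make it a top-level guard along the lines of `if (!session.refreshToken && accessTokenRequest?.refresh) { throw new AccessTokenError('no_refresh_token', ...) }`, with a unit test that covers it.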
Also, for readability, rather than nesting these if branches, can you create a top-level one, along the lines of

```js
if (!session.refreshToken && accessTokenRequest?.refresh) {
  throw new AccessTokenError('no_refresh_token', ...)
}
```
Hi @kanalo-shrek - let me know if you'd like to continue this review; if not, we'll add something to our backlog to fix.

Hey @adamjmcgrath, haven't had a chance to update your comments, might take this out this week-ish.

Superseded by #624