Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can sessions persist, or do they need to be constantly refreshed? #1057

Closed
GreenFootballs opened this issue May 17, 2023 · 8 comments
Closed

Can sessions persist, or do they need to be constantly refreshed? #1057

GreenFootballs opened this issue May 17, 2023 · 8 comments

Comments

@GreenFootballs
Copy link

I've noticed that sessions created with atproto.server.createSession only last for a short time, and then need to be refreshed with the refreshJwt token and atproto.server.refreshSession.

Is there a way to make a session persist longer, or indefinitely? If not, would there be any problem with always calling atproto.server.refreshSession and saving the new tokens before any other operation?
@Matrix89
Copy link
Contributor

I assume you're not using the default @atproto/api client as it automatically refreshes the session for you.

No, access token expiration time is handled server side and by default it's set to 120 minutes, same goes for the refresh token but it's set for 90 days.

Ideally you shouldn't call refreshSession needlessly, because:

  • It's wasteful
  • It adds latency because you have to make multiple calls
  • It eats up your quota, currently 3000 requests per 5 minutes IIRC

But if you're just testing that shouldn't be a problem

@GreenFootballs
Copy link
Author

So the way to handle this would be to attempt to call atproto.repo.createRecord (for example) and if it fails with an expired token, then do the refresh?

I guess atproto.server.getSession could be used to check for expired tokens, but again that's another call.

@thepudds
Copy link

It eats up your quota, currently 3000 requests per 5 minutes IIRC

Quick side question: is there any documentation of the quota? And might it return 403 errors if the quota is exceeded? (I saw some 403 errors that stopped happening after a few minutes).

(And sorry, probably wrong place to ask).

@Matrix89
Copy link
Contributor

@GreenFootballs Yep, that's how @atproto/api does it

@Matrix89
Copy link
Contributor

@thepudds That's all I know #697 (reply in thread)

@GreenFootballs
Copy link
Author

Thanks. (BTW I really appreciate the quick responses to questions.)

@dholms
Copy link
Collaborator

dholms commented May 17, 2023

Yup @Matrix89 nailed it

When we get around to doing an auth revamp, we'll add in something for longstanding tokens, for something like bots.

But access tokens are stateless and therefore must have a short expiration time.

I believe we do return 403 when being rate-limited. Did you receive something else?

(closing for now, but feel free to continue chatting)

@dholms dholms closed this as completed May 17, 2023
@thepudds
Copy link

Hi @dholms

I believe we do return 403 when being rate-limited. Did you receive something else?

I received a set of 403s while testing some things, and my guess was I was being rate limited, but I wasn't sure of the cause at the time.

Thanks @dholms and @Matrix89 for the quick answers!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@GreenFootballs @dholms @Matrix89 @thepudds