test / handle token renewal failure when disabled 3rd party cookies

[camallen]

Related zooniverse/panoptes-javascript-client#76

Currently users blocking 3rd party cookies can't log in. After the above client fix is deployed and included into this app those users will be able to log in but won't be able to refresh a token using the iframe technique we currently use (it uses a 3rd party cookie).

I believe that this will leave the UI appearing logged in but the API will have no authentication token. This will impact on the subjects we show a user and may lead to many duplicates being show.

If my understanding is correct the app only emits the auth:loginChange event from signIn() through a page reload (relys on location.assigns in the oauth.js lib?) and SignOut() event emitting directly for the on change function to update the user data.

If what i believe is correct (I will be very happy to be wrong) then we need a way to subscribe to the failure to renew token event in the panoptes-javscript oauth code and update the user details through the on change function above.

This will need to be tested once zooniverse/panoptes-javascript-client#76 is in and we can decide the best way to address it then.

[VVH]

I think this current state of affairs also explains why some users counters get stuck. Is that right?

[camallen]

I can't see how the current code could trigger this. Before the recent changes for the the client (not sure if it's deployed), then the affected users could not log in at all.

However the issue of token expiration without a renewal explains all the bugs folks are experiencing on the site, I can't get any definitive timing from users unfortunately. I plan to test the new changes when they are deployed to see if my fears are real. If so we will have to expand the client / coupling with the calling app to provide a way to signal that the user is logged out to the UI.

[eatyourgreens]

Cam's right. Volunteers who disabled third-party cookies could not log in at all, so they won't have any count of pages done so far. I've just updated www.shakespearesworld.org to fix the initial log-in problem, but they won't stay logged in if they're on the site for two hours or more without logging in again.

[camallen]

I've tested on SW running the updated client to allow blocked 3rd party cookies to login. I can confirm that a session left open for longer than 2 hours will not renew the token, the UI does not update to signify i am logged out and the api client still uses the old token for all API requests.

[VVH]

Interesting, thanks both. Is it possible for the user to see a pop-up every 1.5 hours asking them to sign in again? Not elegant, but it would work, right? Or are the other ideas you're discussing better solutions longterm?

[eatyourgreens]

👍 to alerting the user if the token refresh fails. A question for @simoneduca in terms of actual implementation, though. The API client has a beforeEveryRequest() hook that could be used to check logged-in status.

[simoneduca]

Aha, that looks good. It already checks token! Thanks, @eatyourgreens

[simoneduca]

Even more useful, oauth module exposes a isTokenStillValid method.

[eatyourgreens]

That isTokenStillValid method always returns false, because tokenDetails.started_at is undefined.