Comments (11)
Any update or workaround for this?
This is a critical problem for my project.
from nhost-js-sdk.
@noverby Interesting, I've been debugging a similar error in React Native. When the app is backgrounded, and then put into a low battery mode / dormant state, when then opened again there's a double try sometimes with the same token causing a logout.
Been really hard to debug and get a reproducible example, but this can very well be a similar case so if this is solved then it should also solve the RN case!
from nhost-js-sdk.
We don't sync refresh token requests across tabs. You're probably experiencing a race condition.
How can we solve this?
One way would allow refresh tokens to be active for a few seconds after they've been used.
from nhost-js-sdk.
That's a possible solution, would it lead to multiple valid refresh tokens per "session" though?
Another solution would require saving the JWT to localstorage but then you could use localstorage to sync browser tabs using localstorage events. You would have to introduce some "jitter" to your auto refresh timer so two browser tabs don't try and refresh at the same time.
from nhost-js-sdk.
That could work. Or a simple boolean flag indicating if a refresh token request is in transit or not?
from nhost-js-sdk.
I think that could work. So if the second tab tried to refresh the JWT while the first was refreshing, it could retry with the new refresh token retrieved from the first tab's refresh?
The downside being more token refreshes (one per tab, every refresh) but the upside being you don't have to persist the JWT.
from nhost-js-sdk.
Ah, now I understand the problem better. Each tab has a separate JWT token (in memory per tab) but they share the refresh token via localStorage.
How many tabs do you have open of the same application for this to be a problem? :D
I'll think about this problem during the weekend. If you have some more ideas just post it here! 👍
from nhost-js-sdk.
I ran into it with just two tabs! Thanks for your time!
from nhost-js-sdk.
I'm able to have multiple tabs open at the same time without having this issue.
The only thing I can think about causing this issue would be some kind of race condition, similar to this:
https://github.com/nhost/nhost-js-sdk/blob/master/src/Auth.ts#L564-L567
What I could do is replace the internal variable with clientStorage (localStorage in the browser) so the lock would be tied to all tabs in a browser.
Any other ideas on what would cause this?
from nhost-js-sdk.
@elitan it is definitely a race condition.
I can only reproduce the issue if I open 2 additional tabs (other than the original tab) at the same time.
The cause of the issue is that tab 2 and tab 3 try to use the same refreshToken from tab 1 to run _refreshToken().
One of them will run httpClient.get("/token/refresh") first and be successful, and the other will fail since it uses the now outdated token from tab 1.
When the other tab fails, it will trigger a logout.
I tried to create a locking solution with localStorage, as you suggested, but it does not work, since the locking variable is not properly synched between the tabs.
We would need to use IndexedDB to have a locking variable, that is properly synched between tabs.
from nhost-js-sdk.
@noverby @elitan I've been thinking about this. What about doing the edit on the backend that if the same token is received within a certain time window (e.g. 5 seconds) then the second request is ignored / silent fail.
If a 401 isn't sent back, then it won't cause a logout and the client can just try again with a different token?
from nhost-js-sdk.
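The server-side grace window discussed in the comments above, as an added example that is not part of the thread or of nhost's code: instead of silently ignoring the second request, this variant hands a concurrent tab the successor token already issued, so the session never holds more than one unused refresh token. The class, method and option names are hypothetical, and an in-memory `Map` stands in for the token table.

```javascript
// Added example: in-memory model of server-side refresh-token rotation.
// Class, method and option names are hypothetical, not nhost's backend API.
const cryptoImpl = typeof require === "function" ? require("crypto") : globalThis.crypto;

class RefreshTokenStore {
  constructor({ graceMs = 5000, now = () => Date.now() } = {}) {
    this.graceMs = graceMs;   // how long a just-rotated token is still honoured
    this.now = now;           // injectable clock so the race can be replayed
    this.tokens = new Map();  // token -> { userId, usedAt, successor }
  }

  issue(userId) {
    const token = cryptoImpl.randomUUID();
    this.tokens.set(token, { userId, usedAt: null, successor: null });
    return token;
  }

  refresh(token) {
    const rec = this.tokens.get(token);
    if (!rec) return { status: 401 };
    if (rec.usedAt === null) {
      // First use: rotate, and remember which token replaced this one.
      rec.usedAt = this.now();
      rec.successor = this.issue(rec.userId);
      return { status: 200, refreshToken: rec.successor };
    }
    const succ = this.tokens.get(rec.successor);
    const inGrace = this.now() - rec.usedAt <= this.graceMs;
    if (inGrace && succ && succ.usedAt === null) {
      // Concurrent tab: return the SAME successor, so the session
      // still has exactly one unused refresh token.
      return { status: 200, refreshToken: rec.successor };
    }
    // Late reuse: reject, since this can also mean the token was copied.
    return { status: 401 };
  }
}

// Replays the thread's race: two tabs send the same token delayMs apart.
function simulateTwoTabs(graceMs, delayMs) {
  let clock = 0;
  const store = new RefreshTokenStore({ graceMs, now: () => clock });
  const shared = store.issue("user-1"); // constructed sample user id
  const tabA = store.refresh(shared);
  clock += delayMs;
  const tabB = store.refresh(shared);
  const unused = [...store.tokens.values()].filter((r) => r.usedAt === null).length;
  return { tabA, tabB, unused };
}

console.log(simulateTwoTabs(5000, 50), simulateTwoTabs(0, 50));
```

With `graceMs` set to 0 the second tab gets the 401 that triggers the logout described in the thread; with a 5-second window both tabs end up holding the same new token.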