Add OAuthModel InternetAccount token refresh #3175
@@ -152,9 +153,17 @@ const stateModelFactory = (configSchema: OAuthInternetAccountConfigModel) => { | |||
|
|||
if (!response.ok) { | |||
self.removeToken() | |||
let errorMessage | |||
const contentType = response.headers.get('Content-Type') |
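Review bot: `response.headers.get('Content-Type')` on the last line of this hunk returns `null` when the error response carries no such header, and a present value can include parameters such as `; charset=utf-8`, so the check that follows should be null-safe and match the media type with something like `contentType?.includes('application/json')` rather than by equality. Separately, `self.removeToken()` runs for every non-OK response before the status or body is inspected; it is worth confirming that discarding the token is intended for transient server errors as well as for authorization failures.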
there is a chance this could trigger CORS warnings, but it might be ok. one alternative could be using response.json() despite content-type or something i've done elsewhere where i don't know if the response will be json

```js
let text = await response.text();
try {
  let obj = JSON.parse(text);
  /* do json stuff here */
} catch (e) {
  /* just text */
}
```
random link saying Content-Type might be an explicit Access-Control-Allow-Headers CORS header https://stackoverflow.com/questions/5027705/error-content-type-is-not-allowed-by-access-control-allow-headers
went ahead with adding this, and then merged to main :) if interested can test out main branch!
Hi, @cmdcolin that example you linked is about setting Content-Type in a request, not reading it off a response.
But I think I know what you mean. AFAIK this could be a problem in the "no-cors" request, but since this is oAuth and we need to send an Authorization header it shouldn't be a problem.
Sorry for a late reply
I don't have a system to test this but I imagine it should be fine to go. I added a small review comment about parsing json response
Making the assembly loading go through the auth pipeline in a more standard way could be a useful follow up PR. Two options would be 1) making everything in general less dependent on having it go through RPC system to do the auth stuff, or
Originally (way back in very early versions) we did (2), but then made it not use a worker for loading assembly because it incurred downloading an extra worker js file which was large. We've since done a lot of bundle size work so we could possibly try out putting assembly loading in rpc again
Hi, @cmdcolin. I was looking at 1), but as we spoke on gitter I realized the potential issue with interaction with a user from web worker thread. Currently, there still could be an issue if user:
This may result in an error, but now refreshing the page after this error at least will request a new token.
went ahead and made this a new issue in #3194 !
OAuthModel supports refresh tokens, but because of how getToken() is implemented it exchanges the refresh token only once and does not pull a new one when the currently used one expires.
This change adds a validator that checks the currently used auth token for expiration and tries to use the refresh token to get a new one. If that fails, it removes the refresh token to force full re-authorization.
There still might be a problem if a user restarts a previous (authorized) session exactly on the assembly selection page, because assemblies do not use the same data loading flow and thus do not use getPreAuthorizationInformation(), but this is a very specific example and I didn't encounter it last week when I was testing this change, since local file caching seems to bypass this problem.
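The flow this description outlines, as an added example that is not the PR's or JBrowse's own code: check the stored token for expiry, exchange the refresh token, and drop the refresh token when the exchange fails. It assumes the access token is a JWT with an `exp` claim; `jwtExpiry`, `tokenAction`, `getValidToken`, the `store` object and the `exchangeRefreshToken` callback (standing in for the POST to the token endpoint) are hypothetical names.

```javascript
// Added example, not JBrowse code. Assumption: the access token is a JWT with
// an `exp` claim (seconds since epoch). All names below are hypothetical.
const SKEW_SECONDS = 30 // treat a token that is about to expire as expired

// Reads `exp` without verifying the signature; it only decides when to refresh.
function jwtExpiry(token) {
  const parts = String(token).split('.')
  if (parts.length !== 3) return undefined
  try {
    const { exp } = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'))
    return typeof exp === 'number' ? exp : undefined
  } catch {
    return undefined // not a JSON payload: opaque token, expiry unknown
  }
}

// 'use' the stored token, 'refresh' it, or fall back to full 'reauthorize'
function tokenAction(store, nowSec) {
  const exp = store.accessToken ? jwtExpiry(store.accessToken) : undefined
  if (exp !== undefined && exp - SKEW_SECONDS > nowSec) return 'use'
  return store.refreshToken ? 'refresh' : 'reauthorize'
}

async function getValidToken(store, exchangeRefreshToken, nowSec = Date.now() / 1000) {
  const action = tokenAction(store, nowSec)
  if (action === 'use') return store.accessToken
  store.accessToken = undefined // expired or unverifiable: do not hand it out
  if (action === 'refresh') {
    try {
      const res = await exchangeRefreshToken(store.refreshToken)
      if (!res.access_token) throw new Error('no access_token in response')
      store.accessToken = res.access_token
      // rotating servers return a new refresh token; otherwise keep the old one
      if (res.refresh_token) store.refreshToken = res.refresh_token
      return store.accessToken
    } catch {
      store.refreshToken = undefined // failed exchange: force full re-authorization
    }
  }
  throw new Error('re-authorization required')
}

// Constructed, unsigned sample token for trying the functions above
function makeSampleJwt(exp) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
  return `${enc({ alg: 'none' })}.${enc({ exp })}.constructed`
}
```

The skew margin keeps a token that would expire mid-request from being used, and clearing the refresh token in the `catch` branch is what makes the next call return `'reauthorize'` instead of retrying a dead grant.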