Add OAuthModel InternetAccount token refresh #3175
Conversation
github-actions
bot
added
the
needs label triage
andrzejgrzelak
changed the title
cmdcolin
added
bug
| @@ -152,9 +153,17 @@ const stateModelFactory = (configSchema: OAuthInternetAccountConfigModel) => { | |||
|
|
|||
| if (!response.ok) { | |||
| self.removeToken() | |||
| let errorMessage | |||
| const contentType = response.headers.get('Content-Type') | |||
There was a problem hiding this comment.
there is a chance this could trigger CORS warnings, but it might be ok. one alternative could be using response.json() despite content-type or something i've done elsewhere where i don't know if the response will be json let text = await response.text(); try { let obj= JSON.parse(text); /* do json stuff here */ } catch(e) { /* just text */; }
There was a problem hiding this comment.
random link saying Content-Type might be an explicit Access-Control-Allow-Headers CORS header https://stackoverflow.com/questions/5027705/error-content-type-is-not-allowed-by-access-control-allow-headers
There was a problem hiding this comment.
went ahead with adding this, and then merged to main :) if interested can test out main branch!
There was a problem hiding this comment.
Hi, @cmdcolin that example you linked is about setting Content-Type in a request, not reading it off a response.
But I think I know what you mean. AFAIK this could be a problem in the "no-cors" request, but since this is oAuth and we need to send an Authorization header it shouldn't be a problem.
Sorry for a late reply
|
I don't have a system to test this but I imagine it should be fine to go. I added a small review comment about parsing json response |
|
Making the assembly loading go through the auth pipeline in a more standard way could be a useful follow up PR. Two options would be 1)making everthing in general less dependent on having it go through RPC system to do the auth stuff, or Originally (way back in very early versions) we did (2), but then made it not use a worker for loading assembly because it incurred downloading an extra worker js file which was large. We've since done a lot of bundle size work so we could possibly try out putting assembly loading in rpc again |
|
Hi, @cmdcolin. I was looking at 1), but as we spoke on gitter I realized the potential issue with interaction with a user from web worker thread. Currently, there still could be an issue if user:
This may result in an error, but now refreshing the page after this error at least will request a new token. |
|
went ahead and made this a new issue in #3194 ! |
OAuthModel is supporting refresh tokens, but because of how getToken() is implemented it exchanges refresh token only once and does not pull new one when currently used one expires.
This change adds a validator that checks the currently used auth token for expiration and tries to use refresh token to get a new one. If that fails it removes refresh token to force full re-authorization.
There still might be a problem if a user will re-start a previous (authorized) session exactly on the assembly selection page because assemblies do not use the same data loading flow and thus do not use getPreAuthorizationInformation(), but this is a very specific example and I didn't encounter it last week I was testing this change since local file caching seems to bypass this problem.