An expired token is not "authorized"

[bramski]

Part of initialization checks for the token, and can get it from session storage. When it does so, it really needs to check for expiration. An expired token is definitely not valid.

Optionally, it would be good to allow for a check of the token which would ensure it's validity. But simply checking the expiry would be a really easy step. I will likely have a PR for this very soon.

[m00s]

@bramski Would be great! Thanks man!

[piotrb]

Well, it seems like oauth:authorized isn't actually authorized. It seems its called super early in the cycle, its almost just oauth:fetchedTokenFromStorage, it even may be expired at this point.

There is no good final callback that you can use to "guarantee" that the token is good to use, if we start running code out of oauth:authorized it seems like it would potentially attempt things with an invalid token, then told to abort when oauth:logout, oauth:expired fire ..

[bramski]

Yeah. I think the check of validity before oauth:authorized would be good. I have that in the local fork @piotrb. It would be good to have an oauth:valid callback to know that the token's validity has been checked against the oauth server ... and consequently oauth:invalid when it's discovered to not be any longer.

[piotrb]

it seems like oauth:expired fires on oauth:invalid which is not terrible, just a bit gross. I guess the smallest increment here would be to add oauth:valid that fires after the call to the session-path

[piotrb]

oauth:authorized just seems to be unfortunately named, but perhaps should stay for legacy sake, perhaps also side by side a newer event oauth:loaded or something .. and eventually deprecate listening to oauth:authorized

[bramski]

PR: #116