Fix awaiting of token refresh request before making any further API requests #20383
Overview
Reproduction
In all the recordings below, I have artificially added a 5-second delay for the /auth/refresh API endpoint just to reproduce this issue more easily & show the "queueing" more clearly. Particularly adding the following code:

right before this line:

directus/api/src/controllers/auth.ts
Line 105 in 09edc03

as well as setting ACCESS_TOKEN_TTL="45s" to make the access token expire faster.

Admittedly I also had to use Edge's sleeping tab function to prevent the constant periodic token refresh in the background. I believe an alternative way to test this would be to disable said periodic token refresh by removing the setTimeout here:

directus/app/src/auth.ts
Lines 129 to 131 in 09edc03
Context
Currently there is logic added by #8827 to await the token refresh request before any further requests are fired:
directus/app/src/api.ts
Lines 28 to 36 in 09edc03
However, the resolve(requestConfig) isn't really blocking code, so queue.start() gets called within milliseconds after queue.pause(), as if it was never paused at all. Here's a look at all the requests firing even when the /auth/refresh request is still pending:
msedge_sAvkqicBkq.mp4
The first commit c9f517c of this PR makes sure requests are queued after the refresh request completes:
msedge_mITAvK3uK1.mp4
However as seen in the video, they are still failing. This is because when they were queued, they were still using the old token, so they will still fail. This is why the second commit f436985 of this PR is meant to make it so they will use the new token:
directus/app/src/auth.ts
Lines 120 to 121 in 3f3db2c
and make sure it's updated in the queued requestConfig when p-queue does call the arrow function:
msedge_gHqS5cN301.mp4
Scope
What's changed:
Potential Risks / Drawbacks
/auth/refresh to finish, even if the old access token has a long valid duration.
Review Notes / Questions
None at the moment
Fixes #18016
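
A simplified model of the three stages this PR description walks through (queue restarted immediately, queue held until the refresh completes, token read when the queued job runs), added here as an example and not taken from the Directus code base. PausableQueue is a constructed stand-in for p-queue, and simulate, holdUntilRefreshed, readTokenAtDequeue and the token strings are assumed names.

```javascript
const sleep = (ms) => new Promise((r) => setTimeout(r, ms));

// Constructed stand-in for p-queue: FIFO, pausable, no concurrency limit.
class PausableQueue {
  constructor() { this.paused = false; this.jobs = []; }
  pause() { this.paused = true; }
  start() { this.paused = false; this.drain(); }
  add(fn) {
    return new Promise((resolve, reject) => {
      this.jobs.push(() => Promise.resolve().then(fn).then(resolve, reject));
      this.drain();
    });
  }
  drain() { while (!this.paused && this.jobs.length) this.jobs.shift()(); }
}

// Hypothetical model: two API calls are issued while a slow refresh is in flight.
async function simulate({ holdUntilRefreshed, readTokenAtDequeue }) {
  const queue = new PausableQueue();
  const client = { token: 'expired-token' };
  let refreshPending = false;
  let sentDuringRefresh = 0;

  const request = async () => {
    const tokenAtEnqueue = client.token; // snapshot taken when the call is queued
    const cfg = await queue.add(() => ({
      token: readTokenAtDequeue ? client.token : tokenAtEnqueue,
    }));
    if (refreshPending) sentDuringRefresh++;
    return cfg.token === 'fresh-token' ? 200 : 401; // fake API accepts only the new token
  };

  const refresh = async () => {
    queue.pause();
    refreshPending = true;
    const done = sleep(20).then(() => { client.token = 'fresh-token'; refreshPending = false; });
    if (holdUntilRefreshed) await done; // keep the queue paused until the refresh resolves
    queue.start();
    await done;
  };

  const refreshing = refresh();
  const statuses = Promise.all([request(), request()]);
  await refreshing;
  return { statuses: await statuses, sentDuringRefresh };
}

for (const [h, r] of [[false, false], [true, false], [true, true]])
  simulate({ holdUntilRefreshed: h, readTokenAtDequeue: r }).then((out) => console.log(h, r, out));
```

Only the last combination returns 200 for both calls: holding the queue stops requests leaving during the refresh, but a token captured at enqueue time is still the expired one when the job finally runs.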