-
Notifications
You must be signed in to change notification settings - Fork 979
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth?method=getToken happening 5x per page request (using dbAuth) #4739
Comments
Using dbAuth? cc @cannikin |
You'll get one for every I've theorized it would be nice to somehow only make one of these requests per "page" but I don't know how we'd go about doing that...the way the auth code is currently written when you use the You might be able to get around this today by doing a single |
I've been trying to figure out useContext, this is a great excuse for that. |
And yes, this is using dbAuth. |
The thing is there's already But when calls are made to It might this line right here that calls |
I believe the call to When I first looked at the code you linked above, I also thought it was for each I think the If a token becomes "stale", due to not refreshing properly, the graphql api will still attempt to use the stale token and authentication will fail as if they're logged out. But since I hope all of this was useful... :) I was considering creating a custom auth provider and these are some of the things I was considering. I'd much rather use what's already there, if possible. |
Hmm I'll have to do some more tracing at some point...so you think you only see multiple I created dbAuth specifically to avoid the access/refresh tokens that are so prevalent in the JWT world! Ever since my first OAuth implementation, probably 15 years ago, I've wanted to overthrow the access token regime. 😄 Not to mention the security concerns of putting stuff in LocalStorage. And it seems like other folks are coming around: Supabase is re-doing their third party auth to use cookies instead of LocalStorage! Here's the first Google result for "localstorage security": https://dev.to/rdegges/please-stop-using-local-storage-1i04 So I don't think we'll be updating dbAuth to use tokens any time soon, but I feel like there's a solution that will save us these multiple authentication requests for a single page, I just haven't had time to look into it! |
Yes, at least with the default So, if there are multiple cells in a page, there are multiple requests being made.
I see now, and it does make sense. I almost didn't mention localStorage, but my initial thoughts where, if someone compromised the system to get the token from localStorage, they could also call the auth endpoint to get the token. It would still require more knowledge of the system, so it wouldn't be as easy I guess. Also, I thought the main auth code was storing something in localStorage, but when I looked again, it was the
Supabase (and gotrue/netlify) is the other auth provider that I was specifically thinking of. This is probably because I still have a gotrue token in my localhost localStorage from when I used netlify auth as I was going through the redwood tutorial. After all of that :) ... I agree that it's correct to use secure, http-only cookies for the session token, but I think there could be something done to keep the token in memory. Even if it's for a short amount of time. Currently, the only way the session token will be invalid, without the user logging out, is if the user record is deleted. I just had another thought, but I haven't looked into what would be involved yet. When the main graphql handler calls |
I can clearly see that happening on https://superstore-redwood-stripe.netlify.app/ (from https://github.com/redwoodjs/example-store-stripe) and we also see calls to the cell being 2x and the first call being canceled by the second one, something not clean is going on |
This has been a deterrent for me as well. While it's probably completely fine I don't want to use this auth solution since it's making so many extraneous calls. Maybe I can try to dig into this and see if there's a way to:
|
Yeah, I also wasn't too happy at those extra API calls, you can see a pretty comprehensive alternative which does what you're talking about here: https://github.com/orta/redwood-jwt-2phase-auth |
If you're looking at creating major structural changes please open an RFC issue so we can discuss! 🙂 You're welcome to create a new kind of auth client (cookieTokenAuth?) but I want dbAuth itself to stay as is—simple, single cookie authentication. I'd rather look into a way to batch these multiple I purposefully built dbAuth to not use access/refresh tokens or JWTs like our other auth clients (you can find all kinds of issues with JWTs and usage of LocalStorage on the internet) and get back to good ol' cookie storage, which has worked for hundreds of years (slight exaggeration). I know you weren't suggesting using JWTs, but just a little background on where I was coming from! |
I just upgraded to canary to test this out. Works great for me thank you @cannikin ! |
I wanted to log this as I was having trouble finding anything about it.
When I go to a page with two cells I'm getting 5x auth calls.
Is this normal?
The text was updated successfully, but these errors were encountered: