New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add token exchange #110
Add token exchange #110
Conversation
Add a new method `sdk.exchangeToken()` that reads the current access token, and uses that together with the configured client secret to exchange the auth token into another token for privileged transitions.
*/ | ||
export default class AddClientSecretToParams { | ||
enter({ clientSecret, params, ...ctx }) { | ||
return { ...ctx, clientSecret, params: { ...params, client_secret: clientSecret } }; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If client secret is not set, this could throw an error saying that client secret is missing. I hit this couple of times in my tests yesterday and was wondering why things don't work. The downside then is that client secret is made mandatory, which it today is yes, but maybe not for all token exchanges in the future?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added the check.
If in the future we add token exchanges that don't require a client secret, I think we can make the check based on the params given to this interceptor.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, but test carefully! It's quite easy to get these things wrong Imo. Retries and all are quite hard and complex to understand.
One comment/change request: I'd love to see some tests for this. Have a look at https://github.com/sharetribe/flex-sdk-js/blob/master/src/fake/auth.js . Testing against fake implementation of the server is a bit meh but it's still better than no tests imo.
I have tested locally against the production API that an expired access token will fetch a new access token with the refresh token, and retry the token exchange. I added a separate card for proper tests for this, so those will come later. |
Add a new method
sdk.exchangeToken()
that reads the current accesstoken, and uses that together with the configured client secret to
exchange the auth token into another token for privileged transitions.