feat: add setSession support for a SSR context
#445
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hf
commented
Sep 21, 2022
hf
force-pushed
the
hf/add-set-session-ssr-support-v1
branch
from
d8f83b1
to
b8ddf6e
Compare
kangmingtay
requested changes
Sep 21, 2022
There was a problem hiding this comment.
I think we're trying to do too much here and i'm not sure what this PR is trying to change - the current method just requires a refresh token, forces a refresh and then sets the current session.
Why do we also want to support setting a session via an access token? If no refresh token is being passed in, it could result in a incomplete session returned.
|
Here's a Mermaid description of the issue: sequenceDiagram
participant G as GoTrue
participant S as Server
participant B as Browser
participant C as Cookies
participant L as Local Storage
B-->>S: GET /login
S-->>B: 200 OK Render /login
B-->>G: POST /sign-in { email, password }
G-->>B: 303 See Other server/authenticate...
B-->>S: GET /authenticate
S-->>B: 200 OK Render /authenticate
activate B
B-->>B: getSessionFromURL
B-->>L: putItem(session, ...)
B-->>C: document.cookie = 'my-access-token...'
B-->>C: document.cookie = 'my-refresh-token...'
deactivate B
note over G, L: After 1 week the user comes back to /route on server -- no issues
activate B
B-->>S: GET /route
B-->>S: Cookie: my-access-token ...
B-->>S: Cookie: my-refresh-token ...
activate S
S-->>S: setSession(req.cookies['my-refresh-token'])
S-->>G: POST /verify?grant_type=refresh_token
G-->>S: 200 OK access token, refresh token
S-->>S: return session information to app
S-->>B: 200 OK prerendered content
deactivate S
B-->>B: _refreshSession
B-->>L: getItem(session)
L-->>B: session { access_token, refresh_token, expires_at }
B-->>G: POST /verify?grant_type=refresh_token
G-->>B: 200 OK access token, refresh token
B-->>L: putItem(session)
deactivate B
note over G, L: Immediately after login user navigates to /route -- issue after 1 hour
activate B
B-->>S: GET /route
B-->>S: Cookie: my-access-token ...
B-->>S: Cookie: my-refresh-token ...
activate S
S-->>S: setSession(req.cookies['my-refresh-token'])
S-->>G: POST /token?grant_type=refresh_token
G-->>S: 200 OK access token, refresh token
S-->>S: return session information to app
note over B, S: Start reuse timer!
S-->>B: 200 OK prerendered content
deactivate S
B-->>B: _refreshSession
B-->>L: getItem(session)
L-->>B: session { access_token, refresh_token, expires_at }
note over L, B: now is before expires_at!
note over L, B: No need to renew refresh token
note over G, L: 1 hour passes, app notices expires_at and tries to refresh token
B-->>G: POST /token?grant_type=refresh_token
G-->>B: 401 Unauthorized refresh token already used
note over G, B: 1 hour passed after the first validation of the refresh token!
deactivate B
note over G, L: With setSession({ access_token, refresh_token }) fix -- no-issue
activate B
B-->>S: GET /route
B-->>S: Cookie: my-access-token ...
B-->>S: Cookie: my-refresh-token ...
activate S
S-->>S: setSession({ refresh_token: req.cookies['my-refresh-token']), access_token: ... })
S-->>S: access token is not expired no post to GoTrue
S-->>S: return session information to app
note over B, S: Start reuse timer!
S-->>B: 200 OK prerendered content
deactivate S
B-->>B: _refreshSession
B-->>L: getItem(session)
L-->>B: session { access_token, refresh_token, expires_at }
note over L, B: now is before expires_at!
note over L, B: No need to renew refresh token
note over G, L: 1 hour passes, app notices expires_at and tries to refresh token
B-->>G: POST /token?grant_type=refresh_token
G-->>B: 200 OK access_token, refresh_token
note over G, B: 1 hour passed after the first validation of the refresh token!
B-->>L: putItem(session, ...)
B-->>C: document.cookie = 'my-access-token...'
B-->>C: document.cookie = 'my-refresh-token...'
note over L, G: Ok but what if the user closes the tab until 1 hour passes and then navigates to /route
B-->>S: GET /route
B-->>S: Cookie: my-access-token ...
B-->>S: Cookie: my-refresh-token ...
activate S
S-->>S: setSession({ refresh_token: req.cookies['my-refresh-token']), access_token: ... })
S-->>S: access token IS expired, refreshing in GoTrue
S-->>G: POST /token?grant_type=refresh_token
G-->>S: 200 OK access token, refresh token
S-->>S: return session information to app
note over B, S: Start reuse timer!
S-->>B: 200 OK prerendered content
deactivate S
B-->>B: _refreshSession
B-->>L: getItem(session)
L-->>B: session { access_token, refresh_token, expires_at }
B-->>B: now is after expires_at!
B-->>G: POST /token?grant_type=refresh_token
note over B, G: this occurs milliseconds after the refresh from the server
note over B, G: thus the refresh_token although used is within a reuse period
G-->>B: 200 OK access_token, refresh_token
B-->>L: putItem(session, ...)
B-->>C: document.cookie = 'my-access-token...'
B-->>C: document.cookie = 'my-refresh-token...'
note over G, L: All is good in the world!
deactivate B
|
hf
force-pushed
the
hf/add-set-session-ssr-support-v1
branch
from
b8ddf6e
to
9bc250c
Compare
Merged
kangmingtay
requested changes
Oct 4, 2022
hf
force-pushed
the
hf/add-set-session-ssr-support-v1
branch
from
9bc250c
to
1813591
Compare
kangmingtay
previously approved these changes
Oct 4, 2022
hf
force-pushed
the
hf/add-set-session-ssr-support-v1
branch
2 times, most recently
from
a610ec3
to
0d33675
Compare
hf
dismissed
kangmingtay’s stale review
I need to improve the types still, I don't want someone merging this accidentally. :D
kangmingtay
approved these changes
Oct 4, 2022
hf
force-pushed
the
hf/add-set-session-ssr-support-v1
branch
from
0d33675
to
e8a5355
Compare
hf
force-pushed
the
hf/add-set-session-ssr-support-v1
branch
from
e8a5355
to
be413ca
Compare
kangmingtay
reviewed
Oct 4, 2022
|
🎉 This PR is included in version 1.24.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 2.0.0-rc.11 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds support for calling
setSession()in a server-side rendering context. When used in SSR, the access and refresh tokens are typically sent from the browser to the server. Both of them represent the user's session.Users can thus call:
To correctly extract the session information from the two cookies. The client can then be used to call other APIs and automatic refresh token management will take place.