-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace _checkPanoptesSession with _getNewToken #86
Conversation
Replaces _checkPanoptesSession() with _getNewToken(), which attempts to get a new token from Panoptes via an iframe. Stored tokens are not returned, since we should only be calling this method when the stored token is about to expire.
Is that the same problem I was refer to in your older PR #85 (comment)? |
Could be. It's hard to tell, since the token issued by Panoptes is valid for 2 hours and the console logs don't tell us if that token came from a network call to Panoptes, or from session storage. |
No wait, 'Found existing Panoptes session' is printed out when a token is obtained from the iframe URL. panoptes-javascript-client/lib/oauth.js Lines 201 to 204 in 595e694
|
This context wasn't properly set in the catch block for refresh errors, so the token was never deleted.
The code update looks good and my initial testing looks OK so far, but I was trying to follow up by checking out if there were any other function()s that require And then I saw how the .bind()s were use in the lib components and thought, 😳 OK, never mind then. I'll continue with standard user testing, but out of curiosity, why does the PJC bind functions when they're being called/returned instead of binding at the function declaration, or equivalent? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PR Review
This PR fixes two issues (with the current 2.9.4, if I'm correct?) which basically meant that tokens weren't being refreshed properly:
- when a token is about to expire and supposed to be refreshed, it isn't - an old token is returned instead.
oauth._refreshBearerToken()
(or rather, one of the functions in it) wasn't bind()-ed properly so throws an error when referring tothis
; basically, the error-catching mechanism caused an error.
Testing
Basic testing looks OK:
- User can log in and stay logged in
- User can log out and stay logged out
Primary testing looks good, at least for the success conditions:
- when a user is logged in for a period of time, their login session is auto-refreshed with a new token after a period of time.
//Replicated by setting the refresh time to a few seconds, then monitoring that continuity of login state is maintained. New tokens at each refresh() call. 👍
I avoided doing too much testing for fail states, however (e.g. sudden network down, etc) as that's a bit of a rabbit hole if I don't go in prepared with a list of possible fail conditions.
Status
LGTM, since far as I can see, this PR handles the issue with token not refreshing properly. I'm happy to give this a 👍 but I'll refrain from merging just yet in case anybody else has more tests to run.
The use of .bind(), particularly nested bound calls, makes some of the auth code really hard to follow. Without it, _getNewToken()
.then(this._handleNewBearerToken)
.catch(this._deleteBearerToken); which would get rid of a couple of those .bind() calls. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This works well for me too.
I'll wait until tomorrow before merging to see if @camallen wants to add anything to this. |
Add _handleExpiredToken, which only clears your session if it has actually expired. This should allow you to continue to use the Panoptes API, if refresh fails but you still have a few minutes left on your old token.
Seems like a better name, since it returns true slightly before the token actually expires.
I've added a couple of changes that should keep your Auth headers intact until the Panoptes session has actually expired, so you can continue to make API calls in the last 5 minutes of your session. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This works well for me. Tested on SW.
No problems here either, browsing SW on localhost in Firefox with no restrictions and Chrome with third-party cookies blocked. |
Replaces
_checkPanoptesSession()
with_getNewToken()
, which attempts to get a new token from Panoptes via an iframe (and should do only that.) Stored tokens are not returned, since we should only be calling this method when the stored token is about to expire.Fixes a problem mentioned in zooniverse/shakespeares_world#366 (comment) which is that the client would always return an expired token, if it was stored in session storage.
Also fixes a bug where
checkBearerToken
throws an error when getting a new token, becausethis._deleteBearerToken
is undefined in the catch block herepanoptes-javascript-client/lib/oauth.js
Lines 279 to 284 in 595e694