Best way to track token/session expiry ?

[max-l]

If have stumbled on a case where AuthenticationManager.authenticated is true, but the underlying tokens expired, and had a failure after calling an api method.

Calling refreshTokens() worked, after calling it, api methods are once again returning expected results.

I wish I could get the exact error I received for "stale tokens", but I have to wait for them to expire, not sure how long that is.

To avoid expired token errors, I need to call "refreshTokens" before every call, wich is unelegant.

I saw that it has a filed named "expires_in", described here : https://docs.globus.org/api/auth/reference/#token-introspect

however, maybe the SDK provides a way to track expiry.

My other question is interpreting the result of refreshTokens, the response is a list of tokens with status, it seems that "fulfilled" means the refresh was successful :

            authorizationManager.refreshTokens().then(res => {
                for (let i = 0; i < res; i++) {
                    if(res[i].status !== "fulfilled") {
                        setIsAuthenticated(false)
                        return
                    }
                }
                setIsAuthenticated(true)
            })

In my case, i treat the existence of a single invalid (or expired) token as "needing to login again".

[jbottigliero]

The TokenManager has a static method that can help you identify whether or not a token is expired, your usage might look something like:

import { TokenManager } from '@globus/sdk/core/authorization/TokenManager';
const isExpired = Token.isTokenExpired(manager.tokens.transfer);

You can also refresh individual tokens with AuthorizationManager.refreshToken.

One option would be on application bootstrapping to iterate through the tokens and triggering a refresh if you hit an expiration.

const areTokensValid = manager.tokens.getAll().every((token) => TokenManager.isTokenExpired(token));

We do something similar in the Globus Web Application, but iterate through a list of required services instead of the tokens themselves (you don't need a token for everything for some access).

My other question is interpreting the result of refreshTokens, the response is a list of tokens with status, it seems that "fulfilled" means the refresh was successful

Correct, if the individual Promises return "fulfilled" it means that token refresh request did not have an error.

What that means for the authentication state of your application will vary based on whether or not you care about all or some of the tokens.

I think in another issue you referenced using React, it might be worth taking a look at https://github.com/globus/react-auth-context

[max-l]

Thanks will try TokenManager.isTokenExpired.

Somehow I had missed the react-auth-context project, I ended up doing something very similar.

I've written over the years a few react Providers for token or cookie based authentications, and I always end up needing the following callbacks :

                <TokenSessionProvider
                    afterLogoutFunc={logoutFunc}
                    onSessionExpired={sessionExpiredFunc}
                >
                ...
                </TokenSessionProvider>

And a context stored object with a field like isAuthenticated, that can be used to trigger a useEffect hook :

       const session = useTokenSession()

       useEffect(() => { 
            if(session.isAuthenticated) {
               ... fetch stuff like user info...
            }
       },[session.isAuthenticated])

      

The above callbacks (onSessionExpired, afterLogoutFunc) get triggered just before the token expiry, to update the value of isAuthenticated, can be used to affect display based on auth status.

I've yet to write an authenticated single page app that doesn't require this, so I checked react-auth-context to see it provides the same functionality, it's not clear that it does, because looking at the code I have not found the use of the browser functions setInterval, or setTimout,

and I don't think it's possible to implement the functionality (automatic logout upon expiry) without using one of the functions.

But perhaps I missed something !