bug: Token Refresh Logic is Reversed
mitchwadair opened this issue
Sorry if I'm being dumb here, but I was reading through the code to get a better idea of how tokens are stored/used etc. and noticed this. If I am reading this right, the function is returning the access token if there is no refresh token or if `tokens.expiresIn` is both truthy (meaning both defined and non-zero) and less than 5.

deno_kv_oauth/src/get_session_access_token.ts, lines 30 to 36 in b4007c0

I think there is one main issue with this. If `expiresIn` is a non-zero value that is less than 5, we probably do want to refresh the token, right? There are two cases:

1. `expiresIn` is negative, meaning it is already expired and we should refresh
2. `expiresIn` indicates that the token will expire soon (the 5 second buffer mentioned in the comment) and we should refresh

With the current logic, isn't the function basically only refreshing the token if it is not going to expire soon or if `expiresIn` is exactly `0`? Should that `<` actually be a `>`? Or am I crazy?

This would definitely be problematic because there would likely be a large number of requests being made to oauth providers and a bunch of KV writes that are unnecessary.
I believe I have also figured out why tests are passing with this logic: in the `genTokens` helper, `refreshToken` is not defined.

deno_kv_oauth/src/test_utils.ts, lines 20 to 25 in b4007c0

Because of this, the test for long-expiry passes because this function automatically returns the access token when `refreshToken` is undefined.

I am happy to PR a fix to this problem (and regression tests) if my assessment here is correct, lmk
Actually even more issues here than I thought.

The `expiresIn` property is documented as the time in seconds, but it is multiplied by `SECOND`, making the condition here off by a factor of 1000 in addition to what I already mentioned here.

Also, when calculating `expiresIn` it is reversed as well:

Lines 146 to 147 in b4007c0

Here, the `expiresIn` should be calculated by the current time subtracted from the `expiresAt` time.
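As an added example (not code from deno_kv_oauth or from the issue author), the refresh decision described above modelled with the three reported defects beside a corrected version, run over constructed token records. `needsRefreshBuggy`, `needsRefreshFixed`, `Tokens`, `compareDecisions` and the sample values are assumptions; the buggy function is a reconstruction of the behaviour the issue describes, not the project's code.

```typescript
// Added example, not code from deno_kv_oauth: models the refresh decision this
// issue discusses so the defects can be seen side by side with the fix.
const SECOND = 1000; // milliseconds per second, as the issue uses it
const BUFFER_SECONDS = 5; // refresh when fewer than this many seconds remain

interface Tokens {
  accessToken: string;
  refreshToken?: string; // absent = nothing to refresh with
  expiresAt?: number; // absolute expiry, ms since epoch; absent = unknown
}

// Reconstruction (assumption) of the behaviour the issue describes:
//  1. remaining lifetime computed as now - expiresAt (reversed),
//  2. a seconds value multiplied by SECOND before comparing with 5,
//  3. `<` on the wrong side: the stored token is handed back when it is about
//     to expire, and refreshed when it still has a long life.
// Returns true when the token should be refreshed.
function needsRefreshBuggy(tokens: Tokens, nowMs: number): boolean {
  if (!tokens.refreshToken || tokens.expiresAt === undefined) return false;
  const expiresIn = (nowMs - tokens.expiresAt) / SECOND; // defect 1
  const scaled = expiresIn * SECOND; // defect 2
  const keepAccessToken = scaled !== 0 && scaled < BUFFER_SECONDS; // defect 3
  return !keepAccessToken;
}

// Corrected logic: seconds remaining is expiresAt - now; refresh when that is
// below the buffer, which also covers negative values (already expired).
function needsRefreshFixed(tokens: Tokens, nowMs: number): boolean {
  if (!tokens.refreshToken || tokens.expiresAt === undefined) return false;
  const expiresIn = (tokens.expiresAt - nowMs) / SECOND;
  return expiresIn < BUFFER_SECONDS;
}

// Constructed sample records relative to a fixed "now" (ms since epoch).
const NOW = 1700000000000;
const SAMPLES: Record<string, Tokens> = {
  expiringSoon: { accessToken: "a1", refreshToken: "r1", expiresAt: NOW + 3 * SECOND },
  longLived: { accessToken: "a2", refreshToken: "r2", expiresAt: NOW + 3600 * SECOND },
  alreadyExpired: { accessToken: "a3", refreshToken: "r3", expiresAt: NOW - 60 * SECOND },
  noRefreshToken: { accessToken: "a4", expiresAt: NOW + 3 * SECOND },
};

// Compare both decisions over the samples; "expiringSoon" is the row where
// the buggy logic hands back a token that is about to die.
function compareDecisions(): Record<string, { buggy: boolean; fixed: boolean }> {
  const out: Record<string, { buggy: boolean; fixed: boolean }> = {};
  for (const [name, t] of Object.entries(SAMPLES)) {
    out[name] = { buggy: needsRefreshBuggy(t, NOW), fixed: needsRefreshFixed(t, NOW) };
  }
  return out;
}
```

Note that the reconstruction happens to refresh an already-expired token because two of the defects cancel for that case; the test in a `genTokens`-style helper with no `refreshToken` hides all of this, since both versions return false there.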
You're not crazy. That's a bug. Yes, please do feel free to open a PR 🙂
Ah, yes, I think you're right. Thanks for picking up on these. I'll submit fixes as soon as I can. Great work. Thank you.
I'll do a full review of the codebase to ensure there aren't any more of these silly mistakes. Thanks for pointing them out.
I can get a PR up soon with fixes for the things mentioned in this issue so you can focus on other things 👍
Great! Thank you. I believe these issues deserve 2 PRs. Please be sure to provide an explanation of the issues too 🙂
PRs are up!