smallbets / userbase

Create secure and private web apps using only static JavaScript, HTML, and CSS.

Home Page:https://userbase.com


Nodejs SDK: Auth Token Of A User Does Not Expire (Bug)

clarnx opened this issue · comments

The official Userbase Nodejs SDK here can be used to sign up, log in, sign out, etc. a user on a backend.

When a user is logged in, a user object is returned with an authToken property. This can be sent to the client side so that the authToken can be used for signing in automatically without re-entering credentials.

After testing, I noticed that if you log out and then log in again, the user object is returned with a new authToken.

However if you use the old authToken to check if the user's authToken is valid by using the Admin API, you get a response containing the user ID. This means the old Auth Token does not expire and is valid even though a new one is generated.

Same result for old Auth Tokens generated after several subsequent logouts and sign-ins.

Interesting, we specifically have a test case for this here. Looking into it.

Could you share your code?

I'm not able to reproduce with this:

// NEED TO SET THESE YOURSELF
const ACCESS_TOKEN = ''
const APP_ID = ''

const userbase = require('userbase-js-node')
const https = require('https')

const username = Math.random().toString()
const password = Math.random().toString()

// Asks the Admin API whether an auth token is valid: resolves with the parsed
// body on 200 and rejects with the parsed error body on any other status
const verifyAuthToken = (authToken) => new Promise((resolve, reject) => {
  const options = {
    hostname: 'v1.userbase.com',
    path: '/v1/admin/auth-tokens/' + authToken,
    method: 'GET',
    headers: {
      'Authorization': 'Bearer ' + ACCESS_TOKEN
    }
  }

  const req = https.request(options, res => {
    // buffer the whole body: 'data' can fire more than once per response,
    // and JSON.parse on a partial chunk would throw
    let body = ''
    res.on('data', chunk => { body += chunk })
    res.on('end', () => {
      let resp
      try {
        resp = JSON.parse(body)
      } catch (e) {
        return reject(new Error('Non-JSON response: ' + body))
      }
      if (res.statusCode !== 200) reject(resp)
      else resolve(resp)
    })
  })

  req.on('error', error => {
    reject(error)
  })

  req.end()
})

// Passes only if the server rejects the token. Throwing "Should have failed"
// inside the same try block would be swallowed by its catch, so the check is
// done after the try/catch instead.
const expectInvalid = async (authToken, label) => {
  let rejection
  try {
    await verifyAuthToken(authToken)
  } catch (e) {
    rejection = e
  }
  if (!rejection) throw new Error('Should have failed: ' + label)
  console.log(label + ' ', rejection)
}

const main = async () => {
  await userbase.init({ appId: APP_ID })

  // Signing up and testing auth token...
  const { authToken, userId } = await userbase.signUp({ username, password })

  // should successfully verify auth token
  const successResponse = await verifyAuthToken(authToken)
  if (successResponse.userId !== userId) throw new Error('User ids not equal')

  // verifying auth token should fail after signing out
  await userbase.signOut()
  await expectInvalid(authToken, 'Should error with Auth token invalid.')

  // signing in again to make sure old auth token still failing
  const signInResponse = await userbase.signIn({ username, password })

  // should fail trying to use old auth token
  await expectInvalid(authToken, 'Trying to reuse old token after signing out, then signing in again should error with Auth token invalid.')

  // using second auth token should succeed
  const successResponse2 = await verifyAuthToken(signInResponse.authToken)
  if (successResponse2.userId !== userId) throw new Error('User ids not equal')

  console.log('Success!')
}

// surface any failed check as a non-zero exit instead of an unhandled rejection
main().catch(e => {
  console.error(e)
  process.exit(1)
})

Outputs:

Should error with Auth token invalid.  { message: 'Auth token invalid.' }
Trying to reuse old token after signing in again should error with Auth token invalid.  { message: 'Auth token invalid.' }
Success!

For some unknown reason, the Auth Token was working as expected all of a sudden after 12 hours. Once I logged out the old Auth Token becomes invalid.

But I was very very very sure that on Tuesday 11 May 2021 that was not the case. I was even having login issues where the response was "cannot connect to server", and then when I tried again it logged in.

Maybe on that day there was downtime with your servers.

Thanks for the response.

Glad to hear it's working for you now!

It sounds like there may have been some connectivity issues, which may have caused signOut to fail. Will look into it on our end. If signOut does fail, the session's authToken would automatically expire at the end of the session (24 hours is the default session length, though you can modify the duration of a session using advanced parameters to signIn, signUp, and init).
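The lifecycle the reply above describes (a token per sign-in, revoked by signOut, otherwise expiring after the session length, 24 hours by default) as a constructed in-memory model, added here as an example; it is not Userbase's code, and the token format, the SessionStore class and its method names are assumptions made for illustration.

```javascript
// Constructed reference model of the token lifecycle described in the thread:
// one token per sign-in, revoked by signOut, otherwise expiring sessionLength
// hours after issuance (24 h default). Illustrative only, not Userbase's code.
const HOUR_MS = 3600 * 1000
const DEFAULT_SESSION_HOURS = 24

class SessionStore {
  constructor () { this.sessions = new Map(); this.n = 0 } // token -> session
  // Mints a fresh token on every sign-in; earlier tokens are left untouched,
  // so only signOut or expiry can end them.
  signIn (userId, now, sessionLength = DEFAULT_SESSION_HOURS) {
    const authToken = `tok-${++this.n}` // constructed placeholder format
    const expiresAt = now + sessionLength * HOUR_MS
    this.sessions.set(authToken, { userId, expiresAt, revoked: false })
    return { userId, authToken }
  }
  // Returns false when the token is unknown so a caller can tell that the
  // revocation did not take effect.
  signOut (authToken) {
    const s = this.sessions.get(authToken)
    if (!s) return false
    s.revoked = true
    return true
  }
  // Mirrors the Admin API check: { userId } for a live token, null otherwise.
  verifyAuthToken (authToken, now) {
    const s = this.sessions.get(authToken)
    if (!s || s.revoked || now >= s.expiresAt) return null
    return { userId: s.userId }
  }
}

// Walks through the reporter's scenario and the maintainer's explanation.
function runScenario () {
  const store = new SessionStore()
  const t0 = Date.UTC(2021, 4, 11) // 11 May 2021, the date in the report
  const a = store.signIn('user-1', t0)
  store.signOut(a.authToken)                     // logout succeeds
  const b = store.signIn('user-1', t0 + HOUR_MS) // login again; its signOut is
  // never called, modelling a signOut lost to a connectivity failure
  const c = store.signIn('user-1', t0 + 2 * HOUR_MS)
  return {
    oldAfterLogoutLogin: store.verifyAuthToken(a.authToken, t0 + 2 * HOUR_MS),
    newTokenValid: store.verifyAuthToken(c.authToken, t0 + 2 * HOUR_MS),
    unrevokedBefore24h: store.verifyAuthToken(b.authToken, t0 + 24 * HOUR_MS),
    unrevokedAfter24h: store.verifyAuthToken(b.authToken, t0 + 25 * HOUR_MS)
  }
}
```

The first result shows why the reporter's repeated logout/login should have rejected the old token; the last two show that a token whose signOut never reached the server stays usable only until its session length runs out.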