Model - AccessToken - refresh
This currently does:

```javascript
AccessToken.insert({
  iss: settings.issuer,
  uid: at.uid,
  cid: at.cid,
  ei: at.ei,
  rt: random(settings.refresh_token_bytes_range)(),
  scope: at.scope
}, function (err, token) {
  if (err) { return callback(err) }
  // we should destroy the current token
  AccessToken.delete(at.at, function (err) {
    if (err) { return callback(err) }
    callback(null, token)
  })
})
```
The problem with doing the delete after the insert is that if, for example, the rt or perhaps even the at is the same as before, then it would be deleted right after being created, or worse, perhaps parts could be deleted, such as the rt.
In my case this is happening because I am preserving the rt, but it could happen in the general case too, although it is unlikely.
I also have a problem with refresh tokens, but I don't see how rt or at can be the same. It would be great if you could provide a unit test.
Can't remember the reason, but I needed to keep the refresh token the same, which led to a bug for me with my refresh token being deleted after the new access token was created. With the random refresh token this should not happen.
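A minimal reproduction of the ordering problem discussed in this thread, as an added example that is not part of the original issue or the project's code. `TokenStore` and the helper functions are hypothetical; the store assumes the refresh token is kept as a secondary index pointing at the access token record, and all token values are constructed.

```javascript
// Hypothetical in-memory stand-in for the token model (an assumption, not the
// project's storage): records keyed by `at`, plus a secondary index rt -> at.
class TokenStore {
  constructor () { this.byAt = new Map(); this.rtIndex = new Map(); this.seq = 0 }

  insert (fields) {
    const token = Object.assign({ at: 'at-' + (++this.seq) }, fields)
    this.byAt.set(token.at, token)
    this.rtIndex.set(token.rt, token.at)
    return token
  }

  // Removes the record and the index entry derived from its rt.
  delete (at) {
    const token = this.byAt.get(at)
    if (!token) return
    this.byAt.delete(at)
    this.rtIndex.delete(token.rt)
  }

  getByRefreshToken (rt) {
    const at = this.rtIndex.get(rt)
    return at ? this.byAt.get(at) || null : null
  }
}

// Order from the issue: insert the replacement, then delete the old token.
function refreshInsertThenDelete (store, old, rt) {
  const token = store.insert({ uid: old.uid, cid: old.cid, scope: old.scope, rt })
  store.delete(old.at)
  return token
}

// Reversed order: the old token's index entries are gone before the new ones exist.
function refreshDeleteThenInsert (store, old, rt) {
  store.delete(old.at)
  return store.insert({ uid: old.uid, cid: old.cid, scope: old.scope, rt })
}

// Performs one refresh and reports whether the new token is reachable by its rt.
// With newRt omitted, the old rt is preserved (the case described in the issue).
function rtResolvesAfterRefresh (refresh, newRt) {
  const store = new TokenStore()
  const old = store.insert({ uid: 'u1', cid: 'c1', scope: 'openid', rt: 'constructed-rt' })
  const fresh = refresh(store, old, newRt || old.rt)
  const found = store.getByRefreshToken(fresh.rt)
  return found !== null && found.at === fresh.at
}
```

With a preserved rt, only the delete-then-insert order leaves the refresh token usable; with a fresh rt, both orders do.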