auth0-react
Payload added by e.g. rules not updating state on changes due to updated_at check
Describe the problem
Because you check for user updates to update the state or not: https://github.com/auth0/auth0-react/blob/v1.9.0/src/reducer.tsx#L38
any other changes e.g. due to rules (or actions) do not refresh the react state and components that use those values are not updated.
So e.g. if external data is added and that data changes, the state will not update and the SPA will still show the previous content.
What was the expected behavior?
Update the state on getAccessTokenSilently if any of its data changes. Either check accordingly all properties, if there have been changes or just update the data always.
Reproduction
Simplest would be:
- Create a rule that adds custom data that changes, e.g. to the idToken using the corresponding application scope.
- Easiest would be to just add the current timestamp.
- Output that value.
- Add a button that forces a token refresh using getAccessTokenSilently.
- The values will stay the same as before until a full page refresh is done.
Not 100% sure if it depends if the additional data is added to the id token or the access token - have not gone into that much detail.
Environment
- Version of auth0-react used: 1.9.0
- Which browsers have you tested in? Chrome, Firefox, etc.
I ran into this issue as well. I did a little research and it looks like the updated_at check was added to resolve this issue. However, in my testing, updating the user does not cause getAccessTokenSilently to be redefined -- which makes sense since useCallback is used. I think it would be safe to remove that check entirely.
@AndreasA - thanks for raising this
I wonder if we can use the raw ID Token, or Access Token since they always change, even in the Refresh Grant - rather than the updated_at claim which clearly doesn't. Will investigate.
I did a little research and it looks like the updated_at check was added to resolve this https://github.com/auth0/auth0-react/issues/210.
@inv8der The updated_at check was added before that issue to prevent unintentional renders when using the SDK with localStorage enabled and is required
@adamjmcgrath Checking the raw tokens - probably both to be safe - sounds like a good bet. It avoids unnecessary re-renderings but re-renders things if anything changes.
FYI, this update is waiting on some changes in the upstream spa js sdk
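
An added example (not part of the thread and not auth0-react source): a simplified reducer modelled on the updated_at check discussed above, next to a variant that compares every decoded claim, the first option the issue suggests. The action name, state shape and the roles claim are assumptions constructed for illustration; the roles claim shows why stale state matters when rules attach authorization data.

```javascript
// Simplified sketch; action name and state shape are assumptions, not SDK code.

// Variant A: skip the update when updated_at is unchanged (the behaviour reported).
function reduceByUpdatedAt(state, action) {
  if (action.type !== 'GET_ACCESS_TOKEN_COMPLETE') return state;
  if (state.user?.updated_at === action.user?.updated_at) return state;
  return { ...state, isAuthenticated: !!action.user, user: action.user };
}

// Deep comparison of decoded claims, insensitive to key order.
function claimsEqual(a, b) {
  if (a === b) return true;
  if (typeof a !== 'object' || typeof b !== 'object' || a === null || b === null) return false;
  if (Array.isArray(a) !== Array.isArray(b)) return false;
  const ka = Object.keys(a);
  const kb = Object.keys(b);
  if (ka.length !== kb.length) return false;
  return ka.every(
    (k) => Object.prototype.hasOwnProperty.call(b, k) && claimsEqual(a[k], b[k])
  );
}

// Variant B: update when any claim differs; return the same state object
// (so no re-render) when the claims are identical, e.g. on a cache hit.
function reduceByClaims(state, action) {
  if (action.type !== 'GET_ACCESS_TOKEN_COMPLETE') return state;
  if (claimsEqual(state.user, action.user)) return state;
  return { ...state, isAuthenticated: !!action.user, user: action.user };
}

// Constructed sample: a rule-added claim changes while updated_at does not.
function demo() {
  const rolesClaim = 'https://example.com/roles'; // hypothetical namespaced claim
  const before = {
    sub: 'auth0|constructed-user',
    updated_at: '2022-01-01T00:00:00.000Z',
    [rolesClaim]: ['admin'],
  };
  const after = { ...before, [rolesClaim]: ['viewer'] };
  const state = { isAuthenticated: true, user: before };
  const action = { type: 'GET_ACCESS_TOKEN_COMPLETE', user: after };
  return {
    stale: reduceByUpdatedAt(state, action).user[rolesClaim],
    fresh: reduceByClaims(state, action).user[rolesClaim],
    cacheHitSameRef: reduceByClaims(state, { ...action, user: { ...before } }) === state,
  };
}
```

With variant A the component keeps rendering the old roles value until a full page reload; client-side claims are display state only, so the API must still enforce authorization from the access token it receives.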