pwa-kit
[BUG] pwa-kit does not refresh token with an invalid access token
Summary
According to SLAS, when a shopper changes their password, any access tokens that were granted before the password change are rejected. So if a shopper has two sessions on a site (such as mobile/desktop, a second computer, or an incognito window) and changes the password in one of those sessions, the access tokens from all the others will be invalidated.
In PWA today this causes 401s to occur on shopper endpoints and hard errors. It seems that if the token appears valid (i.e. it is not expired) it will continue to be used and the refresh token flow will not occur until it expires, i.e. a customer may be locked out of the site on those devices for up to 30 minutes: https://github.com/SalesforceCommerceCloud/pwa-kit/blob/develop/packages/commerce-sdk-react/src/auth/index.ts#L388-L390
There may be other situations where a shopper access token may become invalid that could exacerbate this behavior. For instance, if a client (other than PWA) uses SLAS logoutCustomer with hint=all-sessions, all access tokens are invalidated. The SLAS team may be able to lend insight if there are other situations.
Steps To Reproduce
- Use two windows (incognito and regular) to login to https://pwa-kit.mobify-storefront.com/
- On one of the sessions change the password (note there is currently an unrelated password issue that may muck with this: #1469 )
- On the other session navigate to different pages
Expected result
All sessions continue to be navigable
Actual result
Observe errors and 401s in the console on the other session. The response for these 401s indicates the root cause:
```json
{
  "title": "Unauthorized",
  "type": "https://api.commercecloud.salesforce.com/documentation/error/v1/errors/unauthorized",
  "detail": "Customer credentials changed after token was issued"
}
```
System Information (as applicable)
- Browser:
- Node version:
- pwa-kit version: latest
- Desktop OS:
- Mobile Device Info:
Additional information
I don't know if there is a way to preemptively know if a token is invalidated because of a password change but if a 401 does occur the PWA should discard the current access token and acquire a new one via the refresh token.
This issue has been linked to a new work item: W-14508782
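One way to implement the behaviour the report asks for (treat the SLAS 401 as proof the access token is dead, discard it, refresh once, retry once), as an added TypeScript example that is not pwa-kit's own code. The `fetchWithRefresh` helper, the `TokenStore` shape and the in-memory SLAS stand-in with its `tok-genN` token names are constructed for illustration; only the 401 body format comes from the issue.

```typescript
// Added example, not pwa-kit code. Real SLAS calls are async; kept sync here for clarity.
interface ApiResponse { status: number; body: Record<string, unknown> }
type Fetcher = (accessToken: string) => ApiResponse;
type Refresher = () => string;
interface TokenStore { accessToken: string; refreshes: number }

const SLAS_UNAUTHORIZED_TYPE =
  'https://api.commercecloud.salesforce.com/documentation/error/v1/errors/unauthorized';

// Match the error body quoted in the issue by status and `type`, not by the
// human-readable `detail`, which is the least stable field to key on.
function isSlasUnauthorized(res: ApiResponse): boolean {
  return res.status === 401 && res.body.type === SLAS_UNAUTHORIZED_TYPE;
}

function fetchWithRefresh(store: TokenStore, fetcher: Fetcher, refresher: Refresher): ApiResponse {
  const first = fetcher(store.accessToken);
  if (!isSlasUnauthorized(first)) return first;
  store.accessToken = '';            // server rejected it; local expiry no longer matters
  store.accessToken = refresher();   // if the refresh itself fails, let the error propagate
  store.refreshes += 1;
  return fetcher(store.accessToken); // exactly one retry; a second 401 goes back to the caller
}

// Constructed stand-in for SLAS (not the real service): a token encodes the password
// "generation" it was issued under; any token from an older generation gets the 401.
function makeFakeSlas() {
  let generation = 1;
  const issue = (): string => `tok-gen${generation}`;
  const fetcher: Fetcher = (token) =>
    token === issue()
      ? { status: 200, body: { customerId: 'constructed-customer-id' } }
      : { status: 401, body: { title: 'Unauthorized', type: SLAS_UNAUTHORIZED_TYPE,
          detail: 'Customer credentials changed after token was issued' } };
  return { issue, fetcher, refresher: issue, changePassword: () => { generation += 1; } };
}

// Session A holds a token that still looks valid locally; the password is changed elsewhere.
function runScenario(): { status: number; refreshes: number; token: string } {
  const slas = makeFakeSlas();
  const store: TokenStore = { accessToken: slas.issue(), refreshes: 0 };
  slas.changePassword();
  const res = fetchWithRefresh(store, slas.fetcher, slas.refresher);
  return { status: res.status, refreshes: store.refreshes, token: store.accessToken };
}
```

If the refresh token was invalidated as well, `refresher` throws and the caller should fall back to the guest or login flow rather than retrying with the stale token.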
Hey @clavery, we recently released a new version of the template-retail-react-app with the password change fixes that you called out in the description.
I followed your steps to repro, but I didn't see the errors. I'm thinking maybe that change fixed the issue. Do you mind taking it for a spin to validate if you still see this issue?
Thanks
Thank you for raising this issue/feedback. We have resolved this issue in v3.8 with the following PR: #2028. If you have any further questions and/or concerns, please do not hesitate to reach out again. Thank you!