
Returns 401 when concurrent

Open activeliang opened this issue 4 years ago • 3 comments

When access expires, if the user clicks quickly on the web page and triggers two requests at the same time, in this case the new access can be refreshed normally, but when the new access is used to request resources, it returns 401.

I wrote a demo project to solve this problem: https://github.com/activeliang/try_jwt_session

To simulate the above situation, I wrote the following code:

require 'rest-client'
require 'json'

# first login
@tokens = JSON.parse RestClient.post('http://localhost:3000/login', name: 'user1', password: '123456')

# method: refresh the access token, then use the new access token to fetch posts
def refresh_access_and_get_posts
  new_tokens = JSON.parse RestClient.post('http://localhost:3000/refresh', {}, { 'X-Refresh-Token': @tokens['tokens']['refresh'] })
  posts = JSON.parse RestClient.get('http://localhost:3000/posts', { Authorization: "Bearer #{new_tokens['access']}" })
end

# it works normally when the calls are sequential
10.times {
  refresh_access_and_get_posts
}

# 401 will be returned when getting posts (concurrent refreshes);
# join the threads so the script waits for them instead of exiting first
10.times.map {
  Thread.new {
    refresh_access_and_get_posts
  }
}.each(&:join)

Is it because I did something wrong?

activeliang, Dec 17 '20 12:12

hi @activeliang

It's the responsibility of the client code to prevent concurrent refresh requests. Basically, the JS client should disable page refreshing while there's a pending refresh request, and enable it back afterwards.

tuwukee, Dec 17 '20 19:12
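One way to implement the client-side rule described in the reply above, as an added example that is not from the issue author or the jwt_sessions project: every caller that needs a refresh shares one in-flight refresh promise instead of issuing its own. The "server" below is a constructed stand-in that only models what the issue reports (each refresh rotates the access token and only the newest one is accepted); it is not the gem's own refresh logic.

```javascript
// Constructed fake server: each refresh rotates the access token, and only the
// most recently issued access token is accepted (the behaviour the issue reports).
function makeFakeServer() {
  let issued = 0;
  let currentAccess = null;
  return {
    refresh: async () => { currentAccess = `access-${++issued}`; return { access: currentAccess }; },
    getPosts: async (token) => (token === currentAccess ? { status: 200, body: ['post'] } : { status: 401 }),
    refreshCount: () => issued,
  };
}

// Client with an optional single-flight refresh: while a refresh is pending,
// concurrent callers await the same promise rather than starting another refresh.
function makeClient(server, { singleFlight }) {
  let pending = null; // the in-flight refresh promise shared by all callers

  async function refresh() {
    if (!singleFlight) return (await server.refresh()).access; // racy: one refresh per caller
    if (!pending) {
      pending = server.refresh()
        .then((r) => r.access)
        .finally(() => { pending = null; }); // re-enable refreshing once it settles
    }
    return pending;
  }

  // Simulates "access expired": refresh first, then call the protected endpoint.
  async function getPosts() {
    const token = await refresh();
    return server.getPosts(token);
  }

  return { getPosts };
}

// Fires n requests at once and reports the HTTP statuses and how many refreshes the server saw.
async function runConcurrent(n, singleFlight) {
  const server = makeFakeServer();
  const client = makeClient(server, { singleFlight });
  const results = await Promise.all(Array.from({ length: n }, () => client.getPosts()));
  return { statuses: results.map((r) => r.status), refreshes: server.refreshCount() };
}
```

With `singleFlight: false` ten concurrent calls trigger ten refreshes and all but the last request get 401; with `singleFlight: true` there is a single refresh and every request succeeds.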

just an idea: https://github.com/lynndylanhurley/devise_token_auth/search?q=batch_request_buffer_throttle

masterkain, Aug 16 '21 08:08

@masterkain requests with the same access token can be sent concurrently, the gem does not add any limitations. Refresh token requests are supposed to be limited, throttling may lead to vulnerabilities I think.

tuwukee, Aug 26 '21 18:08