GetStream / stream-chat-js

JS / Browser Client - Build Chat with GetStream.io
https://getstream.io/chat/

Revoke user token not always working #1214

Closed amercado-ws closed 9 months ago

amercado-ws commented 9 months ago

I wrote a script to see if revoking a user token results in an error. And half of the time it will return the correct 401 unauthorized error and the other half of the time it will succeed in sending the message.

```ts
import { StreamChat, Channel, DefaultGenerics } from 'stream-chat';

// `env` is the poster's own configuration object (not shown in the issue).
let messageCount = 0;
const serverClient = StreamChat.getInstance(env.GETSTREAM_APP_IDENTIFIER, env.GETSTREAM_API_KEY);

// Send one numbered test message and log either success or the API error.
async function sendMessage(channel: Channel<DefaultGenerics>) {
  try {
    await channel.sendMessage({ text: `This is message test ${messageCount++}` });
    console.log(`sent a message`);
  } catch (error) {
    console.error(error);
  }
}

async function testRevoke() {
  const userId = 'revoke_test';
  const userId2 = 'other_user_test';
  // iat claim for the token, in whole seconds
  const issuedAt = Math.floor(Date.now() / 1000);
  const token = serverClient.createToken(userId, undefined, issuedAt);

  const client = StreamChat.getInstance(env.GETSTREAM_APP_IDENTIFIER);
  await client.connectUser({ id: userId }, token);
  const channel = await client.channel('messaging', {
    members: [userId, userId2],
  });
  await channel.create();
  // First message: sent while the token is still valid.
  await sendMessage(channel);
  const tokenResponse = await client.revokeUserToken(userId);
  console.log(tokenResponse);

  // do I need to wait after revoking the token?
  setTimeout(async () => {
    // Second message: expected to fail with 401 once the token is revoked.
    await sendMessage(channel);
    client.disconnectUser();
  }, 5000);
}
```

The token response has `revoke_tokens_issued_before`:

```
{
  users: {
    'revoke_test': {
      id: 'revoke_test',
      role: 'user',
      created_at: '2023-12-05T19:33:58.037525Z',
      updated_at: '2024-01-25T20:27:04.846881Z',
      last_active: '2024-01-25T20:26:05.703624Z',
      banned: false,
      online: true,
      revoke_tokens_issued_before: '2024-01-25T20:27:04.756Z'
    }
  },
  duration: '13.64ms'
}
```

I know the token should be created server side but just for the sake of the script I'm doing it inline here. In the actual app it is hitting a server for the token.

Do I need to wait a certain time before calls know about the token being revoked?

amercado-ws commented 9 months ago

For my test to work I needed to set the revoke date a little in the future. I misunderstood the docs.
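
Added example, not part of the thread and not Stream's server code: a local TypeScript model of an issued-before cutoff, comparing a token's whole-second `iat` (floored as in the script above) with the millisecond-precision `revoke_tokens_issued_before` value from the response. The `iat < cutoff` rule, the fail-closed handling of a missing `iat`, and all function names are assumptions; the token issue times are constructed.

```typescript
// Added illustration: a generic "issued before" cutoff check, not Stream's server code.
interface TokenClaims {
  user_id: string;
  iat?: number; // JWT "issued at", whole seconds since the epoch
}

type Verdict = 'accepted' | 'revoked';

// Same rounding as the script in the issue: Math.floor(Date.now() / 1000).
function issuedAtSeconds(nowMs: number): number {
  return Math.floor(nowMs / 1000);
}

// Assumption: a token is revoked when its iat lies strictly before the cutoff.
// A token without iat cannot be placed on the timeline, so this model fails closed.
function checkRevocation(claims: TokenClaims, revokeTokensIssuedBefore: string | null): Verdict {
  if (revokeTokensIssuedBefore === null) return 'accepted';
  if (claims.iat === undefined) return 'revoked';
  const cutoffMs = Date.parse(revokeTokensIssuedBefore);
  if (isNaN(cutoffMs)) throw new Error('unparseable cutoff timestamp');
  return claims.iat * 1000 < cutoffMs ? 'revoked' : 'accepted';
}

// Smallest iat (seconds) a replacement token can carry and still pass the check.
function earliestValidIat(revokeTokensIssuedBefore: string): number {
  return Math.ceil(Date.parse(revokeTokensIssuedBefore) / 1000);
}

// Cutoff copied from the response in the issue; the issue times below are constructed.
const CUTOFF = '2024-01-25T20:27:04.756Z';

function demo(): Record<string, Verdict> {
  const claimsAt = (iso: string): TokenClaims => ({
    user_id: 'revoke_test',
    iat: issuedAtSeconds(Date.parse(iso)),
  });
  return {
    issuedBeforeRevoke: checkRevocation(claimsAt('2024-01-25T20:26:05.703Z'), CUTOFF),
    // Issued 144 ms after the cutoff, but iat floors to 20:27:04, which is before it.
    reissuedSameSecond: checkRevocation(claimsAt('2024-01-25T20:27:04.900Z'), CUTOFF),
    reissuedNextSecond: checkRevocation(claimsAt('2024-01-25T20:27:05.100Z'), CUTOFF),
    noIatClaim: checkRevocation({ user_id: 'revoke_test' }, CUTOFF),
  };
}

console.log(demo());
```

Under this model, a replacement token issued right after a revocation needs an `iat` of at least `earliestValidIat(cutoff)` to land on the accepted side of the comparison.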