Open clavery opened 1 year ago
I don't know if there is a way to preemptively know whether a token has been invalidated because of a password change, but if a 401 does occur the PWA should discard the current access token and acquire a new one via the refresh token.
This issue has been linked to a new work item: W-14508782
Hey @clavery, we recently released a new version of the template-retail-react-app with the password change fixes that you called out in the description.
I followed your steps to repro, but I didn't see the errors. I'm thinking maybe that change fixed the issue. Do you mind taking it for a spin to validate whether you still see this issue?
Thanks
Summary
According to SLAS: "When a shopper changes their password, any access tokens that were granted before the password change are rejected."
So if a shopper has two sessions on a site (such as mobile/desktop, a second computer, or an incognito window) and changes the password in one of those sessions, the access tokens from all the others will be invalidated. In PWA today this causes 401s on shopper endpoints and hard errors. It seems that if the token appears valid (i.e. it is not expired) it will continue to be used, and the refresh token flow will not occur until it expires, i.e. a customer may be locked out of the site on those devices for up to 30 minutes: https://github.com/SalesforceCommerceCloud/pwa-kit/blob/develop/packages/commerce-sdk-react/src/auth/index.ts#L388-L390
There may be other situations where a shopper access token becomes invalid that could exacerbate this behavior. For instance, if a client (other than PWA) uses SLAS logoutCustomer with hint=all-sessions, all access tokens are invalidated. The SLAS team may be able to lend insight on whether there are other situations.
Steps To Reproduce
Expected result
All sessions continue to be navigable
Actual result
Observe errors and 401s in the console on the other session. The response for these 401s indicates the root cause:
System Information (as applicable)
Browser:
Node version:
pwa-kit version: latest
Desktop OS:
Mobile Device Info:
Additional information
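The recovery path discussed in this issue (treat a 401 on a shopper endpoint as a revoked token even when it has not expired locally, discard it, run the refresh-token flow once and retry once), as an added TypeScript example that is not pwa-kit or commerce-sdk-react code. The ShopperSession class, the in-memory SLAS stand-in and the token values are constructed for illustration.

```typescript
// Added example, not pwa-kit or commerce-sdk-react code. Types, the in-memory
// SLAS stand-in and all token values below are constructed for illustration.
type Tokens = { accessToken: string; refreshToken: string; expiresAt: number };
type Res = { status: number; body: string };
type Fetcher = (url: string, accessToken: string) => Promise<Res>;
type Refresher = (refreshToken: string) => Promise<Tokens>;

class ShopperSession {
  refreshCount = 0;
  constructor(private tokens: Tokens, private fetcher: Fetcher, private refresher: Refresher) {}
  private async refresh(): Promise<void> {
    this.tokens = await this.refresher(this.tokens.refreshToken);
    this.refreshCount++;
  }
  // A local expiry check alone is not enough: a token can be revoked server-side
  // (password change, logout with the all-sessions hint) long before it expires,
  // so a 401 discards the token, runs the refresh flow once and retries once.
  async get(url: string): Promise<Res> {
    if (this.tokens.expiresAt <= Date.now()) await this.refresh();
    const first = await this.fetcher(url, this.tokens.accessToken);
    if (first.status !== 401) return first;
    await this.refresh();
    return this.fetcher(url, this.tokens.accessToken); // a second 401 goes to the caller, no loop
  }
}

// Constructed stand-in for SLAS plus a shopper endpoint: tracks which access
// tokens are still accepted and can revoke all of them at once.
function makeFakeSlas() {
  const valid = new Set<string>(["at-1"]);
  let n = 1;
  return {
    revokeAll: () => valid.clear(), // simulates a password change in another session
    fetcher: async (_url: string, at: string): Promise<Res> =>
      valid.has(at) ? { status: 200, body: "basket" } : { status: 401, body: "invalid token" },
    refresher: async (rt: string): Promise<Tokens> => {
      const at = `at-${++n}`; valid.add(at); // new access token issued from the refresh token
      return { accessToken: at, refreshToken: rt, expiresAt: Date.now() + 30 * 60_000 };
    },
  };
}

// Session A's token is revoked by another session; the wrapper recovers transparently.
async function demo(): Promise<{ before: number; after: number; refreshes: number }> {
  const slas = makeFakeSlas();
  const tokens = { accessToken: "at-1", refreshToken: "rt-1", expiresAt: Date.now() + 30 * 60_000 };
  const session = new ShopperSession(tokens, slas.fetcher, slas.refresher);
  const before = (await session.get("/baskets")).status;
  slas.revokeAll();
  const after = (await session.get("/baskets")).status;
  return { before, after, refreshes: session.refreshCount };
}
```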