SalesforceCommerceCloud / pwa-kit

React-based JavaScript frontend framework to create a progressive web app (PWA) storefront for Salesforce B2C Commerce.
https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/pwa-kit-overview.html
BSD 3-Clause "New" or "Revised" License

[BUG] pwa-kit does not refresh token with an invalid access token #1475

Open clavery opened 1 year ago

clavery commented 1 year ago

Summary

According to SLAS, when a shopper changes their password, any access tokens that were granted before the password change are rejected. So if a shopper has two sessions on a site (such as mobile/desktop, a second computer, or an incognito window) and changes the password in one of those sessions, the access tokens from all the others will be invalidated.

In PWA today this causes 401s and hard errors on shopper endpoints. It seems that if the token appears valid (i.e. it is not expired) it will continue to be used, and the refresh token flow will not occur until it expires; i.e. a customer may be locked out of the site on those devices for up to 30 minutes: https://github.com/SalesforceCommerceCloud/pwa-kit/blob/develop/packages/commerce-sdk-react/src/auth/index.ts#L388-L390

There may be other situations where a shopper access token may become invalid that could exacerbate this behavior. For instance, if a client (other than PWA) uses SLAS logoutCustomer with hint=all-sessions, all access tokens are invalidated. The SLAS team may be able to lend insight into whether there are other situations.

Steps To Reproduce

  1. Use two windows (incognito and regular) to login to https://pwa-kit.mobify-storefront.com/
  2. On one of the sessions change the password (note there is currently an unrelated password issue that may muck with this: #1469 )
  3. On the other session navigate to different pages

Expected result

All sessions continue to be navigable

Actual result

Observe errors and 401s in the console on the other session. The response for these 401s indicates the root cause:

{
    "title": "Unauthorized",
    "type": "https://api.commercecloud.salesforce.com/documentation/error/v1/errors/unauthorized",
    "detail": "Customer credentials changed after token was issued"
}

System Information (as applicable)

Browser:
Node version:
pwa-kit version: latest
Desktop OS:
Mobile Device Info:

Additional information

[Screenshot attached: 2023-10-13, 11:37:25 AM]

vcua-mobify commented 11 months ago

I don't know if there is a way to preemptively know if a token is invalidated because of a password change, but if a 401 does occur, the PWA should discard the current access token and acquire a new one via the refresh token.

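The lifecycle gap described in the report (an unexpired token that the server has already rejected) and the fix proposed in the comment above (discard the token on a 401 and refresh), as an added example that is neither pwa-kit nor SLAS code. It uses an in-memory stand-in for a SLAS-style token server: `FakeSlasServer`, `ExpiryOnlyClient`, `RefreshOn401Client`, `runScenario`, the token values and the timestamps are all constructed for this illustration. One assumption is spelled out in the code: a password change invalidates access tokens but the refresh token is still accepted, which is what the proposed fix relies on; if the refresh fails, the client returns the original 401 rather than retrying again.

```javascript
// Added example, not pwa-kit or SLAS code. Models the behaviour the issue reports
// and the fix proposed in the thread. All names, tokens and times are constructed.

const ACCESS_TOKEN_TTL = 30 * 60; // seconds; the 30-minute window named in the issue

// Stand-in for a SLAS-style token server (hypothetical; not the real SLAS API).
class FakeSlasServer {
  constructor() {
    this.credentialsChangedAt = -1;      // epoch seconds of the last password change
    this.validRefreshTokens = new Set(); // refresh tokens this server still honours
    this.nextId = 1;
  }

  mintAccessToken(now) {
    return { id: this.nextId++, iat: now, exp: now + ACCESS_TOKEN_TTL };
  }

  // One session's login: an access token plus a refresh token.
  login(now) {
    const refreshToken = `refresh-${this.nextId++}`;
    this.validRefreshTokens.add(refreshToken);
    return { accessToken: this.mintAccessToken(now), refreshToken };
  }

  // Refresh-token grant. Assumption for this example: a password change rejects
  // existing access tokens but the refresh token remains valid.
  refresh(refreshToken, now) {
    if (!this.validRefreshTokens.has(refreshToken)) {
      return { status: 400, body: { error: 'invalid_grant' } };
    }
    return { status: 200, body: { accessToken: this.mintAccessToken(now) } };
  }

  changePassword(now) { this.credentialsChangedAt = now; }
  revokeRefreshToken(refreshToken) { this.validRefreshTokens.delete(refreshToken); }

  // A shopper endpoint: rejects expired tokens and, as the issue describes for SLAS,
  // tokens issued before the shopper's credentials changed.
  getCustomer(accessToken, now) {
    if (!accessToken || accessToken.exp <= now) {
      return { status: 401, body: { title: 'Unauthorized', detail: 'Access token expired' } };
    }
    if (accessToken.iat < this.credentialsChangedAt) {
      return { status: 401, body: {
        title: 'Unauthorized',
        type: 'https://api.commercecloud.salesforce.com/documentation/error/v1/errors/unauthorized',
        detail: 'Customer credentials changed after token was issued' } };
    }
    return { status: 200, body: { customerId: 'c-123' } };
  }
}

// Mirrors the behaviour the issue describes: the access token is replaced only when
// its local exp has passed, so a server-side rejection of an unexpired token is
// surfaced to the caller as a hard 401.
class ExpiryOnlyClient {
  constructor(server, session) {
    this.server = server;
    this.accessToken = session.accessToken;
    this.refreshToken = session.refreshToken;
  }

  ensureAccessToken(now) {
    if (!this.accessToken || this.accessToken.exp <= now) {
      const r = this.server.refresh(this.refreshToken, now);
      this.accessToken = r.status === 200 ? r.body.accessToken : null;
    }
    return this.accessToken;
  }

  getCustomer(now) {
    return this.server.getCustomer(this.ensureAccessToken(now), now);
  }
}

// The proposed fix: any 401 means the token is dead regardless of its local exp.
// Discard it, refresh once, retry once. A second failure is returned unchanged so a
// revoked refresh token cannot turn into a refresh/retry loop.
class RefreshOn401Client extends ExpiryOnlyClient {
  getCustomer(now) {
    const first = super.getCustomer(now);
    if (first.status !== 401) return first;
    this.accessToken = null;                 // never reuse a token the server rejected
    const token = this.ensureAccessToken(now);
    if (!token) return first;                // refresh failed: caller must re-authenticate
    return this.server.getCustomer(token, now);
  }
}

// Two sessions log in at t0; the password is changed from the other session at
// t0+60; this session keeps browsing at t0+requestAt with a locally unexpired token.
function runScenario(ClientClass, { changePassword = true, revokeRefresh = false, requestAt = 120 } = {}) {
  const server = new FakeSlasServer();
  const t0 = 1700000000;
  const desktop = new ClientClass(server, server.login(t0));
  server.login(t0);                                        // the other session (e.g. incognito)
  if (changePassword) server.changePassword(t0 + 60);
  if (revokeRefresh) server.revokeRefreshToken(desktop.refreshToken);
  const res = desktop.getCustomer(t0 + requestAt);
  return { status: res.status, detail: res.body.detail ?? null };
}
```

Running `runScenario(ExpiryOnlyClient)` reproduces the report: a 401 carrying the "Customer credentials changed after token was issued" detail even though the token has 28 minutes left. `runScenario(RefreshOn401Client)` recovers with a 200 after one refresh, and the same client with the refresh token revoked returns the original 401 instead of looping; plain expiry at `requestAt: 1801` is handled by both clients as before.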
git2gus[bot] commented 11 months ago

This issue has been linked to a new work item: W-14508782

bendvc commented 9 months ago

Hey @clavery, we recently released a new version of the template-retail-react-app with the password change fixes that you called out in the description.

I followed your steps to repro, but I didn't see the errors. I'm thinking maybe that change fixed the issue. Do you mind taking it for a spin to validate whether you still see this issue?

Thanks