bluesky-social / atproto

Social networking technology created by Bluesky

OAuth token refreshes in reference client are brittle #2816

Open mary-ext opened 1 month ago

mary-ext commented 1 month ago

Describe the bug

As in the title, token refreshes are very likely to fail, resulting in a log out if the user happens to reload the page at the wrong moment.

To Reproduce

Steps to reproduce the behavior:

  1. Use the OAuth browser library and sign in
  2. Wait 10+ minutes for the token to expire
  3. Refresh the token
  4. While refreshing, reload the page.

Expected behavior

It shouldn't be likely for reloads to sign you out

Details

While this is entirely unavoidable, this seems to be mostly happening because the client needs to verify whether the new access tokens are received from the right issuer.

https://github.com/bluesky-social/atproto/blob/319aa7cf6dd7de0262a40d69f695c9a0eb0b5179/packages/oauth/oauth-client/src/oauth-server-agent.ts#L145

Since this happens between a request to refresh tokens and actually storing that token, this leaves quite a gap, one that's especially big on slow networks, in which said tokens may get lost before they make their way into IndexedDB.

As we aren't doing a stale-while-refresh approach for identity and metadata resolution, this is bound to happen every 10 minutes, as that's what the cache expiry time is currently configured at.

mary-ext commented 1 month ago

I suppose moving resolveFromIdentity to the refresh method might be the answer? So long as we're not doing it in between, it seems fine.
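The race described in this issue and the reordering proposed in the comment above, as an added example that is not part of the atproto client: `FakeAuthServer`, `refreshBrittle`, `refreshSafe` and `simulate` are constructed stand-ins for the token endpoint, the two orderings of the refresh method, and a page reload, with a plain Map in place of IndexedDB. The issuer check is kept in both orderings, since it is what stops the client from accepting a token set from the wrong server; only its position changes.

```javascript
// Assumed: refresh tokens are single-use, so a token response that is
// received but never stored leaves the client holding a dead refresh token.
class FakeAuthServer {
  constructor(issuer) { this.iss = issuer; this.valid = new Set(['rt-0']); this.n = 0; }
  async refresh(refreshToken) {
    if (!this.valid.delete(refreshToken)) throw new Error('invalid_grant');
    const next = `rt-${++this.n}`; this.valid.add(next);
    return { iss: this.iss, access_token: `at-${this.n}`, refresh_token: next };
  }
}

const tokens = (r) => ({ accessToken: r.access_token, refreshToken: r.refresh_token });

// Current ordering: identity resolution sits between receiving the new
// token set and persisting it. A reload during that await drops `fresh`.
async function refreshBrittle(store, did, server, resolveIssuer) {
  const session = store.get(did);
  const fresh = await server.refresh(session.refreshToken);
  const issuer = await resolveIssuer(did);
  if (fresh.iss !== issuer) throw new Error('issuer mismatch');
  store.set(did, { ...session, ...tokens(fresh) });
}

// Proposed ordering: resolve the expected issuer first, while the old refresh
// token is still valid; the check becomes a comparison with no await before the write.
async function refreshSafe(store, did, server, resolveIssuer) {
  const session = store.get(did);
  const issuer = await resolveIssuer(did);
  const fresh = await server.refresh(session.refreshToken);
  if (fresh.iss !== issuer) throw new Error('issuer mismatch');
  store.set(did, { ...session, ...tokens(fresh) });
}

// Simulates "reload the page while identity resolution is in flight": the
// first resolution never completes, then the restarted client retries.
async function simulate(refreshFn) {
  const store = new Map();
  const did = 'did:plc:example';                     // constructed sample value
  const server = new FakeAuthServer('https://pds.example');
  store.set(did, { did, refreshToken: 'rt-0' });
  let reloaded = false;
  const resolveIssuer = async () => {
    if (!reloaded) { reloaded = true; throw new Error('page reloaded'); }
    return 'https://pds.example';
  };
  await refreshFn(store, did, server, resolveIssuer).catch(() => {});
  try { await refreshFn(store, did, server, resolveIssuer); return 'signed in'; }
  catch (e) { return `logged out (${e.message})`; }
}
```

`simulate(refreshSafe)` resolves to `'signed in'` while `simulate(refreshBrittle)` resolves to `'logged out (invalid_grant)'`, because the brittle ordering has already consumed `rt-0` when the reload hits.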