Closed harshayburadkar closed 5 years ago
@harshayburadkar I will add a new function which allows you to pass refresh_token as a parameter. Thanks for letting us know!
@harshayburadkar ,
The Client is designed in such a way that for every instance of the OAuth Library / SDK, there would be a Token object which would store the token information that is associated with the particular instance of the library.
One of the benefits of this Token object is that it would manage the lifetime of the tokens and could validate whether the AccessToken is valid during refresh.
I do understand your point: when you use one instance of the OAuth Library to connect to multiple companies, it could become a problem as the token object would always refer to the latest authorized company.
To provide a fix, I have added a new method named refreshUsingToken(refresh_token), which accepts the refresh_token (string) as a param.
For more information please refer to the link below: https://github.com/intuit/oauth-jsclient/blob/master/src/OAuthClient.js#L235
Hope this helps!
That is not what I mean @abisalehalliprasan. The issue that I mention is a more serious one, and the example app provided in the repo also has that problem.
Imagine a node server (backend server) is deployed which uses this library. It can get requests from multiple users through a client application (running in the browser). These are totally different users. The requests can come in any sequence. For example:
User 1 does login
User 2 does login
User 1 fetches some data, hence access token validation happened
User 2 fetches some data, hence access token validation happened
// assume that user 1's token is expired now
User 3 does login
User 1 fetches data, access token validation fails, refresh is called
User 2 fetches data, access token is validated
In this whole scenario the server is using one OAuth library instance (it's in the backend), so each user does not have its own instance copy, and thus the token variable holds the last user's token and it will be used for the operation of a totally different user.
I am currently using a workaround since this cannot be solved. What this forces me to do is call setToken before each and every operation to make sure I set that user's token in the library. This is very deceptive to users, and unsuspecting users of the library are going to miss this problem and end up in issues. Hope they do not launch into production without understanding and accounting for this.
The passing of tokens should be made mandatory in all API calls. Currently, when I test out the app with multiple users, the refresh happens for the last user's token regardless of whichever user requests it.
This problem is going to happen with other APIs too, since the library acts on this.token, which will have the value of the last logged-in user.
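The interleaving described in this thread, as an added example that is not code from the oauth-jsclient project: `SharedTokenClient` is a constructed stand-in with a single mutable `token` field, and `PerRequestClient` is the constructed shape of the fix (the token is an argument to every call, so nothing user-specific lives on the shared instance).

```javascript
// Constructed stand-in for a client that keeps one token per instance.
// Every request handled by the server goes through the same object.
class SharedTokenClient {
  constructor() { this.token = null; }
  setToken(token) { this.token = token; }
  // Refresh acts on whatever token is currently stored, not the caller's.
  refresh() {
    const t = this.token;
    this.token = { user: t.user, access: t.access + "-refreshed" };
    return this.token;
  }
}

// Constructed stand-in for a per-request design: the caller always passes
// its own token, so concurrent users cannot overwrite each other's state.
class PerRequestClient {
  refreshUsingToken(token) {
    return { user: token.user, access: token.access + "-refreshed" };
  }
}

// Constructed sample tokens for two unrelated users.
const USER1 = { user: "user1", access: "a1" };
const USER2 = { user: "user2", access: "a2" };

// User 1 logs in, user 2 logs in, then user 1's expired token needs a refresh.
// With the shared instance the refresh runs against user 2's token.
function sharedInstanceRefreshForUser1(user1Token, user2Token) {
  const client = new SharedTokenClient();
  client.setToken(user1Token); // user 1 login
  client.setToken(user2Token); // user 2 login overwrites the stored token
  return client.refresh();     // intended for user 1, acts on user 2
}

// Same sequence with the token passed per call: user 1's refresh uses
// user 1's token regardless of what other users did in between.
function perRequestRefreshForUser1(user1Token, user2Token) {
  const client = new PerRequestClient();
  client.refreshUsingToken(user2Token);        // unrelated user 2 activity
  return client.refreshUsingToken(user1Token); // user 1's own token
}

// Quick demonstration when run directly.
console.log("shared instance refreshed:", sharedInstanceRefreshForUser1(USER1, USER2).user);
console.log("per-request refreshed:   ", perRequestRefreshForUser1(USER1, USER2).user);
```

The same isolation can be had by creating one client instance per user (or per request) instead of one per server process; what matters is that no caller's token is reachable from another caller's code path.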