parse-community / parse-server

Parse Server for Node.js / Express
https://parseplatform.org
Apache License 2.0

Wrongly deleted sessions #6749

Closed SebC99 closed 3 years ago

SebC99 commented 4 years ago

Issue Description

We do log a big number of INVALID_SESSION_TOKEN errors for our users, appearing without any apparent logic: sessions are not expired, the user hasn't changed the password, sometimes it happens multiple times in the same day, and we can't figure out why. Is there any way for us to better detect the reason for this? Are we the only ones with this weird behavior?

I know there are multiple places in the code where Sessions are deleted (or session caches), but I can't see why it could explain that.

Any help would be appreciated :)

SebC99 commented 3 years ago

The password being sent was an issue on our side, so it has been fixed, but we still have the deleted session issues (just a bit less), and we don't have a single clue about it.

mtrezza commented 3 years ago

@SebC99 could it have something to do with expiration of 3rd party tokens? Have you observed this only with FB access token for example? Do you have any customization related to the auth adapter or access token / Parse session handling?

SebC99 commented 3 years ago

No customization on this, but I think there's room for improvement, yes: typically, as parse-server only tests the token on login, when the FB token expires you can have an active Parse user (with a valid session) but with an invalid Facebook token. So if your app uses the FB token to retrieve data (like friends, profile info or anything), Facebook will show an alert (if you use the FB SDK) whereas it's still valid for parse-server. I guess I would check FB token validity at each request on parse-server, invalidating Parse sessions when the token is expired. But it's a difficult (and another) subject.

But to answer your question, it's more often with FB access, but it is also happening with email access. What we sometimes observed with FB access is that if you are logged in with FB on the mobile app and on the web app, and you log out from the web app, it sometimes logs you out from the mobile app too. It seems to be less the case at the moment, but we never understood why. It seems like multiple sessions were deleted, but as it was hard to reproduce, it was hard to understand.
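
The question in the opening post (how to detect why a session was invalidated) and the symptoms listed in this reply (FB token expiry, logout on one device killing another device's session) are exactly what a session event log lets you tell apart. The following is an added example, not part of the original thread and not parse-server code: a small Node.js script that attributes each INVALID_SESSION_TOKEN error a client reports to the lifecycle event that best explains it. It assumes you already record session events yourself, for example logouts from an afterLogout Cloud Code trigger, password changes from your own handler (Parse Server revokes sessions on password reset by default via revokeSessionOnPasswordReset), and expiry from the session's expiresAt, in the simple shape shown. The event format, field names, cause labels and all sample data are constructed for this example.

```javascript
'use strict';

// Added example, not parse-server code. Attributes INVALID_SESSION_TOKEN
// errors to recorded session lifecycle events. Event shape is an assumption:
//   { ts, type: 'created' | 'logout' | 'password_change', token, user, expiresAt? }
// Timestamps are epoch milliseconds. All data below is constructed.

const T0 = Date.UTC(2020, 5, 1, 10, 0, 0);
const H = 3600 * 1000;

const sessionEvents = [
  { ts: T0,         type: 'created',         token: 'r:web1',   user: 'alice', expiresAt: T0 + 24 * H },
  { ts: T0,         type: 'created',         token: 'r:mob1',   user: 'alice', expiresAt: T0 + 24 * H },
  { ts: T0 + 2 * H, type: 'logout',          token: 'r:web1',   user: 'alice' },
  { ts: T0,         type: 'created',         token: 'r:bob1',   user: 'bob',   expiresAt: T0 + 1 * H },
  { ts: T0,         type: 'created',         token: 'r:carol1', user: 'carol', expiresAt: T0 + 24 * H },
  { ts: T0 + 3 * H, type: 'password_change', token: null,       user: 'carol' },
];

// Errors as the clients reported them (constructed).
const invalidSessionErrors = [
  { ts: T0 + 2 * H + 60000, token: 'r:web1',   user: 'alice' }, // web app logged itself out
  { ts: T0 + 2 * H + 90000, token: 'r:mob1',   user: 'alice' }, // mobile died right after the web logout
  { ts: T0 + 2 * H,         token: 'r:bob1',   user: 'bob' },   // past expiresAt
  { ts: T0 + 4 * H,         token: 'r:carol1', user: 'carol' }, // after a password change
  { ts: T0 + 5 * H,         token: 'r:ghost',  user: 'dave' },  // token was never issued
];

// Returns { cause, evidence }. The cause priority is a heuristic: an explicit
// event for this token wins over a user-wide event, which wins over expiry,
// which wins over the suspicious "someone else's logout" pattern.
function classifyInvalidSession(events, err) {
  const created = events.find(e => e.type === 'created' && e.token === err.token);
  if (!created) return { cause: 'never_issued', evidence: null };

  // Only events that happened during the token's lifetime can explain the error.
  const window = events.filter(
    e => e.type !== 'created' && e.ts >= created.ts && e.ts <= err.ts
  );

  const ownLogout = window.find(e => e.type === 'logout' && e.token === err.token);
  if (ownLogout) return { cause: 'logout', evidence: ownLogout };

  const pwChange = window.find(e => e.type === 'password_change' && e.user === err.user);
  if (pwChange) return { cause: 'password_change', evidence: pwChange };

  if (err.ts > created.expiresAt) return { cause: 'expired', evidence: created };

  // A logout of a *different* token of the same user shortly before the error
  // is the cross-device pattern described in the thread; flag it so it can be
  // investigated rather than lumped into "unexplained".
  const otherLogouts = window.filter(
    e => e.type === 'logout' && e.user === err.user && e.token !== err.token
  );
  if (otherLogouts.length > 0) {
    return { cause: 'logout_other_device', evidence: otherLogouts[otherLogouts.length - 1] };
  }

  return { cause: 'unexplained', evidence: null };
}

// Count errors per cause so the unexplained bucket is visible at a glance.
function summarize(events, errors) {
  const counts = {};
  for (const err of errors) {
    const { cause } = classifyInvalidSession(events, err);
    counts[cause] = (counts[cause] || 0) + 1;
  }
  return counts;
}

// Human-readable report lines, one per error.
function report(events, errors) {
  return errors.map(err => {
    const r = classifyInvalidSession(events, err);
    const when = r.evidence ? new Date(r.evidence.ts).toISOString() : '-';
    return `${err.user} ${err.token} -> ${r.cause} (evidence at ${when})`;
  });
}

console.log(report(sessionEvents, invalidSessionErrors).join('\n'));
console.log(summarize(sessionEvents, invalidSessionErrors));
```

Run it with node; everything that lands in unexplained is a candidate for the "wrongly deleted" bucket, and the logout_other_device bucket is what to watch for the web-logout-kills-mobile symptom. Feed it the real events once you record them, the sample arrays are only there to make the script run offline.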

mtrezza commented 3 years ago

I guess I would have check FB Token validity at each request on parse-server, invalidating parse sessions when the token is expired. But it's a difficult (and an other) subject.

I am not sure whether/how the parse session validity should be related to the 3rd party token validity. It would be interesting to see what's best practice.

But to answer your question, it's more often with FB access, but it is also happening with email access.

Then I'd still leave the issue open for now.

mtrezza commented 3 years ago

I'm closing this due to lack of information for further investigation.