vickychijwani / quill

:ghost: [MOVED TO https://github.com/TryGhost/Ghost-Android] The beautiful Android app for your Ghost blog.
MIT License
553 stars 84 forks

Handle unexpected token invalidation gracefully #92

Closed vickychijwani closed 8 years ago

vickychijwani commented 9 years ago

Right now we're relying on the expiration time, which is not a good idea for 2 reasons:

  1. The expiration time could change anytime in Ghost
  2. The user (or Ghost) might explicitly invalidate all tokens in an emergency / unexpected scenario.

The issue should prove simple to reproduce; there are 3 cases:

Case 1

  1. Login
  2. Open the DB and delete the access token manually
  3. Try to refresh

In this case, the refresh token can be used to renew the access token and proceed with no impact.

Case 2

  1. Login
  2. Open the DB and delete the refresh token manually
  3. Invalidate the access token by editing hasAccessTokenExpired
  4. Try to refresh

In this case, the password can be used to generate a new token pair and proceed with no impact.

Case 3

  1. Login
  2. Open the DB and delete the access and refresh tokens
  3. Try to refresh

In this case, the password can be used to generate a new token pair and proceed with no impact.
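Added illustrative example (not Quill's or Ghost's own code): a constructed stand-in for a Ghost-style token endpoint plus a client whose refresh path walks the three cases above, treating any 401 as invalidation instead of trusting the expiry time. `FakeAuthServer`, `Client` and the credentials are all constructed for illustration.

```python
import secrets

class FakeAuthServer:
    """Constructed stand-in for a token endpoint with password and refresh_token grants."""
    def __init__(self, username, password):
        self._creds = (username, password)
        self.access = set()   # access tokens the server still honours
        self.refresh = set()  # refresh tokens the server still honours
    def _issue(self):
        access, refresh = secrets.token_hex(8), secrets.token_hex(8)
        self.access.add(access)
        self.refresh.add(refresh)
        return access, refresh
    def grant_password(self, username, password):
        if (username, password) != self._creds:
            raise PermissionError("invalid credentials")
        return self._issue()
    def grant_refresh(self, refresh_token):
        if refresh_token not in self.refresh:
            raise PermissionError("invalid refresh token")
        return self._issue()
    def revoke_all(self):  # emergency invalidation of every token, whatever its expiry time
        self.access.clear(); self.refresh.clear()
    def api_call(self, access_token):
        if access_token not in self.access:
            raise PermissionError("401 Unauthorized")
        return "ok"

class Client:
    """Client that treats any 401 as token invalidation, not just the stored expiry time."""
    def __init__(self, server, username, password):
        self.server, self.username, self.password = server, username, password
        self.access, self.refresh = server.grant_password(username, password)
    def reauthenticate(self):
        """Cases 1-3 of the issue: try the refresh token first, fall back to the password grant."""
        try:
            self.access, self.refresh = self.server.grant_refresh(self.refresh)
            return "refresh_token"
        except PermissionError:
            self.access, self.refresh = self.server.grant_password(self.username, self.password)
            return "password"
    def call(self):
        """Returns (result, how_reauthenticated); retries exactly once after a 401."""
        try:
            return self.server.api_call(self.access), None
        except PermissionError:
            how = self.reauthenticate()
            return self.server.api_call(self.access), how
```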