zhughes3 / kruonis

A timeline platform.
https://timelines.dev

Handling expired access token #20

Open zhughes3 opened 4 years ago

zhughes3 commented 4 years ago

Scenario:

I am on the homepage as a signed-in user. I step away from my computer and come back.

At this point, I try to create a timeline. Currently, the backend parses the JWT access token, realizes that the token is expired and returns a 400 Bad Request.

Potential solutions:

  1. Frontend fields the 400 Bad Request and sends a POST request to the Refresh endpoint, gets a new access token and signals to the user with a status message to retry.
  2. Before sending the 400 Bad Request, backend uses the existing refresh token to try to get a new access token. If the refresh token isn't expired, set the new cookies with the new access token and allow the request to go through with the new cookies set.
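
A runnable model of solution 2, added here as an illustration; it is not code from the kruonis project, and the language (Python), the HS256 signing helpers, the cookie names `access`/`refresh`, the token lifetimes and the `session_refreshed` flag are all assumptions made for the example. It shows the three outcomes the backend has to distinguish: valid access token, expired access token with a still-valid refresh token (mint a new access token, set the cookie, let the request proceed, and tell the frontend a refresh happened), and everything else (the 400 the issue describes). Two details a practitioner would want are included: the signature is checked before the `exp` claim is trusted, and each token carries a `typ` claim and is signed with its own key so a refresh token cannot be presented as an access token.

```python
"""Added example (not the kruonis project's own code): a minimal model of
"solution 2" from the issue. Names, keys, lifetimes and cookie layout are
assumptions made for this illustration."""
import base64
import hashlib
import hmac
import json

# Constructed demo keys; a real deployment loads these from secrets storage.
ACCESS_KEY = b"demo-access-signing-key"
REFRESH_KEY = b"demo-refresh-signing-key"
ACCESS_TTL = 15 * 60          # seconds an access token stays valid (assumption)
REFRESH_TTL = 7 * 24 * 3600   # seconds a refresh token stays valid (assumption)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify(token: str, key: bytes, expected_typ: str, now: float) -> tuple:
    """Return (status, claims); status is 'ok', 'expired' or 'invalid'.
    The signature is checked before any claim is trusted, and the token's
    'typ' claim must match so a refresh token cannot pose as an access token."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return "invalid", None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return "invalid", None
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:
        return "invalid", None
    if claims.get("typ") != expected_typ:
        return "invalid", None
    if claims.get("exp", 0) <= now:
        return "expired", claims
    return "ok", claims


def issue_session(user: str, now: float) -> dict:
    """Cookies handed out at login: a short-lived access token and a
    longer-lived refresh token, each signed with its own key."""
    return {
        "access": mint({"sub": user, "typ": "access", "exp": now + ACCESS_TTL}, ACCESS_KEY),
        "refresh": mint({"sub": user, "typ": "refresh", "exp": now + REFRESH_TTL}, REFRESH_KEY),
    }


def handle_request(cookies: dict, now: float) -> dict:
    """Backend path for a signed-in request, modelling solution 2:
    - valid access token: proceed as that user;
    - expired access token + valid refresh token for the same user: mint a
      new access token, return it in set_cookies, proceed, and flag
      session_refreshed so the frontend can tell the user what happened;
    - anything else: reject with the 400 the issue describes, no refresh."""
    status, claims = verify(cookies.get("access", ""), ACCESS_KEY, "access", now)
    if status == "ok":
        return {"status": 200, "user": claims["sub"], "set_cookies": {}, "session_refreshed": False}
    if status == "expired":
        rstatus, rclaims = verify(cookies.get("refresh", ""), REFRESH_KEY, "refresh", now)
        if rstatus == "ok" and rclaims["sub"] == claims["sub"]:
            new_access = mint({"sub": rclaims["sub"], "typ": "access", "exp": now + ACCESS_TTL}, ACCESS_KEY)
            return {"status": 200, "user": rclaims["sub"],
                    "set_cookies": {"access": new_access}, "session_refreshed": True}
    return {"status": 400, "user": None, "set_cookies": {}, "session_refreshed": False}


if __name__ == "__main__":
    t0 = 1_700_000_000.0                       # constructed login time
    session = issue_session("alice", t0)
    print(handle_request(session, t0 + 60)["status"])                 # fresh access token
    print(handle_request(session, t0 + ACCESS_TTL + 60))              # refreshed transparently
    print(handle_request(session, t0 + REFRESH_TTL + 60)["status"])   # both expired
```

The `session_refreshed` flag is what lets solution 2 still address the concern about signalling: the request succeeds, but the frontend can show a status message rather than silently continuing. Rejecting a refresh whose `sub` differs from the expired access token's keeps a stale cookie pair from being mixed across accounts.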
zhughes3 commented 4 years ago

Ok, I have something that looks like solution 2 implemented on my local computer. The problem is:

In both cases, it's hard to truly know what the intent of the user is. Does the user want to create a timeline as an anonymous user or a logged-in user? Regardless of the situation above, they will be able to click "Create Timeline" and continue after the 400 Bad Request. So regardless, I think we need to signal to the user what's going on...

We should talk about this more.