# help
s
Hey guys, we just deployed an app and a lot of our users are experiencing issues where their tokens aren't being refreshed correctly, being timed out while actively using the app and they start receiving 401s until they refresh and log in again. Has anyone experienced anything like this?
🆕 refresh token issue
s
Trying to force it locally by setting the refresh time to an extremely short interval, but I've only recreated this issue once successfully and it was a 524 issue from supabase when the token tried to refresh (which the internet tells me is a cloudflare response when a server doesn't respond on time), which then caused the token to expire because it couldn't refresh in time.
g
You might want to post an issue on github with what you know. Are you using auth-helpers? That has an issue with using the app on the client and token refresh is turned off. There is also an issue I've been looking at with mobile devices. https://github.com/supabase/supabase/issues/6464 https://github.com/supabase-community/supabase-auth-helpers/pull/78 There is active work going on with gotrue.js and token refresh.
s
We're not using auth-helpers, our project is Angular and we're able to use just base supabase stuff. It's weird because most of the time refreshing works fine for most people, but some people were being kicked out pretty much every time the token was supposed to refresh. I'm not sure if they were on mobile or not, it's possible.
g
Basically the big issue is that if gotrue.js tries the refresh and it does not work for any reason, it does not retry. Also if the timer gets shut off when the tab is asleep (even for just a minute) or from closing the device and coming back, it won't get refreshed. It is not a length of time, but when it occurs that matters. For the time being, IMO, you have to check for it, or handle the error, and deal with the refresh.
Also if your app security is a casual thing (versus banking records kind of thing) you might turn your jwt expire time up to a day instead of an hour until you get resolution on the issue.
s
I did consider this as a work around. How do you refresh the token if gotrue fails to?
g
It really depends on if you know the cause of failure. In my issue I showed a workaround just for the sleeping issue with a JavaScript visibility handler. I also showed a more robust workaround with a "shell" around any supabase database call needing a token that checks if the token is about to expire and if so refreshes thru gotrue, then does the operation. Both with minimal testing though. You could also just catch the token error on your db calls as it comes back saying that is the reason, refresh thru gotrue, then reissue the call. None of these (except maybe the vis handler) are minor though and I've only done testing in a limited test at the moment. I'm not in production, so sort of hoping SB solves it so I don't have to...
s
Ah, gotcha, thanks!