fix: prevent race condition in unauthorized handler

adfinis · Apr 20, 2023 · dd4e63c · dd4e63c
1 parent b7994b5
commit dd4e63c
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/addon/unauthorized.js b/addon/unauthorized.js
@@ -1,5 +1,5 @@
 import { getOwner } from "@ember/application";
-import { next } from "@ember/runloop";
+import { later } from "@ember/runloop";
 import { isTesting, macroCondition } from "@embroider/macros";
 
 import { getConfig } from "ember-simple-auth-oidc/config";
@@ -15,13 +15,13 @@ export default function handleUnauthorized(session) {
   if (macroCondition(isTesting())) {
     // don't redirect in tests
   } else {
-    // defer the redirect, so the first unauthenticated request can trigger
-    // the redirect to the login page before another request will intercept
-    // the process and a race condition would start.
-    next(() => {
+    // Defer the redirect, so we can collect all unauthorized requests and trigger a final
+    // redirect. We don't want to interrupt calls to the authorization endpoint nor create race
+    // conditions when multiple requests land in this unauthorized handler.
+    later(() => {
       location.replace(
         getAbsoluteUrl(getConfig(getOwner(session)).afterLogoutUri || "")
       );
-    });
+    }, 1000);
   }
 }