[PM-11476] Prevent parallel refreshToken calls #10799
Conversation
Thank you for your contribution! We've added this to our internal Community PR board for review.
Any feedback?
Thanks @Timshel for the fix! Is there anything contributors can do to get a faster review/feedback on this PR?
Anything new?
Hello! Thank you for your contribution. The team will be taking this into review soon, and we'll be able to perform a full assessment at that time and provide feedback on any required changes.
Any news?
@trmartin4 do you have a schedule for this PR review?
@Timshel thank you for checking in. We have pulled this into our next sprint for review, so it should be soon. Thank you for your patience. We realize that this has been open for a while, but the team has had to balance a lot of different priorities in the interim.
No issues foreseen with this code change. Tested locally the refresh token and the flow seems fine and nonbreaking.
Handing this off to our QA team to finish the review process.
Just passed through QA with all ✅ Thank you so much for taking the time to contribute. This should be rolled into our next release.
Great 😍! Thanks @Timshel
@Patrick-Pimentel-Bitwarden thank you :)
📔 Objective
The goal of this PR is to prevent the clients from making parallel refresh token calls.
This can introduce issues if the provider is rolling the refresh token and invalidating the old ones after use.
This is simply done by keeping the Promise of the current refresh call as long as it's not finished and returning it again if another call is made.
Since I'm working with Vaultwarden I'm unsure how pertinent it is with the official server, but I believe it might make sense since it's probably way easier to handle in the client and not in the server.
The first time I encountered the issue was with a refresh token validity set to 5 min or less (which the client then considers expired), which then triggers a flood of refresh calls which might result in invalidating the user session.
More recently someone had the issue with the browser extension and Authentik not liking receiving the same refresh_token twice.
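The objective above, as an added TypeScript illustration that is not the PR's own change nor Bitwarden's code: a refresher that keeps the in-flight Promise and hands it to every concurrent caller, exercised against a constructed provider that rotates refresh tokens and rejects reuse. `TokenRefresher`, `rotatingProvider` and the transport type are assumed names.

```typescript
// Added example, not Bitwarden's code: collapse concurrent refresh-token calls
// into one in-flight request, so a provider that rotates refresh tokens and
// rejects reuse never receives the same token twice.
type Tokens = { accessToken: string; refreshToken: string };
// Hypothetical transport; a real client would POST to the identity endpoint.
type RefreshTransport = (refreshToken: string) => Promise<Tokens>;

class TokenRefresher {
  private inFlight: Promise<Tokens> | null = null;
  private refreshCalls = 0; // network refreshes actually issued
  constructor(private tokens: Tokens, private transport: RefreshTransport) {}
  get callCount(): number { return this.refreshCalls; }

  // Callers arriving while a refresh is running get the same Promise back.
  refresh(): Promise<Tokens> {
    if (this.inFlight === null) this.inFlight = this.doRefresh();
    return this.inFlight;
  }

  private async doRefresh(): Promise<Tokens> {
    this.refreshCalls++;
    try {
      const next = await this.transport(this.tokens.refreshToken);
      this.tokens = next;
      return next;
    } finally {
      this.inFlight = null; // release the slot on success and on failure alike
    }
  }
}

// Constructed fake provider: rotates the refresh token and rejects any reuse.
function rotatingProvider(): RefreshTransport {
  const used = new Set<string>();
  let n = 0;
  return async (refreshToken) => {
    if (used.has(refreshToken)) throw new Error("refresh token already used");
    used.add(refreshToken);
    n += 1;
    return { accessToken: `access-${n}`, refreshToken: `refresh-${n}` };
  };
}

// Three callers refresh at once, then one more after the first completes.
async function demo(): Promise<{ calls: number; shared: boolean; token: string }> {
  const r = new TokenRefresher({ accessToken: "access-0", refreshToken: "refresh-0" }, rotatingProvider());
  const [p1, p2, p3] = [r.refresh(), r.refresh(), r.refresh()];
  await Promise.all([p1, p2, p3]); // without the dedup, p2 and p3 would be rejected
  const later = await r.refresh();  // slot is free again, so this is a fresh request
  return { calls: r.callCount, shared: p1 === p2 && p2 === p3, token: later.refreshToken };
}
```

Releasing the slot in `finally` matters: if the refresh fails and the Promise stayed cached, every later caller would keep receiving the same rejection until restart.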