
A few refreshes after login gives me a blank access token and expiry, logging me out #1147

Closed
djvs opened this issue Apr 19, 2018 · 15 comments

@djvs

djvs commented Apr 19, 2018

When posting issues, please include the following information to speed up the troubleshooting process:

Using redux-token-auth which autorefreshes the token on validateCredentials. Seems to mostly work fine until an invalid response.

  • Request and response headers: these can be found in the "Network" tab of your browser's web inspector.

First one:

Request URL:http://localhost:3000/api/auth/validate_token?access-token=JP7aoQJ0JCy50ksfdsF42Q&client=A72aCNAduLuSDjx0rGTVTA&[email protected]
Request Method:GET
Status Code:200 OK
Remote Address:127.0.0.1:3000
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
access-token:Hlc_RCopM1QX9a0NWegU3A
Cache-Control:max-age=0, private, must-revalidate
client:A72aCNAduLuSDjx0rGTVTA
Content-Type:application/json; charset=utf-8
ETag:W/"93ce4582abd43b223155086735015a04"
expiry:1525370698

Second one:

Request URL:http://localhost:3000/api/auth/validate_token?access-token=Hlc_RCopM1QX9a0NWegU3A&client=A72aCNAduLuSDjx0rGTVTA&[email protected]
Request Method:GET
Status Code:200 OK
Remote Address:127.0.0.1:3000
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
access-token:
Cache-Control:max-age=0, private, must-revalidate
client:A72aCNAduLuSDjx0rGTVTA
Content-Type:application/json; charset=utf-8
ETag:W/"93ce4582abd43b223155086735015a04"
expiry:

  • Rails Stacktrace: this can be found in the log/development.log of your API.

n/a

  • Environmental Info: How is your application different from the reference implementation? This may include (but is not limited to) the following details:
    • Routes: are you using some crazy namespace, scope, or constraint?

No

  • Gems: are you using MongoDB, Grape, RailsApi, ActiveAdmin, etc.?

Nothing unusual

n/a

@djvs
Author

djvs commented Apr 19, 2018

Additionally, manually verifying the token and client shows it's valid:

irb(main):005:0> @resource = User.first
  User Load (0.4ms)  SELECT  "users".* FROM "users" ORDER BY "users"."id" ASC LIMIT $1  [["LIMIT", 1]]
=> #<User id: 1, provider: "email", uid: "[email protected]", allow_password_change: false, name: nil, nickname: nil, image: nil, email: "[email protected]", created_at: "2018-04-18 15:26:05", updated_at: "2018-04-19 18:17:55">
irb(main):006:0> token = 'rlPSr55yIXRx_53BqweWCA'
=> "rlPSr55yIXRx_53BqweWCA"
irb(main):007:0> client = '0j3S5XUk5j4AX347cmJYgQ'
=> "0j3S5XUk5j4AX347cmJYgQ"
irb(main):008:0> @resource.valid_token?(token, client)
=> true

Request URL:http://localhost:3000/api/auth/validate_token?access-token=rlPSr55yIXRx_53BqweWCA&client=0j3S5XUk5j4AX347cmJYgQ&[email protected]
Request Method:GET
Status Code:200 OK
Remote Address:127.0.0.1:3000
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
access-token:
Cache-Control:max-age=0, private, must-revalidate
client:0j3S5XUk5j4AX347cmJYgQ
Content-Type:application/json; charset=utf-8
ETag:W/"93ce4582abd43b223155086735015a04"
expiry:
[.....]

@djvs
Author

djvs commented Apr 19, 2018

Also, if I change the initializer as so:

  config.change_headers_on_each_request = false

I no longer get the issue (at the cost of stopping token refreshes).

@krzysiek1507
Contributor

Hi @djvs It is connected to #703 (comment)

@lightninglu10

@djvs we're getting the same issue, but changing the initializer doesn't help us.

@krzysiek1507 any ETA on a fix? this package is pretty much busted until this is fixed.

@krzysiek1507
Contributor

@lightninglu10 I have no idea. I'm not a maintainer of the gem.

@djvs
Author

djvs commented May 8, 2018

@lightninglu10 I didn't have time to go in-depth so I just added a 1 second delay on all page loads before rendering the stuff inside the router, it seems to have done the trick

@lightninglu10

Actually @djvs we set the initializer in the wrong place, that does actually help. No more refresh token but at least users aren't erroneously logged out!

@ludazhao

ludazhao commented May 9, 2018

Seeing this issue as well!

@lightninglu10

hey @ludazhao , in config/initializers/devise_token_auth.rb just stick

  config.change_headers_on_each_request = false

I think you won't be able to get the refresh token so after 2 weeks or however long your auth session lasts for your user will be logged out, but at least they'll be logged in for 2 weeks.

@LeoGardel

A blank access-token means that the token has not changed. You can still send the same token at the next request. That's all.

If it is logging you out, that's something that you should fix in your frontend, which should consider that you can still consider your last token as the current one.
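
The frontend-side handling described in the comment above, as an added example that is not code from the devise_token_auth or redux-token-auth projects: a merge step that treats a blank access-token or expiry header as "token unchanged" and keeps the previously stored value, shown next to the naive overwrite that produces the logout. The header names are the ones devise_token_auth returns; the credential values and the three-response sequence are constructed to mirror the headers pasted in the issue, and the uid is a placeholder.

```javascript
// Added example: merging devise_token_auth response headers into stored credentials.
const AUTH_HEADERS = ['access-token', 'client', 'expiry', 'uid', 'token-type'];

// Correct behaviour: a header that is absent or blank leaves the stored value alone,
// so a batched request (or change_headers_on_each_request = false) never logs the user out.
function mergeAuthHeaders(stored, responseHeaders) {
  const next = { ...stored };
  for (const name of AUTH_HEADERS) {
    const value = responseHeaders[name];
    if (value !== undefined && value !== null && String(value).trim() !== '') {
      next[name] = String(value);
    }
  }
  return next;
}

// Buggy behaviour for comparison: copy every header verbatim, so a blank
// access-token wipes the stored token and the client thinks it is logged out.
function overwriteAuthHeaders(stored, responseHeaders) {
  const next = { ...stored };
  for (const name of AUTH_HEADERS) {
    if (name in responseHeaders) next[name] = responseHeaders[name];
  }
  return next;
}

// A client is "logged in" only if it still holds the three headers it must send back.
function isLoggedIn(creds) {
  return Boolean(creds['access-token'] && creds['client'] && creds['uid']);
}

// Replay a sequence of response header sets through a merge strategy.
function replay(merge, initial, responses) {
  return responses.reduce((creds, headers) => merge(creds, headers), initial);
}

// Constructed credentials and responses (uid is a placeholder): the first
// validate_token response rotates the token, the next two fall inside the
// batch window and come back with blank access-token and expiry.
const INITIAL_CREDS = {
  'access-token': 'JP7aoQJ0JCy50ksfdsF42Q',
  client: 'A72aCNAduLuSDjx0rGTVTA',
  expiry: '1525000000',
  uid: 'user@example.com',
};

const SAMPLE_RESPONSES = [
  { 'access-token': 'Hlc_RCopM1QX9a0NWegU3A', client: 'A72aCNAduLuSDjx0rGTVTA', expiry: '1525370698', uid: 'user@example.com' },
  { 'access-token': '', client: 'A72aCNAduLuSDjx0rGTVTA', expiry: '', uid: 'user@example.com' },
  { 'access-token': '', client: 'A72aCNAduLuSDjx0rGTVTA', expiry: '', uid: 'user@example.com' },
];

// Usage: the merging client keeps the rotated token; the overwriting client ends up blank.
const merged = replay(mergeAuthHeaders, INITIAL_CREDS, SAMPLE_RESPONSES);
const clobbered = replay(overwriteAuthHeaders, INITIAL_CREDS, SAMPLE_RESPONSES);
console.log(isLoggedIn(merged), isLoggedIn(clobbered));
```

The same merge logic covers the `change_headers_on_each_request = false` workaround mentioned earlier in the thread: in that mode the server simply never sends a non-blank access-token after login, so the stored one is kept until it expires.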

@lightninglu10

Oh wow, that's the case? There's no docs about that anywhere. Are you using this gem as such @LeoGardel ?

@MaicolBen
Collaborator

"and the subsequent requests in the batch will not return a token." That's said in https://devise-token-auth.gitbook.io/devise-token-auth/conceptual

But should we set the change_headers_on_each_request default to false? Because it's causing more trouble and confusion when enabled.

@jeremylynch

I just spent a whole day debugging this issue. It would be great to add this to the docs.

ArtefactGitHub added a commit to ArtefactGitHub/Re_P_WebMonster that referenced this issue Apr 6, 2019
devise_token_auth sometimes returns an empty access token
lynndylanhurley/devise_token_auth#1147

As the solution, as stated in the comment, I think we should account for the token being empty rather than setting change_headers_on_each_request to false.
lynndylanhurley/devise_token_auth#1147 (comment)

Since the PR that addresses this on the redux-token-auth side has not been merged, I decided to pull in the PR author's branch.
kylecorbelli/redux-token-auth#52
https://github.com/zopelee/redux-token-auth

@K-Sato1995
Contributor

K-Sato1995 commented Nov 20, 2019

Spent a decent amount of time debugging this as well. It should be added to the doc.

@ziaulrehman40

So we have a PR up on redux-token-auth, as this is their issue 🤷🏼‍♂️, stale now: kylecorbelli/redux-token-auth#52
