Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not try to auto refresh a token on a revoked user #4747

Merged
merged 3 commits into from
Jun 16, 2021
Merged

Do not try to auto refresh a token on a revoked user #4747

merged 3 commits into from
Jun 16, 2021

Conversation

ironage
Copy link
Contributor

@ironage ironage commented Jun 8, 2021

Fixes #4745

The auto refresh would recursively try to refresh the token every 10 seconds which would loop endlessly on a user who had been revoked by an admin. Eventually this would have caused a stack overflow.

☑️ ToDos

  • 📝 Changelog update
  • 🚦 Tests (or not relevant)

@ironage ironage requested review from jbreams and fealebenpae June 8, 2021 18:54
@ironage ironage self-assigned this Jun 8, 2021
nirinchev
nirinchev reviewed Jun 8, 2021
View reviewed changes
src/realm/object-store/sync/sync_session.cpp Outdated Show resolved Hide resolved
src/realm/object-store/sync/sync_session.cpp Outdated
if (session->m_config.error_handler) {
auto user_facing_error = SyncError(
realm::sync::ProtocolError::permission_denied,
"Unable to refresh the user access token; has this user been disabled by an admin?", true);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the error message is a bit misleading here - the UI for revoking sessions is just that - it revokes all refresh tokens for that user but doesn't disable the user. So if they reauthenticate with their credentials, they should be able to obtain a new valid refresh token and restart sync.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out I was actually testing the disable feature and not the revoke feature, but I've updated the tests to include revoke as well which as you pointed out is different from disabling a user because logging in again will issue a new refresh token. I've also updated the message emitted here.

jbreams
jbreams approved these changes Jun 8, 2021
View reviewed changes
Copy link
Contributor

@jbreams jbreams left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @nirinchev's comments, but otherwise LGTM!

Love that the admin API stuff is getting more broadly used and that there's a real integration test.

@ironage ironage requested a review from nirinchev June 10, 2021 00:18
@ironage ironage force-pushed the js/handle-refresh-failure branch from 53b6393 to 1224637 Compare June 16, 2021 18:21
@ironage ironage merged commit 56570dd into master Jun 16, 2021
@ironage ironage deleted the js/handle-refresh-failure branch June 16, 2021 21:41
@nirinchev nirinchev mentioned this pull request Jun 24, 2021
Closed
1 task
@cmelchior cmelchior mentioned this pull request Jun 25, 2021
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 22, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jbreams jbreams jbreams approved these changes

@fealebenpae fealebenpae Awaiting requested review from fealebenpae

@nirinchev nirinchev Awaiting requested review from nirinchev

Assignees

@ironage ironage

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Handle error 401 Unauthorized
3 participants
@ironage @jbreams @nirinchev