Merge pull request #250 from leancodepl/fix/login-manager-concurrent-token-fix

fix: fix usage of stale token in login manager

Author: kumalg

packages/login-manager/__tests__/test.spec.ts

@@ -102,6 +102,50 @@ describe("LoginManager", () => {
       expect(globalThis.fetch).toHaveBeenCalledTimes(1)
     })
 
+    it("should not refresh again if token was already refreshed by another tab", async () => {
+      const manager1 = new SyncLoginManager(storage, "https://api.example.com", undefined, "client1", "openid")
+      const manager2 = new SyncLoginManager(storage, "https://api.example.com", undefined, "client1", "openid")
+
+      await manager1.tryRefreshToken()
+      expect(globalThis.fetch).toHaveBeenCalledTimes(1)
+
+      const result = await manager2.tryRefreshToken()
+      expect(result).toBe(true)
+      expect(globalThis.fetch).toHaveBeenCalledTimes(1)
+    })
+
+    it("should re-read token from storage inside lock to avoid using stale refresh token", async () => {
+      let fetchCallCount = 0
+      globalThis.fetch = vi.fn(() => {
+        fetchCallCount++
+        if (fetchCallCount === 1) {
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: () =>
+              Promise.resolve({
+                access_token: "new_access_token",
+                refresh_token: "new_refresh_token",
+                expires_in: 3600,
+              }),
+          } as Response)
+        }
+        return Promise.resolve({
+          ok: false,
+          status: 400,
+        } as Response)
+      })
+
+      const manager1 = new SyncLoginManager(storage, "https://api.example.com", undefined, "client1", "openid")
+      const manager2 = new SyncLoginManager(storage, "https://api.example.com", undefined, "client1", "openid")
+
+      await manager1.tryRefreshToken()
+
+      const result = await manager2.tryRefreshToken()
+      expect(result).toBe(true)
+      expect(globalThis.fetch).toHaveBeenCalledTimes(1)
+    })
+
     it("should handle failed refresh", async () => {
       globalThis.fetch = vi.fn(() =>
         Promise.resolve({

packages/login-manager/src/lib/baseLoginManager.ts

@@ -114,6 +114,14 @@ export abstract class BaseLoginManager<TStorage extends TokenStorage> {
         return await this.waitForLockRelease()
       }
 
+      if (token === null) {
+        return false
+      }
+
+      if (token.expirationDate >= new Date()) {
+        return true
+      }
+
       try {
         const result = await this.acquireToken(this.buildRefreshRequest(token))
         return result.type === "success"
@@ -124,7 +132,7 @@ export abstract class BaseLoginManager<TStorage extends TokenStorage> {
   }
 
   private async waitForLockRelease(): Promise<boolean> {
-    return await navigator.locks.request(refreshLockKey, async () => {
+    return await navigator.locks.request(refreshLockKey, { mode: "shared" }, async () => {
       const currentToken = await this.storage.getToken()
       return currentToken !== null
     })

tsconfig.json

@@ -101,6 +101,9 @@
     },
     {
       "path": "./packages/logger"
+    },
+    {
+      "path": "./packages/nx-plugins"
     }
   ]
 }