[Bug] Access-token not refreshed correctly
Closed this issue · 7 comments
Is there an existing issue for this?
- Yes, I have searched the existing issues and none of them match my problem.
Product Variant
Cloud (https://rxresu.me)
Current Behavior
It seems to me that the access-token used to access the API is not refreshed correctly. After working with the application for some time (lifetime of access-token - 15mins), there may come a point where I am editing a resume and the underlying PATCH call runs into a 401, which is not even noticeable in the UI. This led to me thinking everything was fine, but actually all my edits went into the void.
Only if you refresh the page will you notice that you have been kicked out.
I have inspected a failed PATCH request (/api/resume/...) and saw that a cookie "Refresh" is being sent, containing a valid refresh-token with plenty of lifetime left.
On authenticated requests, you are sending both the access-token (cookie "Authentication") and the refresh-token.
Expected Behavior
I would expect the application to properly use the currently valid refresh-token to get new access-tokens when they expire, so that I am not kicked out of the application after 15mins.
Steps To Reproduce
- Log into the app.
- Wait lifetime of access-token (15mins).
- Edit resume -> no errors noticeable in the UI, but resume is not saved.
- Refresh page -> you are kicked out.
What browsers are you seeing the problem on?
Firefox
What template are you using?
None
Anything else?
No response
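The behaviour this report expects (refresh on a 401, replay the request once, and tell the user when the session really is gone) sketched as an added example; it is not code from Reactive-Resume or its `axios.ts`. `createAuthClient`, `transport`, `SessionExpiredError`, the `/refresh` path and the in-memory backend are all hypothetical names constructed for the illustration.

```javascript
// Added example, not Reactive-Resume code; every name below is hypothetical.
class SessionExpiredError extends Error {
  constructor() {
    super("Session expired: your changes were not saved. Please sign in again.");
    this.name = "SessionExpiredError";
  }
}

// transport(req) resolves to { status }; cookies ride along as in the browser.
function createAuthClient(transport, { refreshPath, onSessionExpired }) {
  let refreshing = null; // single in-flight refresh shared by concurrent 401s
  const refreshOnce = () => {
    if (!refreshing) {
      refreshing = transport({ method: "POST", url: refreshPath })
        .then((res) => {
          if (res.status >= 400) throw new SessionExpiredError();
        })
        .finally(() => { refreshing = null; });
    }
    return refreshing;
  };

  // Surface the failure instead of letting a 401 vanish behind the UI.
  const fail = (err) => { onSessionExpired(err); throw err; };

  return async function request(req) {
    const first = await transport(req);
    if (first.status !== 401) return first;
    await refreshOnce().catch(fail);
    const retry = await transport(req); // replay the original call exactly once
    return retry.status === 401 ? fail(new SessionExpiredError()) : retry;
  };
}

// Constructed in-memory backend: the access token is already expired at start.
function makeFakeBackend({ refreshValid }) {
  const state = { accessValid: false, refreshCalls: 0, saved: [] };
  const transport = async (req) => {
    if (req.url === "/refresh") { // constructed path, not the project's route
      state.refreshCalls += 1;
      state.accessValid = refreshValid;
      return { status: refreshValid ? 200 : 401 };
    }
    if (!state.accessValid) return { status: 401 };
    state.saved.push(req.body);
    return { status: 200 };
  };
  return { state, transport };
}
```

The shared `refreshing` promise matters when several autosave calls hit the expiry at once: they all wait on one refresh instead of each presenting the same refresh-token.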
Been having the same issue with both Firefox and Edge. After the inactivity period edits don't commit and if you click home it takes you to the main page thinking you're still logged in but without showing any saved resumes. You need to re-login to restore functionality.
There is no indication of this error besides saves not committing and the home page no longer displaying resumes. Even clicking settings acts normally with populated data.
This is using the rxresu.me site; I haven't tested self-hosted.
Same issue on self-hosted running v4.1.0, no issue when rolled back to v4.0.9, don't know about v4.0.12 since I'm unable to build the docker image. Looks like an issue on the latest version only.
Oh, that really is unfortunate, although I don't remember messing around with any of the auth related code in the last update. And as far as I see it, I am handling the refresh token correctly on both the server and client.
See: apps/client/src/libs/axios.ts
If anyone has some screenshots of the network requests, the payloads of the reqs that didn't go through, that would be really helpful in debugging this.
I am facing the same issue. After making a lot of edits I realised that they were not saved. There is no visible cue that I was logged out.
This issue should be resolved as of this release https://github.com/AmruthPillai/Reactive-Resume/releases/tag/v4.1.2.
Thank you, I appreciate this project a lot and constantly share it with others!