freqtrade/frequi

Bots disappear from UI after x time

gaugau3000 opened this issue · 3 comments

Hi,

After x time, some of my bots disappear (like 2-3 out of 10 running) from frequi and I have to re-add them. Is there any timeout associated, or one I can configure (I have not seen anything special in the local storage fields)?

PS: I don't delete anything in my browser cache that would make this behaviour expected.

I am on Chrome version 107.0.5304.110 on Linux and V 0.4.6 and frequi.

Many thanks.

Have a nice day.

The most likely reason is the refresh token timeout - which is set to 30 days for security reasons - which effectively requires a re-login after 30 days (this is set in the bot backend, and can't be configured).

If you're sure the bots have been added more recently than 30 days ago (and you made no time-jumps with your system, or adjusted time settings by more than a few hours) - we'll need the browser console output from the time the bots disappeared (they'll be removed when you open the page - opening the browser tools BEFORE a page refresh should still contain the output).

Hi,

Many thanks for the response. It seems the reason here is the 30-day refresh token timeout. When you say it can't be configured, do you mean it is hard-coded in a library or something?

I am not familiar with auth, but when a token is about to expire, the client should ask the server/API for a new one (if the token is stolen, he doesn't have access to the app for a long time)?

When you have many bots that were not added at the same time, if one disappears from the UI you can just forget it is still running, as it is no longer in the UI, which can lead to some kinds of surprises :-)

See you.

> I am not familiar with auth, but when a token is about to expire, the client should ask the server/API for a new one (if the token is stolen, he doesn't have access to the app for a long time)?

That's correct - and that's how the regular access token works.
It expires every 15 minutes, and will be refreshed based on a refresh token, which is valid for a longer period of time (and is only valid to get a new access token).

Now this refresh token has an expiry too - which is 30 days.
Changing this timeout to something longer is problematic to some degree. Technically - it's credentials stored in the browser - which would grant everyone with this token access for 30 days. Neither the spec, nor any security recommendation will tell you to have this valid forever.

I guess we can change behavior here slightly to log the user out - but keep the bot in the UI (so it's there, but no longer working) - so it'll simply re-require the password - but changing the timeout is something I don't see.
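
Added example, not part of the original thread and not freqtrade or frequi code: a stdlib-only Python model of the token lifecycle discussed above (15-minute access token, 30-day refresh token that is only valid for getting a new access token), with a client that keeps the bot entry and marks it logged out once the refresh token has expired. The HMAC token format, the signing secret and all function and class names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"   # placeholder signing key (assumption)
ACCESS_TTL = 15 * 60                  # 15 minutes, as stated in the thread
REFRESH_TTL = 30 * 24 * 3600          # 30 days, as stated in the thread

def issue(kind, now):
    """Server side: return a signed token of type 'access' or 'refresh'."""
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    claims = json.dumps({"type": kind, "exp": now + ttl}).encode()
    body = base64.urlsafe_b64encode(claims)
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + sig

def verify(token, kind, now):
    """True only if signature, token type and expiry all check out."""
    body, _, sig = token.partition(b".")
    good = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, good):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["type"] == kind and now < claims["exp"]

def refresh(refresh_token, now):
    """Server side: trade a valid refresh token for a new access token."""
    return issue("access", now) if verify(refresh_token, "refresh", now) else None

class BotEntry:
    """Client side: one bot in the UI list (hypothetical model)."""
    def __init__(self, name, now):
        self.name, self.logged_in = name, True
        self.access = issue("access", now)
        self.refresh_tok = issue("refresh", now)

    def call_api(self, now):
        """Return True if a request at time `now` would be authorised."""
        if not verify(self.access, "access", now):
            new = refresh(self.refresh_tok, now)
            if new is None:
                # Refresh token expired: keep the entry, require the password again.
                self.logged_in = False
                return False
            self.access = new
        return True
```

Times are plain integers in seconds so that the 15-minute and 30-day boundaries can be exercised without waiting.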