Credentials expiry is broken
KlausVii opened this issue · 3 comments
Description
When using ClientCredentials for auth, the token is not cached properly because the expires_in amount is treated as milliseconds instead of seconds.
Version of SDK
0.2.6
Version of OpenFGA (if known)
N/A
Reproduction
Run the client with ClientCredentials enabled and observe how many requests are made to your auth token service.
The issue is [here](https://github.com/openfga/js-sdk/blob/main/credentials/credentials.ts#L155):
this.accessTokenExpiryDate = new Date(Date.now() + response.data.expires_in);
Date.now() returns the time in milliseconds, expires_in is in seconds -> the expiry gets set 1000 times too soon!
Expected behavior
I do not DDOS my auth service because of openFGA
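The effect of the unit mismatch described in the issue above, as an added example (not code from the SDK or from the issue author): a simulated clock counts token-endpoint calls for the quoted expiry computation and for one that converts `expires_in` to milliseconds. The function names, the one-hour window and the 100 ms request interval are assumptions chosen for illustration.

```typescript
// Added illustration; all names below are hypothetical, not SDK identifiers.
// expires_in is the token lifetime in SECONDS (RFC 6749, section 5.1).
type TokenResponse = { access_token: string; expires_in: number };

// Expiry as computed by the line quoted in the issue:
// seconds are added directly to a millisecond timestamp.
function buggyExpiry(nowMs: number, res: TokenResponse): number {
  return nowMs + res.expires_in;
}

// Expiry with the unit conversion applied. A missing or non-positive
// expires_in yields an already-expired token instead of NaN or a bogus date.
function fixedExpiry(nowMs: number, res: TokenResponse): number {
  const seconds = Number(res.expires_in);
  if (!Number.isFinite(seconds) || seconds <= 0) {
    return nowMs;
  }
  return nowMs + seconds * 1000;
}

// Simulates a client that makes one API call every intervalMs for durationMs
// and returns how many of those calls had to hit the token endpoint first.
function countTokenFetches(
  expiry: (nowMs: number, res: TokenResponse) => number,
  durationMs: number,
  intervalMs: number,
  expiresInSec: number
): number {
  let fetches = 0;
  let expiresAt = -Infinity; // nothing cached yet
  for (let now = 0; now < durationMs; now += intervalMs) {
    if (now >= expiresAt) {
      // Cache miss: a real client would call the token endpoint here.
      fetches++;
      const res: TokenResponse = {
        access_token: "constructed-sample-token", // constructed sample value
        expires_in: expiresInSec,
      };
      expiresAt = expiry(now, res);
    }
  }
  return fetches;
}

const HOUR_MS = 60 * 60 * 1000;
console.log("buggy:", countTokenFetches(buggyExpiry, HOUR_MS, 100, 3600));
console.log("fixed:", countTokenFetches(fixedExpiry, HOUR_MS, 100, 3600));
```

Counting calls to the token endpoint per hour against the token lifetime is also a practical check for this class of caching bug in any OAuth client.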
We would really appreciate having a prompt review of the PR, since at the moment we are sending thousands of requests to our authentication server and risk being blocked. At the same time we cannot disable authentication as it would impose a security risk. Also, the change is really minimal.
Thank you in advance!
@KlausVii @VeskoPavlov v0.2.7 is out with the fix. Thanks for reporting and the contribution!
Thanks for the quick turnaround