
Tokens with outdated permissions cause 403 errors when user loads new version of app; provide way to get new token with new permissions on load #1073

Closed
cacabo opened this issue Jan 7, 2025 · 0 comments · Fixed by #1074

Comments


cacabo commented Jan 7, 2025

Issue

We've had problems in production along the lines of:

  • publish a new version of the app that uses updated permissions (like a new Object Type)
  • a user who has already logged in and has a token with the not-updated permissions loads the new version of the app
  • the user gets a 403 when trying to load the new Object Type because their token is using the old scope, which does not have perms to query the new Object Type

Is there a way, in my TS code / the OSDK flow, to check whether the token is using old permissions (or is from an old version of the app) and, if so, refresh the token?


Workaround

HACK: write the OSDK user agent (which includes the version) to local storage on sign-in. On refresh, compare the current user agent to the one in local storage (if any). If there is a difference, then permissions might have changed, so I sign the user out.

// Context assumed from the app this snippet was taken from (not shown in the
// issue): `$` is the OSDK client, `InstallationConfig` is an object type from
// the generated SDK, `auth` is the OSDK OAuth client, and `invariant` is an
// assertion helper. `$objectSetInternals` is private API, hence the HACK label.
const OSDK_USER_AGENT: string =
  $(InstallationConfig).$objectSetInternals.def.osdkMetadata.extraUserAgent
invariant(OSDK_USER_AGENT, 'Failed to find OSDK_USER_AGENT')

// localStorage key under which the user agent of the build that minted the
// current token is recorded.
const OSDK_USER_AGENT_KEY = 'OSDK_USER_AGENT_KEY'

/**
 * Refresh is run when the page is first loaded; if the user agent has changed or has not been set,
 * log out to get a new token and to set the user agent in local storage.
 */
auth.addEventListener('refresh', () => {
  // A missing key is treated like a mismatch: the token cannot be tied to this build.
  if (localStorage.getItem(OSDK_USER_AGENT_KEY) === OSDK_USER_AGENT) return

  // eslint-disable-next-line no-console
  console.log('User agent changed, logging out')

  void auth.signOut()
})

// Only stamp the build once a fresh token has actually been issued.
auth.addEventListener('signIn', () => {
  localStorage.setItem(OSDK_USER_AGENT_KEY, OSDK_USER_AGENT)
})
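The same "stamp the token with the build that minted it" check, rewritten as an added example that is not code from the issue or from the OSDK project. It factors the logic out of the browser so it can be exercised offline: `KeyValueStore`, `MemoryStore`, `TokenStampGuard`, `runUpgradeScenario` and the stamp strings are all hypothetical names chosen here, and in a real app the store would be `localStorage`, the stamp the OSDK user agent, and `signOut` the OAuth client's sign-out. Beyond the original snippet it also clears the stored stamp before signing out, so a sign-out that throws cannot leave a stamp behind that would wrongly pass on the next load.

```typescript
// Minimal subset of the Web Storage API, so the guard runs outside a browser.
interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

// In-memory stand-in for localStorage (constructed for this example).
class MemoryStore implements KeyValueStore {
  private map = new Map<string, string>();
  getItem(key: string): string | null { return this.map.get(key) ?? null; }
  setItem(key: string, value: string): void { this.map.set(key, value); }
  removeItem(key: string): void { this.map.delete(key); }
}

type RefreshDecision = "keep" | "sign-out";

class TokenStampGuard {
  static readonly KEY = "OSDK_TOKEN_STAMP";
  private store: KeyValueStore;
  private currentStamp: string;
  private signOut: () => void;

  // currentStamp identifies the build (and therefore the scope set) this app
  // was compiled with, e.g. the OSDK user agent string the issue reads from
  // the generated SDK. signOut discards the cached token.
  constructor(store: KeyValueStore, currentStamp: string, signOut: () => void) {
    if (!currentStamp) throw new Error("current stamp must be non-empty");
    this.store = store;
    this.currentStamp = currentStamp;
    this.signOut = signOut;
  }

  // Call on page load / token refresh. A missing stamp is treated exactly like
  // a mismatched one: the token cannot be proven to belong to this build.
  onRefresh(): RefreshDecision {
    const stored = this.store.getItem(TokenStampGuard.KEY);
    if (stored === this.currentStamp) return "keep";
    // Clear before signing out so a failed sign-out never leaves a stale stamp
    // that would make the next load skip the check.
    this.store.removeItem(TokenStampGuard.KEY);
    this.signOut();
    return "sign-out";
  }

  // Call only once a new token has actually been issued for this build.
  onSignIn(): void {
    this.store.setItem(TokenStampGuard.KEY, this.currentStamp);
  }
}

// Walks through the failure mode from the issue: a token minted by build 1
// survives into build 2, which ships with an extra scope.
function runUpgradeScenario(): { decisions: RefreshDecision[]; signOutCount: number } {
  const store = new MemoryStore();
  let signOutCount = 0;
  const decisions: RefreshDecision[] = [];

  // Build 1: first ever load, nothing stamped yet -> forced sign-out, then login.
  const v1 = new TokenStampGuard(store, "osdk-app/1.0.0 scopes=A", () => { signOutCount++; });
  decisions.push(v1.onRefresh());
  v1.onSignIn();
  decisions.push(v1.onRefresh());

  // Build 2 with a new scope: the cached token was stamped by build 1, so the
  // guard signs the user out instead of letting them hit a 403.
  const v2 = new TokenStampGuard(store, "osdk-app/1.1.0 scopes=A,B", () => { signOutCount++; });
  decisions.push(v2.onRefresh());
  v2.onSignIn();
  decisions.push(v2.onRefresh());

  return { decisions, signOutCount };
}
```

`runUpgradeScenario()` yields the decisions `sign-out, keep, sign-out, keep` with two sign-outs in total. Note that this detects a changed build, not a changed scope set; a release with no permission change still forces a re-login, which is the same trade-off the issue's workaround makes.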