Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

2 hour OAuth token refresh timer is probably unreliable #81

Open
eatyourgreens opened this issue Feb 12, 2018 · 4 comments
Open

2 hour OAuth token refresh timer is probably unreliable #81

eatyourgreens opened this issue Feb 12, 2018 · 4 comments

Comments

@eatyourgreens
Copy link
Contributor

eatyourgreens commented Feb 12, 2018
edited
Loading

panoptes-javascript-client/lib/oauth.js

Lines 245 to 247 in 965580b

var refresh = this._refreshBearerToken.bind(this);
var timeToRefresh = (tokenDetails.expires_in * 1000) - TOKEN_EXPIRATION_ALLOWANCE;
this._bearerRefreshTimeout = setTimeout(refresh, timeToRefresh);

The OAuth module sets a 2 hour javascript timer when it receives a new token, basically to remind itself to refresh the token when that timer expires. @shaunanoordin raised a good point about this in conversation on Slack. Suppose the timer starts, runs for an hour or so, then my computer goes to sleep. Is timer state preserved when the computer wakes again? If the computer wakes after the timer has expired, will the refresh function still run?

A better solution would be to either hand off responsibility for checking the token to the client app, as per #80, or use a much shorter timer eg. check token validity every few minutes or so, renewing the timer (if the token is still valid) until the token expires or the browser tab closes.
@eatyourgreens
Copy link
Contributor Author

Once #80 merges, I think this just becomes a case of running a timer that pings checkBearerToken() every few minutes or so. Probably not a big worry if the client app is already polling that method regularly.

@shaunanoordin
Copy link
Member

Sounds like a good solution. 👍 As long as it's just a local timer checking every, say, 2 minutes(?) if the local token.expiryDatetime >= Date.now(), then there should be no performance issues that I can think of.

JavaScript timers/timeouts do appear to suspend when the computer goes to sleep/hibernate mode, (i.e. time asleep doesn't count) and to be sure, I'm running this code - setTimeout(function() { alert("Hey Shaun you set this reminder at 18:05 on Monday"); }, 5 * 60 * 1000) - and then taking a break. If the alert isn't the first thing I see when I start my laptop later, this hypothesis is super confirmed.

@eatyourgreens
Copy link
Contributor Author

Thanks for testing this @shaunanoordin. I'm wondering if some of the errors you are seeing from long sessions on www.antislaverymanuscripts.org come from this timer not working as intended.

@shaunanoordin
Copy link
Member

👌 OK, I can super confirm the hypothesis. Set timeout for 3 minutes at 18:08, then put computer to sleep. Woke computer up at 18:22, timeout's alert() kicked in at 18:25. Time asleep doesn't count towards timers/timeouts.

@eatyourgreens eatyourgreens mentioned this issue Feb 13, 2018
Merged
@shaunanoordin shaunanoordin mentioned this issue Feb 13, 2018
Merged
@shaunanoordin shaunanoordin mentioned this issue Feb 23, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@eatyourgreens @shaunanoordin