Ensure token refresh is always scheduled #6802
Merged
There appears to have been an oversight in setting up token refreshes, in particular how/when refreshes are scheduled. In particular the _schedule_refresh function was only ever called when a user was either:

In the case where a user was revisiting the application after their token had already been refreshed once, we did not schedule another refresh. If you revisited after a long time when your token was already expired you'd be forced through the auth flow again and everything would be fine too, but if you got unlucky and visited while a refreshed token was still just barely valid you could end up with the token expiring without any refresh having been scheduled. Here we now ensure that we ALWAYS schedule the tokens to be refreshed.
Additionally, we also now update the cookies when a user revisits the application, ensuring that the access_token, oauth_expiry and refresh_token cookies reflect the latest refresh values. However, if a token is refreshed while a session is running, these cookies may still be out-of-date until the next time the user visits the application:
Fixes #6684
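The visit-time decision described in this pull request, sketched as an added example (not code from the pull request or the project): on every visit a still-valid token gets a refresh timer, however it was obtained, and the three cookies are rewritten from the latest refresh values. The function names, the 60-second margin and the sample values are assumptions; only the cookie names come from the description.

```python
import math

REFRESH_MARGIN = 60.0  # assumption: refresh this many seconds before expiry


def plan_on_visit(cookies, now, margin=REFRESH_MARGIN):
    """Return ("reauth", None) or ("refresh", delay_seconds) for one visit."""
    try:
        expiry = float(cookies["oauth_expiry"])
    except (KeyError, TypeError, ValueError):
        return ("reauth", None)  # missing or malformed expiry: fail closed
    if not math.isfinite(expiry) or expiry <= now:
        return ("reauth", None)  # expired: back through the auth flow
    if not cookies.get("access_token") or not cookies.get("refresh_token"):
        return ("reauth", None)  # nothing usable to refresh with
    # Still valid, however narrowly and however it was obtained: always
    # schedule. Inside the margin the delay is 0, i.e. refresh right away.
    return ("refresh", max(0.0, expiry - margin - now))


def cookies_after_refresh(cookies, refreshed):
    """Copy the latest refresh values into the three session cookies."""
    updated = dict(cookies)
    for name in ("access_token", "refresh_token", "oauth_expiry"):
        if name in refreshed:
            updated[name] = str(refreshed[name])
    return updated


def schedule_refresh(loop, cookies, now, do_refresh):
    """Arm a timer on an asyncio loop; returns the handle, or None for reauth."""
    action, delay = plan_on_visit(cookies, now)
    if action != "refresh":
        return None
    return loop.call_later(delay, do_refresh)


# Constructed sample: a token refreshed earlier, revisited 5 s before expiry.
NOW = 1_700_000_000.0
BARELY_VALID = {"access_token": "at-2", "refresh_token": "rt-2",
                "oauth_expiry": str(NOW + 5)}

if __name__ == "__main__":
    print(plan_on_visit(BARELY_VALID, NOW))
```
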