Merge branch 'master' into STCOR-835
ryandberger authored Oct 16, 2024
2 parents 038ac3d + cc8ef65 commit 2e9829d
Showing 3 changed files with 17 additions and 4 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
@@ -35,7 +35,7 @@
* Reword error message "Error: server is forbidden, unreachable or down. VPN issue?". Refs STCOR-893.
* Move session timeout banner to the bottom of the page. Refs STCOR-883.
* Conditionally use `/users-keycloak/_self` endpoint when `users-keycloak` interface is present. Refs STCOR-835.

* Wait longer before declaring a rotation request to be stale. Refs STCOR-895.

## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
[Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
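Review bot: the new entry says only "Wait longer" and leaves the reader to find the value in token-util.js; since the change exists because an undershot timeout caused duplicate rotations that the backend treats as token replay, record the new value here so operators reading release notes see the behaviour change, e.g. `* Wait longer (20s instead of 2s) before declaring a rotation request to be stale. Refs STCOR-895.` Also confirm the blank line between the STCOR-835 entry and this one is intended, as it splits the bullet list in the rendered changelog.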
15 changes: 14 additions & 1 deletion src/components/Root/token-util.js
@@ -1,4 +1,5 @@
import { isEmpty } from 'lodash';
import ms from 'ms';

import { getTokenExpiry, setTokenExpiry } from '../../loginServices';
import { RTRError, UnexpectedResourceError } from './Errors';
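Review bot: `import ms from 'ms';` adds a module dependency to token-util.js, but none of the three files in this commit is package.json; confirm that `ms` is already a direct dependency of stripes-core rather than one that is only reachable transitively, otherwise an install that prunes transitive packages breaks this import. If it is not already declared, a plain `20 * 1000` with a comment avoids the dependency entirely.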
@@ -18,6 +19,18 @@ export const RTR_IS_ROTATING = '@folio/stripes/core::rtrIsRotating';
* RTR_MAX_AGE (int)
* How long do we let a refresh request last before we consider it stale?
*
* WARNING: The implementation described below is naive and short timeouts
* (e.g. 2 seconds) have led to problems in production where slow responses
* are interpreted as stale, leading to a second request, which then fails
* when the first (slooooow) request completes. This looks like a token-
* replay attack from the backend's view, so it will then terminate all
* active sessions for a given user. A better approach would be to handle
* rotation in a worker thread, allowing more careful tracking of the
* rotation request since it would only be happening in a single thread.
* But ... that's a lot more work. The quick fix is to use a long value,
* which might not provide an ideal UX, but at least it won't be a broken
* UX.
*
* When RTR begins, the current time in milliseconds (i.e. Date.now()) is
* cached in localStorage and the existence of that value is used as a flag
* in subsequent requests to indicate that they just need to wait for the
@@ -32,7 +45,7 @@ export const RTR_IS_ROTATING = '@folio/stripes/core::rtrIsRotating';
*
* Time in milliseconds
*/
export const RTR_MAX_AGE = 2000;
export const RTR_MAX_AGE = ms('20s');

/**
* resourceMapper
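Review bot: the WARNING block should state the invariant the constant has to satisfy, not only the history: `RTR_MAX_AGE` must exceed the longest plausible refresh round trip including any backend timeout, because undershooting it is exactly what produces the second rotation that the backend reads as token replay and answers by terminating all of the user's sessions. Separately, `ms('20s')` evaluates to a number only when the literal parses; `ms` returns `undefined` for an unrecognised string, so a typo here would silently make every age comparison against `RTR_MAX_AGE` false and disable stale detection. Either guard the value with a unit test (`expect(typeof RTR_MAX_AGE).toBe('number')`) or write it as `20 * 1000`.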
4 changes: 2 additions & 2 deletions src/components/Root/token-util.test.js
@@ -180,7 +180,7 @@ describe('rtr', () => {

expect(ex).toBe(null);
// expect(window.removeEventListener).toHaveBeenCalled();
});
}, 25000); // timeout must be longer than token-util's RTR_MAX_AGE

it('multiple window (storage event)', async () => {
const logger = {
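Review bot: the `25000` timeout is a magic number that duplicates `RTR_MAX_AGE` with a margin, and the trailing comment is the only thing tying them together, so the next bump to the constant will make this test time out again. `RTR_MAX_AGE` is exported from token-util.js; import it and derive the timeout, e.g. `}, RTR_MAX_AGE + 5000); // stale path must be allowed to run`.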
@@ -214,7 +214,7 @@ describe('rtr', () => {

expect(ex).toBe(null);
// expect(window.removeEventListener).toHaveBeenCalledWith('monkey')
});
}, 25000); // timeout must be longer than token-util's RTR_MAX_AGE
});

it('on known error, throws error', async () => {
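Review bot: with `RTR_MAX_AGE` raised to 20s, the two "multiple window" tests now wait on wall-clock time, so the suite can gain up to 40 seconds per run without exercising anything new. Consider fake timers (Jest's `jest.useFakeTimers()` with `jest.advanceTimersByTime(RTR_MAX_AGE)`, if that is the runner here) so the stale-request path is reached deterministically and the long timeouts in this hunk and the one above become unnecessary.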