
Artyom / Refresh Token Bugs and a Login Redirect #162

Open

Artyom-G wants to merge 8 commits into main from artyom/refresh-bug

Conversation

@Artyom-G
Member

Notion ticket link

Ticket Name

Implementation description

  • There is a bug where auth/refresh does not work; this is because the cookie set the Authorization token without the 'Bearer' keyword
  • There was also a bug where, if the refresh token expired, the user would be softlocked on the frontend; to get unlocked they would need to delete the access_token cookie
  • I also added a redirect for when the user is not signed in or when the refresh token expires

Steps to test

You can test for both fixed bugs with one method:
you can force a refresh on every axios request.

  1. Go to AuthUtils.ts on the frontend and make the validateAccessToken always return false (simulating the access token being expired)
  2. You will see a refresh post request being made whenever you do literally anything on the frontend page with status 200
  3. Another thing you should try is going to authService.ts on the backend and making the renewToken() function always throw an error; this will simulate the refresh token being expired
  4. On the frontend, instead of seeing status code 200, you will now see an error; you will be able to reload the page and log in again (before there was literally nothing you could do but delete the cookie manually)
  5. To test the redirect, try going to /profile and you will be redirected to /login; refreshing the page also redirects you to the login, so basically doing anything at all will redirect you

What should reviewers focus on?

  • Seeing that the refresh logic is properly handled and you are not locked out anymore
  • Also check the redirect logic in BaseAPIClient.ts; if we have more complicated permissions then it might need tweaking

Checklist

  • My PR name is descriptive and in imperative tense
  • My commit messages are descriptive and in imperative tense. My commits are atomic and trivial commits are squashed or fixup'd into non-trivial commits
  • I have run the appropriate linter(s)
  • I have requested a review from the PL, as well as other devs who have background knowledge on this PR or who will be building on top of this PR

@Artyom-G
Member Author

oh yeah, the branch name was renamed so it's a new PR, but the changes are mostly the same as the last PR except I also added a Login Redirect

@Artyom-G changed the title from "Refresh Token Bugs and a Login Redirect" to "Artyom / Refresh Token Bugs and a Login Redirect" on Nov 11, 2025

async generateSignInLink(email: string): Promise<string> {
const actionCodeSettings = {
// Why this localhost lmao
Contributor


Yeah, we will replace this in production. It is localhost for now because Firebase requires a valid URL for email link sign-in.

};

// Checks if the access token has expired or not
export const validateAccessToken = (decodedToken: DecodedJWT): boolean => {
Contributor


Is the logic backwards?
