infinite loop if refresh function returns an invalid token #3
Comments
This issue makes prototyping and debugging difficult.
This is a pretty big issue which causes clients to effectively DOS your token endpoint with infinite requests if their session has expired. Fair warning to anyone who uses or plans to use this library in production; even if you patch it, you may be dealing with clients with an outdated copy of your frontend in a long-lived browser session.
In the case of DOSing yourself, consider adding parameters to the token request to help debug the source of the spam (lokka version, your project's git sha, whatever).
In case anyone wants a quick fix to prevent DDoS:

```js
import Lokka from 'lokka'
import Transport from 'lokka-transport-jwt-auth'
// Refresh function returns the bearer token string or undefined
import refresh from './refresh'

// Creates a promise that simply resolves after 10 seconds
const delay = () => new Promise((resolve) => setTimeout(resolve, 10 * 1000))

// Waits for 10 seconds before firing the refresh function again
const transport = new Transport(url, async () => refresh() || await delay() || refresh())

// Don't create a new Lokka instance until your refresh authentication is ready
// since the transport immediately attempts to refresh the JWT
const lokka = new Lokka({ transport })
```
It keeps trying even if the refresh function returns an invalid token or has an error, causing an infinite loop.
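An added example (not code from the lokka-transport-jwt-auth project or from the commenters above) that extends the quick-fix comment and the issue description: it refuses to hand the transport a token that is malformed or already expired, and it spaces out repeated failures with capped exponential backoff so an expired session cannot flood the token endpoint. The `refresh` function and the transport's constructor signature are assumptions.

```javascript
// Added example, not from lokka-transport-jwt-auth: wraps an assumed `refresh` function
// so the transport never gets a malformed or expired token and failures back off.

// Decode the JWT payload without verifying the signature; the client only needs
// `exp` to know whether the server would reject the token anyway.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Usable: parses as a JWT and, if it carries `exp`, is not expired, with a
// clock-skew margin so a token about to expire is not handed over either.
function isUsableToken(token, nowSeconds = Date.now() / 1000, skewSeconds = 30) {
  const payload = decodeJwtPayload(token);
  if (!payload) return false;
  if (typeof payload.exp !== 'number') return true;
  return payload.exp - skewSeconds > nowSeconds;
}

// Capped exponential backoff: 1s, 2s, 4s, ... up to maxMs.
function backoffDelayMs(failures, baseMs = 1000, maxMs = 60000) {
  return Math.min(maxMs, baseMs * 2 ** Math.max(0, failures - 1));
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Drop-in replacement for `refresh`: a usable token resets the failure count;
// an error, undefined or expired token counts as a failure, waits out the
// backoff and returns undefined, so a caller that retries in a loop is
// rate-limited instead of hammering the token endpoint.
function guardedRefresh(refresh, opts = {}) {
  let failures = 0;
  return async () => {
    let token;
    try { token = await refresh(); } catch (e) { token = undefined; }
    if (isUsableToken(token)) {
      failures = 0;
      return token;
    }
    failures += 1;
    await sleep(backoffDelayMs(failures, opts.baseMs, opts.maxMs));
    return undefined;
  };
}
```

Pass `guardedRefresh(refresh)` where the snippet above passes its `async () => ...` callback to `Transport`; the transport still retries, but now at most once per backoff window and never with a token the server would reject.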