Skip to content

Commit

Permalink
fix: remove redundant removeToken calls
Browse files Browse the repository at this point in the history
  • Loading branch information
porcellus committed Jul 12, 2024
1 parent 2d9b7c3 commit bb74ebb
Show file tree
Hide file tree
Showing 3 changed files with 89 additions and 121 deletions.
7 changes: 0 additions & 7 deletions lib/src/dio-interceptor-wrapper.dart
Original file line number Diff line number Diff line change
Expand Up @@ -180,13 +180,6 @@ class SuperTokensInterceptorWrapper extends Interceptor {
type: DioExceptionType.unknown,
error: e),
);
} finally {
LocalSessionState localSessionState =
await SuperTokensUtils.getLocalSessionState();
if (localSessionState.status == LocalSessionStateStatus.NOT_EXISTS) {
await AntiCSRF.removeToken();
await FrontToken.removeToken();
}
}
}

Expand Down
2 changes: 2 additions & 0 deletions lib/src/front-token.dart
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import 'package:mutex/mutex.dart';
import 'package:shared_preferences/shared_preferences.dart';
import 'package:supertokens_flutter/src/utilities.dart';
import 'package:supertokens_flutter/supertokens.dart';
import 'package:supertokens_flutter/src/anti-csrf.dart';

class FrontToken {
static String? tokenInMemory;
Expand Down Expand Up @@ -148,6 +149,7 @@ class FrontToken {
await _removeTokenFromStorage();
await Utils.setToken(TokenType.ACCESS, "");
await Utils.setToken(TokenType.REFRESH, "");
await AntiCSRF.removeToken()
if (_tokenInfoMutex.isLocked) {
_tokenInfoMutex.release();
}
Expand Down
201 changes: 87 additions & 114 deletions lib/src/supertokens-http-client.dart
Original file line number Diff line number Diff line change
Expand Up @@ -74,107 +74,98 @@ class Client extends http.BaseClient {
return _innerClient.send(customRequest.request);
}

try {
while (true) {
await _refreshAPILock.acquireRead();
// http package does not allow retries with the same request object, so we clone the request when making the network call
http.BaseRequest copiedRequest;
LocalSessionState preRequestLocalSessionState;
http.StreamedResponse response;
try {
copiedRequest = SuperTokensUtils.copyRequest(customRequest.request);
copiedRequest =
await _removeAuthHeaderIfMatchesLocalToken(copiedRequest);
preRequestLocalSessionState =
await SuperTokensUtils.getLocalSessionState();
String? antiCSRFToken = await AntiCSRF.getToken(
preRequestLocalSessionState.lastAccessTokenUpdate);

if (antiCSRFToken != null) {
copiedRequest.headers[antiCSRFHeaderKey] = antiCSRFToken;
}

SuperTokensTokenTransferMethod tokenTransferMethod =
SuperTokens.config.tokenTransferMethod;
copiedRequest.headers["st-auth-mode"] =
tokenTransferMethod.getValue();

// Adding Authorization headers
copiedRequest =
await Utils.setAuthorizationHeaderIfRequired(copiedRequest);

// Add cookies to request headers
String? newCookiesToAdd = await Client.cookieStore
?.getCookieHeaderStringForRequest(copiedRequest.url);
String? existingCookieHeader =
copiedRequest.headers[HttpHeaders.cookieHeader];

// If the request already has a "cookie" header, combine it with persistent cookies
if (existingCookieHeader != null && existingCookieHeader != "") {
copiedRequest.headers[HttpHeaders.cookieHeader] =
_generateCookieHeader(existingCookieHeader, newCookiesToAdd);
} else {
copiedRequest.headers[HttpHeaders.cookieHeader] =
newCookiesToAdd ?? "";
}

// http package does not allow retries with the same request object, so we clone the request when making the network call
response = await _innerClient.send(copiedRequest);
await Utils.saveTokenFromHeaders(response);
String? frontTokenInHeaders = response.headers[frontTokenHeaderKey];
SuperTokensUtils.fireSessionUpdateEventsIfNecessary(
wasLoggedIn: preRequestLocalSessionState.status ==
LocalSessionStateStatus.EXISTS,
status: response.statusCode,
frontTokenFromResponse: frontTokenInHeaders,
);

// Save cookies from the response
String? setCookieFromResponse =
response.headers[HttpHeaders.setCookieHeader];
await Client.cookieStore?.saveFromSetCookieHeader(
copiedRequest.url, setCookieFromResponse);
} finally {
_refreshAPILock.release();
while (true) {
await _refreshAPILock.acquireRead();
// http package does not allow retries with the same request object, so we clone the request when making the network call
http.BaseRequest copiedRequest;
LocalSessionState preRequestLocalSessionState;
http.StreamedResponse response;
try {
copiedRequest = SuperTokensUtils.copyRequest(customRequest.request);
copiedRequest =
await _removeAuthHeaderIfMatchesLocalToken(copiedRequest);
preRequestLocalSessionState =
await SuperTokensUtils.getLocalSessionState();
String? antiCSRFToken = await AntiCSRF.getToken(
preRequestLocalSessionState.lastAccessTokenUpdate);

if (antiCSRFToken != null) {
copiedRequest.headers[antiCSRFHeaderKey] = antiCSRFToken;
}

if (response.statusCode == SuperTokens.sessionExpiryStatusCode) {
/**
* An API may return a 401 error response even with a valid session, causing a session refresh loop in the interceptor.
* To prevent this infinite loop, we break out of the loop after retrying the original request a specified number of times.
* The maximum number of retry attempts is defined by maxRetryAttemptsForSessionRefresh config variable.
*/
if (customRequest.sessionRefreshAttempts >=
SuperTokens.config.maxRetryAttemptsForSessionRefresh) {
throw SuperTokensException(
"Received a 401 response from ${customRequest.request.url}. Attempted to refresh the session and retry the request with the updated session tokens ${SuperTokens.config.maxRetryAttemptsForSessionRefresh} times, but each attempt resulted in a 401 error. The maximum session refresh limit has been reached. Please investigate your API. To increase the session refresh attempts, update maxRetryAttemptsForSessionRefresh in the config.");
}
customRequest.sessionRefreshAttempts++;

customRequest.request =
await _removeAuthHeaderIfMatchesLocalToken(copiedRequest);

UnauthorisedResponse shouldRetry =
await onUnauthorisedResponse(preRequestLocalSessionState);
if (shouldRetry.status == UnauthorisedStatus.RETRY) {
// Here we use the original request because it wont contain any of the modifications we make
return await _sendWithRetry(customRequest);
} else {
if (shouldRetry.exception != null) {
throw SuperTokensException(shouldRetry.exception!.message);
} else
return response;
}
SuperTokensTokenTransferMethod tokenTransferMethod =
SuperTokens.config.tokenTransferMethod;
copiedRequest.headers["st-auth-mode"] =
tokenTransferMethod.getValue();

// Adding Authorization headers
copiedRequest =
await Utils.setAuthorizationHeaderIfRequired(copiedRequest);

// Add cookies to request headers
String? newCookiesToAdd = await Client.cookieStore
?.getCookieHeaderStringForRequest(copiedRequest.url);
String? existingCookieHeader =
copiedRequest.headers[HttpHeaders.cookieHeader];

// If the request already has a "cookie" header, combine it with persistent cookies
if (existingCookieHeader != null && existingCookieHeader != "") {
copiedRequest.headers[HttpHeaders.cookieHeader] =
_generateCookieHeader(existingCookieHeader, newCookiesToAdd);
} else {
return response;
copiedRequest.headers[HttpHeaders.cookieHeader] =
newCookiesToAdd ?? "";
}

// http package does not allow retries with the same request object, so we clone the request when making the network call
response = await _innerClient.send(copiedRequest);
await Utils.saveTokenFromHeaders(response);
String? frontTokenInHeaders = response.headers[frontTokenHeaderKey];
SuperTokensUtils.fireSessionUpdateEventsIfNecessary(
wasLoggedIn: preRequestLocalSessionState.status ==
LocalSessionStateStatus.EXISTS,
status: response.statusCode,
frontTokenFromResponse: frontTokenInHeaders,
);

// Save cookies from the response
String? setCookieFromResponse =
response.headers[HttpHeaders.setCookieHeader];
await Client.cookieStore?.saveFromSetCookieHeader(
copiedRequest.url, setCookieFromResponse);
} finally {
_refreshAPILock.release();
}
} finally {
LocalSessionState localSessionState =
await SuperTokensUtils.getLocalSessionState();
if (localSessionState.status == LocalSessionStateStatus.NOT_EXISTS) {
await AntiCSRF.removeToken();
await FrontToken.removeToken();

if (response.statusCode == SuperTokens.sessionExpiryStatusCode) {
/**
* An API may return a 401 error response even with a valid session, causing a session refresh loop in the interceptor.
* To prevent this infinite loop, we break out of the loop after retrying the original request a specified number of times.
* The maximum number of retry attempts is defined by maxRetryAttemptsForSessionRefresh config variable.
*/
if (customRequest.sessionRefreshAttempts >=
SuperTokens.config.maxRetryAttemptsForSessionRefresh) {
throw SuperTokensException(
"Received a 401 response from ${customRequest.request.url}. Attempted to refresh the session and retry the request with the updated session tokens ${SuperTokens.config.maxRetryAttemptsForSessionRefresh} times, but each attempt resulted in a 401 error. The maximum session refresh limit has been reached. Please investigate your API. To increase the session refresh attempts, update maxRetryAttemptsForSessionRefresh in the config.");
}
customRequest.sessionRefreshAttempts++;

customRequest.request =
await _removeAuthHeaderIfMatchesLocalToken(copiedRequest);

UnauthorisedResponse shouldRetry =
await onUnauthorisedResponse(preRequestLocalSessionState);
if (shouldRetry.status == UnauthorisedStatus.RETRY) {
// Here we use the original request because it wont contain any of the modifications we make
return await _sendWithRetry(customRequest);
} else {
if (shouldRetry.exception != null) {
throw SuperTokensException(shouldRetry.exception!.message);
} else
return response;
}
} else {
return response;
}
}
}
Expand Down Expand Up @@ -302,28 +293,10 @@ class Client extends http.BaseClient {
status: UnauthorisedStatus.API_ERROR,
error: SuperTokensException("Some unknown error occured"));
} finally {
LocalSessionState localSessionState =
await SuperTokensUtils.getLocalSessionState();

if (localSessionState.status == LocalSessionStateStatus.NOT_EXISTS) {
await FrontToken.removeToken();
await AntiCSRF.removeToken();
}

_refreshAPILock.release();
}
}

static Future clearTokensIfRequired() async {
LocalSessionState preRequestLocalSessionState =
await SuperTokensUtils.getLocalSessionState();
if (preRequestLocalSessionState.status ==
LocalSessionStateStatus.NOT_EXISTS) {
await AntiCSRF.removeToken();
await FrontToken.removeToken();
}
}

static String _cookieMapToHeaderString(Map<String, dynamic> cookieMap) {
return cookieMap.keys.map((e) => "$e=${cookieMap[e]}").join(";");
}
Expand Down

0 comments on commit bb74ebb

Please sign in to comment.