Refresh should redirect to login page on fail #289
Comments
What about doing something like this? line 72 @ auth.js
What version are you using?
On Nov 14, 2017 7:15 PM, "José Antonio Pérez" wrote:
> What about doing something like this? line 72 @ auth.js
>
> ```js
> // fragment of the plugin's auth.js; `_this` and `cb` come from the enclosing function
> if (this.options.refreshData.enabled && this.options.tokenExpired.call(this)) {
>   this.options.refreshPerform.call(this, {
>     success: function () {
>       this.options.checkAuthenticated.call(_this, cb);
>     },
>     error: function () {
>       this.options.logoutProcess.call(this, null, {});
>     }
>   });
>   return;
> }
> ```
Just created a new project (as a proof of concept) with the minimal required components using the current software versions:
So actually, what you described ("either logout (to clear the current non-valid token) or redirect again to the login page."), the plugin should already be doing both.
But hard to say what could be going on without more details.
On Wed, Nov 15, 2017 at 1:52 PM, José Antonio Pérez wrote:
> Just created a new project (as a proof of concept) with the minimal required components using the current software versions:
>
> ```json
> "@websanova/vue-auth": "^2.20.4-beta",
> "vue": "^2.5.2",
> "vue-axios": "^2.0.2",
> "vue-router": "^3.0.1",
> "vue-loader": "^13.3.0",
> ```
>
> ```
> $ npm -v
> 5.5.1
> ```
In order to test this issue, I am generating a deliberately short-lived JWT token, with an expiration time of 180 seconds. Token generation is OK, and manual refresh is OK, too. The vue application seems to ignore the expiration time of the token. Instead, it seems to be trying to refresh at some given instants (hardcoded, maybe?), not related to the expiration claim in the token. So, the result is the application trying to refresh the token too late, when the token has already expired, and the refreshing request is rejected with a 401 error code.
Ok,
So I'm not sure what the specific issue is here.
Are you saying it's not doing a logout/redirect in general?
Or just specifically based on the jwt expiration time?
On Wed, Nov 15, 2017 at 3:15 PM, José Antonio Pérez wrote:
> In order to test this issue, I am generating a deliberately short-lived JWT token, with an expiration time of 180 seconds. Token generation is OK, and manual refresh is OK, too.
> The vue application seems to ignore the expiration time of the token. Instead, it seems to be trying to refresh at some given instants (hardcoded, maybe?), not related to the expiration claim in the token.
> So, the result is the application trying to refresh the token too late, when the token has already expired, and the refreshing request is rejected with a 401 error code.
After the token expiration, when I try to access any route requiring authentication, the application, first of all, tries to refresh the token. This refresh operation fails (401) and the application just stops, so it does not perform a logout. The application gets hung with the auth component in a non-ready state. I mean it shows the
vue-auth tries to refresh the token every 30 min, independently of the expiration claim contained in the token. The software should consider the possibility of not being successful in the refresh operation, assuming in such case that the user has been logged out from the application. What I can see in the logs of the API which provides the initial JWT tokens as well as the refresh tokens is this (real token contents have been shortened). Notice the 30 min time between requests, even when the expiration time claim for our JWT tokens is just 180 s:
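As an added example (not code from this thread or from vue-auth), the following shows how a client-side `tokenExpired` check can read the JWT `exp` claim and schedule the refresh from it rather than from a fixed 30-minute interval. The function names (`decodeJwtPayload`, `tokenExpired`, `secondsUntilRefresh`, `makeUnsignedToken`) and the sample token with its 180 s lifetime are this example's own constructed assumptions. Only the payload is decoded; the signature is deliberately not verified, because the client uses `exp` solely to decide when to refresh, never to decide whether the token is valid, which remains the server's job.

```javascript
// Added example, not from the thread or the plugin: schedule token refresh from the
// JWT `exp` claim instead of a fixed interval. The signature is NOT verified here;
// the client only uses `exp` to decide when to refresh, not whether the token is valid.

function base64UrlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Returns the decoded payload object of a compact JWS token (header.payload.signature).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True when the token is expired, or will expire within `leewaySeconds`.
// Malformed tokens and tokens without an `exp` claim are treated as expired: without
// `exp` there is nothing to schedule a refresh from, so forcing a re-login is the safe default.
function tokenExpired(token, nowSeconds = Math.floor(Date.now() / 1000), leewaySeconds = 10) {
  let payload;
  try {
    payload = decodeJwtPayload(token);
  } catch (e) {
    return true;
  }
  if (typeof payload.exp !== 'number') return true;
  return payload.exp - leewaySeconds <= nowSeconds;
}

// Seconds to wait before the next refresh: a little before `exp`, never a fixed interval past it.
function secondsUntilRefresh(token, nowSeconds, leewaySeconds = 10) {
  const payload = decodeJwtPayload(token);
  return Math.max(0, payload.exp - leewaySeconds - nowSeconds);
}

// Constructed sample token: real header and payload encoding, dummy signature.
function makeUnsignedToken(payload) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

const ISSUED = 1510745220; // constructed: 2017-11-15 11:27:00 UTC, to match the thread's timeline
const SAMPLE_TOKEN = makeUnsignedToken({ sub: 'constructed-user', iat: ISSUED, exp: ISSUED + 180 });

// Demo: a 30-minute timer fires long after the 180 s token is gone; `exp` says refresh at 170 s.
console.log('expired after 30 min?', tokenExpired(SAMPLE_TOKEN, ISSUED + 1800));
console.log('seconds until refresh at issue time:', secondsUntilRefresh(SAMPLE_TOKEN, ISSUED));
```

In the plugin's terms this logic would live in the `tokenExpired` option mentioned later in the thread; the scheduler then calls the manual refresh when `secondsUntilRefresh` reaches zero and falls back to logout when that refresh is answered with a 401.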
Are you sure you do not have any other interceptors setup?
This should be working out of the box for a 401. I just tested it, it logs out and redirects me to the login page.
On Wed, Nov 15, 2017 at 7:19 PM, José Antonio Pérez wrote:
> vue-auth tries to refresh the token every 30 min, independently of the expiration claim contained in the token. The software should consider the possibility of not being successful in the refresh operation, assuming in such case that the user has been logged out from the application.
> What I can see in the logs of the API which provides the initial JWT tokens as well as the refresh tokens is this (real token contents have been shortened). Notice the 30 min time between requests, even when the expiration time claim for our JWT tokens is just 180 s:
>
> ```
> [2017-11-15 11:26:21] slim-app.WARNING: Expired token ["eyJ0eXAi...Iq8"] {"uid":"22c0302"}
> [2017-11-15 11:56:21] slim-app.WARNING: Expired token ["eyJ0eXAi...Iq8"] {"uid":"304ce45"}
> [2017-11-15 12:26:21] slim-app.WARNING: Expired token ["eyJ0eXAi...lq8"] {"uid":"3073f2b"}
> [2017-11-15 12:56:21] slim-app.WARNING: Expired token ["eyJ0eXAi...Iq8"] {"uid":"b30ac8b"}
> ```
I am not sure about interceptors setup. I am rather new to vue.js and I still have a lot of doubts about it. This is what I have in the main.js file:
What happens if you remove that tokenExpired method? This could cause issues if you just send false back, as it then won't handle the 401. You should set this method to null if you want to completely ignore the check.
On Nov 16, 2017 13:56, "José Antonio Pérez" wrote:
> I am not sure about interceptors setup. I am rather new to vue.js and I still have a lot of doubts about it. This is what I have in the main.js file:
>
> ```js
> import Vue from 'vue'
> import App from './App'
> import router from './router'
> import axios from 'axios'
> import VueAxios from 'vue-axios'
>
> Vue.use(VueAxios, axios)
> Vue.axios.defaults.baseURL = 'http://10.36.156.154:8089/api/v1/'
> Vue.router = router
>
> // Token refresh disabled ATM
> // #289
> // https://stackoverflow.com/a/39897838
> // (package name restored from the rest of the thread; the scrape masked '@websanova' as an e-mail address)
> Vue.use(require('@websanova/vue-auth'), {
>   auth: require('@websanova/vue-auth/drivers/auth/bearer.js'),
>   http: require('@websanova/vue-auth/drivers/http/axios.1.x.js'),
>   router: require('@websanova/vue-auth/drivers/router/vue-router.2.x.js'),
>   tokenExpired: () => {
>     return false
>   }
> })
>
> Vue.config.productionTip = false
>
> /* eslint-disable no-new */
> new Vue({
>   el: '#app',
>   router,
>   template: '<App/>',
>   components: { App }
> })
> ```
I added this method just a few hours ago according to the solution to a similar question from stackoverflow: Without this method, the application hangs when tokens expire. With this method, the application does not call the refresh method, but at least, the user gets logged out and redirected to the login form.
You are using axios, which could also be an issue with that driver.
On Nov 16, 2017 2:30 PM, "José Antonio Pérez" wrote:
> I added this method just a few hours ago according to the solution to a similar question from stackoverflow:
> VueJS (resource, router and @websanova/vue-auth) login with JWT tokens refresh token error <https://stackoverflow.com/a/39897838>
> Without this method, the application hangs when tokens expire. With this method, the application does not call the refresh method, but at least, the user gets logged out and redirected to the login form.
I am experiencing this same problem even with your demo sample out of the box. If the endpoint API provides a token with an expiration time under the preset 30 minutes, the refresh operation fails. Any subsequent operation fails too (as trying to get auth/user) but the user is not logged out. Screenshot attached. You can recreate the problem using your Laravel API. Just configure the tokens to have an expiration time under 30 minutes. In the first refresh you will see the problem.
Ok, well I found one issue where the refresh was still running even after a logout (with the refresh interval). So that should be fixed now in But why you aren't being logged out on a 401 response is a bit strange. Can you double check everything you have running locally is latest? Is the demo you are running a fresh install?
Just tested everything with v2.20.8-beta. The problem of the requests for refresh tokens after logout (and before login) is now fixed, but the logout problem persists. I will keep doing some additional tests.
Tested again with v2.20.9-beta. Same problem. Refresh token error should remove the
Our scenario: An employee logs into the corporate intranet. After finishing work, many of them do not log out properly, but just close the browser tab. So, the frontend is unable to keep refreshing the token, and after a given period of time the token is not valid anymore. After a while (maybe several hours later) a different employee tries to log into the corporate intranet using the same computer. We do not want the browser to refresh the previous token (belonging to another user, and already expired). What we want is just to redirect the user to the website login page.
@jap1968 by your description, maybe you want to log out the user as soon as they close the browser. If that is your case, make sure you are using
I want to log out the user once the token has expired. The users sometimes close the browser, or just close the browser tab of the corporate website, or even close nothing and suspend the computer. When somebody else wakes the computer up again (maybe next day) I want the previous user to be logged out immediately. I have tested setting
This part sounds like what is the
In that case, you don't want to run the auto refresh every X minutes, but only on routing or after some user action. In this case, it looks like there is a way to disable the auto refresh by setting: And then you can manually refresh the token by calling:
I will have to take a more thorough look at this over the weekend.
Any updates on this?
Any update?
Just tested this again with vue-resource and the auto logout on refresh fail is working just fine. If there are issues it's likely with the response being sent back. The default, if you look at the vue-resource driver, is to check for a 401: https://github.com/websanova/vue-auth/blob/master/drivers/http/vue-resource.1.x.js#L21 You can override this method, but note that you need to override the driver's method, not the plugin's method.
Not sure if this is exactly what you're talking about, but axios produces an uncaught error when the response status on refresh is 401. Probably this causes further problems.

```js
_http: function (data) {
  var http = this.options.Vue.axios(data)
  // data.error is undefined on refresh
  // not happening when adding: data.error = data.error || function () {}
  http.then(data.success, data.error)
  return http
}
```

NodeJS: 10.15.3
@websanova/vue-auth: 2.21.14-beta
Any update??
The problem is still there. Opening an app where a user was previously logged in, but with an expired token, does not work.
@service-paradis do you have a solution for this issue?
Hello,

Problem: If the token gets expired and we call the refresh API, the application gets stuck.

Solution: In my case this is happening because of the axios driver present in this package (node_module/@websanova/vue-auth/drivers/http/axios.1.x.js). The axios driver is not catching the server error response, it is only catching JavaScript errors. So we need to add a checkpoint manually inside axios.1.x.js (node_module/@websanova/vue-auth/drivers/http/axios.1.x.js).

So update axios.1.x.js as shown above. Now if the token gets expired or deleted somehow, we are able to receive the server error response (Unauthorized), which will log the user out.

Testing: Double-check: reloaded the page again and checked the network tab; there was no more refresh API calling. I hope this will help somebody.
To make it work and redirect to the login page when the token is expired/blacklisted, I added the status code 500 into the check for invalidation @
Bumped into this issue today, my problem was with the integration of this library and Laravel jwt-auth. The refresh endpoint calls Solution for me was to catch the exception and call
You can actually check if the user is logged in and manually clear the token session if a 500 error is received. There might be better solutions but this provided a positive result.
Please note the plugin in fact does not handle 500 cases or any number of the many responses that the API may return. This should be handled by the http library, and any logic like logout, or whatever needs to be done, can be set there. Otherwise by default for now it's only handling 401, which will log out the user. With the 500 cases it's not clear whether it should log out or not, so that should be up to the app to handle.
@websanova is there a way to prevent user logout with error code
@kosratdev the scenario you're describing sounds like the server should return 403 (forbidden) instead of 401 (unauthorized). IIRC this library won't log the user out on a 403. More info here: https://stackoverflow.com/a/6937030
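The thread above makes two points about the axios driver: a refresh call that passes no `error` callback turns a 401 into an uncaught promise rejection that leaves the app hung, and only a 401 should clear the session, while 403 and 500 are for the application to decide. As an added example (not vue-auth's driver code and not a patch from the thread), the following minimal driver sketch shows both behaviours together; `fakeAxios`, `makeDriver`, the `hooks.logout` callback and the `/auth/refresh-*` route names are this example's own constructed assumptions standing in for axios and the plugin's logout process.

```javascript
// Added example, not vue-auth's own driver: a minimal axios-style HTTP driver that
//  (1) always supplies an error callback, so a failed refresh cannot become an
//      uncaught promise rejection that leaves the app hung, and
//  (2) treats only HTTP 401 as "token invalid" and triggers logout, leaving 403 and
//      500 for the application to handle, as discussed in the thread.
// fakeAxios, makeDriver and hooks.logout are this example's own constructed names.

// Constructed stand-in for axios: resolves on 2xx, otherwise rejects with an
// axios-shaped error object carrying `response.status`.
function fakeAxios(routes) {
  return function request(config) {
    const status = routes[config.url];
    if (status === undefined) return Promise.reject(new Error('no such route: ' + config.url));
    if (status < 300) return Promise.resolve({ status, data: { token: 'constructed-new-token' } });
    return Promise.reject({ response: { status, data: { error: 'constructed error body' } } });
  };
}

function makeDriver(axios, hooks) {
  const driver = {
    // Only a 401 means the stored token is no longer accepted and must be cleared.
    _invalidToken(res) {
      return Boolean(res) && res.status === 401;
    },

    // Same shape as the driver's _http(data): calls data.success / data.error,
    // but a missing callback never turns a rejection into an unhandled one.
    _http(data) {
      const onSuccess = data.success || function () {};
      const onError = data.error || function () {};
      return axios(data).then(
        (res) => {
          onSuccess(res);
          return res;
        },
        (err) => {
          // A network failure (no HTTP response at all) is reported as status 0.
          const res = (err && err.response) || { status: 0, data: null };
          if (driver._invalidToken(res)) hooks.logout(); // 401 => clear session, go to login
          onError(res);
          return res; // resolved, so callers can still inspect a 403 / 500 themselves
        }
      );
    },
  };
  return driver;
}

// Runs one refresh call per constructed endpoint and records whether logout fired.
async function runScenarios() {
  const routes = {
    '/auth/refresh-ok': 200,
    '/auth/refresh-expired': 401,
    '/auth/refresh-forbidden': 403,
    '/auth/refresh-error': 500,
  };
  const results = {};
  for (const url of Object.keys(routes)) {
    let loggedOut = false;
    const driver = makeDriver(fakeAxios(routes), { logout: () => { loggedOut = true; } });
    // As on the plugin's refresh call in the thread, no `error` callback is passed here.
    const res = await driver._http({ url, method: 'post' });
    results[url] = { status: res.status, loggedOut };
  }
  return results;
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Running it shows logout firing only for the 401 route; the 403 and 500 routes complete without logout and without an unhandled rejection, which is the point at which an application-level interceptor can decide to clear the session (as the 500-based workarounds in the thread do) or to show an error instead.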
Under some circumstances, the token in the browser can expire, so it is no longer possible to refresh it. The call to the refresh method on the API will return a 401 (unauthorized) code.
In these cases, the application should either logout (to clear the current non-valid token) or redirect again to the login page.
Currently, the application gets hung on pages requiring authorization if the token has already expired. The only solution (that I have found so far) is to clear the local storage in the browser in order to be able to authenticate again.