Returns 401 when concurrent

[activeliang]

When access expires, if the user clicks quickly on the web page and triggers two requests at the same time, in this case, the new access can be refresh normally, but when the new access is used to request resources, it returns 401

I wrote a demo project to solve this problem：https://github.com/activeliang/try_jwt_session

To simulate the above situation, I wrote the following code:

# first login
@tokens = JSON.parse RestClient.post 'http://localhost:3000/login', name: 'user1', password: '123456'

# method
def refresh_access_and_get_posts
  new_tokens = JSON.parse RestClient.post 'http://localhost:3000/refresh', {}, { 'X-Refresh-Token': @tokens['tokens']['refresh'] }
  posts = JSON.parse RestClient.get 'http://localhost:3000/posts', { Authorization: "Bearer #{new_tokens['access']}"}
end

# it works normal
10.times {
  refresh_access_and_get_posts
}

# 401 will be returned when get posts
10.times{
  Thread.new {
    refresh_access_and_get_posts
  }
}

Is it because I did something wrong?

[tuwukee]

hi @activeliang

It's responsibility of a client code to prevent concurrent refresh requests.
Basically, the JS client should disable page refreshing while there's a pending refresh request, and enable it back afterwards.

[masterkain]

just an idea: https://github.com/lynndylanhurley/devise_token_auth/search?q=batch_request_buffer_throttle

[tuwukee]

@masterkain requests with the same access token can be sent concurrently, the gem does not add any limitations.
Refresh token requests are supposed to be limited, throttling may lead to vulnerabilities I think.