When using token auth with client-side signing, renewing a token is broken #350
Comments
It's normal for the library to attempt to include credentials in the token request if it has valid credentials; and if it has a token, but doesn't know that the token is expired, then it's expected that this request will be rejected in this way. The library should re-submit the request without the token header. Did you see whether or not this was happening?
But it issued that token so should know.
It's reusing the same token bearer header each time, so it's not handling the expired failure correctly and trying with a new token.
No, it's not -- see e.g. the full log here
But it does know that the token has expired. That's why it's getting a new token. And anyway -- why should it be normal to include (token) credentials in a token request? Only someone with a key should be able to get a token, which means either an unsigned token request done with basic auth, or a signed token request with no auth -- realtime rejects unsigned token requests done with bearer auth anyway, even if the token is valid. (At least, it should. If not then that's a security hole.) So at no time does it make sense to send token credentials with a token request, surely.
Yes, correct. In principle you can have an unsigned token request with basic auth, or a signed token request with no auth. I don't think any libs support the former.
We were not returning it but also not removing it, which caused the subsequent call to requestToken to still use it instead of the key. Fixes #350.
AFAICT from the log, the issue seems to be that it's sending an authorization: bearer header in the /requestToken request with the old token, which realtime then rejects for outdated auth. E.g.