feat: Add explicit refresh token callable. #1230 #1555
Conversation
mturoci
changed the title
There was a problem hiding this comment.
Thank you. Just some minor comments with discussion potential and one question:
What are potential performance implications?
Apps that will required this will need to call this with every outgoing request. This is IMHO ok for the internal channel to waved. But I am not sure what TokenSource implementation is effectively used so my concern is whether there is a potential of spamming the identity with a lot of token requests.
Good point. According to docs - TokenSource returns a TokenSource that returns t until t expires, automatically refreshing it as necessary using the provided context. which seems good to me, but feel free to correct me if I am missing something.
wdyt @zoido? |
Agree. Clicked trough it once again and got to the same conclusion. Thanks.
I don't think it's necessary for the explicit endpoint. Reasoning: you explicitly call something that can fail. If it fails you should be able to recover. But I do not see deep into the interaction between the app and waved so I cannot foresee all of the potential side-effects. |
|
Thanks for the review @zoido! |
Adds
force_token_refreshcallable toq.auth. Upon calling, theq.auth.access_tokenis updated, and waved session is synced.Since this is server-to-server communication, no cookies are stored (in comparison to server-to-browser) so I had to keep the session ID in the app to make sure I could identify and sync the correct session during refresh. Open to better ideas/suggestions.
Open question: Shall we purge the session in case of an unsuccessful refresh attempt?
Closes #1230