在KTOR客户端中重新攻击loadTokens的正确方法
在我的移动应用程序中,我有一个Singleton KTOR httpclient带有以下配置的承载身份验证:
HttpClient(…) {
install(Auth) {
bearer {
sendWithoutRequest { requestBuilder -> some condition }
loadTokens(tokensStorage::getTokens)
refreshTokens {
performTokenRefresh(oldTokens.refreshToken)
}
}
}
}
现在考虑以下流程:
- 用户在我的
tokenstorage中存储的令牌时打开应用程序 。无效。 httpclient从tokenstorage加载令牌,并且请求以401失败。httpclient试图执行刷新,但也会失败,因为它刷新了,令牌无效。- 将用户重定向到登录页面,登录,新有效令牌存储在
TokenStorage中。 - 现在,从应用程序中,用户可以在第2-3点重试呼叫。但是,这将永远失败,直到应用程序关闭为止,因为
httpclient再也不会尝试调用loadTokens。实际上,据我从源代码中看到,loadTokens仅被调用一次,然后再也不会被调用。
我发现了一些解决问题的方法。
第一个是从httpclient中手动检索bearerauthprovider,并清除以下片段中的令牌,但似乎是一个hacky的解决方法:
httpClient.plugin(Auth).providers
.filterIsInstance<BearerAuthProvider>()
.first().clearToken()
另一个是手动加载当前令牌来自我的tokenStorage refreshtoken ,而无视[email&nbsp; nbsp; procected] code> </
refreshTokens {
val currentRefreshToken = tokenStorage.getTokens().refreshToken
performTokenRefresh(currentRefreshToken)
}
>登录)。
所以我的问题是:是否有一种更干净的方法来处理这种情况?我在滥用KTOR吗?
In my mobile app, I have a singleton Ktor HttpClient with bearer authentication configured as such:
HttpClient(…) {
install(Auth) {
bearer {
sendWithoutRequest { requestBuilder -> some condition }
loadTokens(tokensStorage::getTokens)
refreshTokens {
performTokenRefresh(oldTokens.refreshToken)
}
}
}
}
Now consider the following flow:
- The user opens the app while the tokens stored in my
tokenStorageare not valid. - The
HttpClientloads the tokens fromtokenStorageand the request fails with a 401. - The
HttpClienttries to perform a refresh but it fails too because the refresh token is invalid. - The user is redirected to the login page, logs in, and the new valid tokens are stored in
tokenStorage. - Now from the app the user can retry the call that failed in points 2-3. However this will fail forever until the app is closed, because the
HttpClientnever tries to callloadTokensanymore. Indeed, as far as I can see from the source code,loadTokensis called only once and then never again.
I found out a couple of ways to solve the issue.
The first one is to manually retrieve BearerAuthProvider from the HttpClient and clear the token myself like in the following snippet, but it seems like a hacky workaround:
httpClient.plugin(Auth).providers
.filterIsInstance<BearerAuthProvider>()
.first().clearToken()
Another one is to manually load the current token from my tokenStorage in refreshToken and disregard what get passed in [email protected]:
refreshTokens {
val currentRefreshToken = tokenStorage.getTokens().refreshToken
performTokenRefresh(currentRefreshToken)
}
However this means that the client will do an unnecessary call to the refresh API, while having already a valid token pair (obtained from the login).
So my question is: is there a cleaner way to handle the situation? Am I misusing Ktor?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我们在两个地方手动清除它:
我们有“注销”用例,无论用户手动注销还是401踢出,它将始终触发。因为我们还需要清除其他缓存数据。
因此,该注销用例的第一行是通知HTTP客户端的,它的模具所缓存不再有效。
您必须确保将其调用。
当我们可以通过应用程序链接打开登录屏幕时,我们面临着案例,因此可能是用户正在记录的时候,而其他用户仍被记录或 HTTP客户端具有空的令牌,并且不知道它们是无效的。
在这种情况下,我们还需要清除登录时的缓存,因此KTOR的LoadTokens {}在需要时再次致电。
We clear it manually in 2 places:
We have the "Logout" use case which will be always triggered no matter if user logout manually or by 401 kick out. Because we need to clear other cached data as well.
So the first lines of that logout use case is to notify the http client that whatever tokens it cached are not valid anymore.
You must make sure it will be called.
We faced the case when we can open Login screen via app links, so potentially a user is logging while other user is still logged or the http client has empty tokens and doesn't know they are not valid.
In that case we also needed to clear the cache on Login, so ktor's loadTokens{} called again when needed.