Details

    • Type: Task
    • Status: Backlog
    • Priority: Unset
    • Resolution: Unresolved
    • Affects versions: None
    • Fix versions: None
    • Components: None
    • Labels:
      None

      Description

      As part of ARCH-873 Done , it was discovered that calls to `authClient.getAuthenticationState()` were unreliable. We "think" it may be due to the cookie expiring immediately after it was used for authentication, but we aren't certain.

      The fix implemented for ARCH-873 Done was to pass the token used to authenticate in the callback passed to `authClient.ensureAuthenticationAndCookies()`. The `user_id` is pulled from the returned token, and passed to the frontend-analytics `identifyAuthenticatedUser` call, in place of calling `authClient.getAuthenticationState()` directly from inside frontend-analytics.

      Although this seemed to fix this particular bug, it has the following problems:
      1. We still expose `getAuthenticationState()` which is known to be buggy. Applications continue to use this call in other locations.
      2. The frontend-analytics call `identifyAuthenticatedUser` no longer encapsulates the user_id call, and thus no longer ensures consistency of implementation around the user's identity, which was a past problem we were trying to fix.
      3. Additionally, a separate but related bug might be that `isRoutePublic` doesn't check-for authentication, and thus doesn't return anything to the callback. I would imagine it is possible to have a route be public, but still want to know whether it is being viewed by an anonymous or an authenticated user.
      4. Also separate but related, ensurePublicOrAuthenticationAndCookies sometimes returns a promise and sometimes returns the result of callback. This should either be clearly documented, or we should simply remove all the returns. (Not sure if the returns were used to help unit testing though?)

      A potential solution might look like:
      1. Make `getDecodedAccessToken` private to frontend-auth, so it can only be used immediately before checking the token as part of the authentication code, like `ensureAuthenticationAndCookies` and any other locations in the library.
      2. Whenever we have a token that passes authentication according to the library, we should cache it so that it could be returned later by `getAuthenticationState`.
      3. Restore the old frontend-analytics code that used `getAuthenticationState` to get the user_id.

      Another potential solution would be to either drop the function `getAuthenticationState`, and force users to check authentication every time they want the state.

      NOTE: Please remove any `TODO: ARCH-948` comments from the code after implementing this.

        Attachments

          Issue links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                rraposa Robert Raposa
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated: