Wrong Token and Data Returned #127
Issue body

Hi there, I'm facing a pretty weird issue with the /token request. That is, no matter what credentials I pass (even invalid), I get the data of a particular user, and when I use that token for the /users/me request, it returns the data for that particular user.

Comments

@asadamatic are you using any REST caching plugins?

The same thing happened to me and it returned a valid token even with no It turns out that you (or your app) are probably carrying on the This is basically another side effect of the same issue found in #128. So, it would be a good idea if for the

@dominic-ks I'm not using any such plugin. For now, I switched to the JWT Authentication and it seems to be working fine. @pinoceniccola I checked the REST API logs and it does contain the

OK, so do we think this is the same issue as #128?

@dominic-ks Yes, it seems so.

@dominic-ks definitely. Only difference is if the The problem lies in these lines: Lines 181 to 192 in f99ca5a

Where the

@sun do you agree that the logic should be switched for this? If so, I'll have a look at that. Only thought is if people have apps that are currently relying on the refresh cookie taking priority over login details, but I can't imagine why they would be....

Having username/password take precedence in case a refresh token is also passed is fine. If a client is passing both then we can safely assume that the intention was to log in with user credentials. We can change that. 👍 What I don't understand is why the client would prompt the user to log in manually with credentials if the client still has a refresh token cookie. Normally I'd expect a client with a refresh token to first try that, and if it is rejected the refresh token should be deleted before the client reauthenticates. But I guess there can be edge-case scenarios in which that is not as clean as in theory. Sorry for not thinking of such possibilities.

Yeah, I think the problem is that in this case the browser is retaining the refresh token itself, so perhaps app logic says the user is logged out, e.g. deleted any stored tokens from local storage, but then when logging in again the browser is still sending the cookie. Could be wrong; anyway, PR created.
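The two decision orders discussed in this thread, as an added example that is not the plugin's own code: a minimal stand-alone PHP model of a /token handler in which the refresh cookie is consulted before the POSTed credentials (the behaviour the reporter hit, where a stale cookie in the browser makes any credentials "succeed" as the cookie's user), beside the ordering @sun agreed to, where explicit credentials take precedence and a failed login is not rescued by the cookie. The user table, the refresh-token store, the cookie name `refresh_token` and all usernames are constructed fixtures, not the plugin's identifiers.

```php
<?php
// Added example (not the plugin's code): models the /token decision order
// discussed in the thread. The user table, refresh-token store, cookie name
// and usernames are constructed fixtures.
declare(strict_types=1);

/** Constructed in-memory user table: username => [id, bcrypt hash]. */
function users(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'hash' => password_hash('alice-pass', PASSWORD_DEFAULT)],
            'bob'   => ['id' => 2, 'hash' => password_hash('bob-pass', PASSWORD_DEFAULT)],
        ];
    }
    return $users;
}

/** Constructed refresh-token store: opaque cookie value => user id. */
const REFRESH_TOKENS = ['rt-alice-0001' => 1];

/** Check username/password; returns the user id, or null on failure. */
function authenticate_credentials(?string $username, ?string $password): ?int
{
    if ($username === null || $password === null) {
        return null;
    }
    $user = users()[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return null;
    }
    return $user['id'];
}

/** Resolve a refresh cookie to a user id, or null if absent or unknown. */
function authenticate_refresh_cookie(?string $cookie): ?int
{
    return $cookie === null ? null : (REFRESH_TOKENS[$cookie] ?? null);
}

/** Shape of the endpoint's reply: 200 with the resolved user, or 403. */
function respond(?int $uid): array
{
    return $uid === null
        ? ['status' => 403, 'error' => 'invalid_credentials']
        : ['status' => 200, 'user_id' => $uid];
}

/** Ordering the reporter hit: the refresh cookie wins before credentials are even checked. */
function token_cookie_first(array $body, array $cookies): array
{
    $uid = authenticate_refresh_cookie($cookies['refresh_token'] ?? null)
        ?? authenticate_credentials($body['username'] ?? null, $body['password'] ?? null);
    return respond($uid);
}

/** Proposed ordering: posted credentials win, and a failed login is not rescued by the cookie. */
function token_credentials_first(array $body, array $cookies): array
{
    if (isset($body['username']) || isset($body['password'])) {
        $uid = authenticate_credentials($body['username'] ?? null, $body['password'] ?? null);
    } else {
        $uid = authenticate_refresh_cookie($cookies['refresh_token'] ?? null);
    }
    return respond($uid);
}

// Constructed scenario from the thread: the app cleared its stored tokens, but the
// browser still sends alice's refresh cookie while the user submits other credentials.
$cases = [
    'bogus credentials + stale cookie'  => [['username' => 'nobody', 'password' => 'wrong'],  ['refresh_token' => 'rt-alice-0001']],
    "bob's credentials + alice's cookie" => [['username' => 'bob',    'password' => 'bob-pass'], ['refresh_token' => 'rt-alice-0001']],
    'cookie only (normal refresh)'       => [[],                                                  ['refresh_token' => 'rt-alice-0001']],
];

foreach ($cases as $label => [$body, $cookies]) {
    printf("%-36s cookie-first: %s | credentials-first: %s\n",
        $label,
        json_encode(token_cookie_first($body, $cookies)),
        json_encode(token_credentials_first($body, $cookies)));
}
```

Run it with `php token_order.php`. The first case is the bug from the report: cookie-first answers 200 for user 1 (alice) even though the credentials are wrong, while credentials-first answers 403. The second case shows the same precedence problem returning alice's identity to someone logging in as bob. The third case shows that a cookie-only request, the normal refresh flow, still succeeds under the credentials-first ordering, so the change costs nothing for well-behaved clients.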