Menu
We've recently discussed an axios' interceptor for OAuth authentication token refresh in this question.
What the interceptor should do is intercept any response with the 401 status code and try to refresh the token. With that in mind, the next thing to do is to return a Promise from the interceptor, so that any request which would have normally fail, would run as nothing happens after a token refresh.
The main problem is, that an interceptor checks only the 401 status code, which is not enough, as the refreshToken will also return the 401 status code when it fails - and we have a loop.
There are two possible scenarios I have in mind:
/auth/refresh it shouldn't try to refresh the token;refreshToken logic is calledThe first option looks a bit "not dynamic" to me. The second option looks promising, but I'm not sure if it's even possible.
The main question is then, how can we differentiate/identify calls in an interceptor and run different logic for them without "hardcoding" it specifically, or is there any way to omit the interceptor for a specified call? Thank you in advance.
The code for an interceptor might help to understand the question:
Axios.interceptors.response.use(response => response, error => { const status = error.response ? error.response.status : null if (status === 401) { // will loop if refreshToken returns 401 return refreshToken(store).then(_ => { error.config.headers['Authorization'] = 'Bearer ' + store.state.auth.token; error.config.baseURL = undefined; return Axios.request(error.config); }) // Would be nice to catch an error here, which would work if the interceptor is omitted .catch(err => err); } return Promise.reject(error); }); and token refreshing part:
function refreshToken(store) { if (store.state.auth.isRefreshing) { return store.state.auth.refreshingCall; } store.commit('auth/setRefreshingState', true); const refreshingCall = Axios.get('get token').then(({ data: { token } }) => { store.commit('auth/setToken', token) store.commit('auth/setRefreshingState', false); store.commit('auth/setRefreshingCall', undefined); return Promise.resolve(true); }); store.commit('auth/setRefreshingCall', refreshingCall); return refreshingCall; } 
951
To use the refresh token, make a POST request to the service's token endpoint with grant_type=refresh_token , and include the refresh token as well as the client credentials if required.
Refresh Token are typically longer lived than Access Tokens and used to request a new Access Token without forcing user authentication. Unlike Access Tokens, Refresh Tokens are only used with the Authorization Server and are never sent to a web service.
I may have found a way much simpler to handle this : use axios.interceptors.response.eject() to disable the interceptor when I call the /api/refresh_token endpoint, and re-enable it after.
The code :
createAxiosResponseInterceptor() { const interceptor = axios.interceptors.response.use( response => response, error => { // Reject promise if usual error if (error.response.status !== 401) { return Promise.reject(error); } /* * When response code is 401, try to refresh the token. * Eject the interceptor so it doesn't loop in case * token refresh causes the 401 response */ axios.interceptors.response.eject(interceptor); return axios.post('/api/refresh_token', { 'refresh_token': this._getToken('refresh_token') }).then(response => { saveToken(); error.response.config.headers['Authorization'] = 'Bearer ' + response.data.access_token; return axios(error.response.config); }).catch(error => { destroyToken(); this.router.push('/login'); return Promise.reject(error); }).finally(createAxiosResponseInterceptor); } ); } If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
