Fixes for browserCookiePersistence#10125
Conversation
…g REDACTED refreshToken
…ing for existing session
|
There was a problem hiding this comment.
Code Review
This pull request refactors token management and persistence handling, specifically for cookie persistence. It removes hardcoded cookie-specific redaction logic from PersistenceUserManager and centralizes the handling of 'REDACTED' refresh tokens within StsTokenManager. Additionally, it updates setPersistence to properly swap event listeners and recover existing sessions. The review feedback correctly identifies a potential race condition in setPersistence where this.boundEventHandler() is called without being awaited, and suggests awaiting the resulting promise to ensure state consistency.
| } else { | ||
| const userInNewPersistence = await this.getCurrentUser(); | ||
| if (userInNewPersistence) { | ||
| this.boundEventHandler(); | ||
| } | ||
| } |
There was a problem hiding this comment.
Issue: Floating Promise & Potential Race Condition
this.boundEventHandler binds to auth._onStorageEvent, which is an async function returning a Promise<void>. Calling it without await creates a floating promise, meaning setPersistence can resolve before the authentication state is fully updated on the auth instance. This can lead to race conditions in client applications where subsequent operations are executed before the state transition completes.
Recommendation
Await the promise returned by this.boundEventHandler(). Since boundEventHandler is typed as returning void, you can cast it to unknown and then Promise<void> to satisfy the TypeScript compiler.
Additionally, note that _onStorageEvent internally calls getCurrentUser() again. If you want to optimize performance by avoiding double asynchronous storage reads, you could consider refactoring the test setup to allow calling this.boundEventHandler() directly without the pre-check, as _onStorageEvent already handles the null-user case gracefully.
| } else { | |
| const userInNewPersistence = await this.getCurrentUser(); | |
| if (userInNewPersistence) { | |
| this.boundEventHandler(); | |
| } | |
| } | |
| } else { | |
| const userInNewPersistence = await this.getCurrentUser(); | |
| if (userInNewPersistence) { | |
| await (this.boundEventHandler() as unknown as Promise<void>); | |
| } | |
| } |
""is sufficient is the client cannot reach the backend