[Human App] fix: refresh token race condition (#2824)

Author: mpblocky

packages/apps/human-app/frontend/src/api/api-client.ts

@@ -1,4 +1,3 @@
-// eslint-disable-next-line import/no-cycle -- cause by refresh token retry
 import { createFetcher } from '@/api/fetcher';
 import { env } from '@/shared/env';
 

packages/apps/human-app/frontend/src/api/fetch-refresh-token.ts

@@ -0,0 +1,29 @@
+import { apiPaths } from '@/api/api-paths';
+import { browserAuthProvider } from '@/shared/helpers/browser-auth-provider';
+import { signInSuccessResponseSchema } from '@/api/services/worker/sign-in/schema';
+
+export const fetchTokenRefresh = async (baseUrl: string) => {
+  const response = await fetch(
+    `${baseUrl}${apiPaths.worker.obtainAccessToken.path}`,
+    {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        // eslint-disable-next-line camelcase -- camel case defined by api
+        refresh_token: browserAuthProvider.getRefreshToken(),
+      }),
+    }
+  );
+
+  if (!response.ok) {
+    return null;
+  }
+
+  const data: unknown = await response.json();
+
+  const refetchAccessTokenSuccess = signInSuccessResponseSchema.parse(data);
+
+  return refetchAccessTokenSuccess;
+};

packages/apps/human-app/frontend/src/api/fetcher.ts

@@ -1,12 +1,10 @@
 import merge from 'lodash/merge';
 import { ZodError, type ZodType, type ZodTypeDef } from 'zod';
 import type { ResponseError } from '@/shared/types/global.type';
-import type { SignInSuccessResponse } from '@/api/services/worker/sign-in';
-// eslint-disable-next-line import/no-cycle -- cause by refresh token retry
-import { signInSuccessResponseSchema } from '@/api/services/worker/sign-in';
-import { apiClient } from '@/api/api-client';
-import { apiPaths } from '@/api/api-paths';
 import { browserAuthProvider } from '@/shared/helpers/browser-auth-provider';
+import { env } from '@/shared/env';
+import { type SignInSuccessResponse } from '@/api/services/worker/sign-in/types';
+import { fetchTokenRefresh } from './fetch-refresh-token';
 
 const appendHeader = (
   fetcherOptionsWithDefaults: RequestInit | undefined,
@@ -67,6 +65,29 @@ export type FetcherOptions<SuccessInput, SuccessOutput> =
 
 export type FetcherUrl = string | URL;
 
+let refreshPromise: Promise<SignInSuccessResponse | null> | null = null;
+
+export async function refreshToken(): Promise<{
+  access_token: string;
+  refresh_token: string;
+} | null> {
+  if (!refreshPromise) {
+    refreshPromise = fetchTokenRefresh(env.VITE_API_URL);
+  }
+
+  const result = await refreshPromise;
+
+  refreshPromise = null;
+
+  if (result) {
+    browserAuthProvider.signIn(result, browserAuthProvider.authType);
+  } else {
+    browserAuthProvider.signOut({ triggerSignOutSubscriptions: true });
+  }
+
+  return result;
+}
+
 export function createFetcher(defaultFetcherConfig?: {
   options?: RequestInit | (() => RequestInit);
   baseUrl: FetcherUrl | (() => FetcherUrl);
@@ -153,33 +174,16 @@ export function createFetcher(defaultFetcherConfig?: {
       fetcherOptions.authenticated &&
       fetcherOptions.withAuthRetry
     ) {
-      let refetchAccessTokenSuccess: SignInSuccessResponse | undefined;
-      try {
-        refetchAccessTokenSuccess = await apiClient(
-          apiPaths.worker.obtainAccessToken.path,
-          {
-            successSchema: signInSuccessResponseSchema,
-            options: {
-              method: 'POST',
-              body: JSON.stringify({
-                // eslint-disable-next-line camelcase -- camel case defined by api
-                refresh_token: browserAuthProvider.getRefreshToken(),
-              }),
-            },
-          }
-        );
-        browserAuthProvider.signIn(
-          refetchAccessTokenSuccess,
-          browserAuthProvider.authType
-        );
-      } catch {
-        browserAuthProvider.signOut({ triggerSignOutSubscriptions: true });
+      const refetchAccessTokenSuccess = await refreshToken();
+
+      if (!refetchAccessTokenSuccess) {
         return;
       }
 
       const newHeaders = appendHeader(fetcherOptionsWithDefaults, {
         Authorization: `Bearer ${refetchAccessTokenSuccess.access_token}`,
       });
+
       response = await fetch(fetcherUrl, newHeaders);
 
       if (!response.ok) {

packages/apps/human-app/frontend/src/api/services/common/use-access-token-refresh.ts

@@ -1,13 +1,11 @@
 import { useMutation, useQueryClient } from '@tanstack/react-query';
 import { useNavigate } from 'react-router-dom';
-import { apiClient } from '@/api/api-client';
-import { apiPaths } from '@/api/api-paths';
-import { signInSuccessResponseSchema } from '@/api/services/worker/sign-in';
 import { useAuth } from '@/auth/use-auth';
 import { browserAuthProvider } from '@/shared/helpers/browser-auth-provider';
 import type { AuthType } from '@/shared/types/browser-auth-provider';
 import { useWeb3Auth } from '@/auth-web3/use-web3-auth';
 import { routerPaths } from '@/router/router-paths';
+import { refreshToken } from '@/api/fetcher';
 
 export function useAccessTokenRefresh() {
   const queryClient = useQueryClient();
@@ -32,19 +30,11 @@ export function useAccessTokenRefresh() {
       throwExpirationModalOnSignOut?: boolean;
     }) => {
       try {
-        const refetchAccessTokenSuccess = await apiClient(
-          apiPaths.worker.obtainAccessToken.path,
-          {
-            successSchema: signInSuccessResponseSchema,
-            options: {
-              method: 'POST',
-              body: JSON.stringify({
-                // eslint-disable-next-line camelcase -- camel case defined by api
-                refresh_token: browserAuthProvider.getRefreshToken(),
-              }),
-            },
-          }
-        );
+        const refetchAccessTokenSuccess = await refreshToken();
+
+        if (!refetchAccessTokenSuccess) {
+          throw new Error('Failed to refresh access token.');
+        }
 
         if (authType === 'web2') {
           signInWeb2(refetchAccessTokenSuccess);

packages/apps/human-app/frontend/src/api/services/worker/sign-in/schema.ts

@@ -0,0 +1,19 @@
+import { z } from 'zod';
+import { t } from 'i18next';
+
+export const signInDtoSchema = z.object({
+  email: z.string().email(t('validation.invalidEmail')),
+  password: z
+    .string()
+    .min(1, t('validation.passwordMissing'))
+    .max(50, t('validation.max', { count: 50 })),
+  // eslint-disable-next-line camelcase -- export vite config
+  h_captcha_token: z.string().min(1, t('validation.captcha')).default('token'),
+});
+
+export const signInSuccessResponseSchema = z.object({
+  // eslint-disable-next-line camelcase -- data from api
+  access_token: z.string(),
+  // eslint-disable-next-line camelcase -- data from api
+  refresh_token: z.string(),
+});

packages/apps/human-app/frontend/src/api/services/worker/sign-in.ts renamed to packages/apps/human-app/frontend/src/api/services/worker/sign-in/sign-in.ts

@@ -1,33 +1,11 @@
-import { z } from 'zod';
 import { useMutation, useQueryClient } from '@tanstack/react-query';
 import { useNavigate } from 'react-router-dom';
-import { t } from 'i18next';
-// eslint-disable-next-line import/no-cycle -- cause by refresh token retry
 import { apiClient } from '@/api/api-client';
 import { apiPaths } from '@/api/api-paths';
 import { routerPaths } from '@/router/router-paths';
 import { useAuth } from '@/auth/use-auth';
-
-export const signInDtoSchema = z.object({
-  email: z.string().email(t('validation.invalidEmail')),
-  password: z
-    .string()
-    .min(1, t('validation.passwordMissing'))
-    .max(50, t('validation.max', { count: 50 })),
-  // eslint-disable-next-line camelcase -- export vite config
-  h_captcha_token: z.string().min(1, t('validation.captcha')).default('token'),
-});
-
-export type SignInDto = z.infer<typeof signInDtoSchema>;
-
-export const signInSuccessResponseSchema = z.object({
-  // eslint-disable-next-line camelcase -- data from api
-  access_token: z.string(),
-  // eslint-disable-next-line camelcase -- data from api
-  refresh_token: z.string(),
-});
-
-export type SignInSuccessResponse = z.infer<typeof signInSuccessResponseSchema>;
+import { type SignInDto } from './types';
+import { signInSuccessResponseSchema } from './schema';
 
 function signInMutationFn(data: SignInDto) {
   return apiClient(apiPaths.worker.signIn.path, {

packages/apps/human-app/frontend/src/api/services/worker/sign-in/types.ts

@@ -0,0 +1,9 @@
+import { type z } from 'zod';
+import {
+  type signInDtoSchema,
+  type signInSuccessResponseSchema,
+} from './schema';
+
+export type SignInDto = z.infer<typeof signInDtoSchema>;
+
+export type SignInSuccessResponse = z.infer<typeof signInSuccessResponseSchema>;

packages/apps/human-app/frontend/src/auth-web3/web3-auth-context.tsx

@@ -3,7 +3,7 @@ import { useState, createContext, useEffect } from 'react';
 import { jwtDecode } from 'jwt-decode';
 import { z } from 'zod';
 import { useQueryClient } from '@tanstack/react-query';
-import type { SignInSuccessResponse } from '@/api/services/worker/sign-in';
+import type { SignInSuccessResponse } from '@/api/services/worker/sign-in/sign-in';
 import { browserAuthProvider } from '@/shared/helpers/browser-auth-provider';
 import { useModalStore } from '@/components/ui/modal/modal.store';
 

packages/apps/human-app/frontend/src/auth/auth-context.tsx

@@ -3,7 +3,7 @@ import { useState, createContext, useEffect } from 'react';
 import { jwtDecode } from 'jwt-decode';
 import { z } from 'zod';
 import { useQueryClient } from '@tanstack/react-query';
-import type { SignInSuccessResponse } from '@/api/services/worker/sign-in';
+import type { SignInSuccessResponse } from '@/api/services/worker/sign-in/sign-in';
 import { browserAuthProvider } from '@/shared/helpers/browser-auth-provider';
 import { useModalStore } from '@/components/ui/modal/modal.store';
 

packages/apps/human-app/frontend/src/pages/worker/sign-in.page.tsx

@@ -9,18 +9,16 @@ import { PageCard } from '@/components/ui/page-card';
 import { Input } from '@/components/data-entry/input';
 import { Button } from '@/components/ui/button';
 import { Password } from '@/components/data-entry/password/password';
-import type { SignInDto } from '@/api/services/worker/sign-in';
-import {
-  signInDtoSchema,
-  useSignInMutation,
-} from '@/api/services/worker/sign-in';
+import { useSignInMutation } from '@/api/services/worker/sign-in/sign-in';
 import { FetchError } from '@/api/fetcher';
 import { routerPaths } from '@/router/router-paths';
 import { defaultErrorMessage } from '@/shared/helpers/default-error-message';
 import { Alert } from '@/components/ui/alert';
 import { FormCaptcha } from '@/components/h-captcha';
 import { useResetMutationErrors } from '@/hooks/use-reset-mutation-errors';
 import { browserAuthProvider } from '@/shared/helpers/browser-auth-provider';
+import { type SignInDto } from '@/api/services/worker/sign-in/types';
+import { signInDtoSchema } from '@/api/services/worker/sign-in/schema';
 
 function formattedSignInErrorMessage(unknownError: unknown) {
   if (unknownError instanceof FetchError && unknownError.status === 400) {