Access Token refreshing not correctly implemented

Issue #1 new
Christian Fibich repo owner created an issue

Correctly implement access token refreshing using 'refresh_token'. Current state is that a new registration is carried out (don't know if this has any drawbacks, though).

Comments (5)

  1. Kevin Gregull

    Has anyone figured out how to do that yet? I imagine sending a request to the users endpoint using the refresh token as authorization? With creating new accounts every time, we are effectively cluttering their database with new dummy users, which is not the worst (I guess) but could be better.

    Edit: Or do they actually check against the Device UID and don't do that?

  2. Christian Fibich reporter

    It isn't that bad in my opinion.

    A new "user" is only created if you send a "register" request to the user endpoint for each newly generated device_uid. The API replies with a valid access token, which is bound to expire after a week or so. The device_uid is stored in the keyring.

    The correct way to get a new token would be to use the refresh_token we get together with the first access token in a request (I think to some other endpoint).

    The way OJOC does this is essentially the way this is done when you remove the Jodel app from your phone and later re-install it. We send another "register" request to the user endpoint, but this time with the device_uid stored in the keyring. The API notifies us that the user already exists and sends us a new valid access token.

    As this behavior did not break anything up to now, I did not address this issue until now.

    tl;dr: A new user in Jodel's database is only created when you register with a different device_uid. If you keep your device_uid (which is necessary for keeping access to your karma and posts), no new user is cluttering up Jodel's DB.

  3. Nils Borrmann

    Afaik this is all correct, Christian. I just wanted to add that the only difference I noticed between recreating/registering and refreshing accounts is that the register endpoint is rate-limited.

    This is irrelevant in OJOC, but if you have, say, 200 accounts with an expired access_token, you can't re-register them all in one go. However, this is possible if you use the refresh endpoint.

    PS: I myself am responsible for probably thousands of empty accounts. I'm too lazy to save and load account tokens and creating them is just so easy ... Whenever I run my tests, two accounts are created :P I wonder whether they remove them before disclosing account numbers to investors ...

  4. Kevin Gregull

    Seeing as they are intentionally "beautifying" their vote and pin numbers on posts they share on their Facebook page, I would think they would happily report more accounts.

    [Attached images: pasted_image_at_2017_04_28_08_24_pm.png, console.png]

    Anyway. Would you be so kind as to share the payload of the refresh endpoint? Or do I just use the refresh token in the Authorization header instead of the token?

  5. Nils Borrmann

    Oh wow, that's interesting, I hadn't noticed that. Can't reproduce it though, maybe it was just a bug.

    Anyway, the endpoint is "/v2/users/refreshToken" (POST), the payload is:

            # JSON body sent with POST /v2/users/refreshToken
            payload = {"client_id": client_id,
                       "distinct_id": distinct_id,
                       "refresh_token": refresh_token}

    Have a look at jodel_api, I have implemented it there.
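    Added example (not OJOC or jodel_api code) putting the thread together: a client that keeps its device_uid, tries POST /v2/users/refreshToken with the payload Nils posted when the access token has expired, and only falls back to the re-register-with-stored-device_uid path Christian describes when the refresh fails. The register path "/v2/users", the response fields ("access_token", "refresh_token", "distinct_id", "expiration_date"), the transport signature and the in-memory FakeJodelAPI are assumptions made for this example so that it runs offline; the fake also rate-limits register, as comment 3 reports.

```python
"""Access token lifecycle for a Jodel-style client (added example, not project code)."""
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

REFRESH_PATH = "/v2/users/refreshToken"  # endpoint named in the thread
REGISTER_PATH = "/v2/users"              # assumption: thread only says "the user endpoint"
# Assumed transport: post(path, json_payload, headers) -> (status, json_body)
Transport = Callable[[str, dict, dict], Tuple[int, dict]]


@dataclass
class Session:
    client_id: str
    device_uid: str                      # persisted (keyring in OJOC); identifies the account
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    distinct_id: Optional[str] = None
    expires_at: float = 0.0

    def expired(self, skew: float = 60.0) -> bool:
        """Treat the token as expired shortly before the server would."""
        return time.time() + skew >= self.expires_at


def _apply(session: Session, body: dict) -> None:
    # Assumed response shape; real field names must be taken from the API.
    session.access_token = body["access_token"]
    session.refresh_token = body.get("refresh_token", session.refresh_token)
    session.distinct_id = body.get("distinct_id", session.distinct_id)
    session.expires_at = float(body["expiration_date"])


def register(session: Session, post: Transport) -> str:
    """'register' with the stored device_uid: a new user is only created for an unknown uid."""
    status, body = post(REGISTER_PATH,
                        {"client_id": session.client_id, "device_uid": session.device_uid}, {})
    if status == 429:
        raise RuntimeError("register endpoint is rate-limited")
    if status != 200:
        raise RuntimeError(f"register failed with status {status}")
    _apply(session, body)
    return "registered"


def refresh(session: Session, post: Transport) -> str:
    """Exchange the refresh_token for a new access token; payload as posted in the thread."""
    payload = {"client_id": session.client_id,
               "distinct_id": session.distinct_id,
               "refresh_token": session.refresh_token}
    status, body = post(REFRESH_PATH, payload, {})  # thread specifies the body only, no header
    if status != 200:
        raise RuntimeError(f"refresh failed with status {status}")
    _apply(session, body)
    return "refreshed"


def ensure_token(session: Session, post: Transport) -> str:
    """Return which path produced a usable token: cached, refreshed or registered."""
    if session.access_token and not session.expired():
        return "cached"
    if session.refresh_token and session.distinct_id:
        try:
            return refresh(session, post)
        except RuntimeError:
            pass  # refresh token lost/invalid: fall back to OJOC's current behaviour
    return register(session, post)


class FakeJodelAPI:
    """Constructed stand-in for the real API so the example runs offline."""

    def __init__(self, register_limit: int = 3):
        self.accounts: Dict[str, dict] = {}  # device_uid -> {"distinct_id", "refresh_token"}
        self.register_calls = 0
        self.register_limit = register_limit

    def _issue(self, acct: dict) -> dict:
        acct["refresh_token"] = uuid.uuid4().hex
        return {"access_token": uuid.uuid4().hex, "refresh_token": acct["refresh_token"],
                "distinct_id": acct["distinct_id"], "expiration_date": time.time() + 7 * 86400}

    def post(self, path: str, payload: dict, headers: dict) -> Tuple[int, dict]:
        if path == REGISTER_PATH:
            self.register_calls += 1
            if self.register_calls > self.register_limit:
                return 429, {"error": "rate limited"}
            acct = self.accounts.setdefault(payload["device_uid"],
                                            {"distinct_id": uuid.uuid4().hex})
            return 200, self._issue(acct)
        if path == REFRESH_PATH:
            for acct in self.accounts.values():
                if (acct["distinct_id"] == payload["distinct_id"]
                        and acct["refresh_token"] == payload["refresh_token"]):
                    return 200, self._issue(acct)
            return 401, {"error": "invalid refresh token"}
        return 404, {}


def demo() -> Tuple[list, int, int]:
    """Walk one client through register, expiry+refresh, and lost-refresh-token fallback."""
    api = FakeJodelAPI()
    s = Session(client_id="<client-id placeholder>", device_uid=uuid.uuid4().hex)
    steps = [ensure_token(s, api.post)]       # first run: must register
    s.expires_at = 0                          # simulate the week passing
    steps.append(ensure_token(s, api.post))   # refresh: no register call, no new account
    s.refresh_token, s.expires_at = "stale", 0
    steps.append(ensure_token(s, api.post))   # re-register with the same device_uid
    return steps, len(api.accounts), api.register_calls
```

Because the same device_uid is reused on fallback, the fake's account table stays at one entry across all three steps, which is the behaviour comment 2 describes; the refresh path additionally avoids the register rate limit from comment 3.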
