Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Users Search
Help Dashboard Sign In Sign Up
Q&A Code Reviews Meta
Q&A
Posts Tags Edits
Ask Question

Welcome to Software Development on Codidact!

Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.

Comments on How to prevent token from being refreshed

Parent

How to prevent token from being refreshed

+5
−0

I have an Angular application. The frontend has a mechanism that periodically fetches some information like this:

ngOnInit(): void {
    setInterval( () => {
        this.http.get(...   ).subscribe(
            (data) => {
                 this.data: any = data;
            }
      }, 10000);
}

This gets handled in the backend by the service method

@GET
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public Response getData(
    ...

I also have a function for refreshing the token declared like this:

@POST
@Path("/token")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response updateToken(String token) {

The problem is that I only want the token to be updated when the actual user is clicking around at the page. Not for this notifier. The user should be automatically logged out if inactive for a while. That's why this matters.

I have come up with some possible strategies here.

  1. Send some extra metadata in the url passed to this.http.get and somehow figure out how to extract that in updateToken

  2. Adding a separate endpoint and somehow make this avoid triggering updateToken

  3. Changing this.http.get to something completely different call

  4. Making the server send updates periodically to valid tokens

But I have no idea how to start with any of these. Can you help?

java angular glassfish
posted almost 3 years ago
3y ago
user card
klutt‭
1273 reputation 17 12 162 52
History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.
Why should this post be closed?

1 comment thread

Why? (2 comments)
Post
+3
−0

It's worth noting that logging out a user goes way beyond not fetching a token, because your UI needs to inform the user he is about to be (or has been) logged out. And if your UI closes or locks itself, it probably doesn't matter if it has a current token.

So I'd handle this fully in the UI; for instance by detecting keypresses and mouse clicks, and upon not observing any for X minutes, I'd show a splash screen warning that a logout is imminent, and if still no action occurs, I'd lock the UI.

To refresh the token, I'd have some angular service fetch a new token in regular intervals, but only if the UI is not locked.

That said, as a user I really hate it if apps do that. I am perfectly capable of locking my workstation before walking away, and if I switch to another app for some reason (task switching is a thing, and some tasks require interacting with more than one app), and then return to your app, I'd hate to find myself logged out and having to start over.

posted almost 3 years ago
user card
meriton‭
2375 reputation 7 56 220 35
History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.

1 comment thread

Thanks, I'll look into it. However, I was really hoping to not have to redesign everything just to fi... (4 comments)
Thanks, I'll look into it. However, I was really hoping to not have to redesign everything just to fi...
klutt‭ wrote almost 3 years ago
copy link

Thanks, I'll look into it. However, I was really hoping to not have to redesign everything just to fix this bug.

Task switching is not a thing in this environment. :)

meriton‭ wrote almost 3 years ago
copy link

Do you know the environment well enough to say that with certainty? For instance, people are never interrupted by a ringing phone and have to handle that before continuing? Or the arrival of an urgent email? Or some coworker asking for help through chat? Obviously, I don't know the environment you are developping for, so you'll have to be the judge of that. I am just saying that it is not usually as obvious as it appears at first glance.

klutt‭ wrote almost 3 years ago
copy link

I completely understand your skepticism, but this is not the typical office environment. I also hate such features, but in this case it's a security issue that's not negotiable. In the case that someone get interrupted by another task it's actually imperative that this automatic logoff works.

However, it turned out that it was not as much work as I thought to implement your solution, and it seems to work quite nicely. Thank you.

klutt‭ wrote almost 3 years ago
copy link

meriton‭ Actually, we ended up using httpinterceptors for this purpose instead. It was quite clean to implement.

However, we also kept your suggestion to make sure that logging out occurs if the user is inactive.