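/// Handles a session-expired response by attempting to refresh the session.
///
/// The shared refresh write-lock is taken so that concurrent requests that
/// all saw a 401 do not each call the refresh API. Once the lock is held the
/// local session state is re-read and compared with
/// [preRequestLocalSessionState] (the state observed before the failing
/// request was sent):
///
/// * no session any more -> fires `Eventype.UNAUTHORISED` and returns
///   [UnauthorisedStatus.SESSION_EXPIRED];
/// * state or `lastAccessTokenUpdate` changed while waiting for the lock ->
///   another caller already refreshed, returns [UnauthorisedStatus.RETRY];
/// * otherwise the refresh API is called; a 2xx result yields
///   [UnauthorisedStatus.RETRY], a >= 300 result (or any thrown error)
///   yields [UnauthorisedStatus.API_ERROR], and a refresh that leaves no
///   local session yields [UnauthorisedStatus.SESSION_EXPIRED].
///
/// Never throws: every failure path is mapped to an [UnauthorisedResponse].
/// The lock is released on every path, including when the post-refresh
/// cleanup itself fails.
static Future<UnauthorisedResponse> onUnauthorisedResponse(
    LocalSessionState preRequestLocalSessionState) async {
  // Track whether we actually hold the lock so `finally` never releases a
  // lock this call did not acquire (e.g. when acquireWrite itself throws).
  bool lockHeld = false;
  try {
    await _refreshAPILock.acquireWrite();
    lockHeld = true;

    LocalSessionState postLockLocalSessionState =
        await SuperTokensUtils.getLocalSessionState();

    if (postLockLocalSessionState.status ==
        LocalSessionStateStatus.NOT_EXISTS) {
      // Session is already gone (e.g. cleared by another refresh attempt
      // while we waited for the lock); nothing to refresh.
      SuperTokens.config.eventHandler(Eventype.UNAUTHORISED);
      return UnauthorisedResponse(status: UnauthorisedStatus.SESSION_EXPIRED);
    }

    // If the session state changed since the original request was made,
    // someone else already refreshed it: the caller just needs to retry.
    bool statusChanged =
        postLockLocalSessionState.status != preRequestLocalSessionState.status;
    bool tokenUpdatedMeanwhile =
        postLockLocalSessionState.status == LocalSessionStateStatus.EXISTS &&
            preRequestLocalSessionState.status ==
                LocalSessionStateStatus.EXISTS &&
            postLockLocalSessionState.lastAccessTokenUpdate !=
                preRequestLocalSessionState.lastAccessTokenUpdate;
    if (statusChanged || tokenUpdatedMeanwhile) {
      return UnauthorisedResponse(status: UnauthorisedStatus.RETRY);
    }

    Uri refreshUrl = Uri.parse(SuperTokens.refreshTokenUrl);
    http.Request refreshReq = http.Request('POST', refreshUrl);
    // The refresh token (not the access token) is what authenticates this
    // call; the helper decides whether a header is needed for the configured
    // transfer method.
    refreshReq = await Utils.setAuthorizationHeaderIfRequiredForRequestObject(
        refreshReq,
        addRefreshToken: true);

    // The anti-CSRF token is bound to the access-token update time the
    // caller observed, so it is only attached when a session existed then.
    if (preRequestLocalSessionState.status ==
        LocalSessionStateStatus.EXISTS) {
      String? antiCSRFToken = await AntiCSRF.getToken(
          preRequestLocalSessionState.lastAccessTokenUpdate);
      if (antiCSRFToken != null) {
        refreshReq.headers[antiCSRFHeaderKey] = antiCSRFToken;
      }
    }

    refreshReq.headers['rid'] = SuperTokens.rid;
    refreshReq.headers['fdi-version'] = Version.supported_fdi.join(',');

    // Add cookies to request headers
    String? newCookiesToAdd =
        await Client.cookieStore?.getCookieHeaderStringForRequest(refreshUrl);
    refreshReq.headers[HttpHeaders.cookieHeader] = newCookiesToAdd ?? "";

    SuperTokensTokenTransferMethod tokenTransferMethod =
        SuperTokens.config.tokenTransferMethod;
    refreshReq.headers
        .addAll({'st-auth-mode': tokenTransferMethod.getValue()});

    // Give the application a last chance to adjust the outgoing request.
    refreshReq =
        SuperTokens.config.preAPIHook(APIAction.REFRESH_TOKEN, refreshReq);

    var resp = await refreshReq.send();
    // Persist any rotated tokens before the body is consumed, so a failure
    // while reading the body does not lose them.
    await Utils.saveTokenFromHeaders(resp);
    http.Response response = await http.Response.fromStream(resp);

    // Save cookies from the response
    String? setCookieFromResponse =
        response.headers[HttpHeaders.setCookieHeader];
    await Client.cookieStore
        ?.saveFromSetCookieHeader(refreshReq.url, setCookieFromResponse);

    bool isUnauthorised =
        response.statusCode == SuperTokens.config.sessionExpiredStatusCode;
    String? frontTokenInHeaders = response.headers[frontTokenHeaderKey];
    // A session-expired reply without a new front token means the backend
    // did not hand us a session at all; mark the local copy as removed.
    if (isUnauthorised && frontTokenInHeaders == null) {
      await FrontToken.setItem("remove");
    }

    SuperTokensUtils.fireSessionUpdateEventsIfNecessary(
      wasLoggedIn: preRequestLocalSessionState.status ==
          LocalSessionStateStatus.EXISTS,
      status: response.statusCode,
      frontTokenFromResponse: frontTokenInHeaders,
    );

    if (response.statusCode >= 300) {
      return UnauthorisedResponse(
          status: UnauthorisedStatus.API_ERROR,
          error: SuperTokensException(
              "Refresh API returned with status code: ${response.statusCode}"));
    }

    SuperTokens.config
        .postAPIHook(APIAction.REFRESH_TOKEN, refreshReq, response);

    if ((await SuperTokensUtils.getLocalSessionState()).status ==
        LocalSessionStateStatus.NOT_EXISTS) {
      // The execution should never come here.. but just in case.
      // removed by server. So we logout
      // we do not send "UNAUTHORISED" event here because
      // this is a result of the refresh API returning a session expiry, which
      // means that the frontend did not know for sure that the session existed
      // in the first place.
      return UnauthorisedResponse(status: UnauthorisedStatus.SESSION_EXPIRED);
    }

    SuperTokens.config.eventHandler(Eventype.REFRESH_SESSION);
    return UnauthorisedResponse(status: UnauthorisedStatus.RETRY);
  } catch (e) {
    // Any failure (lock, storage, network, hooks) is reported to the caller
    // as an API error rather than propagated. The original exception is not
    // included in the message here.
    return UnauthorisedResponse(
        status: UnauthorisedStatus.API_ERROR,
        error: SuperTokensException("Some unknown error occured"));
  } finally {
    try {
      // If we ended up without a session, drop the client-side front-token
      // and anti-CSRF state so stale values are not sent on later requests.
      LocalSessionState localSessionState =
          await SuperTokensUtils.getLocalSessionState();
      if (localSessionState.status == LocalSessionStateStatus.NOT_EXISTS) {
        await FrontToken.removeToken();
        await AntiCSRF.removeToken();
      }
    } finally {
      // Release must happen even if the cleanup above throws; otherwise every
      // subsequent refresh attempt would wait on the lock forever.
      if (lockHeld) {
        _refreshAPILock.release();
      }
    }
  }
}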