Release: 2.0.9.102 (Canary) 2024-08-02

I don’t know how this happens, but from the list of requests, I can see that it has a valid token in the notifications?token=ey... request.

How that happens is hard to tell. I think it will be easier to investigate once the logout button is on.
I am preparing a new build that should fix everything mentioned in this topic and a few other things.

This had the value returned from POST /api/v1/auth/refresh from my traffic summary.
I stopped my summary at sysinfo, but it was used on serversettings and notifications.

To me, the question is how it got a refresh token after I deleted it. Did I just miss it?
I’ve looked through both the port 8200 traffic and the dev tools of my browser refresh.

Anyway, to be continued I suppose.

That is also my question. There are 3 endpoints that can issue a refresh token:

  • /api/v1/auth/signin: When using the sign-in temporary token
  • /api/v1/auth/login: When supplying the password
  • /api/v1/auth/refresh: If there is already a valid refresh token, a new one is issued

If I understand your trace summary correctly, the call to POST /api/v1/auth/refresh actually has the RefreshToken_8200 value from “somewhere”.

It may be a “feature” of sorts in Edge that keeps the cookie. I know Safari will “protect you” and hide some cookies in the developer storage view, but they are sent in the requests anyway.

Deleting the cookie in Chrome gives me 401 responses, when the access token expires or I reload the page.

If you mean a deletion doesn’t really take, I tested that already by noting the cookie value, turning on the dev tools and Wireshark, deleting the cookie, verifying it was not now shown, doing refresh.

Request has a Cookie RefreshToken_8200 which is different than deleted.
This one is the mystery. I’m not sure where it’s from. Apparently not by JS.
Response has a Set-Cookie RefreshToken_8200 which is the new cookie.

I get the 401 in Chrome on Refresh. It took a while to research how to delete one cookie, but Application in dev tools can do it. Until then I can wander freely, maybe on an old access token.

OK, some sort of browser dependent stuff going on here. I’ll probably continue on 2.0.9.103.
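
The check described in the thread (note the cookie value, delete it, reload, compare what the request sends) can be run over a capture automatically. The following is an added example, not part of the original thread or the project's code: it takes an ordered list of request/response header pairs and reports, for each request carrying RefreshToken_8200, whether that value was issued earlier in the capture by one of the three endpoints listed above, was a value deleted by hand, or has no visible origin. The capture layout, the `trace` and `cookie_value` names, and all token values and cookie attributes are constructed for illustration.

```python
"""Trace where each RefreshToken_8200 value in a capture came from."""
from http.cookies import SimpleCookie

COOKIE = "RefreshToken_8200"
# The three endpoints the thread names as able to issue a refresh token.
ISSUERS = {"/api/v1/auth/signin", "/api/v1/auth/login", "/api/v1/auth/refresh"}

def cookie_value(header):
    """Return the refresh cookie value from a Cookie or Set-Cookie header, or None."""
    if not header:
        return None
    jar = SimpleCookie()
    jar.load(header)
    return jar[COOKIE].value if COOKIE in jar else None

def trace(exchanges, deleted=()):
    """Classify every request in the ordered capture that sends the refresh cookie.

    exchanges: dicts with 'path', 'cookie' (request header), 'set_cookie' (response header).
    deleted:   values the tester removed from the browser before the capture started.
    """
    issued = {}      # cookie value -> endpoint that issued it inside this capture
    findings = []
    for index, ex in enumerate(exchanges):
        sent = cookie_value(ex.get("cookie"))
        if sent is not None:
            if sent in deleted:
                origin = "deleted value resent"
            elif sent in issued:
                origin = "issued by " + issued[sent]
            else:
                origin = "unknown origin (not issued in capture)"
            findings.append((index, ex["path"], sent, origin))
        new = cookie_value(ex.get("set_cookie"))
        if new is not None and ex["path"] in ISSUERS:
            issued[new] = ex["path"]
    return findings

# Constructed capture: the first request mirrors the thread's mystery value.
SAMPLE = [
    {"path": "/api/v1/auth/refresh", "cookie": "RefreshToken_8200=constructed-B",
     "set_cookie": "RefreshToken_8200=constructed-C; Path=/; HttpOnly"},
    {"path": "/api/v1/auth/refresh", "cookie": "RefreshToken_8200=constructed-C",
     "set_cookie": "RefreshToken_8200=constructed-D; Path=/; HttpOnly"},
    {"path": "/api/v1/auth/refresh", "cookie": "RefreshToken_8200=constructed-A",
     "set_cookie": None},
]

if __name__ == "__main__":
    for finding in trace(SAMPLE, deleted={"constructed-A"}):
        print(finding)
```

An "unknown origin" result on the first refresh after deletion means the capture began after the value was issued or the browser holds a copy the storage view does not show, which narrows where to look next.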