oauth-jsclient: isAccessTokenValid() gives false positive result

The isAccessTokenValid() function always returns true if the token has expires_in greater than 60.

Tried to dig deeper and found that the internal _checkExpiry() function makes use of the createdAt property. The internal setToken() function sets it to now if it is missing in the provided token: this.createdAt = tokenData.createdAt || Date.now()

Note, createToken() does not provide createdAt in the response, so the SDK user cannot provide that in the token.

In other words, if createdAt is missing in the provided token, then the system sets Date.now() and uses that in the expiry computation (plus 60 sec latency), thus giving a false positive result.
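The behaviour described above, as an added stand-alone example (this is not the oauth-jsclient source; the function names, the millisecond arithmetic, the 60 s latency window and the sample token values are assumptions for illustration). It puts the lenient "default createdAt to now" check beside a strict variant that refuses to guess, and shows how stamping createdAt at receipt time and persisting it closes the gap:

```javascript
'use strict';

// Added example: a re-implementation of the expiry logic the issue describes.
// NOT the oauth-jsclient code. Assumptions: expires_in is in seconds, createdAt
// is a millisecond epoch timestamp, and the latency window is 60 s.
const LATENCY_MS = 60 * 1000;

// Lenient check, mirroring the reported behaviour: a missing createdAt is
// replaced with "now", so a token stored without createdAt is always judged
// fresh whenever expires_in exceeds the 60 s window.
function isAccessTokenValidLenient(tokenData, now = Date.now()) {
  const createdAt = tokenData.createdAt || now;
  const expiresAt = createdAt + tokenData.expires_in * 1000;
  return now < expiresAt - LATENCY_MS;
}

// Strict check: never guess the issue time. A token without a numeric
// createdAt/expires_in, or without an access_token string, is reported as
// invalid so the caller refreshes instead of sending a token of unknown age.
function isAccessTokenValidStrict(tokenData, now = Date.now()) {
  if (!tokenData || typeof tokenData.access_token !== 'string' || tokenData.access_token === '') {
    return false;
  }
  if (!Number.isFinite(tokenData.createdAt) || !Number.isFinite(tokenData.expires_in)) {
    return false;
  }
  const expiresAt = tokenData.createdAt + tokenData.expires_in * 1000;
  return now < expiresAt - LATENCY_MS;
}

// The token endpoint response carries expires_in but no createdAt (per the
// issue), so the client stamps it at receipt time and persists the stamp.
function stampToken(tokenResponse, now = Date.now()) {
  return { ...tokenResponse, createdAt: now };
}

// Persisting as JSON keeps createdAt, since it is a plain number.
function saveToken(token) {
  return JSON.stringify(token);
}
function loadToken(serialized) {
  return JSON.parse(serialized);
}

// Walk through the scenario from the issue with a fixed, constructed clock.
function demo() {
  const T0 = 1700000000000;                 // constructed "receipt" time (ms)
  const response = {                        // constructed token response
    access_token: 'constructed-access-token',
    refresh_token: 'constructed-refresh-token',
    expires_in: 3600,
  };

  // Stored exactly as received (no createdAt) and checked one day later.
  const unstamped = loadToken(saveToken(response));
  const later = T0 + 24 * 3600 * 1000;

  // Stored after stamping; checked inside and at the end of the
  // (expires_in - 60 s) window, and one day later.
  const stamped = loadToken(saveToken(stampToken(response, T0)));
  const insideWindow = T0 + 3000 * 1000;
  const atBoundary = T0 + (3600 - 60) * 1000;

  return {
    unstampedLenient: isAccessTokenValidLenient(unstamped, later),     // true: the false positive
    unstampedStrict: isAccessTokenValidStrict(unstamped, later),       // false: age unknown
    stampedFresh: isAccessTokenValidStrict(stamped, insideWindow),     // true
    stampedAtBoundary: isAccessTokenValidStrict(stamped, atBoundary),  // false
    stampedStale: isAccessTokenValidLenient(stamped, later),           // false: createdAt present
  };
}

console.log(JSON.stringify(demo()));
```

Both variants only reason about age. Neither can tell that an access_token string has been altered or revoked; that is only learned from the resource server or a token-introspection call, so a local "valid" result should be read as "not known to be expired", never as "authentic". The practical rule for callers of the SDK is to stamp createdAt when the token is received, persist it with the token, and treat any stored token that lacks it as expired and refresh.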

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 16

Most upvoted comments

Feb 2021. same here, isTokenValid() always gave false positive result.

Steps to reproduce:

  • generate token
  • store generated tokens to file
  • modify the token file ( in ex: refresh_token, access_token, etc ) to random values
  • call the isTokenValid() helper from code, and it will always return a positive result, which is irrelevant

After a closer look, it seems that isTokenValid() basically -only- checks the createdAt value, without validating the tokens themselves.

@abisalehalliprasan: Any plan in the future to have it improved?

I will take a look at it and provide more details.