parse-server: Handling errors with “Session token is expired.” for automatic (anonymous) users
Issue Description
My iOS app uses Parse Server’s automatic user feature, namely users do not have to provide login credentials, but instead are logged in automatically and anonymously. These are not users that have been migrated from Parse.com, but automatic users with revocable sessions generated by hosted Parse Server.
Our client-side Parse initialisation looks like this:
[Parse initializeWithConfiguration:[ParseClientConfiguration configurationWithBlock:^(id<ParseMutableClientConfiguration> _Nonnull configuration) {
    configuration.applicationId = <our app id>;
    configuration.clientKey = <our client key>;
    configuration.server = <our server>;
}]];
// Users
[PFUser enableRevocableSessionInBackground];
[PFUser enableAutomaticUser];
[PFACL setDefaultACL:[PFACL ACL] withAccessForCurrentUser:YES];
On the server, “Expire inactive session” is YES, and “Revoke session on password reset” is YES. Session length is 1 year in seconds. I do not fully understand what constitutes an “inactive” session as far as “Expire inactive session” goes, and exactly what “Expire” constitutes - deletion from the database, or just making the token invalid. It seems to me that the session remains valid simply for “session length” after its inception, regardless of other factors.
Based on that understanding, everything works as expected - the user can communicate with the database - and at the 1 year mark, the session token appears to expire naturally.
With a standard login flow, one would clearly then display a screen allowing the user to login and refresh their token. However, in the case of automatic or anonymous users, that makes no sense - they never entered any login credentials, and so they have no means of refreshing their credentials manually.
Given that automatic user is enabled, I would have expected that Parse Server would automatically generate a new session token for a user with anonymous credentials. Instead, any interaction with the server or database fails with:
Error Domain=Parse Code=209 "Session token is expired." UserInfo={code=209, temporary=0, error=Session token is expired., NSLocalizedDescription=Session token is expired.}
I note that in Parse Server’s authentication tab “App authentication settings”, “Enable Anonymous Authentication” is actually set to NO. My understanding here is that this would simply let users communicate with Parse server without a valid session token or valid PFUser object. This is not really what we want - we want a valid anonymous PFUser to communicate, as we may later want to transition them to a regular PFUser. I’ve tried switching it to YES, but we still see the same errors.
I am using Parse Server v2.3.2 with MongoDB v3.0.12, and iOS Parse SDK v1.17.1. I am looking to upgrade to the latest versions, but I want to take the time to understand what the problem is first, and if/how this may solve the problem.
Is this a known bug, solved by a later version or not? Is this a problem with my implementation or understanding? Can anyone help me with a solution?
Deleting the app and reinstalling it fixes the problem, because a new automatic user is generated and a fresh session token is provided. In the database this appears as a completely new user and the old one sits unused forevermore.
I would like to implement a solution that simply grants a new session token for anonymous users with an expired token. It seems as though I must set a finite session length, and I would rather not just set it to 100 years - it does not solve the problem for existing users and feels like a hack.
Thank you for your help.
Kind regards, Alex
Steps to reproduce
On the client, initialise Parse with:
[Parse initializeWithConfiguration:[ParseClientConfiguration configurationWithBlock:^(id<ParseMutableClientConfiguration> _Nonnull configuration) {
    configuration.applicationId = <app id>;
    configuration.clientKey = <client key>;
    configuration.server = <server>;
}]];
// Users
[PFUser enableRevocableSessionInBackground];
[PFUser enableAutomaticUser];
[PFACL setDefaultACL:[PFACL ACL] withAccessForCurrentUser:YES];
On the server use:
Expire inactive session: YES
Revoke session on password reset: YES
Session Length: <Finite Time>
Enable Anonymous Authentication: NO or YES...
Anonymous automatic users are created for new users. They work as expected during their valid lifetime. After an automatic PFUser has existed for “Session Length” the session token expires.
Expected Results
Given that the user did not enter any credentials and that automatic user is enabled, I would have expected Parse Server to grant a new valid (revocable) session token automatically.
Actual Outcome
Client-server interactions fail with error code 209: “Session token is expired.”, 101, or 206. 101 is clearly related to the invalid Session Token. 206 may or may not be a related issue.
The client is effectively cut adrift from our back-end and cannot synchronise with our database or interact with our server.
They cannot be asked to log in, as they have no credentials with which to log in. Currently it seems they are forced to reinstall the app and become a new anonymous user.
Environment Setup
Server
- parse-server version (Be specific! Don’t say ‘latest’.) : 2.3.2
- Operating System: Unknown
- Hardware: Nodechef Hosted
- Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): Remote Nodechef
Database
- MongoDB version: 3.0.12
- Storage engine: Nodechef Hosted
- Hardware: Nodechef Hosted
- Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): Remote Nodechef
Logs/Trace
Initialisation
— Configure Facebook Authentication –
— Enable Anonymous Authentication –
— Allow Client Class Creation Disabled —
— Expire Inactive Sessions Enabled —
— Revoke Session On Password Reset Enabled —
— Session length in seconds: 31536000 —
Example 209 Session token is expired.
Example 206
Error generating response. ParseError { "code": 206, "message": "Cannot modify user k6uCHupaxA." }
Cannot modify user k6uCHupaxA.
Example 101
Error handling request: ParseError { "code": 101, "message": "invalid session" }
invalid session
About this issue
- State: closed
- Created 6 years ago
- Comments: 20 (8 by maintainers)
Just as a note: You can also add expireInactiveSessions: false to the server configuration to stop sessions from expiring at all.
Me neither! This is literally the only thing I ever did in Studio 3T. There’s a trial version you can use for non-commercial purposes if you want to check it out.
I don’t remember the specifics, but if you google you should be able to figure out how to update a single field in all database Session objects fairly easily. Iirc it was using a simple query to determine which objects to edit, and defining the updated field - very straightforward and took a couple of minutes to update a few million session objects.
Hi Claes,
Glad you found it helpful!
I updated the mongodb directly using Studio 3T to update all Session objects expiresAt dates and set them to a date 3 years in the future.
I never need tokens to expire as we only use anonymous users, so I just bought myself time to either see a fix for anonymous users, implement user profiles and proper session management or simply edit the database once again nearer that date.
Best,
Alex
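The workaround described in the comments above, as an added example that is not part of the original thread: it models expiry as fixed at creation plus the session length (the behaviour the issue reports) and builds the filter/update pair for a bulk `expiresAt` change. The `expiresAt` field and `expireInactiveSessions` option are named in the thread; the function names and sample rows are constructed, and the in-memory evaluator stands in for a real database call.

```javascript
// Added example: session expiry as the issue describes it, plus the bulk
// expiresAt update from the comments. Helper names are hypothetical.
const SESSION_LENGTH_S = 31536000; // "Session length in seconds" from the log

// Expiry is fixed at creation; with expireInactiveSessions false there is none.
function expiresAtFor(createdAt, { sessionLength, expireInactiveSessions }) {
  if (!expireInactiveSessions) return undefined;
  return new Date(createdAt.getTime() + sessionLength * 1000);
}

function isExpired(session, now) {
  return session.expiresAt !== undefined && session.expiresAt < now;
}

// Filter/update pair in the shape MongoDB's updateMany(filter, update) takes.
// Only rows that would expire before newExpiry are touched.
function extensionSpec(newExpiry) {
  return {
    filter: { expiresAt: { $lt: newExpiry } },
    update: { $set: { expiresAt: newExpiry } },
  };
}

// Tiny in-memory evaluator for the $lt / $set pair above, so the effect can
// be checked on sample rows before anything touches a database.
function applySpec(docs, spec) {
  const bound = spec.filter.expiresAt.$lt;
  let modified = 0;
  const out = docs.map((d) => {
    if (d.expiresAt instanceof Date && d.expiresAt < bound) {
      modified += 1;
      return { ...d, ...spec.update.$set };
    }
    return d; // rows without an expiresAt date do not match $lt
  });
  return { docs: out, modified };
}

// Constructed sample session rows (not real data).
const cfg = { sessionLength: SESSION_LENGTH_S, expireInactiveSessions: true };
const sampleSessions = [
  { _id: "s1", createdAt: new Date("2017-01-01T00:00:00Z") },
  { _id: "s2", createdAt: new Date("2018-06-01T00:00:00Z") },
].map((s) => ({ ...s, expiresAt: expiresAtFor(s.createdAt, cfg) }));
```

Because the update also revives tokens that had already expired, a token that must stay invalid has to be deleted from the session collection rather than left to age out.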