Session Handling and Token Invalidation about atproto HOT 11 CLOSED

I mean that all methods are checking if the session is expired and renewing it if necessary

Aah, thanks! I'll recheck my implementation – looks like something wrong with tokens on my end.

The problem that I can understand that we must export session every 2 hours because of refreshed tokens

Yeah, you're correct! I guess I can do something like this one:

def post_message(text):
    session_string = "..."  # content from file
    client = Client()
    client.login(session_string=session_string)

    client.send_post(...)

    if client.export_session_string() != previous_session_string:
        # export it again

But probably some more elegant way is needed 🤔

from atproto.

There is also an idea to add an option to store the exported session as a file (this file could be always updated when a new token is generated, so you don't have to catch all errors) when Client() is initialized. Also, looks like some user/password fallback is needed as well.

We can use the exported session for two months before updating it in persistent storage. Isn't it?

You're correct in general, but It is something strange happens there with token with expiration date 2 days ago

and refresh token with expiration in December:

This token raises an error on client.login(session_string=...):

atproto.exceptions.BadRequestError: Response(success=False, status_code=400, content=XrpcError(error='ExpiredToken', message='Token has been revoked'), headers=Headers({'date': 'Tue, 19 Sep 2023 19:48:13 GMT', 'content-type': 'application/json; charset=utf-8', 'content-length': '59', 'connection': 'keep-alive', 'x-powered-by': 'Express', 'access-control-allow-origin': '*', 'ratelimit-limit': '3000', 'ratelimit-remaining': '2999', 'ratelimit-reset': '1695153193', 'ratelimit-policy': '3000;w=300', 'vary': 'Accept-Encoding'}))

🤯🤯🤯

from atproto.

I'd assume that something is broken on bsky side with this token – with newly generated tokens everything works fine! I think we're good to use the same exported session for 2 months!

from atproto.

Hi! But SDK cares about refreshing of access token using refresh token for a long time 🧐 was added here #27

The problem that I can understand that we must export session every 2 hours because of refreshed tokens 😢

Or do you want to say that auto-refresh logic was broken in SDK?

from atproto.

I mean that all methods are checking if the session is expired and renewing it if necessary

from atproto.

We definitely should save the session to persistent storage at the end of the script. But we also must catch all errors first to not exit without saving the exported session.

This doesn't fit well with envs, CI/CD secrets, and so on 🥲 sad

from atproto.

We can use the exported session for two months before updating it in persistent storage. Isn't it?

from atproto.

I can add the ability to register callback on token refresh. And the user can implement storing this token in db or file or wherever

from atproto.

I'd assume that something is broken on bsky side with this token – with newly generated tokens everything works fine! I think we're good to use the same exported session for 2 months!

Didn't you changed password or remove app password?

from atproto.

Didn't you changed password or remove app password?

Nope. Furthermore, for a token that was generated yesterday, I'm getting the same "Token has been revoked" error. Password/handle haven't been changed, and I am still able to generate new tokens with the same password.

Token generated at 1695150790, exp=1695157990
Refresh token generated at 1695150790, exp=1702926790 (Dec, 18)

>>> client = Client()
>>> client.login(session_string=sec)
atproto.exceptions.BadRequestError: Response(success=False, status_code=400, content=XrpcError(error='ExpiredToken', message='Token has been revoked'), headers=Headers({'date': 'Wed, 20 Sep 2023 09:07:36 GMT', 'content-type': 'application/json; charset=utf-8', 'content-length': '59', 'connection': 'keep-alive', 'x-powered-by': 'Express', 'access-control-allow-origin': '*', 'ratelimit-limit': '3000', 'ratelimit-remaining': '2998', 'ratelimit-reset': '1695201121', 'ratelimit-policy': '3000;w=300', 'vary': 'Accept-Encoding'}))

...

>>> client._import_session_string(sec)
SessionString(...)
>>> client._should_refresh_session()
True
>>> client._refresh_and_set_session()
atproto.exceptions.BadRequestError: Response(success=False, status_code=400, content=XrpcError(error='ExpiredToken', message='Token has been revoked'), ...)

from atproto.

so... does it mean that when you refresh the session and get a new refresh token, the old one is revoked?

from atproto.