User not redirected to login screen on 401 error with expired refresh token

[guilhermelcdev]

Firstly, I'd like to extend my gratitude to the contributors and maintainers for this project; the codebase is impressive and has been incredibly useful. However, I've encountered an issue related to authentication flow, specifically when handling 401 errors that arise from an expired access token and refresh token.

Issue
In scenarios where both the access token and the refresh token are expired, the application fails to redirect the user back to the login screen upon receiving a 401 response from the server. This behavior prevents users from re-authenticating and continuing their session seamlessly.

Steps to Reproduce
Allow both the access and refresh tokens to expire (simulate or wait for expiration).
Trigger a request that requires authentication.
Observe that upon receiving a 401 HTTP response, the application does not redirect to the login screen.
Expected Behavior
The expected behavior is for the application to automatically redirect users to the login screen upon detecting a 401 error due to expired tokens. This redirection should prompt the user to re-login, ensuring the authentication flow remains uninterrupted and user experience is maintained.

Actual Behavior
The application remains on the current screen without redirecting the user to the login screen, despite receiving a 401 error indicating that both the access and refresh tokens have expired.

[wmcginty]

Hi, thanks for the kind words @guilhermelcdev! It took me a while to wrap my head around it and I thought an example might benefit others. Glad it has been able to help.

As to your issue though, I'm a little confused. It shouldn't be possible for the refresh token to expire, it doesn't track an expiry. Are you doing some mapping or something else to get a 401 from /api/token/refresh?

But, from the apps perspective, you are correct it will not redirect you to login automatically in these instances (because it should be an impossible state). If you would like to implement something like this yourself though, you should be able to start in AuthorizationRefreshService.attemptRecovery(from:executing:). This function will receive the 401 (or any error) from the attempt to refresh and then you can act accordingly to deep link the user to a login screen.