fix: evita logout al cambiar de tenant (race condition refresh token)
This commit is contained in:
Horux Dev
@@ -7,6 +7,7 @@ import { Header } from '@/components/layouts/header';
|
||||
import { Card, CardContent, CardHeader, CardTitle, Button, Input, Label, Select, SelectContent, SelectItem, SelectTrigger, SelectValue, Dialog, DialogContent, DialogHeader, DialogTitle, DialogDescription, DialogFooter } from '@horux/shared-ui';
|
||||
import { getMyTenants, addMyTenant, type MyTenantDetailed } from '@/lib/api/tenants';
|
||||
import { switchTenant } from '@/lib/api/auth';
|
||||
import { cancelAllApiRequests } from '@/lib/api/client';
|
||||
import { useAuthStore } from '@/stores/auth-store';
|
||||
import { formatCurrency } from '@/lib/utils';
|
||||
import { Building2, Plus, Crown, ArrowRight, Loader2, AlertCircle, CheckCircle2 } from 'lucide-react';
|
||||
@@ -61,6 +62,9 @@ export default function MisEmpresasPage() {
|
||||
router.push('/dashboard');
|
||||
return;
|
||||
}
|
||||
// Cancela requests pendientes para evitar que intenten refrescar con el
|
||||
// token que switchTenant va a invalidar.
|
||||
cancelAllApiRequests();
|
||||
try {
|
||||
const res = await switchTenant(tenantId);
|
||||
setTokens(res.accessToken, res.refreshToken);
|
||||
|
||||
@@ -4,6 +4,7 @@ import { useState, useEffect } from 'react';
|
||||
import { useQueryClient } from '@tanstack/react-query';
|
||||
import { useAuthStore } from '@/stores/auth-store';
|
||||
import { switchTenant } from '@/lib/api/auth';
|
||||
import { cancelAllApiRequests } from '@/lib/api/client';
|
||||
import { Building2, ChevronDown, Check, Loader2, Crown } from 'lucide-react';
|
||||
import { cn } from '@horux/shared-ui';
|
||||
import { isGlobalAdminRfc } from '@horux/shared';
|
||||
@@ -44,6 +45,9 @@ export function MembershipSwitcher() {
|
||||
const handleSwitch = async (tenantId: string) => {
|
||||
if (tenantId === user?.tenantId) { setOpen(false); return; }
|
||||
setSwitching(true);
|
||||
// Cancela requests pendientes para evitar que intenten refrescar con el
|
||||
// token que switchTenant va a invalidar.
|
||||
cancelAllApiRequests();
|
||||
try {
|
||||
const res = await switchTenant(tenantId);
|
||||
setTokens(res.accessToken, res.refreshToken);
|
||||
|
||||
@@ -7,6 +7,14 @@ export const apiClient = axios.create({
|
||||
},
|
||||
});
|
||||
|
||||
// Lock para refrescos: solo un /auth/refresh puede estar en vuelo a la vez.
|
||||
// Cualquier otra peticion 401 espera el resultado del refresh en curso.
|
||||
let refreshPromise: Promise<{ accessToken: string; refreshToken: string }> | null = null;
|
||||
|
||||
// Controllers de peticiones activas, para poder cancelarlas en operaciones
|
||||
// que invalidan el refresh token (ej. cambio de tenant real).
|
||||
const activeControllers = new Set<AbortController>();
|
||||
|
||||
apiClient.interceptors.request.use((config) => {
|
||||
if (typeof window !== 'undefined') {
|
||||
const token = localStorage.getItem('accessToken');
|
||||
@@ -26,13 +34,30 @@ apiClient.interceptors.request.use((config) => {
|
||||
// Ignore parse errors
|
||||
}
|
||||
}
|
||||
|
||||
// Rastrear controller para cancelacion masiva
|
||||
const controller = new AbortController();
|
||||
config.signal = controller.signal;
|
||||
(config as any)._horuxController = controller;
|
||||
activeControllers.add(controller);
|
||||
}
|
||||
return config;
|
||||
});
|
||||
|
||||
function releaseController(config: any) {
|
||||
const controller = config?._horuxController as AbortController | undefined;
|
||||
if (controller) {
|
||||
activeControllers.delete(controller);
|
||||
}
|
||||
}
|
||||
|
||||
apiClient.interceptors.response.use(
|
||||
(response) => response,
|
||||
(response) => {
|
||||
releaseController(response.config);
|
||||
return response;
|
||||
},
|
||||
async (error) => {
|
||||
releaseController(error.config);
|
||||
const originalRequest = error.config;
|
||||
|
||||
// Rate limit hit. El backend envía { message } — lo preservamos para que los
|
||||
@@ -67,9 +92,11 @@ apiClient.interceptors.response.use(
|
||||
if (error.response?.status === 401 && !originalRequest._retry) {
|
||||
originalRequest._retry = true;
|
||||
|
||||
try {
|
||||
const refreshToken = localStorage.getItem('refreshToken');
|
||||
if (refreshToken) {
|
||||
if (!refreshPromise) {
|
||||
refreshPromise = (async () => {
|
||||
const refreshToken = localStorage.getItem('refreshToken');
|
||||
if (!refreshToken) throw new Error('No refresh token');
|
||||
|
||||
const response = await axios.post(
|
||||
`${process.env.NEXT_PUBLIC_API_URL || 'http://localhost:4000/api'}/auth/refresh`,
|
||||
{ refreshToken }
|
||||
@@ -78,17 +105,35 @@ apiClient.interceptors.response.use(
|
||||
const { accessToken, refreshToken: newRefreshToken } = response.data;
|
||||
localStorage.setItem('accessToken', accessToken);
|
||||
localStorage.setItem('refreshToken', newRefreshToken);
|
||||
return { accessToken, refreshToken: newRefreshToken };
|
||||
})().finally(() => {
|
||||
refreshPromise = null;
|
||||
});
|
||||
}
|
||||
|
||||
originalRequest.headers.Authorization = `Bearer ${accessToken}`;
|
||||
return apiClient(originalRequest);
|
||||
}
|
||||
try {
|
||||
const { accessToken } = await refreshPromise;
|
||||
originalRequest.headers.Authorization = `Bearer ${accessToken}`;
|
||||
return apiClient(originalRequest);
|
||||
} catch {
|
||||
localStorage.removeItem('accessToken');
|
||||
localStorage.removeItem('refreshToken');
|
||||
localStorage.removeItem('horux-tenant-view');
|
||||
window.location.href = '/login';
|
||||
return Promise.reject(error);
|
||||
}
|
||||
}
|
||||
|
||||
return Promise.reject(error);
|
||||
}
|
||||
);
|
||||
|
||||
/**
|
||||
* Cancela todas las peticiones activas del apiClient.
|
||||
* Util antes de operaciones que invalidan el refresh token (ej. switch-tenant)
|
||||
* para evitar race conditions entre requests viejas y el nuevo par de tokens.
|
||||
*/
|
||||
export function cancelAllApiRequests() {
|
||||
activeControllers.forEach((controller) => controller.abort());
|
||||
activeControllers.clear();
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user