dify/web/service/refresh-token.ts

import { API_PREFIX } from '@/config'
import { fetchWithRetry } from '@/utils'

const LOCAL_STORAGE_KEY = 'is_other_tab_refreshing'

let isRefreshing = false
function waitUntilTokenRefreshed() {
  return new Promise<void>((resolve) => {
    function _check() {
      const isRefreshingSign = globalThis.localStorage.getItem(LOCAL_STORAGE_KEY)
      if ((isRefreshingSign && isRefreshingSign === '1') || isRefreshing) {
        setTimeout(() => {
          _check()
        }, 1000)
      }
      else {
        resolve()
      }
    }
    _check()
  })
}

const isRefreshingSignAvailable = function (delta: number) {
  const nowTime = new Date().getTime()
  const lastTime = globalThis.localStorage.getItem('last_refresh_time') || '0'
  return nowTime - Number.parseInt(lastTime) <= delta
}

// only one request can send
async function getNewAccessToken(timeout: number): Promise<void> {
  try {
    const isRefreshingSign = globalThis.localStorage.getItem(LOCAL_STORAGE_KEY)
    if ((isRefreshingSign && isRefreshingSign === '1' && isRefreshingSignAvailable(timeout)) || isRefreshing) {
      await waitUntilTokenRefreshed()
    }
    else {
      isRefreshing = true
      globalThis.localStorage.setItem(LOCAL_STORAGE_KEY, '1')
      globalThis.localStorage.setItem('last_refresh_time', new Date().getTime().toString())
      globalThis.addEventListener('beforeunload', releaseRefreshLock)

      // Do not use baseFetch to refresh tokens.
      // If a 401 response occurs and baseFetch itself attempts to refresh the token,
      // it can lead to an infinite loop if the refresh attempt also returns 401.
      // To avoid this, handle token refresh separately in a dedicated function
      // that does not call baseFetch and uses a single retry mechanism.
      const [error, ret] = await fetchWithRetry(globalThis.fetch(`${API_PREFIX}/refresh-token`, {
        method: 'POST',
        credentials: 'include', // Important: include cookies in the request
        headers: {
          'Content-Type': 'application/json;utf-8',
        },
        // No body needed - refresh token is in cookie
      }))
      if (error) {
        return Promise.reject(error)
      }
      else {
        if (ret.status === 401)
          return Promise.reject(ret)
      }
    }
  }
  catch (error) {
    console.error(error)
    return Promise.reject(error)
  }
  finally {
    releaseRefreshLock()
  }
}

function releaseRefreshLock() {
  if (isRefreshing) {
    isRefreshing = false
    globalThis.localStorage.removeItem(LOCAL_STORAGE_KEY)
    globalThis.localStorage.removeItem('last_refresh_time')
    globalThis.removeEventListener('beforeunload', releaseRefreshLock)
  }
}

export async function refreshAccessTokenOrRelogin(timeout: number) {
  return Promise.race([new Promise<void>((resolve, reject) => setTimeout(() => {
    releaseRefreshLock()
    reject(new Error('request timeout'))
  }, timeout)), getNewAccessToken(timeout)])
}
feat: add config for max-tree-depth (#21291) 2025-06-23 13:55:57 +08:00			`import { API_PREFIX } from '@/config'`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`import { fetchWithRetry } from '@/utils'`

fix: Page may lock if user close the page when refresh access_token (#10550) 2024-11-12 15:18:19 +08:00			`const LOCAL_STORAGE_KEY = 'is_other_tab_refreshing'`

refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`let isRefreshing = false`
			`function waitUntilTokenRefreshed() {`
Chore/cleanup warnings (#17974) 2025-04-14 11:27:14 +08:00			`return new Promise<void>((resolve) => {`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`function _check() {`
fix: Page may lock if user close the page when refresh access_token (#10550) 2024-11-12 15:18:19 +08:00			`const isRefreshingSign = globalThis.localStorage.getItem(LOCAL_STORAGE_KEY)`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`if ((isRefreshingSign && isRefreshingSign === '1') \|\| isRefreshing) {`
			`setTimeout(() => {`
			`_check()`
			`}, 1000)`
			`}`
			`else {`
			`resolve()`
			`}`
			`}`
			`_check()`
			`})`
			`}`

fix: add last_refresh_time to track the validity of is_other_tab_refreshing (#12517) 2025-01-09 10:40:45 +08:00			`const isRefreshingSignAvailable = function (delta: number) {`
			`const nowTime = new Date().getTime()`
			`const lastTime = globalThis.localStorage.getItem('last_refresh_time') \|\| '0'`
Chore: frontend infrastructure upgrade (#16420) Co-authored-by: NFish <douxc512@gmail.com> Co-authored-by: zxhlyh <jasonapring2015@outlook.com> Co-authored-by: twwu <twwu@dify.ai> Co-authored-by: jZonG <jzongcode@gmail.com> 2025-03-21 17:41:03 +08:00			`return nowTime - Number.parseInt(lastTime) <= delta`
fix: add last_refresh_time to track the validity of is_other_tab_refreshing (#12517) 2025-01-09 10:40:45 +08:00			`}`

refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`// only one request can send`
fix: add last_refresh_time to track the validity of is_other_tab_refreshing (#12517) 2025-01-09 10:40:45 +08:00			`async function getNewAccessToken(timeout: number): Promise<void> {`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`try {`
fix: Page may lock if user close the page when refresh access_token (#10550) 2024-11-12 15:18:19 +08:00			`const isRefreshingSign = globalThis.localStorage.getItem(LOCAL_STORAGE_KEY)`
fix: add last_refresh_time to track the validity of is_other_tab_refreshing (#12517) 2025-01-09 10:40:45 +08:00			`if ((isRefreshingSign && isRefreshingSign === '1' && isRefreshingSignAvailable(timeout)) \|\| isRefreshing) {`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`await waitUntilTokenRefreshed()`
			`}`
			`else {`
			`isRefreshing = true`
fix: Page may lock if user close the page when refresh access_token (#10550) 2024-11-12 15:18:19 +08:00			`globalThis.localStorage.setItem(LOCAL_STORAGE_KEY, '1')`
fix: add last_refresh_time to track the validity of is_other_tab_refreshing (#12517) 2025-01-09 10:40:45 +08:00			`globalThis.localStorage.setItem('last_refresh_time', new Date().getTime().toString())`
fix: Page may lock if user close the page when refresh access_token (#10550) 2024-11-12 15:18:19 +08:00			`globalThis.addEventListener('beforeunload', releaseRefreshLock)`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00
			`// Do not use baseFetch to refresh tokens.`
			`// If a 401 response occurs and baseFetch itself attempts to refresh the token,`
			`// it can lead to an infinite loop if the refresh attempt also returns 401.`
			`// To avoid this, handle token refresh separately in a dedicated function`
			`// that does not call baseFetch and uses a single retry mechanism.`
feat: add config for max-tree-depth (#21291) 2025-06-23 13:55:57 +08:00			const [error, ret] = await fetchWithRetry(globalThis.fetch(`${API_PREFIX}/refresh-token`, {
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`method: 'POST',`
refactor: replace localStorage with HTTP-only cookies for auth tokens (#24365) Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Signed-off-by: lyzno1 <yuanyouhuilyz@gmail.com> Signed-off-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Yunlu Wen <wylswz@163.com> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: GareArc <chen4851@purdue.edu> Co-authored-by: NFish <douxc512@gmail.com> Co-authored-by: Davide Delbianco <davide.delbianco@outlook.com> Co-authored-by: minglu7 <1347866672@qq.com> Co-authored-by: Ponder <ruan.lj@foxmail.com> Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: heyszt <270985384@qq.com> Co-authored-by: Asuka Minato <i@asukaminato.eu.org> Co-authored-by: Guangdong Liu <liugddx@gmail.com> Co-authored-by: Eric Guo <eric.guocz@gmail.com> Co-authored-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Co-authored-by: XlKsyt <caixuesen@outlook.com> Co-authored-by: Dhruv Gorasiya <80987415+DhruvGorasiya@users.noreply.github.com> Co-authored-by: crazywoola <427733928@qq.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: lyzno1 <92089059+lyzno1@users.noreply.github.com> Co-authored-by: hj24 <mambahj24@gmail.com> Co-authored-by: GuanMu <ballmanjq@gmail.com> Co-authored-by: 非法操作 <hjlarry@163.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Tonlo <123lzs123@gmail.com> Co-authored-by: Yusuke Yamada <yamachu.dev@gmail.com> Co-authored-by: Novice <novice12185727@gmail.com> Co-authored-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Ademílson Tonato <ademilsonft@outlook.com> Co-authored-by: znn <jubinkumarsoni@gmail.com> Co-authored-by: yangzheli <43645580+yangzheli@users.noreply.github.com> 2025-10-19 21:29:04 +08:00			`credentials: 'include', // Important: include cookies in the request`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`headers: {`
			`'Content-Type': 'application/json;utf-8',`
			`},`
refactor: replace localStorage with HTTP-only cookies for auth tokens (#24365) Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Signed-off-by: lyzno1 <yuanyouhuilyz@gmail.com> Signed-off-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Yunlu Wen <wylswz@163.com> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: GareArc <chen4851@purdue.edu> Co-authored-by: NFish <douxc512@gmail.com> Co-authored-by: Davide Delbianco <davide.delbianco@outlook.com> Co-authored-by: minglu7 <1347866672@qq.com> Co-authored-by: Ponder <ruan.lj@foxmail.com> Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: heyszt <270985384@qq.com> Co-authored-by: Asuka Minato <i@asukaminato.eu.org> Co-authored-by: Guangdong Liu <liugddx@gmail.com> Co-authored-by: Eric Guo <eric.guocz@gmail.com> Co-authored-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Co-authored-by: XlKsyt <caixuesen@outlook.com> Co-authored-by: Dhruv Gorasiya <80987415+DhruvGorasiya@users.noreply.github.com> Co-authored-by: crazywoola <427733928@qq.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: lyzno1 <92089059+lyzno1@users.noreply.github.com> Co-authored-by: hj24 <mambahj24@gmail.com> Co-authored-by: GuanMu <ballmanjq@gmail.com> Co-authored-by: 非法操作 <hjlarry@163.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Tonlo <123lzs123@gmail.com> Co-authored-by: Yusuke Yamada <yamachu.dev@gmail.com> Co-authored-by: Novice <novice12185727@gmail.com> Co-authored-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Ademílson Tonato <ademilsonft@outlook.com> Co-authored-by: znn <jubinkumarsoni@gmail.com> Co-authored-by: yangzheli <43645580+yangzheli@users.noreply.github.com> 2025-10-19 21:29:04 +08:00			`// No body needed - refresh token is in cookie`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`}))`
			`if (error) {`
			`return Promise.reject(error)`
			`}`
			`else {`
			`if (ret.status === 401)`
			`return Promise.reject(ret)`
			`}`
			`}`
			`}`
			`catch (error) {`
			`console.error(error)`
			`return Promise.reject(error)`
			`}`
			`finally {`
fix: Page may lock if user close the page when refresh access_token (#10550) 2024-11-12 15:18:19 +08:00			`releaseRefreshLock()`
			`}`
			`}`

			`function releaseRefreshLock() {`
			`if (isRefreshing) {`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`isRefreshing = false`
fix: Page may lock if user close the page when refresh access_token (#10550) 2024-11-12 15:18:19 +08:00			`globalThis.localStorage.removeItem(LOCAL_STORAGE_KEY)`
fix: add last_refresh_time to track the validity of is_other_tab_refreshing (#12517) 2025-01-09 10:40:45 +08:00			`globalThis.localStorage.removeItem('last_refresh_time')`
fix: Page may lock if user close the page when refresh access_token (#10550) 2024-11-12 15:18:19 +08:00			`globalThis.removeEventListener('beforeunload', releaseRefreshLock)`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`}`
			`}`

			`export async function refreshAccessTokenOrRelogin(timeout: number) {`
			`return Promise.race([new Promise<void>((resolve, reject) => setTimeout(() => {`
fix: Page may lock if user close the page when refresh access_token (#10550) 2024-11-12 15:18:19 +08:00			`releaseRefreshLock()`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`reject(new Error('request timeout'))`
fix: add last_refresh_time to track the validity of is_other_tab_refreshing (#12517) 2025-01-09 10:40:45 +08:00			`}, timeout)), getNewAccessToken(timeout)])`
refactor the logic of refreshing access_token (#10068) 2024-11-05 12:38:31 +08:00			`}`