Automating access token refreshing via interceptors in axios
Not sure if this suits your requirements or not, but another workaround could also be the separate Axios Instances (using axios.create method) for refreshToken and the rest of API calls. This way you can easily bypass your default interceptor for checking the 401 status in case of refreshToken.
So, now your normal interceptor would be the same.
Axios.interceptors.response.use(response => response, error => {
const status = error.response ? error.response.status : null
if (status === 401) {
// will loop if refreshToken returns 401
return refreshToken(store).then(_ => {
error.config.headers['Authorization'] = 'Bearer ' + store.state.auth.token;
error.config.baseURL = undefined;
return Axios.request(error.config);
})
// Would be nice to catch an error here, which would work, if the interceptor is omitted
.catch(err => err);
}
return Promise.reject(error);
});
And, your refreshToken would be like:
const refreshInstance = Axios.create();
function refreshToken(store) {
if (store.state.auth.isRefreshing) {
return store.state.auth.refreshingCall;
}
store.commit('auth/setRefreshingState', true);
const refreshingCall = refreshInstance.get('get token').then(({ data: { token } }) => {
store.commit('auth/setToken', token)
store.commit('auth/setRefreshingState', false);
store.commit('auth/setRefreshingCall', undefined);
return Promise.resolve(true);
});
store.commit('auth/setRefreshingCall', refreshingCall);
return refreshingCall;
}
here are some nice links [1] [2], you can refer for Axios Instances
I may have found a way much simpler to handle this : use axios.interceptors.response.eject() to disable the interceptor when I call the /api/refresh_token endpoint, and re-enable it after.
The code :
createAxiosResponseInterceptor() {
const interceptor = axios.interceptors.response.use(
response => response,
error => {
// Reject promise if usual error
if (error.response.status !== 401) {
return Promise.reject(error);
}
/*
* When response code is 401, try to refresh the token.
* Eject the interceptor so it doesn't loop in case
* token refresh causes the 401 response
*/
axios.interceptors.response.eject(interceptor);
return axios.post('/api/refresh_token', {
'refresh_token': this._getToken('refresh_token')
}).then(response => {
saveToken();
error.response.config.headers['Authorization'] = 'Bearer ' + response.data.access_token;
return axios(error.response.config);
}).catch(error => {
destroyToken();
this.router.push('/login');
return Promise.reject(error);
}).finally(createAxiosResponseInterceptor);
}
);
}
This is my implementation that avoids the infinite loop if the refresh route returns 401.
To avoid the infinite loop, I am using a clean instance of axios without the interceptor to refresh the token.
I am using cookies but you can refer to the other answers if you are using localStorage.
src/api/index.js
import axios from 'axios'
const baseURL = process.env.NODE_ENV === 'production' ? '/api' : http://localhost:5000/api`
const axiosInstance = axios.create({
baseURL,
timeout: 30000
})
axiosInstance.interceptors.response.use(response => response, error => {
const { response, config } = error
if (response.status !== 401) {
return Promise.reject(error)
}
// Use a 'clean' instance of axios without the interceptor to refresh the token. No more infinite refresh loop.
return axios.get('/auth/refresh', {
baseURL,
timeout: 30000
})
.then(() => {
// If you are using localStorage, update the token and Authorization header here
return axiosInstance(config)
})
.catch(() => {
return Promise.reject(error)
})
})
export default axiosInstance
I am using Vue on the frontend.