fix(auth/refresh): send 403 res for invalid token to properly invalidate session (#1068)

api/server/controllers/AuthController.js

@@ -112,7 +112,9 @@ const refreshController = async (req, res) => {
       res.status(401).send('Refresh token expired or not found for this user');
     }
   } catch (err) {
-    res.status(401).send('Invalid refresh token');
+    console.error('Refresh token error', refreshToken);
+    console.error(err);
+    res.status(403).send('Invalid refresh token');
   }
 };
 

packages/data-provider/src/request.ts

@@ -21,20 +21,19 @@ const processQueue = (error: AxiosError | null, token: string | null = null) =>
 
 axios.interceptors.response.use(
   (response) => response,
-  (error) => {
+  async (error) => {
     const originalRequest = error.config;
     if (error.response.status === 401 && !originalRequest._retry) {
       if (isRefreshing) {
-        return new Promise(function (resolve, reject) {
+        try {
-          failedQueue.push({ resolve, reject });
+          const token = await new Promise(function (resolve, reject) {
-        })
+            failedQueue.push({ resolve, reject });
-          .then((token) => {
-            originalRequest.headers['Authorization'] = 'Bearer ' + token;
-            return axios(originalRequest);
-          })
-          .catch((err) => {
-            return Promise.reject(err);
           });
+          originalRequest.headers['Authorization'] = 'Bearer ' + token;
+          return await axios(originalRequest);
+        } catch (err) {
+          return await Promise.reject(err);
+        }
       }
 
       originalRequest._retry = true;