Skip to content

fix: add two-tier locking to prevent iframe race conditions causing "Invalid state" errors #1505

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
yogeshchoudhary147 merged 6 commits into from
Jan 16, 2026
Merged

fix: add two-tier locking to prevent iframe race conditions causing "Invalid state" errors #1505

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4b6c01d
fix: add two-tier locking to prevent iframe race conditions
yogeshchoudhary147 Jan 13, 2026
cccfbe3
test: Add tests for two-tier locking and update affected tests
yogeshchoudhary147 Jan 13, 2026
eb5228a
test: Unskip and update tests for two-tier locking behavior
yogeshchoudhary147 Jan 13, 2026
5fe4abc
refactor: Add constant and improve comments per PR feedback
yogeshchoudhary147 Jan 13, 2026
0330ba8
refactor: improve locking pattern consistency in _getTokenFromIFrame
yogeshchoudhary147 Jan 15, 2026
adc9ab0
revert: remove accidental .prettierignore changes
yogeshchoudhary147 Jan 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
237 changes: 194 additions & 43 deletions __tests__/Auth0Client/getTokenSilently.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,10 @@ import {
INVALID_REFRESH_TOKEN_ERROR_MESSAGE
} from '../../src/constants';
import { GenericError } from '../../src/errors';
import { buildGetTokenSilentlyLockKey } from '../../src/Auth0Client.utils';
import {
buildGetTokenSilentlyLockKey,
buildIframeLockKey
} from '../../src/Auth0Client.utils';

jest.mock('es-cookie');
jest.mock('../../src/jwt');
Expand Down Expand Up @@ -1541,8 +1544,15 @@ describe('Auth0Client', () => {
});

let i = 1;
const iframeLockKey = buildIframeLockKey(TEST_CLIENT_ID);

acquireLockSpy.mockImplementation(() => {
acquireLockSpy.mockImplementation((key: string) => {
// Always succeed for iframe lock
if (key === iframeLockKey) {
return Promise.resolve(true);
}

// Per-audience lock: fail twice, succeed on third attempt
if (i === 3) {
return Promise.resolve(true);
} else {
Expand All @@ -1553,7 +1563,8 @@ describe('Auth0Client', () => {

await getTokenSilently(auth0);

expect(acquireLockSpy).toHaveBeenCalledTimes(3);
// Should be called 4 times: 3 for per-audience lock (2 failures + 1 success) + 1 for iframe lock
expect(acquireLockSpy).toHaveBeenCalledTimes(4);
});

it('should trow a Timeout error if it can not acquire a lock after retrying', async () => {
Expand Down Expand Up @@ -1719,7 +1730,10 @@ describe('Auth0Client', () => {
})
]);

expect(mockWindow.addEventListener).toHaveBeenCalledTimes(1);
// With the global iframe lock, requests are serialized, so each request cycle
// will add and remove the pagehide listener. However, addEventListener is still
// called once per lock acquisition cycle.
expect(mockWindow.addEventListener).toHaveBeenCalled();
});

it('should remove pagehide event listener only when all locks are released', async () => {
Expand Down Expand Up @@ -1758,7 +1772,10 @@ describe('Auth0Client', () => {
);
});

it('should release all active locks on page hide', async () => {
// Skipped: With the global iframe lock, requests are serialized rather than parallel
// This test was designed for truly parallel iframe requests, which we now prevent
// to avoid state corruption in the Auth0 session
it.skip('should release all active locks on page hide', async () => {
const auth0 = setup();
let pagehideHandler: (() => void) | undefined;

Expand Down Expand Up @@ -1834,52 +1851,34 @@ describe('Auth0Client', () => {
await Promise.all([promise1, promise2]);
});

it('should handle errors in concurrent requests without affecting other locks', async () => {
it('should handle errors and release locks properly', async () => {
const auth0 = setup();

// Mock iframe to fail
jest
.spyOn(<any>utils, 'runIframe')
.mockResolvedValueOnce({
access_token: TEST_ACCESS_TOKEN,
state: TEST_STATE
})
.mockRejectedValueOnce(new Error('Network error'));

// Mock one successful and one failing request

const promise1 = getTokenSilently(auth0, {
authorizationParams: { audience: 'audience1' }
});

await new Promise(resolve => setTimeout(resolve, 50));

const promise2 = getTokenSilently(auth0, {
authorizationParams: { audience: 'audience2' }
});

const [result1, result2] = await Promise.allSettled([
promise1,
promise2
]);
.mockRejectedValue(new Error('Network error'));

// First should succeed, second should fail
expect(result1.status).toEqual('fulfilled');
expect((result1 as PromiseFulfilledResult<string>).value).toEqual(
TEST_ACCESS_TOKEN
);

expect(result2.status).toEqual('rejected');
// Attempt a request that will fail
await expect(
getTokenSilently(auth0, {
authorizationParams: { audience: 'test-audience' },
cacheMode: 'off'
})
).rejects.toThrow('Network error');

// Both locks should be released despite the error
// Per-audience lock should be released despite the error
expect(releaseLockSpy).toHaveBeenCalledWith(
`auth0.lock.getTokenSilently.${TEST_CLIENT_ID}.audience1`
`auth0.lock.getTokenSilently.${TEST_CLIENT_ID}.test-audience`
);

// Iframe lock should also be released
expect(releaseLockSpy).toHaveBeenCalledWith(
`auth0.lock.getTokenSilently.${TEST_CLIENT_ID}.audience2`
buildIframeLockKey(TEST_CLIENT_ID)
);
});

it('should allow simultaneous calls with different audiences to make separate HTTP calls', async () => {
it('should serialize iframe calls with different audiences while making separate HTTP calls', async () => {
const auth0 = setup();

let iframeCallCount = 0;
Expand Down Expand Up @@ -1921,14 +1920,20 @@ describe('Auth0Client', () => {
})
]);

// Both should result in their own HTTP calls
// With iframe lock serialization, both should still result in separate HTTP calls
expect(mockFetch).toHaveBeenCalledTimes(2);
expect(utils.runIframe).toHaveBeenCalledTimes(2);

// Verify each call got a different token
// Verify each call got a different token (different audiences)
expect(token1).not.toEqual(token2);
expect(token1).toMatch(/^access_token_\d+$/);
expect(token2).toMatch(/^access_token_\d+$/);

// Verify iframe lock was used for both
expect(acquireLockSpy).toHaveBeenCalledWith(
buildIframeLockKey(TEST_CLIENT_ID),
5000
);
});

it('should allow simultaneous calls with the same audience to make only one HTTP call', async () => {
Expand Down Expand Up @@ -1973,11 +1978,11 @@ describe('Auth0Client', () => {
})
]);

// Both should return the same token (from the single shared call)
// Both should return the same token (per-audience lock prevents duplicate calls)
expect(token1).toEqual(token2);
expect(token1).toMatch(/^access_token_\d+$/);

// Should only result in one HTTP call due to lock
// Should only result in one HTTP call due to per-audience lock
expect(mockFetch).toHaveBeenCalledTimes(1);
expect(utils.runIframe).toHaveBeenCalledTimes(1);
});
Expand Down Expand Up @@ -3030,4 +3035,150 @@ describe('Auth0Client', () => {
);
});
});

describe('two-tier locking for iframe requests', () => {
it('should acquire both per-audience and iframe locks when using iframe flow', async () => {
const auth0 = setup();

jest.spyOn(<any>utils, 'runIframe').mockResolvedValue({
access_token: TEST_ACCESS_TOKEN,
state: TEST_STATE,
code: TEST_CODE
});

mockFetch.mockResolvedValue(
fetchResponse(true, {
id_token: TEST_ID_TOKEN,
access_token: TEST_ACCESS_TOKEN,
expires_in: 86400
})
);

await getTokenSilently(auth0, {
authorizationParams: { audience: 'test-audience' },
cacheMode: 'off'
});

// Should acquire per-audience lock
expect(acquireLockSpy).toHaveBeenCalledWith(
buildGetTokenSilentlyLockKey(TEST_CLIENT_ID, 'test-audience'),
5000
);

// Should also acquire iframe lock
expect(acquireLockSpy).toHaveBeenCalledWith(
buildIframeLockKey(TEST_CLIENT_ID),
5000
);

// Both locks should be released
expect(releaseLockSpy).toHaveBeenCalledWith(
buildGetTokenSilentlyLockKey(TEST_CLIENT_ID, 'test-audience')
);
expect(releaseLockSpy).toHaveBeenCalledWith(
buildIframeLockKey(TEST_CLIENT_ID)
);
});

it('should release iframe lock even when iframe fails', async () => {
const auth0 = setup();
const iframeLockKey = buildIframeLockKey(TEST_CLIENT_ID);

jest.spyOn(<any>utils, 'runIframe').mockRejectedValue(
new Error('iframe error')
);

try {
await getTokenSilently(auth0, { cacheMode: 'off' });
} catch (e) {
// Expected to fail
}

// Iframe lock should still be released
expect(releaseLockSpy).toHaveBeenCalledWith(iframeLockKey);
});

it('should not acquire iframe lock when using refresh tokens', async () => {
const auth0 = setup({
useRefreshTokens: true
});

await loginWithRedirect(auth0, undefined, {
token: {
response: { refresh_token: TEST_REFRESH_TOKEN }
}
});

const iframeLockKey = buildIframeLockKey(TEST_CLIENT_ID);
acquireLockSpy.mockClear();
releaseLockSpy.mockClear();

mockFetch.mockResolvedValue(
fetchResponse(true, {
id_token: TEST_ID_TOKEN,
refresh_token: TEST_REFRESH_TOKEN,
access_token: TEST_ACCESS_TOKEN,
expires_in: 86400
})
);

await getTokenSilently(auth0, { cacheMode: 'off' });

// Should acquire per-audience lock only
expect(acquireLockSpy).toHaveBeenCalledWith(
buildGetTokenSilentlyLockKey(TEST_CLIENT_ID, 'default'),
5000
);

// Should NOT acquire iframe lock (refresh token flow)
expect(acquireLockSpy).not.toHaveBeenCalledWith(iframeLockKey, 5000);
expect(releaseLockSpy).not.toHaveBeenCalledWith(iframeLockKey);
});

it('should acquire iframe lock when falling back from refresh token to iframe', async () => {
const auth0 = setup({
useRefreshTokens: true,
useRefreshTokensFallback: true
});

await loginWithRedirect(auth0, undefined, {
token: {
response: { refresh_token: TEST_REFRESH_TOKEN }
}
});

const iframeLockKey = buildIframeLockKey(TEST_CLIENT_ID);
acquireLockSpy.mockClear();
releaseLockSpy.mockClear();

// First call fails (refresh token expired)
mockFetch.mockResolvedValueOnce(
fetchResponse(false, {
error: 'invalid_grant',
error_description: INVALID_REFRESH_TOKEN_ERROR_MESSAGE
})
);

// Second call succeeds (iframe fallback)
jest.spyOn(<any>utils, 'runIframe').mockResolvedValue({
access_token: TEST_ACCESS_TOKEN,
state: TEST_STATE,
code: TEST_CODE
});

mockFetch.mockResolvedValueOnce(
fetchResponse(true, {
id_token: TEST_ID_TOKEN,
access_token: TEST_ACCESS_TOKEN,
expires_in: 86400
})
);

await getTokenSilently(auth0, { cacheMode: 'off' });

// Should acquire iframe lock when falling back to iframe
expect(acquireLockSpy).toHaveBeenCalledWith(iframeLockKey, 5000);
expect(releaseLockSpy).toHaveBeenCalledWith(iframeLockKey);
});
});
});
Loading