feat(clerk-js): Stale-while-revalidate session token #7317
Conversation
🦋 Changeset detectedLatest commit: d2cac65 The changes in this PR will be included in the next version bump. This PR includes changesets to release 20 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
📝 WalkthroughWalkthroughThis pull request implements stale-while-revalidate behavior for session token retrieval. The token cache API was refactored to return a structured result object containing the cache entry and a 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. 📜 Recent review detailsConfiguration used: Repository YAML (base), Organization UI (inherited) Review profile: CHILL Plan: Pro Disabled knowledge base sources:
📒 Files selected for processing (6)
🧰 Additional context used📓 Path-based instructions (14)**/*.{js,jsx,ts,tsx}📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Files:
**/*.{js,jsx,ts,tsx,json,md,yml,yaml}📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Files:
packages/**/src/**/*.{ts,tsx}📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Files:
**/*.{ts,tsx,js,jsx}📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Files:
packages/**/src/**/*.{ts,tsx,js,jsx}📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Files:
**/*.{test,spec}.{ts,tsx,js,jsx}📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Files:
**/*.ts?(x)📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Files:
**/*.{test,spec,e2e}.{ts,tsx,js,jsx}📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Files:
**/*.{ts,tsx}📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)
Files:
**/*.test.{ts,tsx}📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)
Files:
**/*.{js,ts,jsx,tsx}📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)
Files:
**/*.{js,ts,jsx,tsx,json,md,yml,yaml}📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)
Files:
**/*⚙️ CodeRabbit configuration file
Files:
**/*.{md,tsx}📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Files:
🧬 Code graph analysis (2)packages/clerk-js/src/core/resources/__tests__/Session.test.ts (4)
packages/clerk-js/src/core/tokenCache.ts (1)
🪛 LanguageToolpackages/upgrade/src/versions/core-3/changes/gettoken-leeway-minimum.md[uncategorized] ~47-~47: If this is a compound adjective that modifies the following noun, use a hyphen. (EN_COMPOUND_ADJECTIVE_INTERNAL) 🔇 Additional comments (10)
Comment |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
| const tokenResolver = Token.create(path, params, false); | ||
|
|
||
| // Cache the promise immediately to prevent concurrent calls from triggering duplicate requests | ||
| SessionTokenCache.set({ tokenId, tokenResolver }); |
There was a problem hiding this comment.
This will update the tokenResolver during the background refresh. As per the separate comment, this is not a problem during this getToken call, but wont this be a problem for any subsequent getToken calls?
I haven't verified this, so it's just my reading of the code, but I saw no test cases for this which might also be nice to add.
Say I have two queries using getToken, both triggered from components that render together. The first getToken call triggers a background refresh, which sets the tokenResolver to a promise. This first getToken returns the value immediately as it awaits the previous tokenResolver.
The second call to getToken runs immediately after, does not call a background refresh since one is in progress, but it does read the value via await tokenResolver which is now the promise for the background refresh, because of this, the second getToken call does not SWR correctly even if it should?
Since we might have to touch tokenResolver etc to fix this, this might (or might not!) be a good time to tackle something related too. Awaiting already finished promises still always resolve in a microtask at the end of the JS frame, which is inefficient, so we'll want some way to read the value synchronously after the fetch has finished. Just mentioning that in case this happens to align nicely with a fix for the above.
There was a problem hiding this comment.
Great catch. Indeed, concurrent calls while refreshing would behave incorrectly as we were awaiting the new in-flight token resolver instead of returning the stale value. To address this, we no longer cache the tokenResolver running in the background until it succeeds, unlike the normal fetch case where it's cached immediately to dedupe requests. We also added a resolvedToken value to the cache so it can be read synchronously without awaiting the resolver, which avoids the microtask overhead you mentioned.
There was a problem hiding this comment.
Also expanded the test coverage of the SWR behavior
@clerk/agent-toolkit
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/react
@clerk/react-router
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/ui
@clerk/upgrade
@clerk/vue
commit: |
Ephem
left a comment
Ephem
left a comment
There was a problem hiding this comment.
I like the latest changes! Using the poller for the background revalidation makes sense to me. I think there's still some torny parts to untangle, and besides the latest comments, something still feels harder than it should be here, so I wonder if we've found the correct mental model for this yet?
I have a few early thoughts, let's chat!
|
|
||
| if (expiresSoon) { | ||
| // Token expired or dangerously close to expiration - force synchronous refresh | ||
| if (remainingTtl <= POLLER_INTERVAL_IN_MS / 1000) { |
There was a problem hiding this comment.
Default LEEWAY was 10s, and SYNC_LEEWAY was 5s, so if I'm reading this correctly, we used to sync fetch when less than 15s was remaining? Now this value is 5s?
I wonder if 5s is enough considering latency and all other factors?
However we change this it's a breaking change so let's remember to document it properly in the changelog when we've figured it out.
There was a problem hiding this comment.
Right. Before we would do a blocking fetch under the 15s, now we use the stale value when it's under 15s but more than 5 seconds. The idea there is that the poller would async fetch the token before we get to the 5s. If that doesn't occur then we would force a sync fetch.
There was a problem hiding this comment.
And yes, this is a breaking change so it's going to be part of Core 3
| } | ||
|
|
||
| return value.entry; | ||
| const effectiveLeeway = Math.max(leeway, MIN_REMAINING_TTL_IN_SECONDS); |
There was a problem hiding this comment.
This part is a bit weird. MIN_REMAINING_TTL_IN_SECONDS is 15s, and default LEEWAY is 10s, but the Math.max ensures we never go below 15s right?
If this is what we want(?), I think we should increase the LEEWAY to 15s as well, that way we document that "you can only raise this".
Thinking more on it, this PR now changes the public leewayInSeconds to only apply if you also use the internal refreshTokenOnFocus option? That seems off.
There was a problem hiding this comment.
🤔 In agreement here, this effectively forces leeway to always be equal to or greater than MIN_REMAINING_TTL_IN_SECONDS, do we want that value to be 5 or 15 going forward?
| try { | ||
| const token = await this.clerk.session.getToken(); | ||
| // Use refreshIfStale to fetch fresh token when cached token is within leeway period | ||
| const token = await this.clerk.session.getToken({ refreshIfStale: true }); |
There was a problem hiding this comment.
This also affects the refreshTokenOnFocus, but do we want that? Because those cases can be a race to finish setting the cookie before any external data fetching runs, it seems prudent to use the available token then?
| // Prefer synchronous read to avoid microtask overhead when token is already resolved | ||
| const cachedToken = cacheResult.entry.resolvedToken ?? (await cacheResult.entry.tokenResolver); |
There was a problem hiding this comment.
As I mentioned in chat, when I made the comment about this I didn't think it through fully. To get the full benefits, we'd have to make sure _getToken/getToken itself to be synchronous when data is already available (or maybe more likely add the .status and .value/.reason fields to the promise).
This likely only makes sense if/when we decide to expose this promise to the end user so they can use it though.
I see you've used resolvedToken as the way to be able to have a background refetch running while still reading the currently cached token though so this still has immediate value. That was a bit unclear at first, but I think it makes sense, will need to think some more on it.
There was a problem hiding this comment.
Agreed. And yeah, right now the value is key to allow for returning the stale value, while we wait for the poller to do it's thing
nikosdouvlis
force-pushed
the
vincent-and-the-doctor
branch
from
d24d455 to
12a12f5
Compare
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (2)
packages/clerk-js/src/core/resources/__tests__/Session.test.ts (1)
543-544: Consider using a helper to generate mock JWTs consistently.The manually crafted
newMockJwtworks for this test since it's comparing raw strings, but for maintainability, consider using thecreateJwtWithTtlhelper (from tokenCache.test.ts) or a shared fixture to ensure JWT claims are always valid and consistent across tests.packages/clerk-js/src/core/tokenCache.ts (1)
210-227: SWR logic is sound, but consider clarifying leeway behavior.The implementation correctly:
- Evicts tokens with ≤5s remaining (forcing synchronous fetch)
- Signals
needsRefreshwhen remaining TTL < effective leeway (minimum 15s)- Returns the cached entry immediately regardless of staleness
However, the
leewayparameter is effectively ignored when < 15s due to the floor atMIN_REMAINING_TTL_IN_SECONDS. While this is documented in the JSDoc, callers passing values like 10s (the default) may not realize their value has no effect.Consider either:
- Raising
DEFAULT_LEEWAYto 15s to match the minimum, or- Adding a debug log when the provided leeway is floored
This is a minor clarity improvement and not blocking.
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (7)
packages/clerk-js/src/core/__tests__/tokenCache.test.ts(20 hunks)packages/clerk-js/src/core/auth/AuthCookieService.ts(1 hunks)packages/clerk-js/src/core/auth/SessionCookiePoller.ts(2 hunks)packages/clerk-js/src/core/resources/Session.ts(2 hunks)packages/clerk-js/src/core/resources/__tests__/Session.test.ts(4 hunks)packages/clerk-js/src/core/tokenCache.ts(9 hunks)packages/shared/src/types/session.ts(1 hunks)
🧰 Additional context used
📓 Path-based instructions (12)
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
All code must pass ESLint checks with the project's configuration
Files:
packages/shared/src/types/session.tspackages/clerk-js/src/core/auth/AuthCookieService.tspackages/clerk-js/src/core/auth/SessionCookiePoller.tspackages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/tokenCache.tspackages/clerk-js/src/core/resources/__tests__/Session.test.tspackages/clerk-js/src/core/resources/Session.ts
**/*.{js,jsx,ts,tsx,json,md,yml,yaml}
📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Use Prettier for consistent code formatting
Files:
packages/shared/src/types/session.tspackages/clerk-js/src/core/auth/AuthCookieService.tspackages/clerk-js/src/core/auth/SessionCookiePoller.tspackages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/tokenCache.tspackages/clerk-js/src/core/resources/__tests__/Session.test.tspackages/clerk-js/src/core/resources/Session.ts
packages/**/src/**/*.{ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
TypeScript is required for all packages
Files:
packages/shared/src/types/session.tspackages/clerk-js/src/core/auth/AuthCookieService.tspackages/clerk-js/src/core/auth/SessionCookiePoller.tspackages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/tokenCache.tspackages/clerk-js/src/core/resources/__tests__/Session.test.tspackages/clerk-js/src/core/resources/Session.ts
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Follow established naming conventions (PascalCase for components, camelCase for variables)
Files:
packages/shared/src/types/session.tspackages/clerk-js/src/core/auth/AuthCookieService.tspackages/clerk-js/src/core/auth/SessionCookiePoller.tspackages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/tokenCache.tspackages/clerk-js/src/core/resources/__tests__/Session.test.tspackages/clerk-js/src/core/resources/Session.ts
packages/**/src/**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels
Files:
packages/shared/src/types/session.tspackages/clerk-js/src/core/auth/AuthCookieService.tspackages/clerk-js/src/core/auth/SessionCookiePoller.tspackages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/tokenCache.tspackages/clerk-js/src/core/resources/__tests__/Session.test.tspackages/clerk-js/src/core/resources/Session.ts
**/*.ts?(x)
📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Use proper TypeScript error types
Files:
packages/shared/src/types/session.tspackages/clerk-js/src/core/auth/AuthCookieService.tspackages/clerk-js/src/core/auth/SessionCookiePoller.tspackages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/tokenCache.tspackages/clerk-js/src/core/resources/__tests__/Session.test.tspackages/clerk-js/src/core/resources/Session.ts
**/*.{ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)
**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoidanytype - preferunknownwhen type is uncertain, then narrow with type guards
Implement type guards forunknowntypes using the patternfunction isType(value: unknown): value is Type
Useinterfacefor object shapes that might be extended
Usetypefor unions, primitives, and computed types
Preferreadonlyproperties for immutable data structures
Useprivatefor internal implementation details in classes
Useprotectedfor inheritance hierarchies
Usepublicexplicitly for clarity in public APIs
Use mixins for shared behavior across unrelated classes in TypeScript
Use generic constraints with bounded type parameters like<T extends { id: string }>
Use utility types likeOmit,Partial, andPickfor data transformation instead of manual type construction
Use discriminated unions instead of boolean flags for state management and API responses
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation at the type level
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Document functions with JSDoc comments including @param, @returns, @throws, and @example tags
Create custom error classes that extend Error for specific error types
Use the Result pattern for error handling instead of throwing exceptions
Use optional chaining (?.) and nullish coalescing (??) operators for safe property access
Let TypeScript infer obvious types to reduce verbosity
Useconst assertionswithas constfor literal types
Usesatisfiesoperator for type checking without widening types
Declare readonly arrays and objects for immutable data structures
Use spread operator and array spread for immutable updates instead of mutations
Use lazy loading for large types...
Files:
packages/shared/src/types/session.tspackages/clerk-js/src/core/auth/AuthCookieService.tspackages/clerk-js/src/core/auth/SessionCookiePoller.tspackages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/tokenCache.tspackages/clerk-js/src/core/resources/__tests__/Session.test.tspackages/clerk-js/src/core/resources/Session.ts
**/*.{js,ts,jsx,tsx}
📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)
Use ESLint with custom configurations tailored for different package types
Files:
packages/shared/src/types/session.tspackages/clerk-js/src/core/auth/AuthCookieService.tspackages/clerk-js/src/core/auth/SessionCookiePoller.tspackages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/tokenCache.tspackages/clerk-js/src/core/resources/__tests__/Session.test.tspackages/clerk-js/src/core/resources/Session.ts
**/*.{js,ts,jsx,tsx,json,md,yml,yaml}
📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)
Use Prettier for code formatting across all packages
Files:
packages/shared/src/types/session.tspackages/clerk-js/src/core/auth/AuthCookieService.tspackages/clerk-js/src/core/auth/SessionCookiePoller.tspackages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/tokenCache.tspackages/clerk-js/src/core/resources/__tests__/Session.test.tspackages/clerk-js/src/core/resources/Session.ts
**/*.{test,spec}.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
**/*.{test,spec}.{ts,tsx,js,jsx}: Unit tests are required for all new functionality
Verify proper error handling and edge cases
Include tests for all new features
Files:
packages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/resources/__tests__/Session.test.ts
**/*.{test,spec,e2e}.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (.cursor/rules/development.mdc)
Use real Clerk instances for integration tests
Files:
packages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/resources/__tests__/Session.test.ts
**/*.test.{ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)
Use React Testing Library for component testing
Files:
packages/clerk-js/src/core/__tests__/tokenCache.test.tspackages/clerk-js/src/core/resources/__tests__/Session.test.ts
🧬 Code graph analysis (5)
packages/clerk-js/src/core/auth/AuthCookieService.ts (1)
packages/clerk-js/src/core/resources/Session.ts (1)
token(402-413)
packages/clerk-js/src/core/auth/SessionCookiePoller.ts (1)
packages/astro/src/async-local-storage.client.ts (1)
run(17-19)
packages/clerk-js/src/core/tokenCache.ts (1)
packages/clerk-js/src/core/auth/SessionCookiePoller.ts (1)
POLLER_INTERVAL_IN_MS(7-7)
packages/clerk-js/src/core/resources/__tests__/Session.test.ts (4)
packages/clerk-js/src/test/core-fixtures.ts (1)
clerkMock(249-256)packages/clerk-js/src/core/tokenCache.ts (1)
SessionTokenCache(440-440)packages/react/src/isomorphicClerk.ts (1)
session(721-727)packages/clerk-js/src/core/resources/Session.ts (2)
Session(44-439)token(402-413)
packages/clerk-js/src/core/resources/Session.ts (3)
packages/clerk-js/src/core/tokenCache.ts (1)
SessionTokenCache(440-440)packages/clerk-js/src/core/events.ts (2)
eventBus(32-32)events(7-15)packages/clerk-js/src/core/resources/Token.ts (1)
Token(7-57)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (28)
- GitHub Check: Integration Tests (billing, chrome, RQ)
- GitHub Check: Integration Tests (nextjs, chrome, 15)
- GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
- GitHub Check: Integration Tests (quickstart, chrome, 16)
- GitHub Check: Integration Tests (machine, chrome, RQ)
- GitHub Check: Integration Tests (nextjs, chrome, 16)
- GitHub Check: Integration Tests (quickstart, chrome, 15)
- GitHub Check: Integration Tests (billing, chrome)
- GitHub Check: Integration Tests (machine, chrome)
- GitHub Check: Integration Tests (custom, chrome)
- GitHub Check: Integration Tests (nuxt, chrome)
- GitHub Check: Integration Tests (ap-flows, chrome)
- GitHub Check: Integration Tests (handshake, chrome)
- GitHub Check: Integration Tests (vue, chrome)
- GitHub Check: Integration Tests (react-router, chrome)
- GitHub Check: Integration Tests (tanstack-react-start, chrome)
- GitHub Check: Integration Tests (astro, chrome)
- GitHub Check: Integration Tests (handshake:staging, chrome)
- GitHub Check: Integration Tests (localhost, chrome)
- GitHub Check: Integration Tests (sessions:staging, chrome)
- GitHub Check: Integration Tests (sessions, chrome)
- GitHub Check: Integration Tests (express, chrome)
- GitHub Check: Integration Tests (generic, chrome)
- GitHub Check: Formatting | Dedupe | Changeset
- GitHub Check: Build Packages
- GitHub Check: Analyze (javascript-typescript)
- GitHub Check: semgrep-cloud-platform/scan
- GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (15)
packages/shared/src/types/session.ts (1)
343-351: Well-documented internal API addition for SWR behavior.The
refreshIfStaleoption is properly marked as@internalwith clear documentation explaining its purpose. This enables the token poller to proactively refresh tokens before they expire without exposing this mechanism to public consumers.packages/clerk-js/src/core/auth/AuthCookieService.ts (1)
165-166: Correct use ofrefreshIfStalefor proactive token refresh.This ensures the poller and focus handler fetch fresh tokens when the cached token is within the leeway window. The focus handler's use of
updateCookieImmediately: true(line 150) mitigates the race condition concern from previous reviews by ensuring the cookie is updated via microtask before external data-fetching libraries refetch.packages/clerk-js/src/core/auth/SessionCookiePoller.ts (1)
6-7: Good: Exposing poller interval as a constant for cross-module alignment.Exporting
POLLER_INTERVAL_IN_MSenables the token cache to use the same interval for its "hard cutoff" logic, ensuring tokens aren't returned when they'll expire before the next poll opportunity. The 5-second interval with numeric separator is clear and readable.packages/clerk-js/src/core/resources/__tests__/Session.test.ts (1)
421-578: Comprehensive SWR behavior test coverage.The test suite effectively validates the stale-while-revalidate semantics:
- Immediate stale token return with background refresh
- Graceful degradation on network failures
- Retry behavior after failures
- Successful refresh propagation
The use of
vi.advanceTimersByTime(46 * 1000)correctly positions the token in the leeway window (14s remaining < 15s threshold).packages/clerk-js/src/core/__tests__/tokenCache.test.ts (4)
540-688: Thorough SWR leeway behavior tests with clear boundary conditions.The tests effectively validate:
- Fresh tokens return
needsRefresh=false- Tokens within leeway return
needsRefresh=true- Custom leeway values are honored when larger than the 15s minimum
- The 15s minimum threshold is enforced even with
leeway=0The time-based assertions (e.g., 44s elapsed = 16s remaining vs. 46s elapsed = 14s remaining) clearly demonstrate the boundary behavior.
806-832: Critical: Hard cutoff test validates token expiration safety.This test ensures tokens with less than the poller interval remaining (5s) are not returned, preventing race conditions where a "valid" token expires before the next refresh opportunity. The progression from 6s → 4s → 0s remaining with expected results (token → undefined → undefined) is well-designed.
1010-1063: Good coverage forresolvedTokensynchronous access pattern.The tests validate both scenarios:
- Token resolution timing:
resolvedTokenis undefined while pending, then populated after resolution- Pre-resolved tokens:
resolvedTokencan be supplied upfront for hydration scenarios (e.g., fromlastActiveToken)This enables synchronous reads post-resolution, supporting the SWR pattern.
1065-1176: Multi-session isolation tests correctly updated for new result shape.The access pattern changes (
result.entry.tokenResolver,result.entry.tokenId) are consistent with theTokenCacheGetResultinterface. The tests continue to validate that tokens from different sessions are properly isolated and broadcast synchronization works correctly.packages/clerk-js/src/core/resources/Session.ts (4)
371-390: SWR implementation looks correct.The logic correctly implements stale-while-revalidate semantics:
- When
needsRefreshis true butrefreshIfStaleis false (default), callers get the stale token immediately without blocking- The poller (using
refreshIfStale: true) handles background refresh- Synchronous read via
resolvedTokenavoids microtask overhead for already-resolved tokensThis addresses the past review concerns about concurrent calls since normal
getToken()calls no longer await a potentially in-flight background refresh.
392-400: Clean helper extraction.The method properly encapsulates token creation logic. The explicit return type annotation aligns with coding guidelines.
402-413: Event dispatch logic is well-structured.The conditional update of
lastActiveTokenonly whentoken.jwtexists correctly handles the signed-out case where the token has an empty raw string. TheTokenUpdateevent is still emitted to notify listeners of the state.
415-433: Token fetch flow handles deduplication correctly.Caching the promise immediately before awaiting prevents duplicate concurrent requests. Errors correctly propagate to the
retrywrapper ingetToken.packages/clerk-js/src/core/tokenCache.ts (3)
51-58: Well-defined interface for the new return type.The
TokenCacheGetResultinterface cleanly encapsulates the SWR semantics with theneedsRefreshflag allowing callers to decide whether to trigger a background refresh.
355-358: Synchronous read optimization implemented correctly.Storing
resolvedTokenafter the promise resolves allows callers to bypass the microtask queue when reading already-resolved tokens. This is referenced in Session.ts where it's used with nullish coalescing:cacheResult.entry.resolvedToken ?? (await cacheResult.entry.tokenResolver).
276-288: Broadcast handler correctly adapted to new interface.The comparison logic properly accesses
result.entry.tokenResolverafter the interface change.
brkalow
left a comment
brkalow
left a comment
There was a problem hiding this comment.
Overall looks good, left a few small comments!
| if (cacheResult.needsRefresh && refreshIfStale) { | ||
| debugLogger.debug('Token is stale, refreshing as requested', { tokenId }, 'session'); | ||
| return this.#fetchToken(template, organizationId, tokenId, shouldDispatchTokenUpdate); | ||
| } |
There was a problem hiding this comment.
what do you think about firing off a this.#fetchToken() call without awaiting it if cacheResult.needsRefresh is true but refreshIfStale is falsy? This way we guarantee the cache is revalidated in the background without implicitly relying on the poller.
| } | ||
|
|
||
| return value.entry; | ||
| const effectiveLeeway = Math.max(leeway, MIN_REMAINING_TTL_IN_SECONDS); |
There was a problem hiding this comment.
🤔 In agreement here, this effectively forces leeway to always be equal to or greater than MIN_REMAINING_TTL_IN_SECONDS, do we want that value to be 5 or 15 going forward?
- Trigger background refresh when needsRefresh is true, without requiring refreshIfStale option. Guarantees cache revalidation without relying solely on the poller. - Add #refreshTokenInBackground() that doesn't cache pending promise, allowing concurrent getToken() calls to return stale token while refresh is in progress. - Track in-flight background refreshes to prevent duplicate requests. - Rename DEFAULT_LEEWAY to BACKGROUND_REFRESH_THRESHOLD_IN_SECONDS with clear documentation about 15s minimum and rate limiting warning. - Add comprehensive JSDoc for leewayInSeconds option explaining minimum value, default, and rate limiting considerations.
Add upgrade guide entries for: - getToken `leewayInSeconds` minimum of 15 seconds - stale-while-revalidate pattern for session tokens
- Test refreshIfStale: true forces synchronous refresh when token is stale - Test refreshIfStale: true with fresh token returns cached value - Test leewayInSeconds triggers earlier background refresh - Test minimum 15s leeway enforcement - Test no background refresh when token has sufficient TTL
|
!snapshot |
|
Hey @jacekradko - the snapshot version command generated the following package versions:
Tip: Use the snippet copy button below to quickly install the required packages. npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact |
- Rename option from leewayInSeconds to backgroundRefreshThreshold for clarity - Lower minimum threshold from 15s to 5s (poller interval) - Remove explicit refreshIfStale: false in AuthCookieService (default behavior) - Update tests and upgrade documentation
Description
This PR implements a stale-while-revalidate (SWR) pattern for session tokens in
getToken(). Instead of blocking on token refresh when a token is close to expiration, we return the cached token immediately and trigger a background refresh.Fixes: USER-4087
Dashboard testing PR: https://github.com/clerk/dashboard/pull/7990
How It Works
Key Behaviors
Configuration
The
backgroundRefreshThresholdoption (formerlyleewayInSeconds) controls when background refresh is triggered:Additional Options
refreshIfStale(internal): Whentrue, forces a blocking fetch instead of SWR behavior. Useful as an escape hatch when you absolutely need a fresh token and can wait for it.Implementation Details
Token Cache (
tokenCache.ts)get()returns{ entry, needsRefresh }instead of just the entryneedsRefreshsignals when background refresh should occurBroadcastChannelSession (
Session.ts)#refreshTokenInBackground(): Triggers refresh without blocking, doesn't cache the pending promise so concurrent calls still get the stale tokenresolvedTokenon cache entries enables synchronous reads (avoids microtask overhead)#backgroundRefreshInProgressSetAuthCookieService
refreshIfStale)refreshTokenOnFocusreturns cached token immediately to update cookie before SWR/similar libraries refetchBreaking Changes (Core 3)
leewayInSeconds→backgroundRefreshThresholdChecklist
pnpm testruns as expected.pnpm buildruns as expected.Type of change