something (still/again) broke in session expiration

This is the very same problem described in http://support.backendless.com/t/something-broke-in-session-expiration and although I wrote an update to it, that topic's status hasn't changed from “solved”. So I’m creating a separate topic.
I’m experiencing the same type of error again now.

my code:


    var cache = Backendless.LocalCache.getAll();

    if (cache["stayLoggedIn"]) {
        if (Backendless.UserService.isValidLogin()) {
            console.log("tokenExist");
            loggedInUser = Backendless.UserService.getCurrentUser();
        } else {
            Backendless.LocalCache.clear();
            console.log("token expired! relogin!");
        }
    } else {
        console.log("not logged!");
    }

Backendless.UserService.isValidLogin() gives true, but after that Backendless.UserService.getCurrentUser() raises an exception:
Uncaught Object {code: 3048, message: “Session timeout. Url: <https://api.backendless.com…-586EEF9BD600/page/session_expiration/index.html>”, statusCode: 302}
my settings for user login:
enable multiple logins (16)
enable session timeout (304800 sec)
unlimited unsuccessful logins

Could you please check and let us know what these calls return?:
Backendless.LocalCache.get("stayLoggedIn")

Backendless.LocalCache.get("current-user-id")

Sure.
First is
true
Second is
“53FC6A47-79C6-561E-FFED-4EBA0ABDA400”

This is quite odd. Mapping it to the code in question, you should be getting a value from the server:

https://github.com/Backendless/JS-SDK/blob/master/libs/backendless.js#L1727

Is your environment set up so that you can step into the function and see where it fails?

well, error stack I see in console is:
Backendless._ajax_for_browser @backendless.js:384
find @backendless.js:1120
findById @backendless.js:1171
getCurrentUser @backendless.js:1727

Is initApp already called by then?

What? of course it was.
Let me tell you what network calls are logged:
https://api.backendless.com/v1/users/isvalidusertoken/2762BFCE-80D9-B012-FFE1-D9659997C400
status 200 ok with response “true”
https://api.backendless.com/v1/data/Users/53FC6A47-79C6-561E-FFED-4EBA0ABDA400
status 302 Found with response {“code”:3048,“message”:“Session timeout. Url: <https://api.backendless.com/DECCC828-2720-F3EA-FFAD-586EEF9BD600/page/session_expiration/index.html>”}
it’s as simple as that

Could you please let me know your app id, I’d like to see what could be causing that timeout.

appid:
DECCC828-2720-F3EA-FFAD-586EEF9BD600

Could you please check if there is the “user-token” header for this request?:
https://api.backendless.com/v1/data/Users/53FC6A47-79C6-561E-FFED-4EBA0ABDA400

yes there was

I bet that user does not have the “superAdmin” role, does he?

If not, I see what’s going on now. The problem is the permission settings in your app allow user object retrieval only for “ServerCodeUser” and “superAdmin” roles. The implementation of getCurrentUser() retrieves the user object from the server using the Backendless.Data.of(User).findById API:
https://github.com/Backendless/JS-SDK/blob/master/libs/backendless.js#L1727

Since the API is blocked, you’re not getting the object back. I think the best course of action would be to override the getCurrentUser implementation in your app and persist the entire user object on the client side. (or restrict persistent logins, which does not sound good).

Yes, this user is without superAdmin role.
It’s not quite clear to me why functionality is broken when the session has expired and why the error message is about “Session timeout”.

Did you take a look at the implementation of getCurrentUser()? The code attempts to retrieve the user object by using the API which is blocked by your security settings.

I am not sure why the error message says session timeout, it appears like a secondary (non-core) issue at the moment.

Hmm, nope, I’m not convinced yet. Although I’ll try to debug it later.
My question was and still is why, when the session is expired (it really is expired, I wasn’t logged in for quite some time), I still get true on isvalidusertoken. So in my current situation I have just added a try/catch block around Backendless.UserService.getCurrentUser(); with a check for an expired session, and I show the login dialog in that case.

I am not convinced that the session is expired… To me it looks like a misleading error message. When I tried retrieving a user in your app, I got an error message saying the permissions do not allow it.

I see. But if your version is right, then I wouldn’t be able to successfully call Backendless.UserService.getCurrentUser(), although now, after I logged in, it works.

In that case there is no request to the server to retrieve the user object. User object is retrieved from the original response for the login request. The highlighted code handles it:
https://github.com/Backendless/JS-SDK/blob/master/libs/backendless.js#L1720-L1722

Ok, let me try again.
I’m telling you - it’s a problem with session expiration and isvalidtoken wrongfully returning “true”.
And it has nothing to do with my roles setup. Login config - maybe.
I created a NEW application, configured login settings like this:
enable multiple logins (16)
enable session timeout (120 sec) - extremely short for quick demo.
generated code for login demo (just added console.log("getCurrentUser: " + Backendless.UserService.getCurrentUser()); after login)
Logged in with the “remember me” option. And after a couple of minutes I got the same error about session expiration.

I guess this thread isn’t monitored by devs since it’s marked as Solved. I’ll wait some more and will create another topic with a copy of my latest reply.
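
The workaround mentioned in the thread (a try/catch around getCurrentUser() with a check for the expired session) can be written as a fail-closed restore routine. This is an added example, not code from the thread or from the Backendless SDK. `restoreSession`, `showLogin` and `makeStubSdk` are hypothetical names, and the stub object is a constructed stand-in for the SDK so the block runs offline.

```javascript
// Error code quoted in the thread's "Session timeout" response.
const SESSION_TIMEOUT_CODE = 3048;

// Returns { user, state }; state is "restored", "expired" or "anonymous".
// showLogin is a hypothetical callback that opens the app's login dialog.
function restoreSession(backendless, showLogin) {
  if (!backendless.LocalCache.getAll()["stayLoggedIn"]) {
    return { user: null, state: "anonymous" };
  }
  try {
    // isValidLogin() is treated as a hint only: in the thread it returned
    // true while the user fetch that followed was rejected by the server.
    if (backendless.UserService.isValidLogin()) {
      const user = backendless.UserService.getCurrentUser();
      if (user) return { user, state: "restored" };
    }
  } catch (err) {
    // The SDK throws a plain object {code, message, statusCode}, not an Error.
    // Anything other than the timeout code is surfaced, not hidden.
    if (!err || err.code !== SESSION_TIMEOUT_CODE) throw err;
  }
  // Fail closed: drop the stale token and cached identity, then ask for login.
  backendless.LocalCache.clear();
  showLogin();
  return { user: null, state: "expired" };
}

// Constructed stand-in for the SDK calls used above (assumption, not real SDK).
function makeStubSdk({ stayLoggedIn, tokenValid, fetchError, user }) {
  let store = stayLoggedIn ? { stayLoggedIn: true } : {};
  return {
    LocalCache: { getAll: () => store, clear: () => { store = {}; } },
    UserService: {
      isValidLogin: () => tokenValid,
      getCurrentUser: () => { if (fetchError) throw fetchError; return user; },
    },
  };
}

// Constructed replay of the thread: token check says true, user fetch fails.
const sdk = makeStubSdk({ stayLoggedIn: true, tokenValid: true,
  fetchError: { code: 3048, message: "Session timeout.", statusCode: 302 } });
let prompts = 0;
const outcome = restoreSession(sdk, () => { prompts += 1; });
console.log(outcome.state, prompts, Object.keys(sdk.LocalCache.getAll()).length);
```

Errors with any other code are rethrown on purpose, so a permissions problem is not silently reported to the user as an expired session.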