Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
axios-auth-refresh
Advanced tools
Axios plugin which makes it very easy to automatically refresh the authorization tokens of your clients
Library that helps you implement automatic refresh of authorization via axios interceptors. You can easily intercept the original request when it fails, refresh the authorization and continue with the original request, without any user interaction.
What happens when the request fails due to authorization is all up to you. You can either run a refresh call for a new authorization token or run a custom logic.
The plugin stalls additional requests that have come in while waiting for a new authorization token and resolves them when a new token is available.
npm install axios-auth-refresh --save
# or
yarn add axios-auth-refresh
createAuthRefreshInterceptor(
axios: AxiosInstance,
refreshAuthLogic: (failedRequest: any) => Promise<any>,
options: AxiosAuthRefreshOptions = {}
): number;
axios
- an instance of AxiosrefreshAuthLogic
- a Function used for refreshing authorization (must return a promise).
Accepts exactly one parameter, which is the failedRequest
returned by the original call.options
- object with settings for interceptor (See available options)Interceptor id
in case you want to reject it manually.
In order to activate the interceptors, you need to import a function from axios-auth-refresh
which is exported by default and call it with the axios instance you want the interceptors for,
as well as the refresh authorization function where you need to write the logic for refreshing the authorization.
The interceptors will then be bound onto the axios instance, and the specified logic will be run whenever a 401 (Unauthorized) status code is returned from a server (or any other status code you provide in options). All the new requests created while the refreshAuthLogic has been processing will be bound onto the Promise returned from the refreshAuthLogic function. This means that the requests will be resolved when a new access token has been fetched or when the refreshing logic failed.
import axios from 'axios';
import createAuthRefreshInterceptor from 'axios-auth-refresh';
// Function that will be called to refresh authorization
const refreshAuthLogic = (failedRequest) =>
axios.post('https://www.example.com/auth/token/refresh').then((tokenRefreshResponse) => {
localStorage.setItem('token', tokenRefreshResponse.data.token);
failedRequest.response.config.headers['Authorization'] = 'Bearer ' + tokenRefreshResponse.data.token;
return Promise.resolve();
});
// Instantiate the interceptor
createAuthRefreshInterceptor(axios, refreshAuthLogic);
// Make a call. If it returns a 401 error, the refreshAuthLogic will be run,
// and the request retried with the new token
axios.get('https://www.example.com/restricted/area').then(/* ... */).catch(/* ... */);
:warning: Because of the bug axios#2295 v0.19.0 is not supported. :warning:
:white_check_mark: This has been fixed and will be released in axios v0.19.1
There's a possibility to skip the logic of the interceptor for specific calls.
To do this, you need to pass the skipAuthRefresh
option to the request config for each request you don't want to intercept.
axios.get('https://www.example.com/', { skipAuthRefresh: true });
If you're using TypeScript you can import the custom request config interface from axios-auth-refresh
.
import { AxiosAuthRefreshRequestConfig } from 'axios-auth-refresh';
Since this plugin automatically stalls additional requests while refreshing the token, it is a good idea to wrap your request logic in a function, to make sure the stalled requests are using the newly fetched data (like token).
Example of sending the tokens:
// Obtain the fresh token each time the function is called
function getAccessToken() {
return localStorage.getItem('token');
}
// Use interceptor to inject the token to requests
axios.interceptors.request.use((request) => {
request.headers['Authorization'] = `Bearer ${getAccessToken()}`;
return request;
});
You can specify multiple status codes that you want the interceptor to run for.
{
statusCodes: [401, 403], // default: [ 401 ]
}
You can specify multiple status codes that you want the interceptor to run for.
{
shouldRefresh: (error) =>
error?.response?.data?.business_error_code === 100385,
}
You can specify the instance which will be used for retrying the stalled requests.
Default value is undefined
and the instance passed to createAuthRefreshInterceptor
function is used.
{
retryInstance: someAxiosInstance, // default: undefined
}
onRetry
callback before sending the stalled requestsYou can specify the onRetry
callback which will be called before each
stalled request is called with the request configuration object.
{
onRetry: (requestConfig) => ({ ...requestConfig, baseURL: '' }), // default: undefined
}
While your refresh logic is running, the interceptor will be triggered for every request
which returns one of the options.statusCodes
specified (HTTP 401 by default).
In order to prevent the interceptors loop (when your refresh logic fails with any of the status
codes specified in options.statusCodes
) you need to use a skipAuthRefresh
flag on your refreshing call inside the refreshAuthLogic
function.
In case your refresh logic does not make any calls, you should consider using the following flag when initializing the interceptor to pause the whole axios instance while the refreshing is pending. This prevents interceptor from running for each failed request.
{
pauseInstanceWhileRefreshing: true, // default: false
}
Some CORS APIs may not return CORS response headers when an HTTP 401 Unauthorized response is returned. In this scenario, the browser won't be able to read the response headers to determine the response status code.
To intercept any network error, enable the interceptNetworkError
option.
CAUTION: This should be used as a last resort. If this is used to work around an API that doesn't support CORS with an HTTP 401 response, your retry logic can test for network connectivity attempting refresh authentication.
{
interceptNetworkError: true, // default: undefined
}
This library has also been used for:
have you used it for something else? Create a PR with your use case to share it.
v3.1.0
interceptNetworkError
option introduced. See #133.v3.0.0
skipWhileRefresh
flag has been deprecated due to its unclear name and its logic has been moved to pauseInstanceWhileRefreshing
flagpauseInstanceWhileRefreshing
is set to false
by defaultCheck out contribution guide or my patreon page!
FAQs
Axios plugin which makes it very easy to automatically refresh the authorization tokens of your clients
We found that axios-auth-refresh demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.