CodeDump
Georges Pompidou Georges Pompidou - 1 year ago 138
Node.js Question

Google API invalid request after access token expires

This is the comment that led me to ask this question.

I've got a server side Node.js app, using googleapis package. Users log in with their Google accounts, and I store tokens in their session. The credentials I get are as follows

{ access_token: '<AN ACCESS TOKEN>',

  token_type: 'Bearer',

  id_token: '<A LONG ID TOKEN>',

  expiry_date: <A TIMESTAMP> } // why do some places say there's an expires_in instead of this


There's no
refresh_token
because the users have already logged in for the first time and clicked accept, and I didn't store the refresh token (looks like I should've).

So, when the
expiry_date
is reached, if the user tries to make a request for us to save something to their google drive, I get an error message:

{ [Error: invalid_request] code: 400 } // ...no further details


My 2-part question:


  • I assume I'm getting that error message because the access_token in my OAuth client object is expired (because the call works fine before the token expires). Is this correct? Why is the error message not more detailed?

  • In the linked answer at the top, the solution is to force the accept prompt again, get the refresh token, and store it permanently, and use it to get a new access token when it expires. Why is this a better option than just checking if the token is expired, and having a user reauthenticate when we want to make a call to the API? Which is the "correct" way to ensure that my logged in users can always make the drive API call to save their documents?


Kevin Christopher Henry Kevin Christopher Henry
Answer Source

  1. Right, the 400 response is because of the expired access token. I'm not sure why Google doesn't give more detail, but it's common for services to use the 400 status code to indicate some kind of credentials problem. The definition of the status code indicates that it's a client issue.

  2. Both approaches will work and they each have advantages and disadvantages. The client-side re-authentication method you're suggesting has the advantage of making the implementation simpler, since you don't have to store the refresh token and don't have to implement the refresh process. The downside is that forcing the user to re-authenticate every hour is less user-friendly. At the least they will be redirected away from your app, and they may have to explicitly log in or re-authorize as well. You'll just have to look at the trade-offs and pick what works best for your use case.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download

Sign up

Sign up with GitHub
Latest added
Handy Gardeners
Olympus DVR recording date and time extractor
multitouchtest.html
metatype_loop_question
example_loop
-1 down vote favorite I have a listing page (call it a page to list the draft blogs or unpublished blogs). When I click a blog item from the draft, it shows the details on read-only format It provides four functionalities - Close, Edit, Delete, Publish. I have completed Close by calling {% url 'blog:drafts' %}, Edit by calling a class derived from UpdateView and delete by calling a class derived from DeleteView. However, I am stuck at publish since there is no view present to create a class based view and get it done. Other option was to define a function and then invoke that function in urls.py I run into issues when I try this I keep receiving error saying that the function that I invoked is not a valid view I am stuck at this error message for days. Is there any alternate ways to write a "publish" function inside the DetailView class and then invoke that function for the active object from the html template?
HS110 Python
......
alert
Create and Schedule Cron Jobs Easily with Laravel
Installing Laravel on Cloudways Laravel hosting
Rotating panels
http://aurvu.com
http://so4m6.com
FNISaa2 Papyrus
GenerateFNISUsers
FNIScommon1
FNISaa1
woocommmercerestapi.php
fsagsas