
Don't refresh access tokens from frontend if refresh token is expired

Yuto Takano requested to merge reduce-traffic-with-expired-tokens into master

Add support for Keycloak's refresh_expire_in and closes #305 (closed). As a result, refresh requests should be reduced if the frontend knows that refreshes won't work anyway.

I also disabled checking for notifications if the frontend isn't authenticated at all, which reduces unnecessary requests further.

It doesn't 100% solve Jacques' comment in #305 (closed), but I think that is fine. We still let requests happen if the token is invalid (we just won't try to refresh it if it can't be refreshed). I kept the behaviour, because some requests (like list of categories) should go ahead even if logged out, while others should not, and the frontend generally has no idea which ones are which. We could explicitly create different fetch functions like fetchWithAuth and fetchWithoutAuth and block the request for fetchWithAuth + invalid token, but it's brittle since it'll silently break when the backend adds/removes @login_required to a view.

The MR also adds much-needed comments to the frontend auth code.
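The refresh gating and the notification-polling check described in this MR, as an added JavaScript example that is not the project's frontend code: it assumes Keycloak's token-endpoint response fields `expires_in`, `refresh_expires_in`, `access_token` and `refresh_token`; the helper names, the injected clock (`now`, `fetchImpl`, `refreshImpl`) and the choice to send no Authorization header once neither token is usable are this example's own.

```javascript
// Added example, not the project's code: frontend token bookkeeping that
// records the refresh token's own lifetime from Keycloak's token response
// and refuses to attempt a refresh once that lifetime has passed.
// `expires_in`, `refresh_expires_in`, `access_token`, `refresh_token` are
// Keycloak's token-endpoint fields; everything else is this example's own.

const CLOCK_SKEW_MS = 5_000; // treat a token as expired 5 s early to absorb clock drift

// Turn a token-endpoint JSON body into in-memory auth state with absolute expiry times.
function authStateFromTokenResponse(body, nowMs) {
  const refreshLifetimeSec = Number(body.refresh_expires_in ?? 0);
  return {
    accessToken: body.access_token,
    refreshToken: body.refresh_token ?? null,
    accessExpiresAt: nowMs + Number(body.expires_in) * 1000,
    // Assumption: a missing or zero refresh_expires_in means "no recorded expiry"
    // (Keycloak reports 0 for offline tokens), so only a positive value sets a deadline.
    refreshExpiresAt: refreshLifetimeSec > 0 ? nowMs + refreshLifetimeSec * 1000 : Infinity,
  };
}

function isAccessTokenValid(state, nowMs) {
  return Boolean(state?.accessToken) && nowMs + CLOCK_SKEW_MS < state.accessExpiresAt;
}

// The check this MR adds: a refresh is only worth a round trip while the
// refresh token itself is still inside its lifetime.
function canRefresh(state, nowMs) {
  return Boolean(state?.refreshToken) && nowMs + CLOCK_SKEW_MS < state.refreshExpiresAt;
}

// "Authenticated at all" means something usable is still on hand.
function isAuthenticated(state, nowMs) {
  return isAccessTokenValid(state, nowMs) || canRefresh(state, nowMs);
}

// Notification polling is pointless for a logged-out frontend.
function shouldPollNotifications(state, nowMs) {
  return isAuthenticated(state, nowMs);
}

// Pure decision for one outgoing request. Requests always go out (the backend
// decides which views need login); only the refresh attempt is gated.
function planRequest(state, nowMs) {
  if (isAccessTokenValid(state, nowMs)) return { refreshFirst: false, attachToken: true };
  if (canRefresh(state, nowMs)) return { refreshFirst: true, attachToken: true };
  // Neither token usable: send the request anonymously rather than with a dead bearer token.
  return { refreshFirst: false, attachToken: false };
}

// Wire the plan to an actual request. `deps.fetchImpl`, `deps.refreshImpl` and
// `deps.now` are injected so this runs without a network; `refreshImpl(refreshToken)`
// must resolve to a Keycloak token-endpoint body.
async function fetchWithAuth(url, state, deps) {
  const nowMs = deps.now();
  const plan = planRequest(state, nowMs);
  let current = state;
  if (plan.refreshFirst) {
    const body = await deps.refreshImpl(current.refreshToken);
    current = authStateFromTokenResponse(body, nowMs);
  }
  const headers = plan.attachToken ? { Authorization: `Bearer ${current.accessToken}` } : {};
  const response = await deps.fetchImpl(url, { headers });
  return { response, state: current, refreshed: plan.refreshFirst };
}
```

Keeping `planRequest` pure and injecting the clock makes the expiry arithmetic unit-testable without a Keycloak instance; the real `fetch` and the token-endpoint call are only supplied at the call site.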
