Only load refresh token in configure() when sessionType=refresh_token #…

…336 ref DEV-2421
authgear · Jan 13, 2025 · b6b010c · b6b010c
2 parents 8da4297 + b0f7962
commit b6b010c
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/packages/authgear-web/src/container.ts b/packages/authgear-web/src/container.ts
@@ -277,10 +277,6 @@ export class WebContainer {
    * @public
    */
   async configure(options: ConfigureOptions): Promise<void> {
-    // TODO: verify if we need to support configure for second time
-    // and guard if initialized
-    const refreshToken = await this.tokenStorage.getRefreshToken(this.name);
-
     this.clientID = options.clientID;
     this.baseContainer.apiClient.endpoint = options.endpoint;
     if (options.sessionType != null) {
@@ -294,16 +290,20 @@ export class WebContainer {
       this.isSSOEnabled = options.isSSOEnabled ?? false;
     }
 
-    this.baseContainer.refreshToken = refreshToken ?? undefined;
-
     switch (this.sessionType) {
       case "cookie":
         this.baseContainer._updateSessionState(
           SessionState.Unknown,
           SessionStateChangeReason.NoToken
         );
         break;
-      case "refresh_token":
+      case "refresh_token": {
+        // Only load refresh token when the session type is refresh_token.
+        // This prevents a very rare situation that session type is changed from refresh_token to cookie,
+        // and the previously stored refresh token is loaded.
+        const refreshToken = await this.tokenStorage.getRefreshToken(this.name);
+        this.baseContainer.refreshToken = refreshToken ?? undefined;
+
         if (this.baseContainer.refreshToken != null) {
           // consider user as logged in if refresh token is available
           this.baseContainer._updateSessionState(
@@ -317,6 +317,7 @@ export class WebContainer {
           );
         }
         break;
+      }
     }
   }