Tristan (5mo ago)

Race conditions with single use refresh tokens for Convex Auth

I'm trying to prototype refreshing Convex Auth tokens from my backend, to support server side rendering and data fetching. I'm able to do this by setting cookies instead of using local storage, but am struggling to avoid race conditions for the refresh token.

There are a few different scenarios where multiple requests come in at the same time onto different servers. The servers notice the JWT is about to expire (I'm faking a 10 second expiry) and then call the signIn action with the refresh token. This often causes the user to log out because (I believe) the second refresh fails due to reusing the refresh token quickly. I've tried deduping the refresh calls, but this is not straightforward with multiple requests/servers/reloads so it's still flaky.

Two questions:

1. Is it correct that the refresh token can only be used once, with no buffer in time?
2. With single use refresh tokens, is there a recommended approach to avoiding a race condition? There are a lot of things involved (multiple windows, multiple requests, multiple backend servers, etc.) so coordination is hard.
0 Replies
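
An added example, not part of the original post and not Convex Auth's implementation: a constructed JavaScript model of the race described above. `AuthServer`, `BackendServer` and `simulate` are hypothetical names, and single-use rotation with no reuse window is an assumption; the model shows in-process deduplication collapsing concurrent refreshes on one server but not across two.

```javascript
// Constructed model of single-use refresh token rotation (an assumption,
// not Convex Auth's code). "rt-0" is a made-up sample token.
class AuthServer {
  constructor() {
    this.valid = new Set(["rt-0"]);
    this.counter = 0;
  }
  async redeem(refreshToken) {
    await new Promise((resolve) => setTimeout(resolve, 5)); // simulated network latency
    // Single use: the token is consumed by the first redemption that reaches us.
    if (!this.valid.delete(refreshToken)) {
      return { ok: false, reason: "refresh token already used" };
    }
    const next = `rt-${++this.counter}`;
    this.valid.add(next);
    return { ok: true, refreshToken: next };
  }
}

// Hypothetical backend server that dedupes refresh calls within its own process.
class BackendServer {
  constructor(auth) {
    this.auth = auth;
    this.inFlight = new Map(); // refresh token -> pending redeem promise
  }
  refresh(refreshToken) {
    let pending = this.inFlight.get(refreshToken);
    if (!pending) {
      pending = this.auth
        .redeem(refreshToken)
        .finally(() => this.inFlight.delete(refreshToken));
      this.inFlight.set(refreshToken, pending);
    }
    return pending; // concurrent callers on this server share one redemption
  }
}

// Send `requests` concurrent requests carrying the same cookie value,
// spread round-robin over `serverCount` servers, and count the outcomes.
async function simulate(serverCount, requests) {
  const auth = new AuthServer();
  const servers = Array.from({ length: serverCount }, () => new BackendServer(auth));
  const results = await Promise.all(
    Array.from({ length: requests }, (_, i) => servers[i % serverCount].refresh("rt-0"))
  );
  const succeeded = results.filter((r) => r.ok).length;
  return { succeeded, failed: results.length - succeeded };
}

simulate(1, 4).then((r) => console.log("1 server:", r));
simulate(2, 4).then((r) => console.log("2 servers:", r));
```

The in-flight map only helps requests that land in the same process, so the failures in the two-server run are the ones that would sign the user out in this model.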