Problem in polling/reaching a protected "trigger" API endpoint while using session-auth as the authentication system.


I have developed a simple Zapier integration (dredditz 1.0.0) that currently has an authentication module built with the session-auth system and a protected API endpoint trigger. The trigger looks for new posts, and this endpoint expects the request’s Auth header to have a valid JWT, which I provide by building the request JavaScript object with url and headers properties.
My integration is working fine locally, passing all the tests, viz. (the following are the 4 tests I am doing in application.test.js):
1) calling the getAuthenticationToken() method from authentication.js, authenticating the user with username and password, and returning an AuthResponse object consisting of an authentication token and a refresh token, which I am catching in bundle.authData.xxx computed fields for later usage / subsequent API calls for refreshing the token or polling the trigger.
2) subsequently, if I call the getAuthenticationToken() method from the authentication.js module again, it correctly refreshes the old authToken using the refreshToken (given to Zapier in the first step). I checked it via z.console.log messages.
3) passing the “test” API call, which can be reached only if the user is authenticated.
4) successfully doing the trigger test locally, fetching new posts on a protected endpoint.

The app even works on the Zapier platform to start with (tested by creating a Zap), polling the trigger API correctly, but it gets a 403 “Access Denied” after 15 minutes. This happens because Zapier by itself is not refreshing the authenticationToken and is passing the invalid JWT in the header; my back-end invalidates the auth tokens every 15 minutes and expects them to be refreshed using the refreshToken provided when you passed the username and password.

I somehow need to call the getAuthenticationToken method, which is in the authentication.js module, from the trigger post.js. I tried a few ways, but I am getting z.authData is undefined, and the runtime can’t read the property, say refreshToken, of undefined. In generic words, is it possible to call a method from the authentication.js module while being in the trigger post.js module? I mean, it would be required in all the cases where the app has to make sure to have a valid JWT in the header before polling a protected endpoint.
P.S. I am using session-auth as that is what fits best with my backend, and I can’t use o-auth2, as the backend currently does not support o-auth2.
 



Are you catching that error and throwing a refreshAuthError? Zapier will look for a 401 and trigger refresh - anything else needs to be explicitly handled. https://zapier.github.io/zapier-platform/#stale-authentication-credentials

Something to think about is determining what’s an expired token error vs. what is an actual invalid access attempt if both cases return the same error code. Something like checking in getSessionKey if you have neither a refresh key nor user provided credentials that work - you’ll know something is wrong and can handle that accordingly.

Thanks, @Zane, for a quick reply on this. You are right, my back-end is emitting 403 even when it should ideally emit 401. I will take care of this in the future; for the time being, I fixed this issue by making the API call to the /refreshToken endpoint just before making a polling call to the protected API endpoint in the trigger module.

As mentioned in the documentation link you provided, I do not need to keep adding this refreshToken API call in all the further triggers I am planning. Throwing refreshAuthError in the right way is a better and safer approach. It will save me from having to repeatedly call the refresh token endpoint before actually polling the trigger API.

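Added example (not code from the thread or from Zapier): an `afterResponse` middleware that handles the case discussed above, where the backend answers 403 for an expired JWT, and that separates an expired token from a real denial by reading the token's `exp` claim. The field name `bundle.authData.authToken` and the function names are assumptions for illustration.

```javascript
// Added example. Assumption: the JWT lives in bundle.authData.authToken
// (hypothetical field name; use whatever your session auth stores).

// Read the `exp` claim (seconds since epoch) from a JWT without verifying it.
// The backend still verifies the signature; this only classifies a 403.
const jwtExpiry = (token) => {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
    const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return typeof payload.exp === 'number' ? payload.exp : null;
  } catch (err) {
    return null; // malformed token: expiry unknown
  }
};

// 30 s of skew so a token that expires mid-request still counts as stale.
const isStale = (token, nowMs = Date.now(), skewSec = 30) => {
  const exp = jwtExpiry(token);
  return exp !== null && exp <= nowMs / 1000 + skewSec;
};

// Register in the app definition: afterResponse: [refreshOnStale403]
const refreshOnStale403 = (response, z, bundle) => {
  if (response.status !== 403) return response;
  if (isStale(bundle.authData && bundle.authData.authToken)) {
    // Tells Zapier the credentials are stale so it re-runs session auth and retries.
    throw new z.errors.RefreshAuthError();
  }
  // Token unexpired or unreadable: a genuine denial, so do not loop on refresh.
  throw new Error('Access denied (403) with a token that has not expired');
};
```

Once the backend returns 401 for expired tokens, the 403 branch can be dropped, since Zapier already refreshes on 401.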