Skip to content

Fix critical bug causing users to be logged out during concurrent token refresh #826

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tjementum merged 3 commits into from
Jan 11, 2026
Merged

Fix critical bug causing users to be logged out during concurrent token refresh #826

tjementum merged 3 commits into from
Jan 11, 2026

Conversation

@tjementum
Copy link
Member

@tjementum tjementum commented Jan 11, 2026

Summary & Motivation

Fix the token refresh race condition introduced in #821. When multiple API requests are made concurrently and all attempt to refresh an expired access token, only one succeeds while the others fail with DbUpdateConcurrencyException, causing the user to be logged out. This commonly occurs when returning to a browser tab after tokens have expired (e.g., TanStack Query's invalidateQueries() triggers multiple parallel requests).

  • Implement atomic token refresh using an isolated database connection that commits immediately, independent of EF Core's Unit of Work transaction. This ensures only one concurrent request wins the refresh race, while others fall back to the grace period mechanism using PreviousRefreshTokenJti
  • Update SQLite test connection strings to use shared cache mode (Cache=Shared), enabling isolated connections to access the same in-memory database. This allows the atomic refresh pattern using Activator.CreateInstance(existingConnection.GetType()) to work in tests
  • Simplify RefreshTokenGenerator API by consolidating Generate and Update methods into a single Generate method with explicit version and expiry parameters
  • Reorder UserInfoFactory parameters to follow async conventions with cancellationToken last
  • Remove SessionRefreshed and AuthenticationTokensRefreshed telemetry events as they add noise without providing meaningful business value

Downstream projects

Update the SQLite connection string in your-self-contained-system/Tests/EndpointBaseTest.cs to use shared cache mode, which allows isolated database connections to access the same in-memory database:

-        // Create connection and add DbContext to the service collection
-        Connection = new SqliteConnection("DataSource=:memory:");
+        // Create connection using shared cache mode so isolated connections can access the same in-memory database
+        Connection = new SqliteConnection($"Data Source=TestDb_{Guid.NewGuid():N};Mode=Memory;Cache=Shared");

Checklist

  • I have added tests, or done manual regression tests
  • I have updated the documentation, if necessary

@tjementum tjementum self-assigned this Jan 11, 2026
@tjementum tjementum added the Bug Something isn't working label Jan 11, 2026
@linear
Copy link

linear bot commented Jan 11, 2026

PP-756 Token refresh fails when multiple concurrent requests occur

@tjementum tjementum moved this to 🏗 In Progress in Kanban board Jan 11, 2026
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 11, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
1 Accepted issue

Measures
0 Security Hotspots
89.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@tjementum tjementum merged commit de84c2a into main Jan 11, 2026
27 checks passed
@tjementum tjementum deleted the pp-756-token-refresh-fails-when-multiple-concurrent-requests-occur branch January 11, 2026 20:20
@github-project-automation github-project-automation bot moved this from 🏗 In Progress to ✅ Done in Kanban board Jan 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@tjementum tjementum

Labels

Bug Something isn't working

Projects

Kanban board
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tjementum