
Correct handling of malformed tokens with compliant 401 response according to RFC 6750 #118

Open
jan-thoma wants to merge 3 commits into markhuot:user-tokens from jan-thoma:user-tokens

Conversation

@jan-thoma

invalid_token

The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code. The client MAY request a new access token and retry the protected resource request.

@markhuot
Owner

I like this a lot. The only thing we lose is any messaging around expired tokens, which I think can be especially helpful for debugging purposes. Would it break the spec to return a message like token_expired instead of token_invalid?

@jan-thoma
Author

Firebase actually throws 2 messages on validation: one is token expired, the other one is JSON malformed. This could be implemented as a JSON response following the GraphQL style.
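Added example (not code from the CraftQL project or either commenter) showing how the two validator outcomes discussed above can be reported without leaving RFC 6750: section 3 fixes the error code at `invalid_token` for expired and malformed tokens alike, while the debugging detail goes into `error_description`, and section 3.1 says a request with no credentials at all should get a bare challenge with no error code. The realm value, the `reason` labels and the GraphQL-style body shape are assumptions.

```python
"""Build an RFC 6750 section 3 compliant 401 for a rejected bearer token."""
import json
from typing import Optional

# Assumed mapping from the two validator failure kinds mentioned in the
# thread to human-readable descriptions; the labels are not from the project.
DESCRIPTIONS = {
    "expired": "The access token has expired",
    "malformed": "The access token is malformed",
}


def sanitize_description(text: str) -> str:
    """Keep only characters RFC 6750 allows in error_description.

    The grammar permits %x20-21 / %x23-5B / %x5D-7E, i.e. printable ASCII
    without '"' and '\\', so raw exception messages must be filtered before
    they are placed inside the quoted header parameter.
    """
    return "".join(ch for ch in text
                   if "\x20" <= ch <= "\x7e" and ch not in '"\\')


def bearer_challenge(reason: Optional[str], realm: str = "craftql") -> dict:
    """Return status, headers and a GraphQL-style JSON body for a 401.

    reason None means no bearer token was presented: RFC 6750 section 3.1
    says the challenge SHOULD then carry no error code or description.
    Any other value is reported with the fixed code invalid_token, and the
    specific cause is preserved only in error_description and the body.
    """
    params = [f'realm="{realm}"']
    body = {"errors": [{"message": "Authentication required"}]}
    if reason is not None:
        description = sanitize_description(
            DESCRIPTIONS.get(reason, "The access token is invalid"))
        params.append('error="invalid_token"')
        params.append(f'error_description="{description}"')
        body = {"errors": [{"message": description,
                            "extensions": {"code": "invalid_token",
                                           "reason": reason}}]}
    return {
        "status": 401,
        "headers": {"WWW-Authenticate": "Bearer " + ", ".join(params),
                    "Content-Type": "application/json"},
        "body": json.dumps(body),
    }
```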

@markhuot
Owner

Interesting, this is all really helpful, thanks! Do you happen to have a link to where this is in the Firebase docs? I'd love to learn from it. In the meantime I'll take a look at what sort of messaging we can change here.

@jan-thoma
Author

Nope, there are no docs about exceptions. If you remove the try/catch block, you get the stack trace of the two classes.

@jan-thoma
Author

I would like to see the user-token branch get merged into the official repo in the next months. We work on a project where craftql fits in perfectly and saves us tons of time.

@markhuot
Owner

Yup, that seems doable. I'd like to get it merged by the end of July, but that might be tight with some other things competing for my time. Certainly by the end of August though. If there's a specific date or need feel free to email me directly (email is on my GitHub profile) and we can discuss.

@jan-thoma
Author

August fits perfectly. I have some ideas which may be worth considering; I will send you an email later.
