This repository was archived by the owner on Mar 4, 2026. It is now read-only.
Invalidate access tokens when session id changes #1142
Merged
eritbh added a commit that referenced this pull request on Feb 5, 2026
* invalidate access token when session id changes
* also update cache logic to decode new jwt format of reddit_session
Author (Member): backported to 6.1 as e90b135
Previously we didn't bother caching our OAuth access token because we grabbed it directly out of a cookie in new Modmail, and that was cheap. Modmail went away and #1138 lets us get a token from Shreddit by exchanging a CSRF token for an access token, but this means making a request to Shreddit in order to use an access token, so we now cache the token. Caching the token without being aware of when the Reddit session changes causes issues where Reddit invalidates the token when the user logs out, but Toolbox doesn't know and continues to make requests with the bad token until it was originally supposed to expire.
This PR hacks around this by using part of the `reddit_session` cookie as the storage key for the cached access token, meaning that a new access token will be retrieved whenever the session changes. This makes Toolbox work again when switching accounts.

Also fixes the per-user cache logic to decode the new `reddit_session` format and get the current user's base36 ID from it (it's now a JWT and not just a random string of values, with the user's fullname as the JWT subject).
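The session-bound cache keying and the JWT subject decoding described above, as an added example (not Toolbox's own code). It assumes the cookie is a three-segment JWT whose `sub` claim is a fullname of the form `t2_<base36 id>`, and that a new session always carries a different signature segment; the signature is never verified here, it only discriminates cache entries, and the sample cookies are constructed with placeholder signatures.

```javascript
// Assumption: reddit_session is header.payload.signature, sub = "t2_<base36 id>".
// The signature is not verified; Reddit still validates the real access token.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function' ? atob(padded) : Buffer.from(padded, 'base64').toString('binary');
}

function base64UrlEncode(str) {
  const b64 = typeof btoa === 'function' ? btoa(str) : Buffer.from(str, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split the cookie into its JWT segments; parse the payload, keep the signature opaque.
function decodeSessionCookie(cookieValue) {
  const parts = cookieValue.split('.');
  if (parts.length !== 3) throw new Error('reddit_session is not in JWT format');
  return {payload: JSON.parse(base64UrlDecode(parts[1])), signature: parts[2]};
}

// The JWT subject is the user's fullname; strip the "t2_" prefix to get the base36 id.
function currentUserId(cookieValue) {
  const {payload} = decodeSessionCookie(cookieValue);
  if (typeof payload.sub !== 'string' || !payload.sub.startsWith('t2_')) {
    throw new Error('reddit_session subject is not a user fullname');
  }
  return payload.sub.slice(3);
}

// Storage key for the cached access token, bound to the session: a logout or account
// switch produces a new cookie, hence a new key, so the revoked token is never reused.
function accessTokenCacheKey(cookieValue) {
  return `accessToken.${decodeSessionCookie(cookieValue).signature}`;
}

// Return the token cached for this session, or exchange for a fresh one and cache it.
// fetchToken stands in for the CSRF-token-for-access-token exchange against Shreddit.
function getAccessToken(cache, cookieValue, fetchToken) {
  const key = accessTokenCacheKey(cookieValue);
  if (!cache.has(key)) cache.set(key, fetchToken());
  return cache.get(key);
}

// Constructed sample cookies (placeholder signatures, not real Reddit tokens).
const header = base64UrlEncode(JSON.stringify({alg: 'HS256', typ: 'JWT'}));
const payloadA = base64UrlEncode(JSON.stringify({sub: 't2_abc123'}));
const sessionA = `${header}.${payloadA}.signature-of-session-A`;
const sessionB = `${header}.${payloadA}.signature-of-session-B`; // same user after re-login
```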