%22%2F%3E%3Crect%20x%3D%2224%22%20y%3D%2224%22%20width%3D%22792%22%20height%3D%22312%22%20rx%3D%2212%22%20fill%3D%22%23171717%22%20stroke%3D%22%23262626%22%20stroke-width%3D%221%22%2F%3E%3Ctext%20x%3D%2248%22%20y%3D%2272%22%20font-family%3D%22system-ui%2Csans-serif%22%20font-size%3D%2214%22%20font-weight%3D%22600%22%20fill%3D%22%23a3a3a3%22%3ETOKEN%20REFRESH%3C%2Ftext%3E%3Ctext%20x%3D%2248%22%20y%3D%22110%22%20font-family%3D%22system-ui%2Csans-serif%22%20font-size%3D%2220%22%20font-weight%3D%22600%22%20fill%3D%22white%22%3ESingle-flight%20guard%20%C2%B7%20Retry%20%C2%B7%20Keystore%3C%2Ftext%3E%3Crect%20x%3D%2248%22%20y%3D%22132%22%20width%3D%22140%22%20height%3D%226%22%20rx%3D%223%22%20fill%3D%22%23262626%22%2F%3E%3Crect%20x%3D%2248%22%20y%3D%22146%22%20width%3D%22220%22%20height%3D%226%22%20rx%3D%223%22%20fill%3D%22%23262626%22%2F%3E%3Crect%20x%3D%2248%22%20y%3D%22160%22%20width%3D%22180%22%20height%3D%226%22%20rx%3D%223%22%20fill%3D%22%23262626%22%2F%3E%3Crect%20x%3D%2248%22%20y%3D%22180%22%20width%3D%22320%22%20height%3D%2280%22%20rx%3D%228%22%20fill%3D%22%230a0a0a%22%20stroke%3D%22%23262626%22%20stroke-width%3D%221%22%2F%3E%3Ccircle%20cx%3D%22700%22%20cy%3D%22220%22%20r%3D%2252%22%20fill%3D%22none%22%20stroke%3D%22%23404040%22%20stroke-width%3D%222%22%20stroke-dasharray%3D%225%205%22%2F%3E%3Cpath%20d%3D%22M700%20168%20v26%20l20%2020%22%20stroke%3D%22%23737373%22%20stroke-width%3D%222%22%20stroke-linecap%3D%22round%22%20fill%3D%22none%22%2F%3E%3Ctext%20x%3D%22700%22%20y%3D%22290%22%20font-family%3D%22system-ui%2Csans-serif%22%20font-size%3D%2211%22%20fill%3D%22%23737373%22%20text-anchor%3D%22middle%22%3ESessionManager%3C%2Ftext%3E%3Crect%20x%3D%220%22%20y%3D%22280%22%20width%3D%22840%22%20height%3D%2280%22%20fill%3D%22url(%23tg2)%22%2F%3E%3C%2Fsvg%3E)
Token Refresh That Never Logs Users Out
15 January 2025
A single-flight refresh guard, retry strategy, and clock-skew handling so users stay signed in.
TL;DR
Use a central session manager with a single-flight refresh guard: only one in-flight refresh at a time, queue other requests until it completes. Retry with exponential backoff and handle clock skew. Store tokens in Keystore/Secure Enclave. On 401, attempt refresh once; if refresh fails, then logout. Never log users out on a single failed request.
Architecture
One SessionManager (or AuthRepository) owns the current session. All API calls go through an interceptor that attaches the access token. If the interceptor sees 401, it calls SessionManager.refresh(). Refresh() uses a mutex or single promise so concurrent callers wait on the same refresh. After refresh, retry the original request. Tokens live in Keystore; in-memory cache is optional for speed. Logout clears Keystore and in-memory state.
Failure modes
- Refresh loop: refresh token expired or revoked but client keeps retrying.
- Clock skew: device time wrong, token appears expired when it isn’t (or vice versa).
- Token leakage: tokens in logs, crash reports, or screenshots.
- Logout not clearing all state: remnants in storage or memory.
Testing checklist
- Unit tests: refresh called once under 401; concurrent requests share one refresh.
- Mock server: 401 → refresh → 200; 401 → refresh fails → logout.
- Clock skew: advance device time, confirm token validation still correct.
- Snapshot or integration test: logout clears storage and in-memory session.
What I'd do differently next time
I’d add a small “session health” ping (e.g. every N minutes) that validates the refresh token server-side and proactively refreshes before expiry, so we rarely hit the expiry edge at all.