Session Handling and Token Invalidation

[Vadimkin]

Hello,

Recently, Bluesky added access tokens (#151), and right now, the library allows exporting a session string (client.export_session_string()). This string includes the handle, DID, their access token, and a refresh token.

Previously, the refresh token had been implemented with a 2-month lifetime (and then developer should generate another refresh token with client.login(login=..., password=...)), but now, the CreateSession function returns another refresh token with another 2-month lifetime.

In my codebase, it's something like this:

def app_init():
    # On app init
    client = Client()
    client.login(BLUESKY_USER_HANDLE, BLUESKY_USER_APP_PASSWORD)
    with open(BLUESKY_SECRET_FILE, "w") as f:
        f.write(client.export_session_string())

def post_message(text):
    session_string = "..."  # content from file
    client = Client()
    client.login(session_string=session_string)

    if client._access_jwt and client._should_refresh_session():
        client._refresh_and_set_session()
        # Update file with new session
        with open(BLUESKY_SECRET_FILE, "w") as f:
            f.write(client.export_session_string())

    # client.send_post(...)

My point here is that protected methods are being used to resolve this problem with autorefresh. Is it better to make them public (if the token needs to be invalidated in this way)?

My initial expectation is that methods like client.send_post()/client.com.atproto.repo.create_record()/etc will take care of token invalidation (if needed), but I receive an error, and it looks like invalidation doesn't work for those methods.

[MarshalX]

Hi! But SDK cares about refreshing of access token using refresh token for a long time 🧐 was added here #27

The problem that I can understand that we must export session every 2 hours because of refreshed tokens 😢

Or do you want to say that auto-refresh logic was broken in SDK?

[MarshalX]

I mean that all methods are checking if the session is expired and renewing it if necessary

[Vadimkin]

I mean that all methods are checking if the session is expired and renewing it if necessary

Aah, thanks! I'll recheck my implementation – looks like something wrong with tokens on my end.

The problem that I can understand that we must export session every 2 hours because of refreshed tokens

Yeah, you're correct! I guess I can do something like this one:

def post_message(text):
    session_string = "..."  # content from file
    client = Client()
    client.login(session_string=session_string)

    client.send_post(...)

    if client.export_session_string() != previous_session_string:
        # export it again

But probably some more elegant way is needed 🤔

[MarshalX]

We definitely should save the session to persistent storage at the end of the script. But we also must catch all errors first to not exit without saving the exported session.

This doesn't fit well with envs, CI/CD secrets, and so on 🥲 sad

[MarshalX]

We can use the exported session for two months before updating it in persistent storage. Isn't it?

[Vadimkin]

There is also an idea to add an option to store the exported session as a file (this file could be always updated when a new token is generated, so you don't have to catch all errors) when Client() is initialized. Also, looks like some user/password fallback is needed as well.

We can use the exported session for two months before updating it in persistent storage. Isn't it?

You're correct in general, but It is something strange happens there with token with expiration date 2 days ago

and refresh token with expiration in December:

This token raises an error on client.login(session_string=...):

atproto.exceptions.BadRequestError: Response(success=False, status_code=400, content=XrpcError(error='ExpiredToken', message='Token has been revoked'), headers=Headers({'date': 'Tue, 19 Sep 2023 19:48:13 GMT', 'content-type': 'application/json; charset=utf-8', 'content-length': '59', 'connection': 'keep-alive', 'x-powered-by': 'Express', 'access-control-allow-origin': '*', 'ratelimit-limit': '3000', 'ratelimit-remaining': '2999', 'ratelimit-reset': '1695153193', 'ratelimit-policy': '3000;w=300', 'vary': 'Accept-Encoding'}))

🤯🤯🤯

[Vadimkin]

I'd assume that something is broken on bsky side with this token – with newly generated tokens everything works fine! I think we're good to use the same exported session for 2 months!

[MarshalX]

I can add the ability to register callback on token refresh. And the user can implement storing this token in db or file or wherever

[MarshalX]

I'd assume that something is broken on bsky side with this token – with newly generated tokens everything works fine! I think we're good to use the same exported session for 2 months!

Didn't you changed password or remove app password?

[Vadimkin]

Didn't you changed password or remove app password?

Nope. Furthermore, for a token that was generated yesterday, I'm getting the same "Token has been revoked" error. Password/handle haven't been changed, and I am still able to generate new tokens with the same password.

Token generated at 1695150790, exp=1695157990
Refresh token generated at 1695150790, exp=1702926790 (Dec, 18)

>>> client = Client()
>>> client.login(session_string=sec)
atproto.exceptions.BadRequestError: Response(success=False, status_code=400, content=XrpcError(error='ExpiredToken', message='Token has been revoked'), headers=Headers({'date': 'Wed, 20 Sep 2023 09:07:36 GMT', 'content-type': 'application/json; charset=utf-8', 'content-length': '59', 'connection': 'keep-alive', 'x-powered-by': 'Express', 'access-control-allow-origin': '*', 'ratelimit-limit': '3000', 'ratelimit-remaining': '2998', 'ratelimit-reset': '1695201121', 'ratelimit-policy': '3000;w=300', 'vary': 'Accept-Encoding'}))

...

>>> client._import_session_string(sec)
SessionString(...)
>>> client._should_refresh_session()
True
>>> client._refresh_and_set_session()
atproto.exceptions.BadRequestError: Response(success=False, status_code=400, content=XrpcError(error='ExpiredToken', message='Token has been revoked'), ...)

[MarshalX]

so... does it mean that when you refresh the session and get a new refresh token, the old one is revoked?

[Vadimkin]

When new access+refresh token is generated, I'll still able to use previously generated tokens.
But when access token is expired, I'll never be able to use client.login(session_string=...) command – client wants to renew access token (by refresh token), but server returns "Token has been revoked" error

[asoftbird]

Can confirm; started using tokens yesterday and after just four login events (across four hours) the token was "revoked" with no further information. Making new sessions works, but it's not clear how long they will last and how fast I'm going to hit the rate limit.

[Mwyann]

Hi,

I'm looking for any code snippet or something that handles tokens seamlessly and nicely. My idea would be to provide a login, pass and storage file for the token data. Then the login method would check the token validity, or try to refresh it, or simply login from scratch again, and save the token data on disk for future use (not sure if a file is the best idea but you get the point). All this process done in one method call, which returns an atproto.Client instance.

[asoftbird]

I still have no idea what I'm doing wrong; tokens just get revoked on a seemingly random basis and refreshing my token does not seem to work.

I'm running v0.0.29.

This code runs before every activation of my bot script:
(Bot runs every hour and posts an image, as a oneshot-type script)

import os
import sys
from dotenv import load_dotenv
from atproto import Client
import time
import json

load_dotenv()
username = str(os.getenv('BSKY_UNAME'))
password = str(os.getenv('BSKY_APP_PASSWORD'))

session_file = "session.json"
time_valid = 7200 # 2h, in seconds

def getCurrentTime():
    return int(time.time())

def getExpiryTime(creation_time):
    # 30 days; atproto protocol session token has 2month validity
    return creation_time + (time_valid)

def checkSessionValidity():
    current_time = getCurrentTime()
    try:
        with open(session_file, 'r') as file:
            data = json.load(file)
        expiry_time = data['expiry']
        created_time = data['created']

        if expiry_time < current_time:
            print(f"Session valid until {expiry_time} exceeds current time {current_time}. Generating new session token.")
            createNewSession()
        else:
            print(f"Session token valid until {expiry_time} ({(expiry_time - current_time) / 3600} hours remaining)")
    except json.JSONDecodeError as e:
        print(f"{e}: JSON file invalid; file likely empty. Generating new session token.")
        expiry_time = createNewSession()
        print(f"Created new session, valid until {expiry_time} ({time_valid} seconds)")

def getSessionString():
    try:
        with open(session_file, 'r') as file:
            data = json.load(file)
        return data["session"]
    except json.JSONDecodeError as e:
        print(f"{e}")
        return None

def createNewSession():
    try:
        client = Client()
        client.login(username, password)
    except Exception as e:
        sys.exit(f"Bsky login failed: {e}")

    session_string = client.export_session_string()
    current_time = getCurrentTime()
    expiry_time = getExpiryTime(current_time)
    data = {
    "created": current_time,
    "expiry": expiry_time,
    "session": session_string
    }

    with open(session_file, 'w') as file:
        json.dump(data, file)

    return expiry_time


if __name__ == "__main__":
    print("Checking session validity..")
    checkSessionValidity()

Then, in my main script, we log in:

#bsky api
if ENABLE_BSKY:
  bsky_client = Client()

  session_string = getSessionString()

  try:
      bsky_client.login(session_string=session_string)
  except BadRequestError as e:
      print(f"Bsky login failed: {e}")
  else:
      print("Bsky login succesful!")

After just about a week of running perfectly (bot activates every hour, so the token gets refreshed ~12 times a day, well under the rate limit??), it suddenly gives me the Token Revoked error again, and, despite running the "refresh token" function before logging in on bsky, it just won't refresh the token again.

The error I now get:

Oct 02 15:00:03 [servername]bash[5482]: Checking session validity..
Oct 02 15:00:03 [servername]bash[5482]: Session valid until 1695848404 exceeds current time 1696251603. Generating new session token.
Oct 02 15:00:59 [servername]bash[5482]: Bsky login failed: Response(success=False, status_code=400, content=XrpcError(error='ExpiredToken', message='Token has been revoked'), headers=Headers({'date': 'Mon, 02 Oct 2023 13:00:12 GMT', 'content-type': 'application/json; charset=utf-8', 'content-length': '59', 'connection': 'keep-alive', 'x-powered-by': 'Express', 'access-control-allow-origin': '*', 'ratelimit-limit': '3000', 'ratelimit-remaining': '2999', 'ratelimit-reset': '1696251912', 'ratelimit-policy': '3000;w=300', 'etag': 'W/"[some-base64-token]"', 'vary': 'Accept-Encoding'}))

I legitimately have no idea why it's not working. I'm not hitting the rate limit, and I refresh my token in case it is invalid, what's going wrong? I've initially used a validity of 60 (and later, 30) days, but that just worked for a single day, so I opted for 2-hour tokens. Session token creation/refreshing seems broken, or maybe I just don't understand how it's supposed to work (in that case, the documentation could use a better example of using tokens).

Anyone able to help?

[grantmcconnaughey]

I'm also getting a lot of random ExpiredToken errors when I know that the tokens are not expired. They were just created yesterday.

Was anyone ever able to figure this one out? I don't want to create new sessions every single time because that is rate limited by IP, but if the tokens don't work either then I might have to.

The error I'm getting is:

atproto_client.exceptions.BadRequestError: Response(success=False, status_code=400, content=XrpcError(error='ExpiredToken', message='Token has been revoked')

I've confirmed the refresh token has the following exp claim: 1715191243 (Wed May 08 13:00:43 -0500 2024)

[MarshalX]

It's just a guess. refresh token was revoked because a new one has been generated because of access token refresh. and you are trying to work with the old one

[grantmcconnaughey]

That's definitely possible. I don't think that's what is happening due to how my code works, but it's possible. I reached out on Discord to see if refresh tokens are immediately revoked.

[MarshalX]

I collected all my thoughts and knowledge about it on the dedicated docs page: https://atproto.blue/en/latest/atproto_client/auth.html

Also, starting from v0.0.41 SDK provides a new callback to receive session string changes which will help you to write proper work and avoid "expired token" errors.

tldr:

from atproto import Client, SessionEvent, Session


client = Client()

@client.on_session_change
def on_session_change(event: SessionEvent, session: Session):
    print(event, session)

new advanced example: https://github.com/MarshalX/atproto/blob/main/examples/advanced_usage/session_reuse.py

i hope it will help you all. mark as the answer for now