Pull request overview
Restores pre-BFF behavior where getAccessToken() returns null instead of throwing for anonymous users, and fixes a downstream null-dereference in getIdToken().
Changes:
- getAccessToken() returns null instead of throwing when no refresh source is available
- getIdToken() handles the null return from getAccessToken() to avoid a TypeError
- Tests updated and added to cover anonymous user scenarios
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/authentication/authenticationContext.ts | Restore null return in getAccessToken() and add null guard in getIdToken() |
| src/authentication/authenticationContext.spec.ts | Update/add tests for anonymous user token scenarios |
Fix: restore null return for anonymous users in public showrooms
Problem
After updating @elfsquad/authentication with BFF (Backend for Frontend) support, getAccessToken() began throwing an error when no access token and no refresh source were available:
▎ @elfsquad/authentication: Access token expired and no refresh source is available.
This broke public showrooms where anonymous users legitimately have no tokens. The error surfaced because getAccessToken() is called on every HTTP request to attach an Authorization header — even for unauthenticated users.
The root cause: the new throw was placed in a code path that applies to all flows, not just the BFF flow it was intended to guard.
Fix
getAccessToken() — restore the pre-BFF behavior of returning null when there is no valid token and no refresh source (no refreshAccessToken callback, no stored refresh token). This is the correct outcome for anonymous users; callers that need an authenticated token handle the null case.
The throw would only be meaningful for the BFF flow, but the BFF flow never reaches this code path — when options.refreshAccessToken is set, the condition !options.refreshAccessToken is false, so it proceeds directly to the callback.
getIdToken() — fixed a downstream null-dereference. After getAccessToken() returns null, this.accessTokenResponse remains null, so accessing .idToken on it would throw a TypeError. Added an early return of null when getAccessToken() returns null.
Tests
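The control flow described in this pull request, as an added TypeScript example that is not part of the pull request or the @elfsquad/authentication source. AuthContextModel, hasValidToken, authorizationHeaders and requireAccessToken are hypothetical names, and the stored-refresh-token path is left out of the model:

```typescript
// Added illustration: a simplified model, not the @elfsquad/authentication source.
// AuthContextModel, hasValidToken, authorizationHeaders and requireAccessToken are
// hypothetical names; the stored-refresh-token path is left out of the model.
interface TokenResponse { accessToken: string; idToken: string; expiresAt: number; }
interface Options { refreshAccessToken?: () => Promise<TokenResponse>; }

class AuthContextModel {
  accessTokenResponse: TokenResponse | null = null;
  options: Options;

  constructor(options: Options = {}) { this.options = options; }

  hasValidToken(): boolean {
    const r = this.accessTokenResponse;
    return r !== null && r.expiresAt > Date.now();
  }

  async getAccessToken(): Promise<string | null> {
    if (this.hasValidToken()) return this.accessTokenResponse!.accessToken;
    // Anonymous user: no token and no refresh source. Return null instead of throwing.
    if (!this.options.refreshAccessToken) return null;
    // BFF flow: the callback is set, so the guard above is skipped.
    this.accessTokenResponse = await this.options.refreshAccessToken();
    return this.accessTokenResponse.accessToken;
  }

  async getIdToken(): Promise<string | null> {
    const accessToken = await this.getAccessToken();
    // accessTokenResponse is still null for anonymous users; reading .idToken would throw.
    if (accessToken === null) return null;
    return this.accessTokenResponse!.idToken;
  }
}

// Per-request caller: attach Authorization only when a token exists, never "Bearer null".
function authorizationHeaders(token: string | null): Record<string, string> {
  return token === null ? {} : { Authorization: `Bearer ${token}` };
}

// Caller that needs an authenticated user: the null case is rejected here, at the call site.
async function requireAccessToken(ctx: AuthContextModel): Promise<string> {
  const token = await ctx.getAccessToken();
  if (token === null) throw new Error('authentication required');
  return token;
}
```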