Thinkin' bout those access tokens

Hello again,

I’d been wondering about the personal access token page and theorising a bit about what’s going on under the hood, which is always a bit of weekend fun. That got me thinking and there’s a certain UI flow you can follow which can temporarily lock you out as well :slightly_smiling_face:

Originally, I was going to ask what’s up with personal access tokens because every time I create a new session (I’m the opposite of a tab hoarder: I open the same site, only to close it and open it seconds later), I end up with a new token and this happens:

I actually invalidated most of my tokens just a few weeks ago so I can only imagine what others might have!

Anyway, my initial assumption is that these tokens are used to drive the GraphQL API and retrieve instance information which seems… sort of correct? At a glance, I think the _ui cookie /is/ the access token but it’s sort of shuffled between web.fly.io and fly.io?

I was a bit confused as to why have an access token at all if there’s still a server side rendered layer in between. EDIT: In fairness, this only seems true on half of the pages with others doing a client side call direct to a GraphQL endpoint. Things are still in migration of course!

I imagine it’s easier to invalidate the token itself, given cookies persist no matter what. That leads me to my next bit of fun: What if I invalidate the most recent token?

Screen Shot 2021-07-03 at 12.34.32 PM

Very cool but oh no, how do I get back? It seems if I simply go straight to fly.io, I’ll get issued a new token instantly but instead, I click back and end up on web.fly.io. Upon closer inspection, this too actually seems to regenerate the _ui cookie but no new access token is issued under the “Personal Access Tokens” page in settings.

Hmm, I guess we’ll just log out then and oh, what’s that cookie still doing there.

If I were to delete it, I’d get a new one but let’s leave it and try to log back in.

Hmm, it’s still there. I guess since it saw I already had one, a new one wasn’t set which can only mean

Screen Shot 2021-07-03 at 12.35.37 PM

I’m trapped forever… until I simply close my tab and open a new one of course, but as someone who doesn’t computer good, I don’t know what state is, and isn’t logging out the same as resetting everything? :wink:

As always, this is just a thinly veiled excuse to hear someone talk about how things work under the hood in great detail, because no other businesses do that, sadly.

Beyond that, it would be nice if the site access tokens could be a little more descriptive because I don’t know which ones are still valid or what sessions they relate to :slight_smile: I actually first came across the above purely by accident because I had no idea what those access tokens mapped to exactly.

Cheers and keep it up!

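To make the lockout in the post above concrete, here is a small added model of what happens when a browser cookie (the post’s `_ui`) points at a server-side access token, the token is revoked from the settings page, and the login handler trusts any cookie it already sees. This is example code written for this thread, not Fly.io’s implementation, and everything in it (the `TokenStore`, the `Browser` cookie jar, the `login_naive`/`login_fixed` and `logout_naive`/`logout_fixed` handlers, the user `alice`) is an assumption made to reproduce the sequence the poster describes, not a claim about how fly.io or web.fly.io actually behave:

```python
# Added example: toy model of a session cookie that references a server-side
# access token. NOT Fly.io's code; every name here is an assumption used to
# replay the lockout sequence from the post (revoke newest token -> log out
# -> log back in -> still anonymous) and to show what a login handler has to
# do so that sequence cannot trap the user.
import secrets

COOKIE = "_ui"  # cookie name taken from the post; its real contents are unknown


class TokenStore:
    """Server side: the set of currently valid access tokens and their owners."""

    def __init__(self):
        self._tokens = {}  # token -> user

    def issue(self, user):
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = user
        return tok

    def revoke(self, tok):
        # Models the "revoke" action on the Personal Access Tokens page.
        self._tokens.pop(tok, None)

    def user_for(self, tok):
        return self._tokens.get(tok)


class Browser:
    """Client side: a cookie jar that keeps session cookies until the browser closes."""

    def __init__(self):
        self.cookies = {}

    def close(self):
        # A cookie with no Max-Age/Expires is a session cookie and dies with the browser.
        self.cookies.clear()


def whoami(store, browser):
    """The server's per-request check: resolve the cookie to a user, or None."""
    return store.user_for(browser.cookies.get(COOKIE))


def login_naive(store, browser, user):
    """Lockout-prone: an existing cookie is taken at face value and kept as-is."""
    if COOKIE in browser.cookies:
        return browser.cookies[COOKIE]
    tok = store.issue(user)
    browser.cookies[COOKIE] = tok
    return tok


def login_fixed(store, browser, user):
    """Always mint a fresh token on login and revoke whatever the cookie held.
    Rotating on login also closes the classic session-fixation hole."""
    old = browser.cookies.get(COOKIE)
    if old is not None:
        store.revoke(old)
    tok = store.issue(user)
    browser.cookies[COOKIE] = tok
    return tok


def logout_naive(store, browser):
    """Revokes server side but leaves the stale cookie sitting in the jar."""
    store.revoke(browser.cookies.get(COOKIE))


def logout_fixed(store, browser):
    """Revokes server side AND clears the cookie (Set-Cookie: _ui=; Max-Age=0)."""
    store.revoke(browser.cookies.pop(COOKIE, None))


def run_lockout(login, logout):
    """Replay the post's sequence; return who the server thinks we are at the end."""
    store, browser = TokenStore(), Browser()
    login(store, browser, "alice")
    store.revoke(browser.cookies[COOKIE])  # revoke the newest token from settings
    assert whoami(store, browser) is None  # anonymous now, as expected
    logout(store, browser)
    login(store, browser, "alice")         # log straight back in
    return whoami(store, browser)


def recover_by_closing(login, logout):
    """Same sequence, but the browser is closed before logging back in."""
    store, browser = TokenStore(), Browser()
    login(store, browser, "alice")
    store.revoke(browser.cookies[COOKIE])
    logout(store, browser)
    browser.close()                        # session cookie gone with the tab
    login(store, browser, "alice")
    return whoami(store, browser)


if __name__ == "__main__":
    print("naive login + naive logout:", run_lockout(login_naive, logout_naive))      # None: trapped
    print("fixed login + fixed logout:", run_lockout(login_fixed, logout_fixed))      # alice
    print("naive, but close the browser:", recover_by_closing(login_naive, logout_naive))  # alice
```

The point of the model is that either half of the fix is enough on its own: a logout that actually expires the cookie, or a login that never reuses a cookie it did not just mint, and the "close the tab" escape hatch only works because the cookie in this model is a session cookie rather than a persistent one.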