[Fix] Add token validation to didAuthError and allowable clock skew to willAuthError

[petertgiles]

🤖 Resolves #12369

👋 Introduction

We've been getting lots of reports of premature logouts with our app. Our best explanation is that the Surface tablets appear to have over 5 seconds of clock skew which means that the client is attempting to use an expired token. Also, URQL is not configured to recognize the token_validation error and so it does not attempt to refresh when it gets the error. This PR attempts to fix both problems.

🕵️ Details

🧪 Testing

DidAuthError

1. Rebuild and log in to app
2. Add "throw new Exception('Failed to get introspection');" to the top of verifyJwtWithIntrospection in api/app/Services/OpenIdBearerTokenService.php and to simulate an expired token.
3. Make an API call in your browser

• URQL will try to refresh ONCE and then force a log out.

WillAuthError

1. Manually change allowableClockSkewSeconds in packages/client/src/constants.ts to something very large, like 8 * 60.
2. Rebuild and log into app.
3. Wait until you enter the skew zone, like 2 minutes and make an api call.

• URQL will try to refresh ONCE and and be successful

📸 Screenshot

[petertgiles]

The cleaner solution might be to update our openID provider to return a 401. This would be a bigger change because a lot of tests watch for this reason code now.

[brindasasi]

yeah .. this is what I did as well .. but I didn't see the refresh happening earlier than 10 mins .. may be let's try yours

[brindasasi]

This is looking like great to me and I didn't see any log out in UAT. I'm up for trying this out in prod tonight