Handling authentication token refreshing with fetch interceptor

[jezzsantos]

Using the fetch client, we are adding an error interceptor to catch the cases when a 401 is returned for using any of our generated APIs.

I have some questions on the design.
In the error interceptor we are looking at the response.status and if 401, we are calling our refreshToken() generated client method.
After this returns, we are retrying the original request by using fetch directly (configured with original request details) to make the original request, and to avoid using the generated fetch client.
If this request succeeds, we resolve the response to the interceptor.
If this request fails, we also resolve the failed response error to the interceptor.

async function handleUnauthorizedResponse(error: unknown, response: Response, request: Request): Promise<unknown> {
  if (response.status !== 401) {
    return Promise.resolve(error);
  }

  try {
    recorder.traceDebug("UnAuthorizedHandler: 401 detected, refreshing user's token");
    // Attempt to refresh the access_token cookies (if exist)
    return await refreshToken().then(async (res) => {
      if (res.response.ok) {
        recorder.traceDebug("UnAuthorizedHandler: Refreshed user's token, retrying original request");
        recorder.trackUsage(UsageConstants.UsageScenarios.BrowserAuthRefresh);
        // Retry the original request
        const retry = await fetch(request.url, {
          method: request.method,
          headers: request.headers,
          body: request.method === 'GET' || request.method === 'HEAD' ? undefined : request.body,
          credentials: 'include'
        });
        if (retry.ok) {
          // Retrying original request now succeeds
          return Promise.resolve(retry);
        } else {
          if (retry.status === 401) {
            recorder.traceDebug('UnAuthorizedHandler: Original request still returns 401, forcing logout');
            // Assume, the user is no-longer authenticated anymore. Best we can do here is force the user to login again
            logout().then(() => forceReloadHome());
            return Promise.resolve(error);
          } else {
            // Retrying original request failed with a different error
            const retryError = await getResponseError(retry);
            recorder.traceDebug('UnAuthorizedHandler: Original request failed with: {Error}', { error });
            return Promise.resolve(retryError); // TODO: consider that this response will be different than the one passed into this interceptor.
          }
        }
      } else {
        if (res.response.status === 401 || res.response.status === 423) {
          recorder.traceDebug("UnAuthorizedHandler: Refreshing user's token returned 401, forcing logout");
          // Access token does not exist, or Refresh token is expired, or User is locked and cannot be refreshed,
          // or they cannot be authenticated anymore, the best we can do here is force the user to log out,
          // remove all cookies, and force them to login again.
          logout().then(() => forceReloadHome());
          return Promise.resolve(error); // should never get here
        }
        const refreshError = await getResponseError(res.response);
        recorder.traceDebug("UnAuthorizedHandler: Refreshing user's token failed with: {Error}", { error });
        return Promise.resolve(refreshError); // TODO: consider that this response will be different than the one passed into this interceptor.
      }
    });
  } catch (error) {
    return Promise.reject(error);
  }
}

I have a few questions, about how this should correctly behave with respect to being called by the generated fetch client:

1. Should we resolve the original error (passed to the interceptor) if we want to ignore it. i.e. it is not a 401?
2. Should we resolve the retried response (from fetch) even though this is a different request/response than was passed into the interceptor?
3. Should we resolve, if the original request retry attempt fails? this request/response/error is also different than was passed into the interceptor?

What is the correct behavior here for such an error interceptor?