fix: security hardening + code quality improvements (401 retry limit, UUID crypto, debounce this-bug, deduplicate CSS/helpers, optimize SW precache)

2026-02-08 13:53:23 +01:00
parent c66c80adcc
commit 9f48e073b8
11 changed files with 41 additions and 152 deletions
--- a/js/services/directus.js
+++ b/js/services/directus.js
@@ -45,6 +45,7 @@ class DirectusService {
        this.refreshToken = null
        this.tokenExpiry = null
        this.refreshTimeout = null
+        this._refreshPromise = null
        
        this.loadTokens()
        this.setupVisibilityRefresh()
@@ -153,15 +154,17 @@ class DirectusService {
                headers
            })
            
-            // Token expired - try refresh (but not for auth endpoints)
-            if (response.status === 401 && this.refreshToken && !endpoint.startsWith('/auth/')) {
-                const refreshed = await this.refreshSession()
-                if (refreshed) {
-                    return this.request(endpoint, options)
-                } else {
-                    this.clearTokens()
-                    return this.request(endpoint, options)
+            if (response.status === 401 && this.refreshToken && !endpoint.startsWith('/auth/') && _retryCount < 1) {
+                if (!this._refreshPromise) {
+                    this._refreshPromise = this.refreshSession().finally(() => {
+                        this._refreshPromise = null
+                    })
                }
+                const refreshed = await this._refreshPromise
+                if (!refreshed) {
+                    this.clearTokens()
+                }
+                return this.request(endpoint, options, _retryCount + 1)
            }

            if (response.status === 429 && _retryCount < 3) {