Reputation: 372
My iOS app uses Parse Server's automatic user feature, namely users do not have to provide login credentials, but instead are logged in automatically and anonymously. These are not users that have been migrated from Parse.com, but automatic users with revocable sessions generated by hosted Parse Server.
Our client-side Parse initialisation looks like this:
[Parse initializeWithConfiguration:[ParseClientConfiguration configurationWithBlock:^(id<ParseMutableClientConfiguration> _Nonnull configuration) {
    configuration.applicationId = <our app id>;
    configuration.clientKey = <our client key>;
    configuration.server = <our server>;
}]];
// Users
[PFUser enableRevocableSessionInBackground];
[PFUser enableAutomaticUser];
[PFACL setDefaultACL:[PFACL ACL] withAccessForCurrentUser:YES];
On the server, "Expire inactive session" is YES, and "Revoke session on password reset" is YES. Session length is 1 year in seconds. I do not fully understand what constitutes an "inactive" session as far as "Expire inactive session" goes, and exactly what "Expire" constitutes - deletion from the database, or just making the token invalid. It seems to me that the session remains valid simply for "session length" after its inception, regardless of other factors.
Based on that understanding, everything works as expected - the user can communicate with the database - and at the 1 year mark, the session token appears to expire naturally.
I note that in Parse Server's authentication tab "App authentication settings", "Enable Anonymous Authentication" is actually set to NO. My understanding here is that this would simply let users communicate with Parse server without a valid session token or valid PFUser object. This is not really what we want - we want a valid anonymous PFUser to communicate, as we may later want to transition them to a regular PFUser. I've tried switching it to YES, but we still see the same errors.
With a standard login flow, one would clearly then display a screen allowing the user to log in and refresh their token. However, in the case of automatic or anonymous users, that makes no sense - they never entered any login credentials, and so they have no means of refreshing their credentials manually.
Given that automatic user is enabled, I would have expected that Parse Server would automatically generate a new session token for a user with anonymous credentials. Instead, any interaction with the server or database fails with:
Error Domain=Parse Code=209 "Session token is expired." UserInfo={code=209, temporary=0, error=Session token is expired., NSLocalizedDescription=Session token is expired.}
Can anyone help me with a solution?
I am using Parse Server v2.3.2 with MongoDB v3.0.12, and iOS Parse SDK v1.17.1. I can look to upgrade to the latest versions, but I want to take the time to understand what the problem is first, and if/how this may solve the problem.
Deleting the app and reinstalling it fixes the problem, because a new automatic user is generated and a fresh session token is provided. In the database this appears as a completely new user and the old one sits unused forevermore.
I would like to implement a solution that simply grants a new session token for anonymous users with an expired token. It seems as though I must set a finite session length, and I would rather not just set it to 100 years - it does not solve the problem for existing users and feels like a hack.
Thank you for your help.
Kind regards, Alex
Upvotes: 3
Views: 1348
Reputation: 372
This has been confirmed as a known issue with Parse Server as of v2.8.0 or prior.
The interim solution was simply to update our database and manually set all "expiresAt" fields in the PFSession objects to a date in the future. In addition we have increased the "Session Length" in our server settings to 3 years to give us a bigger buffer for new users.
In the meantime, proper handling of token expiry for automatic users is being discussed, and a solution is likely to be forthcoming in a future update to Parse Server. Please see my Parse Server GitHub Issue.
Upvotes: 1
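An added example, not part of the original answer or of Parse Server's own code: a planner for the "expiresAt" workaround that extends only the sessions of automatic (anonymous) users, so expired tokens belonging to credentialed users stay expired. Only the `expiresAt` field name comes from the page; `id`, `userId`, `isAnonymous` and the sample records are hypothetical, constructed stand-ins for the stored data.

```javascript
// Added example. Only `expiresAt` is a field name from the page; `id`, `userId`
// and `isAnonymous` are hypothetical stand-ins for the stored records.
const DAY_MS = 24 * 60 * 60 * 1000;

// Decide, per session, whether to push expiresAt forward. Sessions of
// credentialed users are never extended: those users can log in again.
function planSessionExtensions(sessions, users, now, opts = {}) {
  const { graceDays = 30, extendDays = 365 } = opts;
  const anonymousIds = new Set(users.filter((u) => u.isAnonymous).map((u) => u.id));
  const nowMs = now.getTime();
  const cutoffMs = nowMs + graceDays * DAY_MS;
  const plan = { extend: [], leaveExpired: [], untouched: [] };

  for (const s of sessions) {
    const expiresMs = s.expiresAt.getTime();
    if (anonymousIds.has(s.userId) && expiresMs <= cutoffMs) {
      // Expired or about to expire, and the user cannot re-authenticate.
      plan.extend.push({ id: s.id, expiresAt: new Date(nowMs + extendDays * DAY_MS) });
    } else if (expiresMs <= nowMs) {
      plan.leaveExpired.push(s.id);
    } else {
      plan.untouched.push(s.id);
    }
  }
  return plan;
}

// Constructed sample data, not taken from a real database.
const SAMPLE_USERS = [
  { id: 'anonA', isAnonymous: true },
  { id: 'anonB', isAnonymous: true },
  { id: 'reg1', isAnonymous: false },
];
const SAMPLE_SESSIONS = [
  { id: 's1', userId: 'anonA', expiresAt: new Date('2018-12-01T00:00:00Z') },
  { id: 's2', userId: 'anonB', expiresAt: new Date('2019-01-15T00:00:00Z') },
  { id: 's3', userId: 'reg1', expiresAt: new Date('2018-11-01T00:00:00Z') },
  { id: 's4', userId: 'anonB', expiresAt: new Date('2019-06-01T00:00:00Z') },
  { id: 's5', userId: 'reg1', expiresAt: new Date('2019-01-10T00:00:00Z') },
];

function demoPlan() {
  return planSessionExtensions(SAMPLE_SESSIONS, SAMPLE_USERS, new Date('2019-01-01T00:00:00Z'));
}

console.log(JSON.stringify(demoPlan(), null, 2));
```

The `extend` list is what would be written back to the session records; `leaveExpired` is the set a blanket update of every "expiresAt" field would have revived.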