Access token is refreshed but not updated in my DB

Question

I am using Box API 2.0, and I have a service running to sync the documents between Box and my application. Sometimes something happens like a network error or someone updating the application or restarting the server while the service is requesting a new access token. In this case my access token in my local DB is not the same as the issued one, and because of the error of the restart the new issued token is not saved in my local DB for future use.

How can I prevent something like this from happening? The refresh token is also renewed with each request, so it can't be used to issue a new access and refresh token.

Answer 1

You can use your old refresh token again, as long as you have not made calls with the new access token.

So lets say you have Access Token and Refresh token AT1/RT1. At some point you call the refresh URL to get a new set of tokens:

curl https://www.box.com/api/oauth2/token \ -d 'grant_type=refresh_token&refresh_token={RT1}&client_id={your_client_id}&client_secret={your_client_secret}' \ -X POST

And then your network goes dark, and you never get the response. Box sent you back a new set of tokens AT2/RT2 like this:

{ "access_token": "AT2", "expires_in": 3696, "restricted_to": [], "token_type": "bearer", "refresh_token": "RT2" }

But you never got it. Boo :(... But never fear!
You can send the exact same request again, and Box's server will give you back EXACTLY the same response.

The same AT2/RT2

Then when you use AT2 (or RT2), RT1 becomes invalid.