Today in the Shopware Release News, we announced a hotly awaited bugfix. In this blog post, Jannis Leifeld (Technical Specialist Administration at Shopware AG) explains what exactly the problem was and how it could be solved. Please also note the important information for developers of extensions!
The Shopware administration had two confusing bugs, which caused problems in several instances. The first bug was that the user got logged out "randomly" while working in the administration. The other bug was that, under some circumstances, the administration created a high CPU load.
The reason for both bugs was an issue with the administration worker.
The first problem was that it was possible to have multiple instances of the same worker running. These instances created numerous identical requests at the same time, which led to a high CPU load. It could also block the server when the several worker instances fired a lot of long polling requests (consume call) at the same time.
The other problem came from the fact that the worker can also initialize a token update of the administration. When multiple workers refresh the token simultaneously, it can happen that the refresh token has already been invalidated by the time the next request arrives. If this was the case, the user got logged out.
The solution to these problems was to make sure that there is only a single instance of the administration worker running, so that there is only one source of truth for refreshing the token. After this fix, even if the admin makes multiple refresh token requests simultaneously, the token will only be refreshed once and returned to all requesters.
To make this possible, we needed to change the public API of the "refresh-token.helper.js". It previously exported a "class"; now it exports a "method" that returns the instance of the "class". This guarantees that only a single instance of this class exists.
⚠️ If you made extensions using this class, be aware of this necessary change. All other changes are backward compatible.
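The pattern described above, sketched as an added example (not Shopware's actual code): a module that exposes an accessor instead of the class, and a helper that hands the same in-flight promise to every concurrent caller. The names `createFakeAuthServer`, `RefreshTokenHelper`, `getRefreshTokenHelper` and `demo` are hypothetical, and the auth server is a constructed stand-in that accepts each refresh token only once.

```javascript
// Constructed stand-in for an auth server with rotating, single-use refresh tokens.
function createFakeAuthServer() {
    let valid = 'rt-0';
    const server = {
        calls: 0,
        refresh(refreshToken) {
            server.calls += 1;
            if (refreshToken !== valid) return Promise.reject(new Error('invalid refresh token'));
            valid = `rt-${server.calls}`;
            return Promise.resolve({ access: `at-${server.calls}`, refresh: valid });
        },
    };
    return server;
}

class RefreshTokenHelper {
    constructor(server, refreshToken) {
        Object.assign(this, { server, refreshToken, inFlight: null });
    }
    // Deliberately not `async`: concurrent callers must receive the same promise.
    refresh() {
        if (this.inFlight === null) {
            this.inFlight = this.server.refresh(this.refreshToken)
                .then((tokens) => {
                    this.refreshToken = tokens.refresh;
                    return tokens.access;
                })
                .finally(() => { this.inFlight = null; });
        }
        return this.inFlight;
    }
}

let instance = null;
// Export an accessor instead of the class, so no second helper can be created.
function getRefreshTokenHelper(server, refreshToken) {
    if (instance === null) instance = new RefreshTokenHelper(server, refreshToken);
    return instance;
}

async function demo() {
    const a = createFakeAuthServer(); // before: two uncoordinated callers, same token
    const before = await Promise.allSettled([a.refresh('rt-0'), a.refresh('rt-0')]);
    const b = createFakeAuthServer(); // after: both callers share one helper
    const helper = new RefreshTokenHelper(b, 'rt-0');
    const after = await Promise.allSettled([helper.refresh(), helper.refresh()]);
    return { before: before.map((r) => r.status), after: after.map((r) => r.status), calls: b.calls };
}
demo().then((result) => console.log(result));
```

In the uncoordinated case the second request is rejected, which is the situation that logged the user out; through the shared helper both callers succeed with a single request to the server.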