After logging in, if I go to bsky.social/account and revoke the app access, it does allow me to update my rsvp for a while. but after some time, I guess the token finally gets revoked from bsky side. Not sure if its possible for us to know at that point, but the smokesignal site still shows as logged in
The session working for some unknown amount of time after revoking might be related to this issue.
Maybe we need to refresh session before doing each RSVP , so that in case it is revoked for some reason we can logout the user, instead of them trying to RSVP and it failing in background.
Right now there is no visual feedback that my RSVP failed because of this 500 error on the site.
I don’t really have a good solution for that, and I’m not sure what the solution would actually be. I think this is one of those cases where Smoke Signal should just fail gracefully and have better error messaging.
This is my understanding of things:
After you log into Smoke Signal and have a valid access token, if the user intentionally revokes the session form their PDS, the access token is still valid, but can’t be refreshed.
Smoke Signal doesn’t have any way of knowing that an access token has been revoked or that a refresh token won’t work on next attempt.
In that situation, what I think Smoke Signal should do is keep the user logged in and not perform any destructive actions like clearing form data so that they can re-authenticate in a new tab / window and then resubmit forms and stuff.
Maybe the solution is to store some sort of session indicator that the current session is logged in but for API calls to work, they need to re-authenticate.
