set-session re-uses a token that may have been revoked by the server #365

reubenmiller opened this issue Apr 28, 2024 · 1 comment
@reubenmiller
Owner

Using set-session does not detect when a token has been revoked due to the "max number of sessions" limit configured in Cumulocity IoT.

Example

  1. Activate a session (no error is thrown)

  2. Using any follow up API calls results in 401 responses

    ERROR   serverError: Token '04a5f818-3957-43ae-a7e4-b3fc7a8b86dc' not present for user 'myuser@example.com'. GET https://iot.latest.stage.c8y.io/inventory/managedObjects?q=%24filter%3D+%24orderby%3Dname: 401 security/Unauthorized Token '04a5f818-3957-43ae-a7e4-b3fc7a8b86dc' not present for user 'myuser@example.com'.

@reubenmiller
Owner Author

The token renewal time (on the server side) seems to also have an effect on the token being revoked.

% c8y devices list
2024-04-28T13:11:55.042+0200	ERROR	Authentication failed (statusCode=401). Try to run set-session again, or check the password
2024-04-28T13:11:55.042+0200	ERROR	serverError: SessionAuth: Token is terminated. Tenant id: t9679. Username: myuser@example.com. Token id: 436afea3-ff75-4f06-91b7-ba19d1177a4f, issued at: 2024-04-28T11:00:06.775Z, valid until: 2024-04-30T11:00:06.775Z, revoked at: 2024-04-28T11:11:54.296Z. GET https://example.cumulocity.com/inventory/managedObjects?q=%24filter%3D+%24orderby%3Dname: 401 Authentication failed/Unauthorized SessionAuth: Token is terminated. Tenant id: t9679. Username: myuser@example.com. Token id: 436afea3-ff75-4f06-91b7-ba19d1177a4f, issued at: 2024-04-28T11:00:06.775Z, valid until: 2024-04-30T11:00:06.775Z, revoked at: 2024-04-28T11:11:54.296Z.
2024-04-28T13:11:55.042+0200	ERROR	Authentication failed (statusCode=401). Try to run set-session again, or check the password
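
One way a client could catch the situation reported above before re-using a cached token, as an added example that is not part of the issue or of the project's code: probe an authenticated endpoint once when the session is activated and treat a 401 as "token revoked, log in again". The function names, the `/probe` path, the bearer-token header and the stand-in server are assumptions made for the illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var ErrTokenRejected = errors.New("cached token rejected by server") // 401 on the probe

// CheckCachedToken probes an auth-required endpoint (probePath, assumed) with a bearer token (assumed).
func CheckCachedToken(ctx context.Context, c *http.Client, baseURL, probePath, token string) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+probePath, nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return fmt.Errorf("probe failed, token state unknown: %w", err)
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode == http.StatusUnauthorized:
		return ErrTokenRejected // revoked, terminated or never issued
	case resp.StatusCode >= 400:
		return fmt.Errorf("probe returned %s", resp.Status)
	}
	return nil
}

// fakeTenant is a constructed stand-in server that accepts only the tokens in live.
func fakeTenant(live map[string]bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !live[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")] {
			http.Error(w, "Token is terminated", http.StatusUnauthorized)
		}
	}))
}

func main() {
	srv := fakeTenant(map[string]bool{"live-token": true})
	defer srv.Close()
	for _, tok := range []string{"live-token", "revoked-token"} {
		fmt.Println(tok, CheckCachedToken(context.Background(), srv.Client(), srv.URL, "/probe", tok))
	}
}
```

A network error is reported separately from `ErrTokenRejected`, so an unreachable server does not cause a still-valid token to be discarded.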
