your code fetches a token but doesn’t wait for that token before fetching the user.
Also this code seems to suggest every page load you’ll generate an access token instead of fetching and storing and reusing an active token.
Additionally this is all front end code, this violates the developer services agreement as you are leaking your client_secret and then the access_token generated with it.
Essentially you are leaking your password.
Only a users own token should be shown to the user. Never an app access token.
So whilst the fix is simple, you should not be doing this as it violates the agreement