akuity · krancour · Dec 22, 2023 · Nov 23, 2023 · Dec 22, 2023 · krancour
@@ -12,6 +12,7 @@ import { queryClient } from './config/query-client';
 import { themeConfig } from './config/themeConfig';
 import { AuthContextProvider } from './features/auth/context/auth-context-provider';
 import { ProtectedRoute } from './features/auth/protected-route';
+import { TokenRenew } from './features/auth/token-renew';
 import { MainLayout } from './features/common/layout/main-layout';
 import { Login } from './pages/login/login';
 import { Projects } from './pages/projects';
@@ -35,6 +36,7 @@ export const App = () => (
                   </Route>
                 </Route>
                 <Route path={paths.login} element={<Login />} />
+                <Route path={paths.tokenRenew} element={<TokenRenew />} />
               </Routes>
             </BrowserRouter>
           </AuthContextProvider>

@@ -0,0 +1,4 @@
+export const authTokenKey = 'auth_token';
+export const refreshTokenKey = 'refresh_token';
+
+export const redirectToQueryParam = 'redirectTo';
@@ -4,5 +4,6 @@ export const paths = {
   project: '/project/:name',
   stage: '/project/:name/stage/:stageName',
 
-  login: '/login'
+  login: '/login',
+  tokenRenew: '/token-renew'
 };
@@ -2,17 +2,23 @@ import { Code, ConnectError, Interceptor } from '@bufbuild/connect';
 import { createConnectTransport } from '@bufbuild/connect-web';
 import { notification } from 'antd';
 
+import { authTokenKey, redirectToQueryParam, refreshTokenKey } from './auth';
 import { paths } from './paths';
 
-export const authTokenKey = 'auth_token';
-
 const logout = () => {
   localStorage.removeItem(authTokenKey);
   window.location.replace(paths.login);
 };
 
-const authHandler: Interceptor = (next) => (req) => {
+const renewToken = () => {
+  window.location.replace(
+    `${paths.tokenRenew}?${redirectToQueryParam}=${window.location.pathname}`
+  );
+};
+
+const authHandler: Interceptor = (next) => async (req) => {
   const token = localStorage.getItem(authTokenKey);
+  const refreshToken = localStorage.getItem(refreshTokenKey);
   let isTokenExpired;
 
   try {
@@ -23,9 +29,13 @@ const authHandler: Interceptor = (next) => (req) => {
     throw new ConnectError('Invalid token');
   }
 
-  if (isTokenExpired) {
-    logout();
+  if (isTokenExpired && refreshToken) {
+    renewToken();
+    throw new ConnectError('Token expired');
+  }
 
+  if (isTokenExpired && !refreshToken) {
+    logout();
     throw new ConnectError('Token expired');
   }
 
@@ -56,6 +66,11 @@ const errorHandler: Interceptor = (next) => (req) => {
 };
 
 export const transport = createConnectTransport({
+  baseUrl: '',
+  interceptors: [errorHandler]
+});
+
+export const transportWithAuth = createConnectTransport({
   baseUrl: '',
   interceptors: [authHandler, errorHandler]
 });
@@ -1,19 +1,26 @@
 import React, { PropsWithChildren } from 'react';
 
-import { authTokenKey } from '@ui/config/transport';
+import { authTokenKey, refreshTokenKey } from '@ui/config/auth';
 
 import { AuthContext } from './auth-context';
 
 export const AuthContextProvider = ({ children }: PropsWithChildren) => {
   const [token, setToken] = React.useState(localStorage.getItem(authTokenKey));
 
-  const login = React.useCallback((t: string) => {
-    localStorage.setItem(authTokenKey, t);
-    setToken(t);
+  const login = React.useCallback((token: string, refreshToken?: string) => {
+    localStorage.setItem(authTokenKey, token);
+
+    if (refreshToken) {
+      localStorage.setItem(refreshTokenKey, refreshToken);
+    }
+
+    setToken(token);
   }, []);
 
   const logout = React.useCallback(() => {
     localStorage.removeItem(authTokenKey);
+    localStorage.removeItem(refreshTokenKey);
+
     setToken(null);
   }, []);
 

@@ -2,7 +2,7 @@ import React from 'react';
 
 export interface AuthContextType {
   isLoggedIn: boolean;
-  login: (token: string) => void;
+  login: (token: string, authToken?: string) => void;
   logout: () => void;
 }
 

@@ -79,7 +79,14 @@ export const OIDCLogin = ({ oidcConfig }: Props) => {
     url.searchParams.set('code_challenge_method', 'S256');
     url.searchParams.set('redirect_uri', redirectURI);
     url.searchParams.set('response_type', 'code');
-    url.searchParams.set('scope', oidcConfig.scopes.join(' '));
+    url.searchParams.set(
+      'scope',
+      [
+        ...oidcConfig.scopes,
+        // Add offline_access scope if it does not exist
+        ...(oidcConfig.scopes.includes('offline_access') ? [] : ['offline_access'])
+      ].join(' ')
+    );
 
     window.location.replace(url.toString());
   };
@@ -134,7 +141,7 @@ export const OIDCLogin = ({ oidcConfig }: Props) => {
         return;
       }
 
-      onLogin(result.id_token);
+      onLogin(result.id_token, result.refresh_token);
     })();
   }, [as, client, location]);
 

@@ -1,6 +1,8 @@
+import { TransportProvider } from '@bufbuild/connect-query';
 import { Navigate, Outlet } from 'react-router-dom';
 
 import { paths } from '@ui/config/paths';
+import { transportWithAuth } from '@ui/config/transport';
 
 import { useAuthContext } from './context/use-auth-context';
 
@@ -11,5 +13,9 @@ export const ProtectedRoute = () => {
     return <Navigate to={paths.login} replace />;
   }
 
-  return <Outlet />;
+  return (
+    <TransportProvider transport={transportWithAuth}>
+      <Outlet />
+    </TransportProvider>
+  );
 };
@@ -0,0 +1,102 @@
+import { useQuery } from '@tanstack/react-query';
+import { notification } from 'antd';
+import * as oauth from 'oauth4webapi';
+import React from 'react';
+import { useNavigate, useSearchParams } from 'react-router-dom';
+
+import { redirectToQueryParam, refreshTokenKey } from '@ui/config/auth';
+import { paths } from '@ui/config/paths';
+import { getPublicConfig } from '@ui/gen/service/v1alpha1/service-KargoService_connectquery';
+
+import { LoadingState } from '../common';
+
+import { useAuthContext } from './context/use-auth-context';
+
+export const TokenRenew = () => {
+  const navigate = useNavigate();
+  const [searchParams] = useSearchParams();
+  const { login: onLogin, logout } = useAuthContext();
+
+  const { data, isError } = useQuery(getPublicConfig.useQuery());
+
+  const issuerUrl = React.useMemo(() => {
+    try {
+      return data?.oidcConfig?.issuerUrl ? new URL(data?.oidcConfig?.issuerUrl) : undefined;
+    } catch (err) {
+      notification.error({
+        message: 'Invalid issuerURL',
+        placement: 'bottomRight'
+      });
+    }
+  }, [data?.oidcConfig?.issuerUrl]);
+
+  const client = React.useMemo(
+    () =>
+      data?.oidcConfig?.clientId
+        ? // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          { client_id: data?.oidcConfig?.clientId, token_endpoint_auth_method: 'none' as any }
+        : undefined,
+    [data?.oidcConfig?.clientId]
+  );
+
+  const { data: as, isError: isASError } = useQuery({
+    queryKey: [issuerUrl],
+    queryFn: () =>
+      issuerUrl &&
+      oauth
+        .discoveryRequest(issuerUrl)
+        .then((response) => oauth.processDiscoveryResponse(issuerUrl, response))
+        .then((response) => {
+          if (response.code_challenge_methods_supported?.includes('S256') !== true) {
+            throw new Error('OIDC config fetch error');
+          }
+
+          return response;
+        }),
+    enabled: !!issuerUrl
+  });
+
+  React.useEffect(() => {
+    const refreshToken = localStorage.getItem(refreshTokenKey);
+
+    if (!refreshToken) {
+      navigate(paths.home);
+
+      return;
+    }
+
+    if (!as || !client) {
+      return;
+    }
+
+    (async () => {
+      const response = await oauth.refreshTokenGrantRequest(as, client, refreshToken);
+
+      const result = await oauth.processRefreshTokenResponse(as, client, response);
+      if (oauth.isOAuth2Error(result) || !result.id_token) {
+        notification.error({
+          message: 'OIDC: Proccess Authorization Code Grant Response error',
+          placement: 'bottomRight'
+        });
+        logout();
+        return;
+      }
+
+      onLogin(result.id_token, result.refresh_token);
+      navigate(searchParams.get(redirectToQueryParam) || paths.home);
+    })();
+  }, [as, client]);
+
+  React.useEffect(() => {
+    if (isError || isASError) {
+      logout();
+      navigate(paths.login);
+    }
+  }, [isError, isASError]);
+
+  return (
+    <div className='pt-40'>
+      <LoadingState />
+    </div>
+  );
+};
@@ -19,7 +19,7 @@ import { graphlib, layout } from 'dagre';
 import React from 'react';
 import { useParams } from 'react-router-dom';
 
-import { transport } from '@ui/config/transport';
+import { transportWithAuth } from '@ui/config/transport';
 import { ColorContext } from '@ui/context/colors';
 import { LoadingState } from '@ui/features/common';
 import { getAlias } from '@ui/features/common/freight-label';
@@ -108,7 +108,7 @@ export const ProjectDetails = () => {
     const cancel = new AbortController();
 
     const watchStages = async () => {
-      const promiseClient = createPromiseClient(KargoService, transport);
+      const promiseClient = createPromiseClient(KargoService, transportWithAuth);
       const stream = promiseClient.watchStages({ project: name }, { signal: cancel.signal });
       let stages = data.stages.slice();
 

@@ -13,7 +13,7 @@ import { format } from 'date-fns';
 import React, { useEffect } from 'react';
 import { useParams } from 'react-router-dom';
 
-import { transport } from '@ui/config/transport';
+import { transportWithAuth } from '@ui/config/transport';
 import { listPromotions } from '@ui/gen/service/v1alpha1/service-KargoService_connectquery';
 import { KargoService } from '@ui/gen/service/v1alpha1/service_connect';
 import { ListPromotionsResponse } from '@ui/gen/service/v1alpha1/service_pb';
@@ -36,7 +36,7 @@ export const Promotions = () => {
     const cancel = new AbortController();
 
     const watchPromotions = async () => {
-      const promiseClient = createPromiseClient(KargoService, transport);
+      const promiseClient = createPromiseClient(KargoService, transportWithAuth);
       const stream = promiseClient.watchPromotions(
         { project: projectName, stage: stageName },
         { signal: cancel.signal }