Centralize authentication logic and integrate token refresh mechanism

- Introduce `AuthWrapper` component for streamlined session-based layouts and authentication handling. - Add new utilities (`tokenUtils.ts`) for JWT decoding, token expiration checks, and refresh operations via Keycloak. - Refactor `serverCall` and `authOptions` to use centralized token refresh logic, removing redundant implementations. - Implement `ClientSessionProvider` for consistent session management across the client application. - Simplify `RootLayout` by delegating authentication enforcement to `AuthWrapper`.
2025-07-11 23:42:41 +02:00
parent 6aae06635d
commit bdbaf36456
6 changed files with 272 additions and 165 deletions
--- a/internal_frontend/lib/api/auth/authOptions.ts
+++ b/internal_frontend/lib/api/auth/authOptions.ts
@@ -1,5 +1,6 @@
 import KeycloakProvider from "next-auth/providers/keycloak";
 import type {NextAuthOptions} from "next-auth";
+import {getAccessToken} from "@/lib/api/auth/tokenUtils";

 interface TypedJWT {
    access_token?: string;
@@ -20,9 +21,9 @@ if (!KEYCLOAK_CLIENT_SECRET) throw new Error("Missing KEYCLOAK_CLIENT_SECRET");
 if (!KEYCLOAK_ISSUER) throw new Error("Missing KEYCLOAK_ISSUER");
 if (!NEXTAUTH_SECRET) throw new Error("Missing NEXTAUTH_SECRET");

-console.log("[auth] Using Keycloak provider:");
-console.log("  - Client ID:", KEYCLOAK_CLIENT_ID);
-console.log("  - Issuer:", KEYCLOAK_ISSUER);
+// console.log("[auth] Using Keycloak provider:");
+// console.log("  - Client ID:", KEYCLOAK_CLIENT_ID);
+// console.log("  - Issuer:", KEYCLOAK_ISSUER);

 async function isTokenValid(token: string): Promise<boolean> {
    try {
@@ -60,22 +61,39 @@ export const authOptions: NextAuthOptions = {
                return token;
            }

-            const {access_token} = token as TypedJWT;
+            const {access_token, refresh_token} = token as TypedJWT;
            if (access_token) {
-                const valid = await isTokenValid(access_token);
-                if (!valid) {
-                    console.warn("[auth] Access token invalid — clearing session");
+                // Use centralized getAccessToken function
+                const tokenResult = await getAccessToken(access_token, refresh_token);
+
+                if (tokenResult.accessToken) {
+                    token.access_token = tokenResult.accessToken;
+                    if (tokenResult.refreshToken) {
+                        token.refresh_token = tokenResult.refreshToken;
+                    }
+
+                    if (tokenResult.refreshed) {
+                        console.log("[auth] Token refreshed successfully in JWT callback");
+                        return token;
+                    }
+
+                    // If token wasn't refreshed, fall back to network validation
+                    const valid = await isTokenValid(tokenResult.accessToken);
+                    if (!valid) {
+                        console.warn("[auth] Access token invalid — clearing session");
+                        return {};
+                    }
+                } else {
+                    console.warn("[auth] No valid access token available — clearing session");
                    return {};
                }
            }

-            console.log("[auth] JWT callback: reusing existing token");
            return token;
        },

        async session({session, token}) {
            const {access_token, refresh_token} = token as TypedJWT;
-            console.log("[auth] Session callback: enriching session with tokens");
            return {
                ...session,
                accessToken: access_token,
--- a/internal_frontend/lib/api/auth/tokenUtils.ts
+++ b/internal_frontend/lib/api/auth/tokenUtils.ts
@@ -0,0 +1,147 @@
+interface JwtPayload {
+    exp: number;
+    iat?: number;
+    sub?: string;
+
+    [key: string]: unknown; // for any extra claims
+}
+
+interface TokenRefreshResult {
+    access_token: string;
+    refresh_token?: string;
+    expires_in?: number;
+}
+
+// Function to decode JWT payload without verification (for local expiration check)
+export function decodeJwtPayload(token: string): JwtPayload | null {
+    try {
+        const base64Url = token.split('.')[1];
+        const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
+        const jsonPayload = decodeURIComponent(
+            atob(base64)
+                .split('')
+                .map(c => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2))
+                .join('')
+        );
+        return JSON.parse(jsonPayload);
+    } catch (error) {
+        console.error("[auth] Failed to decode JWT payload:", error);
+        return null;
+    }
+}
+
+// Function to check if token is expired or about to expire (within 5 minutes)
+export function isTokenExpiring(token: string, bufferTimeMinutes: number = 5): boolean {
+    const payload = decodeJwtPayload(token);
+    if (!payload || !payload.exp) {
+        return true; // Consider invalid tokens as expired
+    }
+    const currentTime = Math.floor(Date.now() / 1000);
+    const expirationTime = payload.exp;
+    const bufferTime = bufferTimeMinutes * 60; // Convert minutes to seconds
+    const timeUntilExpiration = expirationTime - currentTime;
+
+    // Log token expiration warning message
+    if (timeUntilExpiration <= bufferTime) {
+        const expirationDate = new Date(expirationTime * 1000);
+        if (timeUntilExpiration <= 0) {
+            console.warn(`[auth] Token has already expired at ${expirationDate.toISOString()}`);
+        } else {
+            const minutesUntilExpiration = Math.floor(timeUntilExpiration / 60);
+            const secondsUntilExpiration = timeUntilExpiration % 60;
+            console.warn(`[auth] Token will expire in ${minutesUntilExpiration}m ${secondsUntilExpiration}s at ${expirationDate.toISOString()}`);
+        }
+    }
+
+    return timeUntilExpiration <= bufferTime;
+}
+
+// Function to refresh token using refresh token
+export async function refreshAccessToken(refreshToken: string): Promise<TokenRefreshResult | null> {
+    try {
+        const {
+            KEYCLOAK_CLIENT_ID,
+            KEYCLOAK_CLIENT_SECRET,
+            KEYCLOAK_ISSUER,
+        } = process.env;
+
+        if (!KEYCLOAK_CLIENT_ID || !KEYCLOAK_CLIENT_SECRET || !KEYCLOAK_ISSUER) {
+            console.error("[auth] Missing Keycloak configuration for token refresh");
+            return null;
+        }
+
+        const tokenEndpoint = `${KEYCLOAK_ISSUER}/protocol/openid-connect/token`;
+
+        const response = await fetch(tokenEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: new URLSearchParams({
+                grant_type: 'refresh_token',
+                client_id: KEYCLOAK_CLIENT_ID,
+                client_secret: KEYCLOAK_CLIENT_SECRET,
+                refresh_token: refreshToken,
+            }),
+        });
+
+        if (!response.ok) {
+            console.error("[auth] Failed to refresh token:", response.status, response.statusText);
+            return null;
+        }
+
+        const data = await response.json();
+        return data as TokenRefreshResult;
+    } catch (error) {
+        console.error("[auth] Error refreshing token:", error);
+        return null;
+    }
+}
+
+// Helper function to get just the access token (for backward compatibility)
+export async function getRefreshedAccessToken(refreshToken: string): Promise<string | null> {
+    const result = await refreshAccessToken(refreshToken);
+    return result?.access_token || null;
+}
+
+// Centralized function to get a valid access token (refreshing if needed)
+export async function getAccessToken(accessToken?: string, refreshToken?: string): Promise<{
+    accessToken: string | null;
+    refreshToken?: string | null;
+    refreshed: boolean;
+}> {
+    // If no access token provided, return null
+    if (!accessToken) {
+        return {accessToken: null, refreshed: false};
+    }
+
+    // Check if token is expiring within 1 minute (as requested in issue)
+    if (!isTokenExpiring(accessToken, 1)) {
+        return {accessToken, refreshed: false};
+    }
+
+    console.log("[auth] Access token is expiring within 1 minute, attempting refresh");
+
+    // If no refresh token, return the current token (might be expired)
+    if (!refreshToken) {
+        console.warn("[auth] No refresh token available for refresh");
+        return {accessToken, refreshed: false};
+    }
+
+    try {
+        const refreshResult = await refreshAccessToken(refreshToken);
+        if (refreshResult) {
+            return {
+                accessToken: refreshResult.access_token,
+                refreshToken: refreshResult.refresh_token || refreshToken,
+                refreshed: true
+            };
+        } else {
+            console.warn("[auth] Failed to refresh token, returning current token");
+            return {accessToken, refreshed: false};
+        }
+    } catch (error) {
+        console.error("[auth] Error refreshing token:", error);
+        return {accessToken, refreshed: false};
+    }
+}