Centralize authentication logic and integrate token refresh mechanism
- Introduce `AuthWrapper` component for streamlined session-based layouts and authentication handling. - Add new utilities (`tokenUtils.ts`) for JWT decoding, token expiration checks, and refresh operations via Keycloak. - Refactor `serverCall` and `authOptions` to use centralized token refresh logic, removing redundant implementations. - Implement `ClientSessionProvider` for consistent session management across the client application. - Simplify `RootLayout` by delegating authentication enforcement to `AuthWrapper`.
This commit is contained in:
@@ -1,89 +1,6 @@
|
||||
import {getServerSession} from "next-auth";
|
||||
import {authOptions} from "@/lib/api/auth/authOptions";
|
||||
|
||||
interface JwtPayload {
|
||||
exp: number;
|
||||
iat?: number;
|
||||
sub?: string;
|
||||
|
||||
[key: string]: unknown; // for any extra claims
|
||||
}
|
||||
|
||||
// Function to decode JWT payload without verification (for local expiration check)
|
||||
function decodeJwtPayload(token: string): JwtPayload | null {
|
||||
try {
|
||||
const base64Url = token.split('.')[1];
|
||||
const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
|
||||
const jsonPayload = decodeURIComponent(
|
||||
atob(base64)
|
||||
.split('')
|
||||
.map(c => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2))
|
||||
.join('')
|
||||
);
|
||||
return JSON.parse(jsonPayload);
|
||||
} catch (error) {
|
||||
console.error("[auth] Failed to decode JWT payload:", error);
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
// Function to check if token is expired or about to expire (within 5 minutes)
|
||||
function isTokenExpiredOrExpiring(token: string): boolean {
|
||||
const payload = decodeJwtPayload(token);
|
||||
if (!payload || !payload.exp) {
|
||||
return true; // Consider invalid tokens as expired
|
||||
}
|
||||
|
||||
const currentTime = Math.floor(Date.now() / 1000);
|
||||
const expirationTime = payload.exp;
|
||||
const bufferTime = 5 * 60; // 5 minutes buffer
|
||||
|
||||
return (expirationTime - currentTime) <= bufferTime;
|
||||
}
|
||||
|
||||
// Function to refresh token using refresh token
|
||||
async function refreshAccessToken(refreshToken: string): Promise<string | null> {
|
||||
try {
|
||||
const {
|
||||
KEYCLOAK_CLIENT_ID,
|
||||
KEYCLOAK_CLIENT_SECRET,
|
||||
KEYCLOAK_ISSUER,
|
||||
} = process.env;
|
||||
|
||||
if (!KEYCLOAK_CLIENT_ID || !KEYCLOAK_CLIENT_SECRET || !KEYCLOAK_ISSUER) {
|
||||
console.error("[auth] Missing Keycloak configuration for token refresh");
|
||||
return null;
|
||||
}
|
||||
|
||||
const tokenEndpoint = `${KEYCLOAK_ISSUER}/protocol/openid-connect/token`;
|
||||
|
||||
const response = await fetch(tokenEndpoint, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
},
|
||||
body: new URLSearchParams({
|
||||
grant_type: 'refresh_token',
|
||||
client_id: KEYCLOAK_CLIENT_ID,
|
||||
client_secret: KEYCLOAK_CLIENT_SECRET,
|
||||
refresh_token: refreshToken,
|
||||
}),
|
||||
});
|
||||
|
||||
if (!response.ok) {
|
||||
console.error("[auth] Failed to refresh token:", response.status, response.statusText);
|
||||
return null;
|
||||
}
|
||||
|
||||
const data = await response.json();
|
||||
console.log("[auth] Token refreshed successfully");
|
||||
return data.access_token;
|
||||
} catch (error) {
|
||||
console.error("[auth] Error refreshing token:", error);
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
export async function serverCall(
|
||||
path: string,
|
||||
method: "GET" | "POST" | "PUT" | "DELETE" | "PATCH",
|
||||
@@ -97,28 +14,15 @@ export async function serverCall(
|
||||
};
|
||||
|
||||
if (session?.accessToken) {
|
||||
// Check if token is expired or about to expire
|
||||
if (isTokenExpiredOrExpiring(session.accessToken)) {
|
||||
console.log("[auth] Access token is expired or about to expire, attempting refresh");
|
||||
|
||||
if (session.refreshToken) {
|
||||
const newAccessToken = await refreshAccessToken(session.refreshToken);
|
||||
if (newAccessToken) {
|
||||
// Update the session with new token (note: this won't persist across requests)
|
||||
session.accessToken = newAccessToken;
|
||||
console.log("[auth] Using refreshed access token");
|
||||
} else {
|
||||
console.warn("[auth] Failed to refresh token, proceeding with expired token");
|
||||
}
|
||||
} else {
|
||||
console.warn("[auth] No refresh token available, proceeding with expired token");
|
||||
}
|
||||
}
|
||||
|
||||
// Use the access token from the session directly
|
||||
// Token refresh is handled by the JWT callback in authOptions.ts
|
||||
headers["Authorization"] = `Bearer ${session.accessToken}`;
|
||||
// console.log("[auth] Using access token from session for API call");
|
||||
} else {
|
||||
console.warn("[auth] No access token available in session for API call");
|
||||
}
|
||||
|
||||
console.log("[api] Calling backend API: ", method, url, body);
|
||||
console.log("[api] Calling backend API - [" + method + "]", path, body ?? "");
|
||||
|
||||
return fetch(url, {
|
||||
method,
|
||||
|
||||
Reference in New Issue
Block a user