feat(dashboard): proactively refresh expired Keycloak tokens #91
@@ -9,7 +9,16 @@
|
||||
//! When Keycloak is not configured (dev convenience), the helper
|
||||
//! returns an unauthenticated builder — matching the agent's
|
||||
//! pass-through behavior in the same state.
|
||||
//!
|
||||
//! **Token refresh**: KC access tokens are short-lived (5 min default
|
||||
//! in the certifai realm). Before attaching, we decode the JWT's `exp`
|
||||
//! claim and proactively refresh via the stored refresh_token if the
|
||||
//! access token is expired or about to expire. The session is updated
|
||||
//! with the new pair. If refresh fails, we send the (stale) token
|
||||
//! anyway — the agent's 401 will surface to the UI, which can prompt
|
||||
//! re-login.
|
||||
|
||||
use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
|
||||
use dioxus::prelude::ServerFnError;
|
||||
use dioxus_fullstack::FullstackContext;
|
||||
use reqwest::Method;
|
||||
@@ -18,6 +27,11 @@ use super::auth::LOGGED_IN_USER_SESS_KEY;
|
||||
use super::server_state::ServerState;
|
||||
use super::user_state::UserStateInner;
|
||||
|
||||
/// Seconds before the JWT's `exp` time at which we consider it stale
|
||||
/// enough to refresh. Covers clock skew + the round-trip to the agent
|
||||
/// so the token doesn't expire mid-flight.
|
||||
const REFRESH_SKEW_SECS: i64 = 30;
|
||||
|
||||
/// Build a `RequestBuilder` for `<agent_api_url><path>` with the
|
||||
/// session's access token attached. `path` should include a leading
|
||||
/// `/`, e.g. `"/api/v1/repositories"`.
|
||||
@@ -38,10 +52,9 @@ pub async fn agent_get(path: &str) -> Result<reqwest::RequestBuilder, ServerFnEr
|
||||
}
|
||||
|
||||
/// Attach the session's bearer token if Keycloak is configured AND the
|
||||
/// session has a logged-in user. Otherwise leave the request as-is.
|
||||
///
|
||||
/// The Keycloak-disabled path mirrors the dashboard's `require_auth`
|
||||
/// middleware, which short-circuits when `state.keycloak.is_none()`.
|
||||
/// session has a logged-in user. Refresh the token proactively if it's
|
||||
/// expired or about to expire. Persists refreshed tokens back into the
|
||||
/// session.
|
||||
async fn attach_token(
|
||||
req: reqwest::RequestBuilder,
|
||||
state: &ServerState,
|
||||
@@ -54,8 +67,144 @@ async fn attach_token(
|
||||
.get(LOGGED_IN_USER_SESS_KEY)
|
||||
.await
|
||||
.map_err(|e| ServerFnError::new(format!("session read failed: {e}")))?;
|
||||
Ok(match user {
|
||||
Some(u) => req.bearer_auth(u.access_token),
|
||||
None => req,
|
||||
})
|
||||
let Some(mut user) = user else {
|
||||
return Ok(req);
|
||||
};
|
||||
|
||||
if token_needs_refresh(&user.access_token) {
|
||||
tracing::debug!("Access token expired or near-expiring; refreshing");
|
||||
match refresh_tokens(state, &user.refresh_token).await {
|
||||
Ok((new_access, new_refresh)) => {
|
||||
user.access_token = new_access;
|
||||
if let Some(rt) = new_refresh {
|
||||
user.refresh_token = rt;
|
||||
}
|
||||
if let Err(e) = session.insert(LOGGED_IN_USER_SESS_KEY, &user).await {
|
||||
tracing::warn!("Failed to persist refreshed tokens: {e}");
|
||||
}
|
||||
}
|
||||
Err(e) => {
|
||||
tracing::warn!("Token refresh failed: {e}; sending current token anyway");
|
||||
// Fall through — the agent will 401 and the UI will
|
||||
// prompt re-login. Better than failing the request at
|
||||
// the dashboard layer with no helpful UX cue.
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Ok(req.bearer_auth(user.access_token))
|
||||
}
|
||||
|
||||
/// Decode the JWT's payload (no signature verification — the agent
|
||||
/// does that) and check the `exp` claim. Treats malformed tokens as
|
||||
/// expired so the refresh path runs.
|
||||
fn token_needs_refresh(jwt: &str) -> bool {
|
||||
let Some(payload_b64) = jwt.split('.').nth(1) else {
|
||||
return true;
|
||||
};
|
||||
let Ok(bytes) = URL_SAFE_NO_PAD.decode(payload_b64) else {
|
||||
return true;
|
||||
};
|
||||
#[derive(serde::Deserialize)]
|
||||
struct ExpClaim {
|
||||
exp: i64,
|
||||
}
|
||||
let Ok(claims) = serde_json::from_slice::<ExpClaim>(&bytes) else {
|
||||
return true;
|
||||
};
|
||||
let now = chrono::Utc::now().timestamp();
|
||||
claims.exp - REFRESH_SKEW_SECS <= now
|
||||
}
|
||||
|
||||
/// Exchange a refresh_token for a new access_token. Returns the new
|
||||
/// access_token and (optionally) the new refresh_token KC issued.
|
||||
/// KC may rotate refresh_tokens on use; we honor whatever it sends.
|
||||
async fn refresh_tokens(
|
||||
state: &ServerState,
|
||||
refresh_token: &str,
|
||||
) -> Result<(String, Option<String>), String> {
|
||||
let kc = state
|
||||
.keycloak
|
||||
.ok_or_else(|| "Keycloak not configured".to_string())?;
|
||||
if refresh_token.is_empty() {
|
||||
return Err("no refresh_token in session".to_string());
|
||||
}
|
||||
|
||||
#[derive(serde::Deserialize)]
|
||||
struct TokenResp {
|
||||
access_token: String,
|
||||
refresh_token: Option<String>,
|
||||
}
|
||||
|
||||
let resp = reqwest::Client::new()
|
||||
.post(kc.token_endpoint())
|
||||
.form(&[
|
||||
("grant_type", "refresh_token"),
|
||||
("client_id", kc.client_id.as_str()),
|
||||
("refresh_token", refresh_token),
|
||||
])
|
||||
.send()
|
||||
.await
|
||||
.map_err(|e| format!("refresh request failed: {e}"))?;
|
||||
|
||||
if !resp.status().is_success() {
|
||||
let status = resp.status();
|
||||
let body = resp.text().await.unwrap_or_default();
|
||||
return Err(format!("refresh rejected ({status}): {body}"));
|
||||
}
|
||||
|
||||
let r: TokenResp = resp
|
||||
.json()
|
||||
.await
|
||||
.map_err(|e| format!("refresh response parse failed: {e}"))?;
|
||||
Ok((r.access_token, r.refresh_token))
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
use base64::Engine;
|
||||
|
||||
/// Build a JWT-shaped string (header.payload.sig) with the given
|
||||
/// payload. Signature is bogus — we never verify it locally.
|
||||
fn make_jwt(payload: &serde_json::Value) -> String {
|
||||
let payload_b64 = URL_SAFE_NO_PAD.encode(serde_json::to_vec(payload).unwrap());
|
||||
format!("hdr.{payload_b64}.sig")
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn token_needs_refresh_true_when_expired() {
|
||||
let exp = chrono::Utc::now().timestamp() - 60;
|
||||
let jwt = make_jwt(&serde_json::json!({ "exp": exp }));
|
||||
assert!(token_needs_refresh(&jwt));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn token_needs_refresh_true_within_skew_window() {
|
||||
// 10 seconds left; less than the 30s skew → must refresh.
|
||||
let exp = chrono::Utc::now().timestamp() + 10;
|
||||
let jwt = make_jwt(&serde_json::json!({ "exp": exp }));
|
||||
assert!(token_needs_refresh(&jwt));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn token_needs_refresh_false_with_plenty_of_life() {
|
||||
let exp = chrono::Utc::now().timestamp() + 600;
|
||||
let jwt = make_jwt(&serde_json::json!({ "exp": exp }));
|
||||
assert!(!token_needs_refresh(&jwt));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn token_needs_refresh_true_on_malformed_jwt() {
|
||||
assert!(token_needs_refresh(""));
|
||||
assert!(token_needs_refresh("not.a.jwt"));
|
||||
assert!(token_needs_refresh("only-one-segment"));
|
||||
assert!(token_needs_refresh("hdr.not-base64!.sig"));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn token_needs_refresh_true_when_exp_missing() {
|
||||
let jwt = make_jwt(&serde_json::json!({ "sub": "abc" }));
|
||||
assert!(token_needs_refresh(&jwt));
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user