fix(auth): silent session renewal + 401 auto-recovery
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Successful in 20s
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / tc_portal (push) Successful in 26s
ci / build_platform_api (push) Has been skipped
ci / build_operator (push) Successful in 31s
ci / build_portal (push) Successful in 39s
ci / deploy (push) Successful in 41s
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_operator (push) Successful in 20s
ci / tc_website (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / tc_portal (push) Successful in 26s
ci / build_platform_api (push) Has been skipped
ci / build_operator (push) Successful in 31s
ci / build_portal (push) Successful in 39s
ci / deploy (push) Successful in 41s
Idle sessions died and left a broken page: when the access token expired, nuxt-oidc-auth's automatic refresh had no refresh token to use — neither Authentik provider carried the offline_access scope mapping (and the operator never requested the scope), so the module cleared the session and every /api call 401'd until a manual F5 happened to re-auth through Authentik's still-alive SSO session. Fix 1: offline_access end to end — scope mapping attached to both live providers (and blueprints, prod + dev), operator now requests the scope. Sessions renew server-side for up to 30 days of activity (Redis store + pinned token key from earlier make the refresh tokens durable). Fix 2: client plugin in both apps — a 401 from /api sends the browser through /auth/oidc/login instead of leaving dead buttons; invisible when Authentik's session is alive, a clean sign-in screen when it isn't. Loop-guarded. Full sign-out behavior unchanged.
This commit is contained in:
Ronni Baslund
@@ -0,0 +1,20 @@
|
||||
// Recover from a dead session instead of leaving a broken page: when any
|
||||
// /api call returns 401, bounce the browser through the OIDC login route.
|
||||
// With a live Authentik SSO session that round-trip is invisible (instant
|
||||
// return to a fresh session); when Authentik's session is gone too, the
|
||||
// user lands on the sign-in screen — never half-dead buttons. The
|
||||
// timestamp guard prevents redirect loops if login can't restore a session.
|
||||
export default defineNuxtPlugin(() => {
|
||||
const KEY = 'auth-recover-at'
|
||||
globalThis.$fetch = $fetch.create({
|
||||
onResponseError({ request, response }) {
|
||||
const url =
|
||||
typeof request === 'string' ? request : request instanceof Request ? request.url : String(request)
|
||||
if (response.status !== 401 || !url.startsWith('/api/')) return
|
||||
const last = Number(sessionStorage.getItem(KEY) ?? 0)
|
||||
if (Date.now() - last < 30_000) return
|
||||
sessionStorage.setItem(KEY, String(Date.now()))
|
||||
window.location.href = '/auth/oidc/login'
|
||||
},
|
||||
}) as typeof globalThis.$fetch
|
||||
})
|
||||
Reference in New Issue
Block a user