From e5953fb02a91d4d335bebb9bd4598a90d8a98499 Mon Sep 17 00:00:00 2001
From: Yury Saukou <yury_saukou@epam.com>
Date: Thu, 14 Mar 2024 12:35:20 +0400
Subject: [PATCH 01/63] STCOR-769 Utilize the 'tenant' procured through the SSO
 login process (#1415)

To support Single Sign-On (SSO) authorization in consortium mode,
it's necessary to explicitly pass the tenant in the request header
to load data.

(cherry picked from commit d8db8b79589f7522a4ba0bc756350708139606f9)
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a468d2f25..022b5a105 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 ## 10.2.0 IN PROGRESS
 
+## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
+[Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
+
 * Utilize the `tenant` procured through the SSO login process. Refs STCOR-769.
 * Remove tag-based selectors from Login, ResetPassword, Forgot UserName/Password form CSS. Refs STCOR-712.
 * Provide `useUserTenantPermissions` hook. Refs STCOR-830.

From 2bea8b0674497961635431fbc7d7e260244afd8e Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Fri, 8 Dec 2023 14:22:12 -0500
Subject: [PATCH 02/63] leverage keycloak (authn) and kong (discovery)
 endpoints

There's a lot going on here, but fundamentally the changes are
split into two main categories:
* route authentication requests to/from keycloak
* handle discovery dynamically via an API request AFTER authentication
  instead of reading a static module list from `stripes.config.js`
---
 CHANGELOG.md                                  |   1 +
 src/App.js                                    |   5 +-
 src/RootWithIntl.js                           |  15 ++
 src/components/About/About.css                |   4 +
 src/components/About/About.js                 | 100 +++++---
 .../ForgotPassword/ForgotPasswordCtrl.js      |   7 +-
 .../ForgotUserName/ForgotUserNameCtrl.js      |   7 +-
 src/components/Login/Login.js                 | 102 +++++---
 src/components/Login/LoginForm.js             | 228 ++++++++++++++++++
 src/components/Login/index.js                 |   2 +-
 src/components/OIDCLanding.js                 | 111 +++++++++
 src/components/OIDCRedirect.js                |  32 +++
 .../PreLoginLanding/PreLoginLanding.js        |  71 ++++++
 src/components/PreLoginLanding/index.css      |  13 +
 src/components/PreLoginLanding/index.js       |   1 +
 src/components/Redirect/Redirect.js           |  27 +++
 src/components/Redirect/Redirect.test.js      |  45 ++++
 src/components/Redirect/index.js              |   1 +
 src/components/TitleManager/TitleManager.js   |  14 +-
 src/components/index.js                       |   2 +
 src/discoverServices.js                       | 195 +++++++++++----
 src/loginServices.js                          |  94 +++++---
 src/okapiActions.js                           |   8 +
 src/okapiReducer.js                           |   4 +
 translations/stripes-core/en.json             |   8 +-
 translations/stripes-core/en_US.json          |  10 +-
 26 files changed, 945 insertions(+), 162 deletions(-)
 create mode 100644 src/components/Login/LoginForm.js
 create mode 100644 src/components/OIDCLanding.js
 create mode 100644 src/components/OIDCRedirect.js
 create mode 100644 src/components/PreLoginLanding/PreLoginLanding.js
 create mode 100644 src/components/PreLoginLanding/index.css
 create mode 100644 src/components/PreLoginLanding/index.js
 create mode 100644 src/components/Redirect/Redirect.js
 create mode 100644 src/components/Redirect/Redirect.test.js
 create mode 100644 src/components/Redirect/index.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 022b5a105..54c511384 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@
 * Provide `useUserTenantPermissions` hook. Refs STCOR-830.
 * Load DayJS locale data as part of `loginServices`. STCOR-771.
 * Turn on `<StrictMode>`; ignore it with `stripes.config.js` `disableStrictMode: true`. Refs STCOR-841.
+* Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
 * Make branding optional. Refs STCOR-847.
 * Idle-session timeout and "Keep working?" modal. Refs STCOR-776.
 * Implement password validation for Login Page. Refs STCOR-741.
diff --git a/src/App.js b/src/App.js
index ee22c1754..4ce6130fc 100644
--- a/src/App.js
+++ b/src/App.js
@@ -33,8 +33,11 @@ export default class StripesCore extends Component {
   constructor(props) {
     super(props);
 
+    const storedTenant = localStorage.getItem('tenant');
+    const parsedTenant = storedTenant ? JSON.parse(storedTenant) : undefined;
+
     const okapi = (typeof okapiConfig === 'object' && Object.keys(okapiConfig).length > 0)
-      ? okapiConfig : { withoutOkapi: true };
+      ? { ...okapiConfig, tenant: parsedTenant?.tenantName || okapiConfig.tenant, clientId: parsedTenant?.clientId } : { withoutOkapi: true };
 
     const initialState = merge({}, { okapi }, props.initialState);
 
diff --git a/src/RootWithIntl.js b/src/RootWithIntl.js
index 8658fd941..d95c56674 100644
--- a/src/RootWithIntl.js
+++ b/src/RootWithIntl.js
@@ -20,6 +20,8 @@ import {
   ModuleTranslator,
   TitledRoute,
   Front,
+  OIDCRedirect,
+  OIDCLanding,
   SSOLanding,
   SSORedirect,
   Settings,
@@ -88,6 +90,12 @@ const RootWithIntl = ({ stripes, token = '', isAuthenticated = false, disableAut
                                   key="sso-landing"
                                   component={<SSORedirect stripes={connectedStripes} />}
                                 />
+                                <TitledRoute
+                                  name="oidcRedirect"
+                                  path="/oidc-landing"
+                                  key="oidc-landing"
+                                  component={<OIDCRedirect stripes={stripes} />}
+                                />
                                 <TitledRoute
                                   name="logoutTimeout"
                                   path="/logout-timeout"
@@ -126,6 +134,13 @@ const RootWithIntl = ({ stripes, token = '', isAuthenticated = false, disableAut
                         component={<CookiesProvider><SSOLanding stripes={connectedStripes} /></CookiesProvider>}
                         key="sso-landing"
                       />
+                      <TitledRoute
+                        name="oidcLanding"
+                        exact
+                        path="/oidc-landing"
+                        component={<CookiesProvider><OIDCLanding stripes={stripes} /></CookiesProvider>}
+                        key="oidc-landing"
+                      />
                       <TitledRoute
                         name="forgotPassword"
                         path="/forgot-password"
diff --git a/src/components/About/About.css b/src/components/About/About.css
index e940a85d7..782bde274 100644
--- a/src/components/About/About.css
+++ b/src/components/About/About.css
@@ -23,3 +23,7 @@
 .incompatible {
   color: orange;
 }
+
+.paddingLeftOfListItems {
+  padding-left: 14px;
+}
diff --git a/src/components/About/About.js b/src/components/About/About.js
index 58de039f2..95c377acc 100644
--- a/src/components/About/About.js
+++ b/src/components/About/About.js
@@ -12,7 +12,6 @@ import {
   List,
   Loading
 } from '@folio/stripes-components';
-import AboutEnabledModules from './AboutEnabledModules';
 import AboutInstallMessages from './AboutInstallMessages';
 import WarningBanner from './WarningBanner';
 import { withModules } from '../Modules';
@@ -101,15 +100,49 @@ const About = (props) => {
     );
   }
 
-  const modules = _.get(props.stripes, ['discovery', 'modules']) || {};
+  const applications =
+    _.get(props.stripes, ['discovery', 'applications']) || {};
   const interfaces = _.get(props.stripes, ['discovery', 'interfaces']) || {};
   const isLoadingFinished = _.get(props.stripes, ['discovery', 'isFinished']);
-  const nm = Object.keys(modules).length;
-  const ni = Object.keys(interfaces).length;
-  const ConnectedAboutEnabledModules = props.stripes.connect(AboutEnabledModules);
+  const na = Object.keys(applications).length;
+
   const unknownMsg = <FormattedMessage id="stripes-core.about.unknown" />;
-  const numModulesMsg = <FormattedMessage id="stripes-core.about.moduleCount" values={{ count: nm }} />;
-  const numInterfacesMsg = <FormattedMessage id="stripes-core.about.interfaceCount" values={{ count: ni }} />;
+  const numApplicationsMsg = (
+    <FormattedMessage
+      id="stripes-core.about.applicationCount"
+      values={{ count: na }}
+    />
+  );
+
+  const renderInterfaces = (list) => {
+    return (
+      <List
+        listStyle="square"
+        listClass={css.paddingLeftOfListItems}
+        items={list}
+        itemFormatter={(item) => <li key={item.name}>{item.name}</li>}
+      />
+    );
+  };
+  const renderModules = (list) => {
+    return (
+      <List
+        listStyle="bullet"
+        listClass={css.paddingLeftOfListItems}
+        items={list}
+        itemFormatter={(item) => {
+          return (
+            <li>
+              <Headline weight="medium" margin="xx-small">
+                {item.name}
+              </Headline>
+              {renderInterfaces(item.interfaces)}
+            </li>
+          );
+        }}
+      />
+    );
+  };
 
   return (
     <Pane
@@ -128,6 +161,24 @@ const About = (props) => {
       )}
       <AboutInstallMessages stripes={props.stripes} />
       <div className={css.versionsContainer}>
+        <div className={css.versionsColumn}>
+          <Headline size="large">
+            <FormattedMessage id="stripes-core.about.applicationsVersionsTitle" />
+          </Headline>
+          <Headline>{numApplicationsMsg}</Headline>
+          {Object.values(applications)
+            .map((app) => {
+              return (
+                <ul key={app.name}>
+                  <li>
+                    <Headline>{app.name}</Headline>
+                    {renderModules(app.modules)}
+                  </li>
+                </ul>
+              );
+            })}
+        </div>
+
         <div className={css.versionsColumn}>
           <Headline size="large">
             <FormattedMessage id="stripes-core.about.userInterface" />
@@ -165,16 +216,14 @@ const About = (props) => {
             ]}
             itemFormatter={item => (<li key={item.key}>{item.value}</li>)}
           />
+
           <br />
-          <div data-test-stripes-core-about-module-versions>
-            {Object.keys(props.modules).map(key => listModules(key, props.modules[key]))}
-          </div>
-        </div>
-        <div className={css.versionsColumn}>
           <Headline size="large">
             <FormattedMessage id="stripes-core.about.okapiServices" />
           </Headline>
-          <Headline>Okapi</Headline>
+          <Headline>
+            <FormattedMessage id="stripes-core.about.foundation" />
+          </Headline>
           <List
             listStyle="bullets"
             itemFormatter={(item, i) => (<li key={i}>{item}</li>)}
@@ -185,31 +234,6 @@ const About = (props) => {
             ]}
           />
           <br />
-          <Headline>{numModulesMsg}</Headline>
-          <ConnectedAboutEnabledModules tenantid={_.get(props.stripes, ['okapi', 'tenant']) || unknownMsg} availableModules={modules} />
-          <Headline size="small">
-            <FormattedMessage id="stripes-core.about.legendKey" />
-          </Headline>
-          <FormattedMessage
-            id="stripes-core.about.notEnabledModules"
-            tagName="p"
-            values={{
-              span: chunks => <span className={css.isEmptyMessage}>{chunks}</span>
-            }}
-          />
-          <br />
-          <Headline>{numInterfacesMsg}</Headline>
-          <List
-            listStyle="bullets"
-            items={Object.keys(interfaces).sort()}
-            itemFormatter={key => (
-              <li key={key}>
-                {`${key} ${interfaces[key]}`}
-              </li>
-            )}
-          />
-        </div>
-        <div className={css.versionsColumn}>
           <Headline size="large">
             <FormattedMessage id="stripes-core.about.uiOrServiceDependencies" />
           </Headline>
diff --git a/src/components/ForgotPassword/ForgotPasswordCtrl.js b/src/components/ForgotPassword/ForgotPasswordCtrl.js
index fbe46e7e0..7223a007f 100644
--- a/src/components/ForgotPassword/ForgotPasswordCtrl.js
+++ b/src/components/ForgotPassword/ForgotPasswordCtrl.js
@@ -33,7 +33,12 @@ class ForgotPasswordCtrl extends Component {
   static manifest = Object.freeze({
     searchUsername: {
       type: 'okapi',
-      path: 'bl-users/forgotten/password',
+      path: (queryParams, pathComponents, resourceData, config, props) => {
+        if (props.stripes.okapi.authnUrl) {
+          return 'users-keycloak/forgotten/password';
+        }
+        return 'bl-users/forgotten/password';
+      },
       headers: {
         'accept': '*/*',
       },
diff --git a/src/components/ForgotUserName/ForgotUserNameCtrl.js b/src/components/ForgotUserName/ForgotUserNameCtrl.js
index 44ddc5717..007b09246 100644
--- a/src/components/ForgotUserName/ForgotUserNameCtrl.js
+++ b/src/components/ForgotUserName/ForgotUserNameCtrl.js
@@ -34,7 +34,12 @@ class ForgotUserNameCtrl extends Component {
   static manifest = Object.freeze({
     searchUsername: {
       type: 'okapi',
-      path: 'bl-users/forgotten/username',
+      path: (queryParams, pathComponents, resourceData, config, props) => {
+        if (props.stripes.okapi.authnUrl) {
+          return 'users-keycloak/forgotten/username';
+        }
+        return 'bl-users/forgotten/username';
+      },
       headers: {
         'accept': '*/*',
       },
diff --git a/src/components/Login/Login.js b/src/components/Login/Login.js
index 63e91b612..56c045597 100644
--- a/src/components/Login/Login.js
+++ b/src/components/Login/Login.js
@@ -1,45 +1,72 @@
 import React, { Component } from 'react';
 import PropTypes from 'prop-types';
-import { FormattedMessage } from 'react-intl';
-import { Field, Form } from 'react-final-form';
-
-import { branding } from 'stripes-config';
-
+import { connect as reduxConnect } from 'react-redux';
 import {
-  TextField,
-  Button,
-  Row,
-  Col,
-  Headline,
-} from '@folio/stripes-components';
+  withRouter,
+  matchPath,
+} from 'react-router-dom';
 
-import SSOLogin from '../SSOLogin';
-import OrganizationLogo from '../OrganizationLogo';
-import AuthErrorsContainer from '../AuthErrorsContainer';
-import FieldLabel from '../CreateResetPassword/components/FieldLabel';
-
-import styles from './Login.css';
+import { ConnectContext } from '@folio/stripes-connect';
+import {
+  requestLogin,
+  requestSSOLogin,
+} from '../../loginServices';
+import { setAuthError } from '../../okapiActions';
 
-class Login extends Component {
+class LoginCtrl extends Component {
   static propTypes = {
-    ssoActive: PropTypes.bool,
-    authErrors: PropTypes.arrayOf(PropTypes.object),
-    onSubmit: PropTypes.func.isRequired,
-    handleSSOLogin: PropTypes.func.isRequired,
+    authFailure: PropTypes.arrayOf(PropTypes.object),
+    ssoEnabled: PropTypes.bool,
+    autoLogin: PropTypes.shape({
+      username: PropTypes.string.isRequired,
+      password: PropTypes.string.isRequired,
+    }),
+    clearAuthErrors: PropTypes.func.isRequired,
+    history: PropTypes.shape({
+      push: PropTypes.func.isRequired,
+    }).isRequired,
+    location: PropTypes.shape({
+      pathname: PropTypes.string.isRequired,
+    }).isRequired,
   };
 
-  static defaultProps = {
-    authErrors: [],
-    ssoActive: false,
-  };
+  static contextType = ConnectContext;
+
+  constructor(props) {
+    super(props);
+    this.sys = require('stripes-config'); // eslint-disable-line global-require
+    this.authnUrl = this.sys.okapi.authnUrl;
+    this.okapiUrl = this.sys.okapi.url;
+    this.tenant = this.sys.okapi.tenant;
+    if (props.autoLogin && props.autoLogin.username) {
+      this.handleSubmit(props.autoLogin);
+    }
+  }
+
+  componentWillUnmount() {
+    this.props.clearAuthErrors();
+  }
+
+  handleSuccessfulLogin = () => {
+    if (matchPath(this.props.location.pathname, '/login')) {
+      this.props.history.push('/');
+    }
+  }
+
+  handleSubmit = (data) => {
+    return requestLogin({ okapi: this.sys.okapi }, this.context.store, this.tenant, data)
+      .then(this.handleSuccessfulLogin)
+      .catch(e => {
+        console.error(e); // eslint-disable-line no-console
+      });
+  }
+
+  handleSSOLogin = () => {
+    requestSSOLogin(this.okapiUrl, this.tenant);
+  }
 
   render() {
-    const {
-      authErrors,
-      handleSSOLogin,
-      ssoActive,
-      onSubmit,
-    } = this.props;
+    const { authFailure, ssoEnabled } = this.props;
 
     const cookieMessage = navigator.cookieEnabled ?
       '' :
@@ -56,6 +83,7 @@ class Login extends Component {
         </Row>);
 
     return (
+<<<<<<< HEAD
       <Form
         onSubmit={onSubmit}
         subscription={{ values: true }}
@@ -241,4 +269,12 @@ class Login extends Component {
   }
 }
 
-export default Login;
+const mapStateToProps = state => ({
+  authFailure: state.okapi.authFailure,
+  ssoEnabled: state.okapi.ssoEnabled,
+});
+const mapDispatchToProps = dispatch => ({
+  clearAuthErrors: () => dispatch(setAuthError([])),
+});
+
+export default reduxConnect(mapStateToProps, mapDispatchToProps)(withRouter(LoginCtrl));
diff --git a/src/components/Login/LoginForm.js b/src/components/Login/LoginForm.js
new file mode 100644
index 000000000..2dcab4c46
--- /dev/null
+++ b/src/components/Login/LoginForm.js
@@ -0,0 +1,228 @@
+import React, { Component } from 'react';
+import PropTypes from 'prop-types';
+import { FormattedMessage } from 'react-intl';
+import { Field, Form } from 'react-final-form';
+
+import { branding } from 'stripes-config';
+
+import {
+  TextField,
+  Button,
+  Row,
+  Col,
+  Headline,
+} from '@folio/stripes-components';
+
+import SSOLogin from '../SSOLogin';
+import OrganizationLogo from '../OrganizationLogo';
+import AuthErrorsContainer from '../AuthErrorsContainer';
+import FieldLabel from '../CreateResetPassword/components/FieldLabel';
+
+import styles from './Login.css';
+
+class LoginForm extends Component {
+  static propTypes = {
+    ssoActive: PropTypes.bool,
+    authErrors: PropTypes.arrayOf(PropTypes.object),
+    onSubmit: PropTypes.func.isRequired,
+    handleSSOLogin: PropTypes.func.isRequired,
+  };
+
+  static defaultProps = {
+    authErrors: [],
+    ssoActive: false,
+  };
+
+  render() {
+    const {
+      authErrors,
+      handleSSOLogin,
+      ssoActive,
+      onSubmit,
+    } = this.props;
+
+    return (
+      <Form
+        onSubmit={onSubmit}
+        subscription={{ values: true }}
+        render={({ form, submitting, handleSubmit, submitSucceeded, values }) => {
+          const { username } = values;
+          const submissionStatus = submitting || submitSucceeded;
+          const buttonDisabled = submissionStatus || !(username);
+          const buttonLabel = submissionStatus ? 'loggingIn' : 'login';
+          return (
+            <main>
+              <div className={styles.wrapper} style={branding.style?.login ?? {}}>
+                <div className={styles.container}>
+                  <Row center="xs">
+                    <Col xs={6}>
+                      <OrganizationLogo />
+                    </Col>
+                  </Row>
+                  <Row>
+                    <form
+                      className={styles.form}
+                      onSubmit={data => handleSubmit(data).then(() => form.change('password', undefined))}
+                    >
+                      <Row center="xs">
+                        <Col xs={6}>
+                          <div className={styles.formGroup}>
+                            {ssoActive && <SSOLogin handleSSOLogin={handleSSOLogin} />}
+                          </div>
+                        </Col>
+                      </Row>
+                      <Row center="xs">
+                        <Col xs={6}>
+                          <Headline
+                            size="xx-large"
+                            tag="h1"
+                            data-test-h1
+                          >
+                            <FormattedMessage id="stripes-core.title.login" />
+                          </Headline>
+                        </Col>
+                      </Row>
+                      <div data-test-new-username-field>
+                        <Row center="xs">
+                          <Col xs={6}>
+                            <Row
+                              between="xs"
+                              bottom="xs"
+                            >
+                              <Col xs={3}>
+                                <FieldLabel htmlFor="input-username">
+                                  <FormattedMessage id="stripes-core.username" />
+                                </FieldLabel>
+                              </Col>
+                            </Row>
+                          </Col>
+                        </Row>
+                        <Row center="xs">
+                          <Col xs={6}>
+                            <Field
+                              id="input-username"
+                              name="username"
+                              type="text"
+                              component={TextField}
+                              inputClass={styles.input}
+                              autoComplete="username"
+                              autoCapitalize="none"
+                              validationEnabled={false}
+                              hasClearIcon={false}
+                              marginBottom0
+                              fullWidth
+                              autoFocus
+                            />
+                          </Col>
+                        </Row>
+                      </div>
+                      <div data-test-new-username-field>
+                        <Row center="xs">
+                          <Col xs={6}>
+                            <Row
+                              between="xs"
+                              bottom="xs"
+                            >
+                              <Col xs={3}>
+                                <FieldLabel htmlFor="input-password">
+                                  <FormattedMessage id="stripes-core.password" />
+                                </FieldLabel>
+                              </Col>
+                            </Row>
+                          </Col>
+                        </Row>
+                        <Row center="xs">
+                          <Col xs={6}>
+                            <Field
+                              id="input-password"
+                              component={TextField}
+                              name="password"
+                              type="password"
+                              value=""
+                              marginBottom0
+                              fullWidth
+                              inputClass={styles.input}
+                              validationEnabled={false}
+                              hasClearIcon={false}
+                              autoComplete="current-password"
+                            />
+                          </Col>
+                        </Row>
+                      </div>
+                      <Row center="xs">
+                        <Col xs={6}>
+                          <div className={styles.formGroup}>
+                            <Button
+                              buttonStyle="primary"
+                              id="clickable-login"
+                              type="submit"
+                              buttonClass={styles.submitButton}
+                              disabled={buttonDisabled}
+                              fullWidth
+                              marginBottom0
+                            >
+                              <FormattedMessage id={`stripes-core.${buttonLabel}`} />
+                            </Button>
+                          </div>
+                        </Col>
+                      </Row>
+                      <Row
+                        className={styles.linksWrapper}
+                        center="xs"
+                      >
+                        <Col xs={6}>
+                          <Row between="xs">
+                            <Col
+                              xs={12}
+                              sm={6}
+                              md={4}
+                              data-test-new-forgot-password-link
+                            >
+                              <Button
+                                to="/forgot-password"
+                                buttonClass={styles.link}
+                                type="button"
+                                buttonStyle="link"
+                              >
+                                <FormattedMessage id="stripes-core.button.forgotPassword" />
+                              </Button>
+                            </Col>
+                            <Col
+                              xs={12}
+                              sm={6}
+                              md={4}
+                              data-test-new-forgot-username-link
+                            >
+                              <Button
+                                to="/forgot-username"
+                                buttonClass={styles.link}
+                                type="button"
+                                buttonStyle="link"
+                              >
+                                <FormattedMessage id="stripes-core.button.forgotUsername" />
+                              </Button>
+                            </Col>
+                          </Row>
+                        </Col>
+                      </Row>
+                      <Row center="xs">
+                        <Col xs={6}>
+                          <div className={styles.authErrorsWrapper}>
+                            <AuthErrorsContainer errors={authErrors} />
+                          </div>
+                        </Col>
+                      </Row>
+                    </form>
+                    {ssoActive && <form id="ssoForm" />}
+                  </Row>
+                </div>
+              </div>
+            </main>
+          );
+        }}
+      />
+    );
+  }
+}
+
+export default LoginForm;
diff --git a/src/components/Login/index.js b/src/components/Login/index.js
index 44e798405..2a741cdbd 100644
--- a/src/components/Login/index.js
+++ b/src/components/Login/index.js
@@ -1 +1 @@
-export { default } from './LoginCtrl';
+export { default } from './Login';
diff --git a/src/components/OIDCLanding.js b/src/components/OIDCLanding.js
new file mode 100644
index 000000000..4f1a716ef
--- /dev/null
+++ b/src/components/OIDCLanding.js
@@ -0,0 +1,111 @@
+import { debounce } from 'lodash';
+import React, { useEffect, useRef } from 'react';
+import { useLocation, Redirect } from 'react-router-dom';
+import queryString from 'query-string';
+import { useStore } from 'react-redux';
+import { FormattedMessage } from 'react-intl';
+
+import { Loading } from '@folio/stripes-components';
+
+import { requestUserWithPerms } from '../loginServices';
+
+import css from './Front.css';
+import { useStripes } from '../StripesContext';
+
+const requestUserWithPermsDeb = debounce(requestUserWithPerms, 5000, { leading: true, trailing: false });
+
+/**
+ * OIDCLanding: un-authenticated route handler for /sso-landing.
+ *
+ * Reads one-time-code from URL params, exchanging it for an access_token
+ * and then leveraging that to retrieve a user via requestUserWithPerms,
+ * eventually dispatching session and Okapi-ready, resulting in a
+ * re-render with a token present, i.e., authenticated.
+ *
+ * @see RootWithIntl
+ */
+const OIDCLanding = () => {
+  const location = useLocation();
+  const store = useStore();
+  const samlError = useRef();
+  const { okapi } = useStripes();
+
+  const getParams = () => {
+    const search = location.search;
+    if (!search) return undefined;
+    return queryString.parse(search) || {};
+  };
+
+  /**
+   * retrieve the OTP
+   * @returns {string}
+   */
+  const getOtp = () => {
+    return getParams()?.code;
+  };
+
+  const otp = getOtp();
+
+  /**
+   * Exchange the otp for an access token, then use it to retrieve
+   * the user
+   *
+   * See https://ebscoinddev.atlassian.net/wiki/spaces/TEUR/pages/12419306/mod-login-keycloak#mod-login-keycloak-APIs
+   * for additional details. May not be necessary for SAML-specific pages
+   * to exist since the workflow is the same for SSO. We can just inspect
+   * the response for SSO-y values or SAML-y values and act accordingly.
+   */
+  useEffect(() => {
+    if (otp) {
+      fetch(`${okapi.url}/authn/token?code=${otp}&redirect-uri=${window.location.protocol}//${window.location.host}/oidc-landing`, {
+        headers: { 'X-Okapi-tenant': okapi.tenant, 'Content-Type': 'application/json' },
+      })
+        .then((resp) => {
+          if (resp.ok) {
+            return resp.json().then((json) => {
+              return requestUserWithPermsDeb(okapi.url, store, okapi.tenant, json.okapiToken);
+            });
+          } else {
+            return resp.json().then((error) => {
+              throw error;
+            });
+          }
+        })
+        .catch(e => {
+          console.error('@@ Oh, snap, OTP exchange failed!', e);
+          samlError.current = e;
+        });
+    }
+  }, [otp, store]);
+
+  if (!otp) {
+    return (
+      <div data-test-saml-error>
+        <div>
+          <FormattedMessage id="errors.saml.missingToken" />
+        </div>
+        <div>
+          <code>
+            {JSON.stringify(samlError.current, null, 2)}
+          </code>
+        </div>
+        <Redirect to="/" />
+      </div>
+    );
+  }
+
+  return (
+    <div data-test-saml-success>
+      <div className={css.frontWrap}>
+        <Loading size="xlarge" />
+      </div>
+      <div>
+        <pre>
+          {JSON.stringify(samlError.current, null, 2)}
+        </pre>
+      </div>
+    </div>
+  );
+};
+
+export default OIDCLanding;
diff --git a/src/components/OIDCRedirect.js b/src/components/OIDCRedirect.js
new file mode 100644
index 000000000..3e6585de2
--- /dev/null
+++ b/src/components/OIDCRedirect.js
@@ -0,0 +1,32 @@
+import { withRouter, Redirect, useLocation } from 'react-router';
+import queryString from 'query-string';
+
+/**
+ * OIDCRedirect authenticated route handler for /oidc-landing.
+ *
+ * Reads `fwd` from URL params and redirects.
+ *
+ * @see RootWithIntl
+ *
+ * @returns {Redirect}
+ */
+const OIDCRedirect = () => {
+  const location = useLocation();
+
+  const getParams = () => {
+    const search = location.search;
+    if (!search) return undefined;
+    return queryString.parse(search) || {};
+  };
+
+  const getUrl = () => {
+    const params = getParams();
+    return params?.fwd ?? '';
+  };
+
+  return (
+    <Redirect to={getUrl()} />
+  );
+};
+
+export default withRouter(OIDCRedirect);
diff --git a/src/components/PreLoginLanding/PreLoginLanding.js b/src/components/PreLoginLanding/PreLoginLanding.js
new file mode 100644
index 000000000..eb47719f1
--- /dev/null
+++ b/src/components/PreLoginLanding/PreLoginLanding.js
@@ -0,0 +1,71 @@
+import React from 'react';
+import { Button, Select, Col, Row } from '@folio/stripes-components';
+import { useIntl } from 'react-intl';
+import PropTypes from 'prop-types';
+import { OrganizationLogo } from '../index';
+import styles from './index.css';
+import { useStripes } from '../../StripesContext';
+
+function PreLoginLanding({ onSelectTenant }) {
+  const intl = useIntl();
+  const { okapi, config: { tenantOptions = {} } } = useStripes();
+
+  const redirectUri = `${window.location.protocol}//${window.location.host}/oidc-landing`;
+  const options = Object.keys(tenantOptions).map(tenantName => ({ value: tenantName, label: tenantName }));
+
+  const getLoginUrl = () => {
+    if (!okapi.tenant) return '';
+    if (okapi.authnUrl) {
+      return `${okapi.authnUrl}/realms/${okapi.tenant}/protocol/openid-connect/auth?client_id=${okapi.clientId}&response_type=code&redirect_uri=${redirectUri}&scope=openid`;
+    }
+    return '';
+  };
+
+  const handleChangeTenant = (e) => {
+    const tenantName = e.target.value;
+    if (tenantName === '') {
+      onSelectTenant('', '');
+      return;
+    }
+    const clientId = tenantOptions[tenantName].clientId;
+    onSelectTenant(tenantName, clientId);
+  };
+
+  return (
+    <main style={{ width:'100%' }}>
+      <div>
+        <div className={styles.container}>
+          <Row center="xs">
+            <Col xs={6}>
+              <OrganizationLogo />
+            </Col>
+          </Row>
+          <Row center="xs">
+            <Col xs={3}>
+              <Select
+                label={intl.formatMessage({ id: 'stripes-core.tenantLibrary' })}
+                defaultValue=""
+                onChange={handleChangeTenant}
+                dataOptions={[...options, { value: '', label:intl.formatMessage({ id:'stripes-core.tenantChoose' }) }]}
+              />
+              <Button
+                buttonClass={styles.submitButton}
+                disabled={!okapi.tenant}
+                onClick={() => window.location.replace(getLoginUrl())}
+                buttonStyle="primary"
+                fullWidth
+              >
+                {intl.formatMessage({ id:'stripes-core.button.continue' })}
+              </Button>
+            </Col>
+          </Row>
+        </div>
+      </div>
+    </main>);
+}
+
+PreLoginLanding.propTypes = {
+  onSelectTenant: PropTypes.func.isRequired,
+};
+
+export default PreLoginLanding;
diff --git a/src/components/PreLoginLanding/index.css b/src/components/PreLoginLanding/index.css
new file mode 100644
index 000000000..b69889d82
--- /dev/null
+++ b/src/components/PreLoginLanding/index.css
@@ -0,0 +1,13 @@
+@import "@folio/stripes-components/lib/variables.css";
+
+.container {
+  margin-top: 12vh;
+}
+
+button.submitButton {
+  height: 44px;
+  max-height: 100%;
+  margin-top: 1.5rem;
+  font-size: var(--font-size-medium);
+}
+
diff --git a/src/components/PreLoginLanding/index.js b/src/components/PreLoginLanding/index.js
new file mode 100644
index 000000000..9a4067d36
--- /dev/null
+++ b/src/components/PreLoginLanding/index.js
@@ -0,0 +1 @@
+export { default } from './PreLoginLanding';
diff --git a/src/components/Redirect/Redirect.js b/src/components/Redirect/Redirect.js
new file mode 100644
index 000000000..bf4573cd9
--- /dev/null
+++ b/src/components/Redirect/Redirect.js
@@ -0,0 +1,27 @@
+import { useEffect } from 'react';
+import PropTypes from 'prop-types';
+
+/**
+ * Redirect to the given URL. react-router's built-in Redirect is
+ * insufficient because it only redirects to a path within the current
+ * domain.
+ *
+ * @param {string} to: URL to redirect to, e.g. http://example.com/path/
+ * @param {boolean} push: true to push onto history; false [default] to replace the current entry
+ * @returns null
+ */
+const Redirect = ({ to, push }) => {
+  useEffect(() => {
+    const action = push ? 'assign' : 'replace';
+    window.location[action](to);
+  }, [to, push]);
+
+  return null;
+};
+
+Redirect.propTypes = {
+  to: PropTypes.string.isRequired,
+  push: PropTypes.bool,
+};
+
+export default Redirect;
diff --git a/src/components/Redirect/Redirect.test.js b/src/components/Redirect/Redirect.test.js
new file mode 100644
index 000000000..4d03786a4
--- /dev/null
+++ b/src/components/Redirect/Redirect.test.js
@@ -0,0 +1,45 @@
+import { render } from '@testing-library/react';
+import { createMemoryHistory } from 'history';
+
+import Harness from '../../../test/jest/helpers/harness';
+import Redirect from './Redirect';
+
+describe('Redirect', () => {
+  it('updates window.location with "replace"', () => {
+    const to = 'http://monkeybagel.com/';
+
+    const stripes = {
+      config: {},
+    };
+
+    const history = createMemoryHistory();
+
+    render(
+      <Harness history={history} stripes={stripes}>
+        <Redirect to={to} />
+      </Harness>
+    );
+
+    expect(window.location).toBeAt(to);
+    expect(window.location.replace).toHaveBeenCalled();
+  });
+
+  it('updates window.location with "assign"', () => {
+    const to = 'http://monkeybagel.com/';
+
+    const stripes = {
+      config: {},
+    };
+
+    const history = createMemoryHistory();
+
+    render(
+      <Harness history={history} stripes={stripes}>
+        <Redirect to={to} push />
+      </Harness>
+    );
+
+    expect(window.location).toBeAt(to);
+    expect(window.location.assign).toHaveBeenCalled();
+  });
+});
diff --git a/src/components/Redirect/index.js b/src/components/Redirect/index.js
new file mode 100644
index 000000000..d757bd663
--- /dev/null
+++ b/src/components/Redirect/index.js
@@ -0,0 +1 @@
+export { default } from './Redirect';
diff --git a/src/components/TitleManager/TitleManager.js b/src/components/TitleManager/TitleManager.js
index bd09a8e5e..6058724e7 100644
--- a/src/components/TitleManager/TitleManager.js
+++ b/src/components/TitleManager/TitleManager.js
@@ -21,25 +21,15 @@ class TitleManager extends React.Component {
   static defaultProps = { prefix: '' }
 
   renderTitle = (currentTitle) => {
-    const { prefix, page, record, stripes } = this.props;
-    const postfix = stripes.config?.platformName || APP;
+    const { prefix, page, record } = this.props;
 
     if (typeof currentTitle !== 'string') return '';
 
     const tokens = currentTitle.split(' - ');
-
-    /**
-     * When there are 2 items - that means there are page and postfix.
-     * If we don't clear the tokens[1] item then we'll have two postfixes - in tokens[1] and tokens[2] will be added later
-     */
-    if (tokens.length === 2) {
-      tokens[1] = '';
-    }
-
     if (page) tokens[0] = page;
     if (record) tokens[1] = record;
 
-    tokens[2] = postfix;
+    tokens[2] = (this.props.stripes.config || {}).platformName || APP;
 
     return prefix + tokens
       .filter(t => t)
diff --git a/src/components/index.js b/src/components/index.js
index 99e2dcd54..980f697bd 100644
--- a/src/components/index.js
+++ b/src/components/index.js
@@ -19,6 +19,8 @@ export { default as SSOLogin } from './SSOLogin';
 export { default as SystemSkeleton } from './SystemSkeleton';
 export { default as TitledRoute } from './TitledRoute';
 export { default as TitleManager } from './TitleManager';
+export { default as OIDCLanding } from './OIDCLanding';
+export { default as OIDCRedirect } from './OIDCRedirect';
 export { default as SSOLanding } from './SSOLanding';
 export { default as SSORedirect } from './SSORedirect';
 export { default as RouteErrorBoundary } from './RouteErrorBoundary';
diff --git a/src/discoverServices.js b/src/discoverServices.js
index f88c4eed2..54713cdc6 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -1,4 +1,5 @@
 import { some } from 'lodash';
+import { okapi as okapiConfig } from 'stripes-config';
 
 function getHeaders(tenant, token) {
   return {
@@ -8,47 +9,149 @@ function getHeaders(tenant, token) {
   };
 }
 
-function fetchOkapiVersion(store) {
+/**
+ * parseApplicationDescriptor
+ * Given an application descriptor, dispatch DISCOVERY_SUCCESS, then iterate
+ * through the module descriptors and dispatch DISCOVERY_INTERFACES and
+ * DISCOVERY_PROVIDERS for each one.
+ *
+ * @param {redux-store} store
+ * @param {object} descriptor
+ * @returns {Promise}
+ */
+function parseApplicationDescriptor(store, descriptor) {
+  const list = [];
+
+  const dispatchDescriptor = (d) => {
+    return Promise.all([
+      store.dispatch({ type: 'DISCOVERY_INTERFACES', data: d }),
+      store.dispatch({ type: 'DISCOVERY_PROVIDERS', data: d }),
+    ]);
+  };
+
+  const dispatchApplication = (application) => {
+    return store.dispatch({
+      type: 'DISCOVERY_APPLICATIONS',
+      data: application,
+    });
+  };
+
+  list.push(
+    store.dispatch({
+      type: 'DISCOVERY_SUCCESS',
+      data: descriptor.moduleDescriptors,
+    })
+  );
+  if (descriptor.moduleDescriptors) {
+    list.push(...descriptor.moduleDescriptors?.map((i) => dispatchDescriptor(i)));
+  }
+
+  if (descriptor['ui-modules']) {
+    list.push(...descriptor['ui-modules']?.map((i) => dispatchDescriptor(i)));
+  }
+
+  list.push(dispatchApplication(descriptor));
+
+  return Promise.all(list);
+}
+
+/**
+ * fetchApplicationDetails
+ * Retrieve applications and dispatch disovery actions.
+ *
+ * Given a list of entitlements for a tenant, retrieve the corresponding
+ * application descriptors and dispatch DISCOVERY_SUCCESS. For each application,
+ * dispatch DISCOVERY_INTERFACES and DISOVERY_PROVIDERS.
+ *
+ * The response is shaped like
+ * {
+    "applicationDescriptors": [
+      {
+        "description": "Minimal FOLIO platform installation.",
+        "id": "app-platform-minimal-0.0.1",
+        "name": "app-platform-minimal",
+        "platform": "base",
+        "version": "0.0.1",
+        "modules": [
+          { "id": "mod-users-18.2.0", "name": "mod-users", "version": "18.2.0" },
+          ...
+        ],
+        "ui-modules": [
+          { "name": "folio_stripes-core", "version": "8.1.2" },
+          ...
+        ],
+        "moduleDescriptors": [
+          { ... },
+          ...
+        ]
+      },
+      ...
+    ],
+    "totalRecords": 1
+ * }
+ *
+ * @param {redux-store} store
+ */
+
+const APP_MAX_COUNT = 500;
+
+function fetchApplicationDetails(store) {
   const okapi = store.getState().okapi;
 
-  return fetch(`${okapi.url}/_/version`, {
-    headers: getHeaders(okapi.tenant, okapi.token),
-    credentials: 'include',
-    mode: 'cors',
-  }).then((response) => { // eslint-disable-line consistent-return
-    if (response.status >= 400) {
-      store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
-      return response;
-    } else {
-      return response.text().then((text) => {
-        store.dispatch({ type: 'DISCOVERY_OKAPI', version: text });
-      });
-    }
-  }).catch((reason) => {
-    store.dispatch({ type: 'DISCOVERY_FAILURE', message: reason });
-  });
+  return fetch(`${okapiConfig.applicationManagerUrl}/entitlements/${okapi.tenant}/applications?limit=${APP_MAX_COUNT}`, {
+    headers: getHeaders(okapi.tenant, okapi.token)
+  })
+    .then((response) => {
+      if (response.ok) {
+        return response.json().then((json) => {
+          if (json.totalRecords > 0) {
+            const list = [];
+            json.applicationDescriptors.forEach((i) => {
+              list.push(parseApplicationDescriptor(store, i));
+            });
+            return Promise.all(list);
+          }
+
+          console.error(`>>> NO APPLICATIONS AVAILABLE FOR ${okapi.tenant}`, json);
+          store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
+          throw response;
+        });
+      } else {
+        console.error(`>>> COULD NOT RETRIEVE APPLICATIONS FOR ${okapi.tenant}`, response);
+        store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
+        throw response;
+      }
+    })
+    .catch(reason => {
+      console.error(`@@ COULD NOT RETRIEVE APPLICATIONS FOR ${okapi.tenant}`, reason);
+      store.dispatch({ type: 'DISCOVERY_FAILURE', message: reason });
+    });
 }
 
-function fetchModules(store) {
+/**
+ * discoverServices
+ * This function probes Okapi to discover what versions of what
+ * interfaces are supported by the services that it is proxying
+ * for. This information can be used to configure the UI at run-time
+ * (e.g. not attempting to fetch loan information for a
+ * non-circulating library that doesn't provide the circ interface)
+ *
+ * @param {redux-store} store
+ * @returns Promise
+ */
+
+function fetchGatewayVersion(store) {
   const okapi = store.getState().okapi;
 
-  return fetch(`${okapi.url}/_/proxy/tenants/${okapi.tenant}/modules?full=true`, {
-    headers: getHeaders(okapi.tenant, okapi.token),
-    credentials: 'include',
-    mode: 'cors',
+  return fetch(`${okapi.url}/version`, {
+    headers: getHeaders(okapi.tenant, okapi.token)
   }).then((response) => { // eslint-disable-line consistent-return
     if (response.status >= 400) {
       store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
       return response;
     } else {
-      return response.json().then((json) => {
-        store.dispatch({ type: 'DISCOVERY_SUCCESS', data: json });
-        return Promise.all(
-          json.map(entry => Promise.all([
-            store.dispatch({ type: 'DISCOVERY_INTERFACES', data: entry }),
-            store.dispatch({ type: 'DISCOVERY_PROVIDERS', data: entry }),
-          ]))
-        );
+      return response.json().then((res) => {
+        store.dispatch({ type: 'DISCOVERY_OKAPI', version: res.version });
       });
     }
   }).catch((reason) => {
@@ -56,18 +159,8 @@ function fetchModules(store) {
   });
 }
 
-/*
- * This function probes Okapi to discover what versions of what
- * interfaces are supported by the services that it is proxying
- * for. This information can be used to configure the UI at run-time
- * (e.g. not attempting to fetch loan information for a
- * non-circulating library that doesn't provide the circ interface)
- */
 export function discoverServices(store) {
-  const promises = [
-    fetchOkapiVersion(store),
-    fetchModules(store),
-  ];
+  const promises = [fetchApplicationDetails(store), fetchGatewayVersion(store)];
 
   return Promise.all(promises).then(() => {
     store.dispatch({ type: 'DISCOVERY_FINISHED' });
@@ -76,12 +169,30 @@ export function discoverServices(store) {
 
 export function discoveryReducer(state = {}, action) {
   switch (action.type) {
+    case 'DISCOVERY_APPLICATIONS':
+      return {
+        ...state,
+        applications: {
+          ...state.applications,
+          [action.data.id]: {
+            name: action.data.id,
+            modules: action.data.moduleDescriptors.map((d) => {
+              return {
+                name: d.id,
+                interfaces: d.provides.map((i) => {
+                  return { name: i.id + ' ' + i.version };
+                }),
+              };
+            }),
+          },
+        },
+      };
     case 'DISCOVERY_OKAPI':
       return Object.assign({}, state, { okapi: action.version });
     case 'DISCOVERY_FAILURE':
       return Object.assign({}, state, { failure: action });
     case 'DISCOVERY_SUCCESS': {
-      const modules = {};
+      const modules = { ...state.modules };
       for (const entry of action.data) {
         modules[entry.id] = entry.name;
       }
diff --git a/src/loginServices.js b/src/loginServices.js
index 5293cd35f..a87a72c9a 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -1,5 +1,5 @@
 import localforage from 'localforage';
-import { config, translations } from 'stripes-config';
+import { config, okapi, translations } from 'stripes-config';
 import rtlDetect from 'rtl-detect';
 import moment from 'moment';
 import { loadDayJSLocale } from '@folio/stripes-components';
@@ -51,7 +51,7 @@ export const supportedLocales = [
   'it-IT',  // italian, italy
   'ja',     // japanese
   'ko',     // korean
-  'nb',     // norwegian bokmål"
+  'nb',     // norwegian bokmål
   'nn',     // norwegian nynorsk
   'pl',     // polish
   'pt-BR',  // portuguese, brazil
@@ -358,15 +358,16 @@ export function getBindings(okapiUrl, store, tenant) {
 /**
  * loadResources
  * return a promise that retrieves the tenant's locale, user's locale,
- * plugins, and key-bindings from mod-configuration.
- * @param {string} okapiUrl
+ * plugins, and key-bindings from mod-configuration, as well as retreiving
+ * module information directly from okapi.
+ *
  * @param {redux store} store
  * @param {string} tenant
  * @param {string} userId user's UUID
  *
  * @returns {Promise}
  */
-function loadResources(okapiUrl, store, tenant, userId) {
+function loadResources(store, tenant, userId) {
   let promises = [];
 
   // tenant's locale, plugin, bindings, and user's locale are all stored
@@ -374,10 +375,10 @@ function loadResources(okapiUrl, store, tenant, userId) {
   // read-permission for configuration entries.
   if (canReadConfig(store)) {
     promises = [
-      getLocale(okapiUrl, store, tenant),
-      getUserLocale(okapiUrl, store, tenant, userId),
-      getPlugins(okapiUrl, store, tenant),
-      getBindings(okapiUrl, store, tenant),
+      getLocale(okapi.url, store, tenant),
+      getUserLocale(okapi.url, store, tenant, userId),
+      getPlugins(okapi.url, store, tenant),
+      getBindings(okapi.url, store, tenant),
     ];
   }
 
@@ -512,7 +513,6 @@ export async function logout(okapiUrl, store) {
  * Dispatch the session object, then return a Promise that fetches
  * and dispatches tenant resources.
  *
- * @param {string} okapiUrl
  * @param {object} store
  * @param {string} tenant
  * @param {string} token
@@ -520,7 +520,9 @@ export async function logout(okapiUrl, store) {
  *
  * @returns {Promise}
  */
-export function createOkapiSession(okapiUrl, store, tenant, token, data) {
+export function createOkapiSession(store, tenant, token, data) {
+  // @@ new StripesSession(store, data);
+
   // clear any auth-n errors
   store.dispatch(setAuthError(null));
 
@@ -562,7 +564,7 @@ export function createOkapiSession(okapiUrl, store, tenant, token, data) {
     .then(() => {
       store.dispatch(setIsAuthenticated(true));
       store.dispatch(setSessionData(okapiSess));
-      return loadResources(okapiUrl, store, sessionTenant, user.id);
+      return loadResources(store, sessionTenant, user.id);
     });
 }
 
@@ -652,21 +654,32 @@ export function handleLoginError(dispatch, resp) {
  * processOkapiSession
  * create a new okapi session with the response from either a username/password
  * authentication request or a bl-users/_self request.
- * @param {string} okapiUrl
+ * response body is shaped like
+ * {
+    'access_token': 'SOME_STRING',
+    'expires_in': 420,
+    'refresh_expires_in': 1800,
+    'refresh_token': 'SOME_STRING',
+    'token_type': 'Bearer',
+    'not-before-policy': 0,
+    'session_state': 'SOME_UUID',
+    'scope': 'profile email'
+ * }
+ *
  * @param {redux store} store
  * @param {string} tenant
  * @param {Response} resp HTTP response
  *
  * @returns {Promise} resolving with login response body, rejecting with, ummmmm
  */
-export function processOkapiSession(okapiUrl, store, tenant, resp, ssoToken) {
-  const token = resp.headers.get('X-Okapi-Token') || ssoToken;
+export function processOkapiSession(store, tenant, resp, ssoToken) {
   const { dispatch } = store;
 
   if (resp.ok) {
     return resp.json()
       .then(json => {
-        return createOkapiSession(okapiUrl, store, tenant, token, json)
+        const token = json.access_token || ssoToken;
+        return createOkapiSession(store, tenant, token, json)
           .then(() => json);
       })
       .then((json) => {
@@ -769,7 +782,7 @@ export function checkOkapiSession(okapiUrl, store, tenant) {
  * requestLogin
  * authenticate with a username and password. return a promise that posts the values
  * and then processes the result to begin a session.
- * @param {string} okapiUrl
+ * @param {object} okapi object from stripes.config.js
  * @param {redux store} store
  * @param {string} tenant
  * @param {object} data
@@ -777,15 +790,29 @@ export function checkOkapiSession(okapiUrl, store, tenant) {
  * @returns {Promise}
  */
 export function requestLogin(okapiUrl, store, tenant, data) {
-  const loginPath = config.useSecureTokens ? 'login-with-expiry' : 'login';
-  return fetch(`${okapiUrl}/bl-users/${loginPath}?expandPermissions=true&fullPermissions=true`, {
-    body: JSON.stringify(data),
-    credentials: 'include',
-    headers: { 'X-Okapi-Tenant': tenant, 'Content-Type': 'application/json' },
-    method: 'POST',
-    mode: 'cors',
-  })
-    .then(resp => processOkapiSession(okapiUrl, store, tenant, resp));
+  // got Keycloak?
+  if (okapi.authnUrl) {
+    return fetch(okapi.authnUrl, {
+      method: 'POST',
+      body: new URLSearchParams({
+        ...data,
+        'grant_type': 'password',
+        'client_id': okapi.clientId,
+        'client_secret': okapi.clientSecret,
+      })
+    })
+      .then(resp => processOkapiSession(store, tenant, resp));
+  } else {
+    // legacy built-in authentication
+    const loginPath = config.useSecureTokens ? 'login-with-expiry' : 'login';
+    return fetch(`${okapiUrl}/bl-users/${loginPath}?expandPermissions=true&fullPermissions=true`, {
+      body: JSON.stringify(data),
+      credentials: 'include',
+      headers: { 'X-Okapi-Tenant': tenant, 'Content-Type': 'application/json' },
+      method: 'POST',
+      mode: 'cors',
+    })
+    .then(resp => processOkapiSession(store, tenant, resp));
 }
 
 /**
@@ -799,8 +826,9 @@ export function requestLogin(okapiUrl, store, tenant, data) {
  * @returns {Promise} Promise resolving to the response of the request
  */
 function fetchUserWithPerms(okapiUrl, tenant, token, rtrIgnore = false) {
+  const usersPath = okapi.authnUrl ? 'users-keycloak' : 'bl-users';
   return fetch(
-    `${okapiUrl}/bl-users/_self?expandPermissions=true&fullPermissions=true`,
+    `${okapiUrl}/${usersPath}/_self?expandPermissions=true&fullPermissions=true`,
     {
       headers: getHeaders(tenant, token),
       rtrIgnore,
@@ -819,7 +847,15 @@ function fetchUserWithPerms(okapiUrl, tenant, token, rtrIgnore = false) {
  */
 export function requestUserWithPerms(okapiUrl, store, tenant, token) {
   return fetchUserWithPerms(okapiUrl, tenant, token, !token)
-    .then(resp => processOkapiSession(okapiUrl, store, tenant, resp, token));
+    .then((resp) => {
+      if (resp.ok) {
+        return processOkapiSession(store, tenant, resp, token);
+      } else {
+        return resp.json().then((error) => {
+          throw error;
+        });
+      }
+    });
 }
 
 /**
@@ -869,7 +905,7 @@ export function updateUser(store, data) {
  * updateTenant
  * 1. prepare user info for requested tenant
  * 2. update okapi session
- * @param {object} okapi
+ * @param {object} okapiConfig
  * @param {string} tenant
  *
  * @returns {Promise}
diff --git a/src/okapiActions.js b/src/okapiActions.js
index 1c3e0ccda..b6ff9554f 100644
--- a/src/okapiActions.js
+++ b/src/okapiActions.js
@@ -135,6 +135,13 @@ function updateCurrentUser(data) {
   };
 }
 
+function setOkapiTenant(payload) {
+  return {
+    type: 'SET_OKAPI_TENANT',
+    payload
+  };
+}
+
 function setTokenExpiration(tokenExpiration) {
   return {
     type: 'SET_TOKEN_EXPIRATION',
@@ -187,4 +194,5 @@ export {
   setTranslations,
   toggleRtrModal,
   updateCurrentUser,
+  setOkapiTenant
 };
diff --git a/src/okapiReducer.js b/src/okapiReducer.js
index c8114f297..6c4f1f475 100644
--- a/src/okapiReducer.js
+++ b/src/okapiReducer.js
@@ -1,5 +1,9 @@
 export default function okapiReducer(state = {}, action) {
   switch (action.type) {
+    case 'SET_OKAPI_TENANT': {
+      const { tenant, clientId } = action.payload;
+      return Object.assign({}, state, { tenant, clientId });
+    }
     case 'SET_OKAPI_TOKEN':
       return Object.assign({}, state, { token: action.token });
     case 'CLEAR_OKAPI_TOKEN':
diff --git a/translations/stripes-core/en.json b/translations/stripes-core/en.json
index 7998423d6..b2bff0838 100644
--- a/translations/stripes-core/en.json
+++ b/translations/stripes-core/en.json
@@ -59,7 +59,7 @@
   "about.paneTitle": "Software versions",
   "about.userInterface": "User interface",
   "about.foundation": "Foundation",
-  "about.okapiServices": "Okapi services",
+  "about.okapiServices": "API gateway services",
   "about.unknown": "Unknown",
   "about.version": "Version {version}",
   "about.forTenant": "For tenant {tenant}",
@@ -81,6 +81,8 @@
   "about.appModuleCount": "{count, number} app {count, plural, one {module} other {modules}}",
   "about.settingsModuleCount": "{count, number} settings {count, plural, one {module} other {modules}}",
   "about.pluginModuleCount": "{count, number} plugin {count, plural, one {module} other {modules}}",
+  "about.applicationCount": "{count} applications",
+  "about.applicationsVersionsTitle": "Applications/modules/interfaces",
 
   "loggedInAs": "Logged in as {firstName} {lastName}",
   "currentServicePoint": "Service point: {name}",
@@ -99,6 +101,8 @@
   "settingPassword": "Setting password...",
   "settingSystemInfo": "System information",
   "settingChoose": "Choose settings",
+  "tenantChoose": "Select your tenant/library",
+  "tenantLibrary": "Tenant/Library",
 
   "mainnav.showAllApplicationsButtonLabel": "Apps",
   "mainnav.showAllApplicationsButtonAriaLabel": "All applications",
@@ -141,7 +145,7 @@
   "errors.password.whiteSpace.invalid": "The password must not contain whitespaces.",
   "errors.password.consecutiveWhitespaces.invalid": "The password must not contain consecutive white space characters.",
   "errors.password.compromised.invalid": "The password must not be commonly-used, expected or compromised",
-  "errors.sso.session.failed": "SSO Login failed. Please try again",
+  "errors.saml.missingToken": "No <code>code</code> query parameter.",
 
   "createResetPassword.header": "Choose a password",
   "createResetPassword.newPassword": "New Password",
diff --git a/translations/stripes-core/en_US.json b/translations/stripes-core/en_US.json
index bc8e80dc6..35aea7c1f 100644
--- a/translations/stripes-core/en_US.json
+++ b/translations/stripes-core/en_US.json
@@ -19,7 +19,7 @@
     "about.paneTitle": "Software versions",
     "about.userInterface": "User interface",
     "about.foundation": "Foundation",
-    "about.okapiServices": "Okapi services",
+    "about.okapiServices": "API gateway services",
     "about.unknown": "Unknown",
     "about.version": "Version {version}",
     "about.forTenant": "For tenant {tenant}",
@@ -39,6 +39,8 @@
     "about.appModuleCount": "{count, number} app {count, plural, one {module} other {modules}}",
     "about.settingsModuleCount": "{count, number} settings {count, plural, one {module} other {modules}}",
     "about.pluginModuleCount": "{count, number} plugin {count, plural, one {module} other {modules}}",
+    "about.applicationCount": "{count} applications",
+    "about.applicationsVersionsTitle": "Applications/modules/interfaces",
     "loggedInAs": "Logged in as {firstName} {lastName}",
     "logout": "Log out",
     "settings": "Settings",
@@ -110,6 +112,9 @@
     "errors.password.incorrect.block.user": "For security purposes, your account has been locked. Please contact your FOLIO System Administrator to reset your password.",
     "settingSystemInfo": "System information",
     "settingChoose": "Choose settings",
+    "tenantChoose": "Select your tenant/library",
+    "tenantLibrary": "Tenant/Library",
+
     "button.save": "Save",
     "mainnav.appContextMenu": "Application context dropdown",
     "errors.password.length.invalid": "The password length must be minimum 8 symbols.",
@@ -121,6 +126,7 @@
     "errors.password.repeatingSymbols.invalid": "The password must not contain the same character in a row.",
     "errors.password.whiteSpace.invalid": "The password must not contain whitespaces.",
     "mainnav.myProfileAriaLabel": "{tenantName} {servicePointName} profile",
+    "errors.saml.missingToken": "No <code>code</code> query parameter.",
     "mainnav.skipMainNavigation": "Skip Main Navigation",
     "errors.user.timeout": "Your session has expired. Please log in again to resume your session.",
     "errors.password.consecutiveWhitespaces.invalid": "The password must not contain consecutive white space characters.",
@@ -153,4 +159,4 @@
     "rtr.idleSession.keepWorking": "Keep working",
     "rtr.idleSession.sessionExpiredSoSad": "Your session expired due to inactivity.",
     "rtr.idleSession.logInAgain": "Log in again"
-}
\ No newline at end of file
+}

From be61b764f95e44bc1c566e02f0f9ed3d5eaddacd Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Wed, 13 Dec 2023 15:08:06 -0500
Subject: [PATCH 03/63] test cleanup

---
 src/loginServices.js      | 1 +
 src/loginServices.test.js | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/loginServices.js b/src/loginServices.js
index a87a72c9a..633e1acbc 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -813,6 +813,7 @@ export function requestLogin(okapiUrl, store, tenant, data) {
       mode: 'cors',
     })
     .then(resp => processOkapiSession(store, tenant, resp));
+  }
 }
 
 /**
diff --git a/src/loginServices.test.js b/src/loginServices.test.js
index bec0d559f..f4692d699 100644
--- a/src/loginServices.test.js
+++ b/src/loginServices.test.js
@@ -98,7 +98,7 @@ describe('createOkapiSession', () => {
     const permissionsMap = { a: true, b: true };
     mockFetchSuccess([]);
 
-    await createOkapiSession('url', store, 'tenant', 'token', data);
+    await createOkapiSession(store, 'tenant', 'token', data);
     expect(store.dispatch).toHaveBeenCalledWith(setIsAuthenticated(true));
     expect(store.dispatch).toHaveBeenCalledWith(setAuthError(null));
     expect(store.dispatch).toHaveBeenCalledWith(setLoginData(data));
@@ -207,7 +207,7 @@ describe('processOkapiSession', () => {
 
     mockFetchSuccess();
 
-    await processOkapiSession('url', store, 'tenant', resp);
+    await processOkapiSession(store, 'tenant', resp, 'token');
     expect(store.dispatch).toHaveBeenCalledWith(setAuthError(null));
     expect(store.dispatch).toHaveBeenCalledWith(setOkapiReady());
 
@@ -224,7 +224,7 @@ describe('processOkapiSession', () => {
       }
     };
 
-    await processOkapiSession('url', store, 'tenant', resp);
+    await processOkapiSession(store, 'tenant', resp, 'token');
 
     expect(store.dispatch).toHaveBeenCalledWith(setOkapiReady());
     expect(store.dispatch).toHaveBeenCalledWith(setAuthError([defaultErrors.DEFAULT_LOGIN_CLIENT_ERROR]));

From e22b1465a0a80143bcbee6aa1413ea8a39d26ec2 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Thu, 14 Dec 2023 16:21:26 -0500
Subject: [PATCH 04/63] backwards compatibility with non-keycloak environments

---
 src/discoverServices.js           | 6 +++---
 test/bigtest/network/config.js    | 8 ++++++++
 translations/stripes-core/en.json | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/discoverServices.js b/src/discoverServices.js
index 54713cdc6..e2ec83c27 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -98,7 +98,7 @@ const APP_MAX_COUNT = 500;
 function fetchApplicationDetails(store) {
   const okapi = store.getState().okapi;
 
-  return fetch(`${okapiConfig.applicationManagerUrl}/entitlements/${okapi.tenant}/applications?limit=${APP_MAX_COUNT}`, {
+  return fetch(`${okapi.url}/entitlements/${okapi.tenant}/applications?limit=${APP_MAX_COUNT}`, {
     headers: getHeaders(okapi.tenant, okapi.token)
   })
     .then((response) => {
@@ -150,8 +150,8 @@ function fetchGatewayVersion(store) {
       store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
       return response;
     } else {
-      return response.json().then((res) => {
-        store.dispatch({ type: 'DISCOVERY_OKAPI', version: res.version });
+      return response.text().then((text) => {
+        store.dispatch({ type: 'DISCOVERY_OKAPI', version: text });
       });
     }
   }).catch((reason) => {
diff --git a/test/bigtest/network/config.js b/test/bigtest/network/config.js
index 650e975d2..506942235 100644
--- a/test/bigtest/network/config.js
+++ b/test/bigtest/network/config.js
@@ -8,6 +8,14 @@ export default function configure() {
   // okapi endpoints
   this.get('/_/version', () => '0.0.0');
 
+  this.get('/version', () => '0.0.0');
+
+  this.get('/entitlements/:tenant/applications', {
+    applicationDescriptors: [],
+    totalRecords: 1
+  });
+  this.get('/_/env', {});
+
   this.get('_/proxy/tenants/:id/modules', [{
     id : 'mod-users-42.0.0-EXAMPLE.12345',
     name : 'users',
diff --git a/translations/stripes-core/en.json b/translations/stripes-core/en.json
index b2bff0838..b86b68a25 100644
--- a/translations/stripes-core/en.json
+++ b/translations/stripes-core/en.json
@@ -12,7 +12,7 @@
   "title.changePassword": "Change password",
   "title.noPermission": "No permission",
   "title.cookieEnabled": "Cookies are required to login. Please enable cookies and try again.",
-
+  "title.logout": "Log out",
   "front.welcome": "Welcome, the Future Of Libraries Is OPEN!",
   "front.home": "Home",
   "front.about": "Software versions",

From 20e689b6c4dbe22d718ec2ad3007969fb9c811d2 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Thu, 14 Dec 2023 07:18:49 -0500
Subject: [PATCH 05/63] lint cleanup, console.log cleanup

---
 src/components/OIDCLanding.js    | 3 ++-
 src/serviceWorkerRegistration.js | 1 -
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/components/OIDCLanding.js b/src/components/OIDCLanding.js
index 4f1a716ef..82ae09c1c 100644
--- a/src/components/OIDCLanding.js
+++ b/src/components/OIDCLanding.js
@@ -72,11 +72,12 @@ const OIDCLanding = () => {
           }
         })
         .catch(e => {
+          // eslint-disable-next-line no-console
           console.error('@@ Oh, snap, OTP exchange failed!', e);
           samlError.current = e;
         });
     }
-  }, [otp, store]);
+  }, [otp, store, okapi.tenant, okapi.url]);
 
   if (!otp) {
     return (
diff --git a/src/serviceWorkerRegistration.js b/src/serviceWorkerRegistration.js
index 5f43165f5..df975f38d 100644
--- a/src/serviceWorkerRegistration.js
+++ b/src/serviceWorkerRegistration.js
@@ -1,7 +1,6 @@
 export const registerServiceWorker = async () => {};
 
 export const unregisterServiceWorker = async () => {
-  console.log('unregister'); // eslint-disable-line no-console
   if ('serviceWorker' in navigator) {
     navigator.serviceWorker.ready
       .then((reg) => {

From 131317e7a613d5557756a0f5ada6e231841a0706 Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Wed, 15 May 2024 15:03:51 -0400
Subject: [PATCH 06/63] Update PreLoginLanding.js

---
 src/components/PreLoginLanding/PreLoginLanding.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/components/PreLoginLanding/PreLoginLanding.js b/src/components/PreLoginLanding/PreLoginLanding.js
index eb47719f1..7c17c663e 100644
--- a/src/components/PreLoginLanding/PreLoginLanding.js
+++ b/src/components/PreLoginLanding/PreLoginLanding.js
@@ -16,7 +16,7 @@ function PreLoginLanding({ onSelectTenant }) {
   const getLoginUrl = () => {
     if (!okapi.tenant) return '';
     if (okapi.authnUrl) {
-      return `${okapi.authnUrl}/realms/${okapi.tenant}/protocol/openid-connect/auth?client_id=${okapi.clientId}&response_type=code&redirect_uri=${redirectUri}&scope=openid`;
+      return `${okapi.authnUrl}/realms/${okapi.tenant}/protocol/openid-connect/auth?client_id=${okapi.clientId}&response_type=code&redirect_uri=${redirectUri}&scope=openid&isConsortium=true`;
     }
     return '';
   };
@@ -51,7 +51,7 @@ function PreLoginLanding({ onSelectTenant }) {
               <Button
                 buttonClass={styles.submitButton}
                 disabled={!okapi.tenant}
-                onClick={() => window.location.replace(getLoginUrl())}
+                onClick={() => window.location.assign(getLoginUrl())}
                 buttonStyle="primary"
                 fullWidth
               >
@@ -61,7 +61,8 @@ function PreLoginLanding({ onSelectTenant }) {
           </Row>
         </div>
       </div>
-    </main>);
+    </main>
+  );
 }
 
 PreLoginLanding.propTypes = {

From 5139ff9005b20e6219cb74d6158d6d4ce15a01c3 Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Fri, 22 Dec 2023 14:09:50 -0500
Subject: [PATCH 07/63] Add back button support to multi-tenant workflow
 (#1381)

* Update URL redirect to allow back button support

* Clean up unused and duplicate code

* lint

* Add URL param to indicate Consortium

---------

Co-authored-by: Zak Burke <zburke@ebsco.com>
---
 src/components/Login/Login.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/components/Login/Login.js b/src/components/Login/Login.js
index 56c045597..56440732f 100644
--- a/src/components/Login/Login.js
+++ b/src/components/Login/Login.js
@@ -83,7 +83,6 @@ class LoginCtrl extends Component {
         </Row>);
 
     return (
-<<<<<<< HEAD
       <Form
         onSubmit={onSubmit}
         subscription={{ values: true }}

From cb1a7030c63ce404daf24128598c816067486343 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Thu, 4 Jan 2024 15:41:25 -0500
Subject: [PATCH 08/63] STCOR-773 show legacy or application-based discovery
 info (#1385)

* handle legacy discovery via Okapi APIs
* handle legacy logout via internal redirect to `/`
* handle legacy version display on `/settings/about`

There is not really as much work here as it appears. All the new
components were split out of `About` in order to allow sub-sections to
be reused with both application-based and module-based discovery
information. Likewise, `loginServices.js` and `discoveryServices.js`
were modestly refactored to handled both APIs.

And there are Jest/RTL tests to replace the BTOG test that could not be
easily updated to handle the new APIs since its `stripes-config` stub is
part of `@folio/stripes-cli` instead of being declared locally.

Refs STCOR-773
---
 src/RootWithIntl.js                           |   1 -
 src/RootWithIntl.test.js                      |  74 +++++
 src/components/About/About.js                 | 253 ++++--------------
 src/components/About/About.test.js            | 117 ++++++++
 src/components/About/AboutAPIGateway.js       |  39 +++
 src/components/About/AboutAPIGateway.test.js  |  27 ++
 .../About/AboutApplicationVersions.js         |  43 +++
 .../About/AboutApplicationVersions.test.js    |  36 +++
 src/components/About/AboutEnabledModules.js   |   4 +-
 .../About/AboutEnabledModules.test.js         |  41 +++
 src/components/About/AboutInstallMessages.js  |  20 +-
 src/components/About/AboutModules.js          |  48 ++++
 src/components/About/AboutModules.test.js     |  24 ++
 src/components/About/AboutOkapi.js            |  96 +++++++
 src/components/About/AboutOkapi.test.js       |  79 ++++++
 src/components/About/AboutStripes.js          |  62 +++++
 src/components/About/AboutStripes.test.js     |  26 ++
 src/components/About/AboutUIDependencies.js   |  66 +++++
 .../About/AboutUIDependencies.test.js         |  54 ++++
 src/components/About/AboutUIModuleDetails.js  |  49 ++++
 src/components/About/WarningBanner.test.js    |  47 ++++
 src/discoverServices.js                       |  73 ++++-
 src/loginServices.js                          |   2 +-
 test/bigtest/tests/about-test.js              |  40 ---
 test/jest/__mock__/intl.mock.js               |   6 +-
 test/jest/__mock__/stripesComponents.mock.js  |   5 +
 26 files changed, 1066 insertions(+), 266 deletions(-)
 create mode 100644 src/RootWithIntl.test.js
 create mode 100644 src/components/About/About.test.js
 create mode 100644 src/components/About/AboutAPIGateway.js
 create mode 100644 src/components/About/AboutAPIGateway.test.js
 create mode 100644 src/components/About/AboutApplicationVersions.js
 create mode 100644 src/components/About/AboutApplicationVersions.test.js
 create mode 100644 src/components/About/AboutEnabledModules.test.js
 create mode 100644 src/components/About/AboutModules.js
 create mode 100644 src/components/About/AboutModules.test.js
 create mode 100644 src/components/About/AboutOkapi.js
 create mode 100644 src/components/About/AboutOkapi.test.js
 create mode 100644 src/components/About/AboutStripes.js
 create mode 100644 src/components/About/AboutStripes.test.js
 create mode 100644 src/components/About/AboutUIDependencies.js
 create mode 100644 src/components/About/AboutUIDependencies.test.js
 create mode 100644 src/components/About/AboutUIModuleDetails.js
 create mode 100644 src/components/About/WarningBanner.test.js
 delete mode 100644 test/bigtest/tests/about-test.js

diff --git a/src/RootWithIntl.js b/src/RootWithIntl.js
index d95c56674..cb8a74a7a 100644
--- a/src/RootWithIntl.js
+++ b/src/RootWithIntl.js
@@ -197,4 +197,3 @@ RootWithIntl.propTypes = {
 };
 
 export default RootWithIntl;
-
diff --git a/src/RootWithIntl.test.js b/src/RootWithIntl.test.js
new file mode 100644
index 000000000..1a3c7a0b3
--- /dev/null
+++ b/src/RootWithIntl.test.js
@@ -0,0 +1,74 @@
+/* shhhh, eslint, it's ok. we need "unused" imports for mocks */
+/* eslint-disable no-unused-vars */
+
+import { render, screen } from '@folio/jest-config-stripes/testing-library/react';
+
+import { Redirect as InternalRedirect } from 'react-router-dom';
+import Redirect from './components/Redirect';
+import { Login } from './components';
+import PreLoginLanding from './components/PreLoginLanding';
+
+import {
+  renderLoginComponent,
+  renderLogoutComponent
+} from './RootWithIntl';
+
+jest.mock('react-router-dom', () => ({
+  Redirect: () => '<internalredirect>',
+  withRouter: (Component) => Component,
+}));
+jest.mock('./components/Redirect', () => () => '<redirect>');
+jest.mock('./components/Login', () => () => '<login>');
+jest.mock('./components/PreLoginLanding', () => () => '<preloginlanding>');
+
+describe('RootWithIntl', () => {
+  describe('renderLoginComponent', () => {
+    it('handles legacy login', () => {
+      const stripes = { okapi: {}, config: {} };
+      render(renderLoginComponent(stripes));
+
+      expect(screen.getByText(/<login>/)).toBeInTheDocument();
+    });
+
+    describe('handles third-party login', () => {
+      it('handles single-tenant', () => {
+        const stripes = {
+          okapi: { authnUrl: 'https://barbie.com' },
+          config: { isSingleTenant: true }
+        };
+        render(renderLoginComponent(stripes));
+
+        expect(screen.getByText(/<redirect>/)).toBeInTheDocument();
+      });
+
+      it('handles multi-tenant', () => {
+        const stripes = {
+          okapi: { authnUrl: 'https://oppie.com' },
+          config: { },
+        };
+        render(renderLoginComponent(stripes));
+
+        expect(screen.getByText(/<preloginlanding>/)).toBeInTheDocument();
+      });
+    });
+  });
+
+  describe('renderLogoutComponent', () => {
+    it('handles legacy logout', () => {
+      const stripes = { okapi: {}, config: {} };
+      render(renderLogoutComponent(stripes));
+
+      expect(screen.getByText(/<internalredirect>/)).toBeInTheDocument();
+    });
+
+    it('handles third-party logout', () => {
+      const stripes = {
+        okapi: { authnUrl: 'https://oppie.com' },
+        config: { },
+      };
+      render(renderLogoutComponent(stripes));
+
+      expect(screen.getByText(/<redirect>/)).toBeInTheDocument();
+    });
+  });
+});
diff --git a/src/components/About/About.js b/src/components/About/About.js
index 95c377acc..2835e8e20 100644
--- a/src/components/About/About.js
+++ b/src/components/About/About.js
@@ -1,26 +1,30 @@
-import _ from 'lodash';
 import React, { useRef, useEffect } from 'react';
 import PropTypes from 'prop-types';
 import { FormattedMessage } from 'react-intl';
-import stripesConnect from '@folio/stripes-connect/package';
-import stripesComponents from '@folio/stripes-components/package';
-import stripesLogger from '@folio/stripes-logger/package';
-
+import { okapi as okapiConfig } from 'stripes-config';
 import {
-  Pane,
   Headline,
-  List,
-  Loading
+  Loading,
+  Pane,
 } from '@folio/stripes-components';
+
 import AboutInstallMessages from './AboutInstallMessages';
 import WarningBanner from './WarningBanner';
 import { withModules } from '../Modules';
-import stripesCore from '../../../package';
 import css from './About.css';
+import { useStripes } from '../../StripesContext';
+import AboutOkapi from './AboutOkapi';
+import AboutApplicationVersions from './AboutApplicationVersions';
+import AboutStripes from './AboutStripes';
+import AboutAPIGateway from './AboutAPIGateway';
+import AboutUIDependencies from './AboutUIDependencies';
+import AboutUIModuleDetails from './AboutUIModuleDetails';
+import stripesCore from '../../../package';
 
 const About = (props) => {
   const titleRef = useRef(null);
   const bannerRef = useRef(null);
+  const stripes = useStripes();
 
   useEffect(() => {
     if (bannerRef.current) {
@@ -30,83 +34,11 @@ const About = (props) => {
     }
   }, []);
 
-  function renderDependencies(m, interfaces) {
-    const base = `${m.module} ${m.version}`;
-    if (!interfaces) {
-      return base;
-    }
-
-    const okapiInterfaces = m.okapiInterfaces;
-    if (!okapiInterfaces) {
-      return <FormattedMessage id="stripes-core.about.noDependencies" values={{ base }} />;
-    }
-
-    const itemFormatter = (key) => {
-      const text = okapiInterfaces[key];
-
-      return (
-        <li key={key}>
-          {key}
-          {' '}
-          {text}
-        </li>
-      );
-    };
-
-    return (
-      <span>
-        <Headline size="small" faded>
-          <FormattedMessage id="stripes-core.about.moduleDependsOn" values={{ module: `${m.module} ${m.version || ''}` }} />
-        </Headline>
-        <List
-          items={Object.keys(okapiInterfaces).sort()}
-          itemFormatter={itemFormatter}
-          listStyle="bullets"
-        />
-      </span>
-    );
-  }
-
-  function listModules(caption, list, interfaces) {
-    const itemFormatter = m => (<li key={m.module}>{renderDependencies(m, interfaces)}</li>);
-    let headlineMsg;
-    switch (caption) {
-      case 'app':
-        headlineMsg = <FormattedMessage id="stripes-core.about.appModuleCount" values={{ count: list.length }} />;
-        break;
-      case 'settings':
-        headlineMsg = <FormattedMessage id="stripes-core.about.settingsModuleCount" values={{ count: list.length }} />;
-        break;
-      case 'plugin':
-        headlineMsg = <FormattedMessage id="stripes-core.about.pluginModuleCount" values={{ count: list.length }} />;
-        break;
-      default:
-        headlineMsg = <FormattedMessage id="stripes-core.about.moduleTypeCount" values={{ count: list.length, type: caption }} />;
-    }
-
-    list.sort();
-
-    return (
-      <div key={caption}>
-        <Headline>{headlineMsg}</Headline>
-        <div data-test-stripes-core-about-module={caption}>
-          <List
-            listStyle="bullets"
-            items={list}
-            itemFormatter={itemFormatter}
-          />
-        </div>
-      </div>
-    );
-  }
-
-  const applications =
-    _.get(props.stripes, ['discovery', 'applications']) || {};
-  const interfaces = _.get(props.stripes, ['discovery', 'interfaces']) || {};
-  const isLoadingFinished = _.get(props.stripes, ['discovery', 'isFinished']);
+  const applications = stripes.discovery?.applications || {};
+  const interfaces = stripes.discovery?.interfaces || {};
+  const isLoadingFinished = stripes.discovery?.isFinished;
   const na = Object.keys(applications).length;
 
-  const unknownMsg = <FormattedMessage id="stripes-core.about.unknown" />;
   const numApplicationsMsg = (
     <FormattedMessage
       id="stripes-core.about.applicationCount"
@@ -114,36 +46,6 @@ const About = (props) => {
     />
   );
 
-  const renderInterfaces = (list) => {
-    return (
-      <List
-        listStyle="square"
-        listClass={css.paddingLeftOfListItems}
-        items={list}
-        itemFormatter={(item) => <li key={item.name}>{item.name}</li>}
-      />
-    );
-  };
-  const renderModules = (list) => {
-    return (
-      <List
-        listStyle="bullet"
-        listClass={css.paddingLeftOfListItems}
-        items={list}
-        itemFormatter={(item) => {
-          return (
-            <li>
-              <Headline weight="medium" margin="xx-small">
-                {item.name}
-              </Headline>
-              {renderInterfaces(item.interfaces)}
-            </li>
-          );
-        }}
-      />
-    );
-  };
-
   return (
     <Pane
       defaultWidth="fill"
@@ -159,91 +61,38 @@ const About = (props) => {
           bannerRef={bannerRef}
         />
       )}
-      <AboutInstallMessages stripes={props.stripes} />
+      <AboutInstallMessages />
       <div className={css.versionsContainer}>
-        <div className={css.versionsColumn}>
-          <Headline size="large">
-            <FormattedMessage id="stripes-core.about.applicationsVersionsTitle" />
-          </Headline>
-          <Headline>{numApplicationsMsg}</Headline>
-          {Object.values(applications)
-            .map((app) => {
-              return (
-                <ul key={app.name}>
-                  <li>
-                    <Headline>{app.name}</Headline>
-                    {renderModules(app.modules)}
-                  </li>
-                </ul>
-              );
-            })}
-        </div>
-
-        <div className={css.versionsColumn}>
-          <Headline size="large">
-            <FormattedMessage id="stripes-core.about.userInterface" />
-          </Headline>
-          <Headline>
-            <FormattedMessage id="stripes-core.about.foundation" />
-          </Headline>
-          <span
-            id="platform-versions"
-            data-stripes-core={stripesCore.version}
-            data-stripes-connect={stripesConnect.version}
-            data-stripes-components={stripesComponents.version}
-            data-okapi-version={_.get(props.stripes, ['discovery', 'okapi']) || unknownMsg}
-            data-okapi-url={_.get(props.stripes, ['okapi', 'url']) || unknownMsg}
-          />
-          <List
-            listStyle="bullets"
-            items={[
-              {
-                key: 'stripes-core',
-                value: `stripes-core ${stripesCore.version}`,
-              },
-              {
-                key: 'stripes-connect',
-                value: `stripes-connect ${stripesConnect.version}`,
-              },
-              {
-                key: 'stripes-components',
-                value: `stripes-components ${stripesComponents.version}`,
-              },
-              {
-                key: 'stripes-logger',
-                value: `stripes-logger ${stripesLogger.version}`,
-              },
-            ]}
-            itemFormatter={item => (<li key={item.key}>{item.value}</li>)}
-          />
-
-          <br />
-          <Headline size="large">
-            <FormattedMessage id="stripes-core.about.okapiServices" />
-          </Headline>
-          <Headline>
-            <FormattedMessage id="stripes-core.about.foundation" />
-          </Headline>
-          <List
-            listStyle="bullets"
-            itemFormatter={(item, i) => (<li key={i}>{item}</li>)}
-            items={[
-              <FormattedMessage id="stripes-core.about.version" values={{ version: _.get(props.stripes, ['discovery', 'okapi']) || unknownMsg }} />,
-              <FormattedMessage id="stripes-core.about.forTenant" values={{ tenant: _.get(props.stripes, ['okapi', 'tenant']) || unknownMsg }} />,
-              <FormattedMessage id="stripes-core.about.onUrl" values={{ url: _.get(props.stripes, ['okapi', 'url']) || unknownMsg }} />
-            ]}
-          />
-          <br />
-          <Headline size="large">
-            <FormattedMessage id="stripes-core.about.uiOrServiceDependencies" />
-          </Headline>
-          <Headline>
-            <FormattedMessage id="stripes-core.about.foundation" />
-          </Headline>
-          {renderDependencies(Object.assign({}, stripesCore.stripes || {}, { module: 'stripes-core' }), interfaces)}
-          <br />
-          {Object.keys(props.modules).map(key => listModules(key, props.modules[key], interfaces))}
-        </div>
+        {okapiConfig.tenantEntitlementUrl ? (
+          <>
+            <div className={css.versionsColumn} data-test-stripes-core-about-module-versions>
+              <AboutApplicationVersions message={numApplicationsMsg} applications={applications} />
+            </div>
+            <div className={css.versionsColumn}>
+              <AboutStripes />
+              <br />
+              <AboutAPIGateway />
+              <br />
+              <Headline size="large">
+                <FormattedMessage id="stripes-core.about.uiOrServiceDependencies" />
+              </Headline>
+              <Headline>
+                <FormattedMessage id="stripes-core.about.foundation" />
+              </Headline>
+              <AboutUIModuleDetails
+                module={{
+                  ...stripesCore.stripes,
+                  module: 'stripes-core',
+                  version: stripesCore.version
+                }}
+                showDependencies
+              />
+              <AboutUIDependencies modules={props.modules} showDependencies />
+            </div>
+          </>
+        ) : (
+          <AboutOkapi discovery={stripes.discovery} />
+        )}
       </div>
     </Pane>
   );
@@ -251,14 +100,6 @@ const About = (props) => {
 
 About.propTypes = {
   modules: PropTypes.object,
-  stripes: PropTypes.shape({
-    discovery: PropTypes.shape({
-      modules: PropTypes.object,
-      interfaces: PropTypes.object,
-    }),
-    connect: PropTypes.func,
-    hasPerm: PropTypes.func.isRequired,
-  }).isRequired,
 };
 
 export default withModules(About);
diff --git a/src/components/About/About.test.js b/src/components/About/About.test.js
new file mode 100644
index 000000000..e50950ba6
--- /dev/null
+++ b/src/components/About/About.test.js
@@ -0,0 +1,117 @@
+/* shhhh, eslint, it's ok. we need "unused" imports for mocks */
+/* eslint-disable no-unused-vars */
+
+import {
+  QueryClient,
+  QueryClientProvider,
+} from 'react-query';
+import {
+  render,
+  screen,
+} from '@folio/jest-config-stripes/testing-library/react';
+
+import { okapi as okapiConfig } from 'stripes-config';
+
+import AboutAPIGateway from './AboutAPIGateway';
+import AboutApplicationVersions from './AboutApplicationVersions';
+import AboutEnabledModules from './AboutEnabledModules';
+import AboutInstallMessages from './AboutInstallMessages';
+import AboutOkapi from './AboutOkapi';
+import AboutStripes from './AboutStripes';
+import AboutUIDependencies from './AboutUIDependencies';
+import AboutUIModuleDetails from './AboutUIModuleDetails';
+import WarningBanner from './WarningBanner';
+
+import { useStripes } from '../../StripesContext';
+import About from './About';
+
+jest.mock('./AboutAPIGateway', () => () => 'AboutAPIGateway');
+jest.mock('./AboutApplicationVersions', () => () => 'AboutApplicationVersions');
+jest.mock('./AboutEnabledModules', () => () => 'AboutEnabledModules');
+jest.mock('./AboutInstallMessages', () => () => 'AboutInstallMessages');
+jest.mock('./AboutOkapi', () => () => 'AboutOkapi');
+jest.mock('./AboutStripes', () => () => 'AboutStripes');
+jest.mock('./AboutUIDependencies', () => () => 'AboutUIDependencies');
+jest.mock('./AboutUIModuleDetails', () => () => 'AboutUIModuleDetails');
+jest.mock('./WarningBanner', () => () => 'WarningBanner');
+
+jest.mock('stripes-config', () => ({
+  okapi: { tenantEntitlementUrl: true },
+}));
+
+// set query retries to false. otherwise, react-query will thoughtfully
+// (but unhelpfully, in the context of testing) retry a failed query
+// several times causing the test to timeout when what we really want
+// is for it to throw so we can catch and test the exception.
+const queryClient = new QueryClient({
+  defaultOptions: {
+    queries: {
+      retry: false
+    }
+  }
+});
+
+jest.mock('../../StripesContext');
+
+describe('About', () => {
+  it('displays application discovery details', async () => {
+    const modules = {
+      app: [
+        {
+          module: 'app-alpha',
+          version: '1.2.3',
+          okapiInterfaces: {
+            iAlpha: '1.0',
+          }
+        },
+        { module: 'app-beta', version: '2.3.4' }
+      ],
+      settings: [
+        { module: 'settings-alpha', version: '3.4.5' },
+        { module: 'settings-beta', version: '4.5.6' }
+      ],
+      plugin: [
+        { module: 'plugin-alpha', version: '5.6.7' },
+        { module: 'plugin-beta', version: '6.7.8' }
+      ],
+      typeThatHasNotBeenInventedYet: [
+        { module: 'typeThatHasNotBeenInventedYet-alpha', version: '7.8.9' },
+        { module: 'typeThatHasNotBeenInventedYet-beta', version: '8.9.10' }
+      ],
+    };
+
+    const stripes = {
+      okapi: {
+        tenant: 'barbie',
+        url: 'https://oppie.edu',
+      },
+      discovery: {
+        modules,
+        interfaces: {
+          bar: '1.0',
+          bat: '2.0',
+        },
+        isFinished: true,
+      }
+    };
+
+    const mockUseStripes = useStripes;
+    mockUseStripes.mockReturnValue(stripes);
+
+    render(
+      <QueryClientProvider client={queryClient}>
+        <About />
+      </QueryClientProvider>
+    );
+
+    expect(screen.getByText(/WarningBanner/)).toBeInTheDocument();
+    expect(screen.getByText(/AboutInstallMessages/)).toBeInTheDocument();
+    expect(screen.getByText(/AboutApplicationVersions/)).toBeInTheDocument();
+    expect(screen.getByText(/AboutStripes/)).toBeInTheDocument();
+    expect(screen.getByText(/AboutAPIGateway/)).toBeInTheDocument();
+    expect(screen.getByText(/about.uiOrServiceDependencies/)).toBeInTheDocument();
+    expect(screen.getByText(/AboutUIModuleDetails/)).toBeInTheDocument();
+    expect(screen.getByText(/AboutUIDependencies/)).toBeInTheDocument();
+    expect(screen.queryByText(/AboutOkapi/)).toBe(null);
+  });
+});
diff --git a/src/components/About/AboutAPIGateway.js b/src/components/About/AboutAPIGateway.js
new file mode 100644
index 000000000..676280f40
--- /dev/null
+++ b/src/components/About/AboutAPIGateway.js
@@ -0,0 +1,39 @@
+import _ from 'lodash';
+import { FormattedMessage } from 'react-intl';
+
+import {
+  Headline,
+  List,
+} from '@folio/stripes-components';
+import { useStripes } from '../../StripesContext';
+
+/**
+ * AboutAPIGateway
+ * Display API gateway details including version, tenant, gateway URL
+ * @returns
+ */
+const AboutAPIGateway = () => {
+  const stripes = useStripes();
+  const unknownMsg = <FormattedMessage id="stripes-core.about.unknown" />;
+  return (
+    <>
+      <Headline size="large">
+        <FormattedMessage id="stripes-core.about.okapiServices" />
+      </Headline>
+      <Headline>
+        <FormattedMessage id="stripes-core.about.foundation" />
+      </Headline>
+      <List
+        listStyle="bullets"
+        itemFormatter={(item, i) => (<li key={i}>{item}</li>)}
+        items={[
+          <FormattedMessage id="stripes-core.about.version" values={{ version: _.get(stripes, ['discovery', 'okapi']) || unknownMsg }} />,
+          <FormattedMessage id="stripes-core.about.forTenant" values={{ tenant: _.get(stripes, ['okapi', 'tenant']) || unknownMsg }} />,
+          <FormattedMessage id="stripes-core.about.onUrl" values={{ url: _.get(stripes, ['okapi', 'url']) || unknownMsg }} />
+        ]}
+      />
+    </>
+  );
+};
+
+export default AboutAPIGateway;
diff --git a/src/components/About/AboutAPIGateway.test.js b/src/components/About/AboutAPIGateway.test.js
new file mode 100644
index 000000000..f621b2b0c
--- /dev/null
+++ b/src/components/About/AboutAPIGateway.test.js
@@ -0,0 +1,27 @@
+import {
+  render,
+  screen,
+} from '@folio/jest-config-stripes/testing-library/react';
+
+import { useStripes } from '../../StripesContext';
+import AboutAPIGateway from './AboutAPIGateway';
+
+jest.mock('../../StripesContext');
+
+describe('AboutAPIGateway', () => {
+  it('displays API gateway details', async () => {
+    const okapi = {
+      tenant: 'barbie',
+      url: 'https://oppie.com'
+    };
+
+    const mockUseStripes = useStripes;
+    mockUseStripes.mockReturnValue({ okapi });
+
+    render(<AboutAPIGateway />);
+
+    expect(screen.getByText(/about.version/)).toBeInTheDocument();
+    expect(screen.getByText(/about.forTenant/)).toBeInTheDocument();
+    expect(screen.getByText(/about.onUrl/)).toBeInTheDocument();
+  });
+});
diff --git a/src/components/About/AboutApplicationVersions.js b/src/components/About/AboutApplicationVersions.js
new file mode 100644
index 000000000..7de809407
--- /dev/null
+++ b/src/components/About/AboutApplicationVersions.js
@@ -0,0 +1,43 @@
+import PropTypes from 'prop-types';
+import { FormattedMessage } from 'react-intl';
+import {
+  Headline,
+} from '@folio/stripes-components';
+
+import css from './About.css';
+import AboutModules from './AboutModules';
+
+/**
+ * AboutApplicationVersions
+ * Applications listed by discovery
+ * @param {*} param0
+ * @returns
+ */
+const AboutApplicationVersions = ({ message, applications }) => {
+  return (
+    <div className={css.versionsColumn} data-test-stripes-core-about-module-versions>
+      <Headline size="large">
+        <FormattedMessage id="stripes-core.about.applicationsVersionsTitle" />
+      </Headline>
+      <Headline>{message}</Headline>
+      {Object.values(applications)
+        .map((app) => {
+          return (
+            <ul key={app.name}>
+              <li>
+                <Headline>{app.name}</Headline>
+                <AboutModules list={app.modules} />
+              </li>
+            </ul>
+          );
+        })}
+    </div>
+  );
+};
+
+AboutApplicationVersions.propTypes = {
+  applications: PropTypes.object,
+  message: PropTypes.object,
+};
+
+export default AboutApplicationVersions;
diff --git a/src/components/About/AboutApplicationVersions.test.js b/src/components/About/AboutApplicationVersions.test.js
new file mode 100644
index 000000000..f30dd0d0b
--- /dev/null
+++ b/src/components/About/AboutApplicationVersions.test.js
@@ -0,0 +1,36 @@
+import {
+  render,
+  screen,
+} from '@folio/jest-config-stripes/testing-library/react';
+import { FormattedMessage } from 'react-intl';
+
+import AboutApplicationVersions from './AboutApplicationVersions';
+
+describe('AboutApplicationVersions', () => {
+  it('displays application version details', async () => {
+    const applications = {
+      a: {
+        name: 'Albus',
+        modules: [{ name: 'apple' }, { name: 'banana' }, { name: 'cherry' }]
+      },
+      b: {
+        name: 'Beetlejuice',
+        modules: [{ name: 'alpha' }, { name: 'barvo' }, { name: 'charlie' }]
+      }
+
+    };
+    const id = 'All passing tests are alike; each failing test fails in its own way.';
+    const message = <FormattedMessage id={id} />;
+
+    render(<AboutApplicationVersions applications={applications} message={message} />);
+
+    expect(screen.getByText(/about.applicationsVersionsTitle/)).toBeInTheDocument();
+    expect(screen.getByText(id)).toBeInTheDocument();
+    Object.keys(applications).forEach((i) => {
+      expect(screen.getByText(applications[i].name)).toBeInTheDocument();
+      applications[i].modules.forEach((j) => {
+        expect(screen.getByText(j.name)).toBeInTheDocument();
+      });
+    });
+  });
+});
diff --git a/src/components/About/AboutEnabledModules.js b/src/components/About/AboutEnabledModules.js
index 3df0bf0ae..e2d8cf3e3 100644
--- a/src/components/About/AboutEnabledModules.js
+++ b/src/components/About/AboutEnabledModules.js
@@ -3,6 +3,8 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import { List } from '@folio/stripes-components';
 
+import stripesConnect from '../../stripesConnect';
+
 class AboutEnabledModules extends React.Component {
   static manifest = Object.freeze({
     enabledModules: {
@@ -50,4 +52,4 @@ class AboutEnabledModules extends React.Component {
   }
 }
 
-export default AboutEnabledModules;
+export default stripesConnect(AboutEnabledModules);
diff --git a/src/components/About/AboutEnabledModules.test.js b/src/components/About/AboutEnabledModules.test.js
new file mode 100644
index 000000000..4c4392960
--- /dev/null
+++ b/src/components/About/AboutEnabledModules.test.js
@@ -0,0 +1,41 @@
+/* shhhh, eslint, it's ok. we need "unused" imports for mocks */
+/* eslint-disable no-unused-vars */
+
+import {
+  render,
+  screen,
+} from '@folio/jest-config-stripes/testing-library/react';
+
+import stripesConnect from '../../stripesConnect';
+import AboutEnabledModules from './AboutEnabledModules';
+
+jest.mock('../../stripesConnect', () => (Component) => Component);
+
+describe('AboutEnabledModules', () => {
+  it('displays application version details', async () => {
+    const availableModules = {
+      amy: 'angelo',
+      beth: 'baldwin',
+      camilla: 'claude'
+    };
+    const resources = {
+      enabledModules: {
+        records: [
+          { id: 'amy' },
+          { id: 'beth' },
+        ]
+      }
+    };
+    const tenantid = 'monkey';
+
+    render(<AboutEnabledModules
+      availableModules={availableModules}
+      resources={resources}
+      tenantid={tenantid}
+    />);
+
+    Object.keys(availableModules).forEach((i) => {
+      expect(screen.getByText(availableModules[i])).toBeInTheDocument();
+    });
+  });
+});
diff --git a/src/components/About/AboutInstallMessages.js b/src/components/About/AboutInstallMessages.js
index d808f8e53..cce8395f2 100644
--- a/src/components/About/AboutInstallMessages.js
+++ b/src/components/About/AboutInstallMessages.js
@@ -1,5 +1,4 @@
 import React from 'react';
-import PropTypes from 'prop-types';
 import { FormattedDate } from 'react-intl';
 
 import {
@@ -9,6 +8,7 @@ import {
   useConfigurations,
   useOkapiEnv,
 } from '../../queries';
+import { useStripes } from '../../StripesContext';
 
 
 export function entryFor(config, code) {
@@ -75,20 +75,21 @@ export function installMessage(env, conf, stripesConf) {
  * @param {} props
  * @returns
  */
-const AboutInstallMessages = (props) => {
+const AboutInstallMessages = () => {
+  const stripes = useStripes();
   const aboutEnv = useOkapiEnv();
   const aboutConfig = useConfigurations({
     module: '@folio/stripes-core',
     configName: 'aboutInstall',
   });
 
-  const version = installVersion(aboutEnv.data, aboutConfig.data, props.stripes.config);
-  const date = installDate(aboutEnv.data, aboutConfig.data, props.stripes.config);
-  const message = installMessage(aboutEnv.data, aboutConfig.data, props.stripes.config);
+  const version = installVersion(aboutEnv.data, aboutConfig.data, stripes.config);
+  const date = installDate(aboutEnv.data, aboutConfig.data, stripes.config);
+  const message = installMessage(aboutEnv.data, aboutConfig.data, stripes.config);
 
   let formattedDate = '';
   if (date) {
-    formattedDate = <>(<FormattedDate value={date} />)</>;
+    formattedDate = <FormattedDate value={date} />;
   }
 
   return (
@@ -99,11 +100,4 @@ const AboutInstallMessages = (props) => {
   );
 };
 
-AboutInstallMessages.propTypes = {
-  stripes: PropTypes.shape({
-    config: PropTypes.object,
-    hasPerm: PropTypes.func.isRequired,
-  }).isRequired,
-};
-
 export default AboutInstallMessages;
diff --git a/src/components/About/AboutModules.js b/src/components/About/AboutModules.js
new file mode 100644
index 000000000..5fc9ca7d5
--- /dev/null
+++ b/src/components/About/AboutModules.js
@@ -0,0 +1,48 @@
+import PropTypes from 'prop-types';
+import {
+  Headline,
+  List,
+} from '@folio/stripes-components';
+
+import css from './About.css';
+
+
+const AboutInterfaces = ({ list }) => {
+  return (
+    <List
+      listClass={css.paddingLeftOfListItems}
+      items={list}
+      itemFormatter={(item) => <li key={item.name}>{item.name}</li>}
+    />
+  );
+};
+
+AboutInterfaces.propTypes = {
+  list: PropTypes.arrayOf(PropTypes.object),
+};
+
+const AboutModules = ({ list }) => {
+  return (
+    <List
+      listStyle="bullets"
+      listClass={css.paddingLeftOfListItems}
+      items={list}
+      itemFormatter={(item) => {
+        return (
+          <li key={item.name}>
+            <Headline weight="medium" margin="xx-small">
+              {item.name}
+            </Headline>
+            <AboutInterfaces list={item.interfaces} />
+          </li>
+        );
+      }}
+    />
+  );
+};
+
+AboutModules.propTypes = {
+  list: PropTypes.arrayOf(PropTypes.object),
+};
+
+export default AboutModules;
diff --git a/src/components/About/AboutModules.test.js b/src/components/About/AboutModules.test.js
new file mode 100644
index 000000000..cc070d640
--- /dev/null
+++ b/src/components/About/AboutModules.test.js
@@ -0,0 +1,24 @@
+import {
+  render,
+  screen,
+} from '@folio/jest-config-stripes/testing-library/react';
+
+import AboutModules from './AboutModules';
+
+describe('AboutModules', () => {
+  it('displays application version details', async () => {
+    const list = [
+      { name: 'Abigail', interfaces: [{ name: 'iAnnabeth' }, { name: 'iAlice' }] },
+      { name: 'Betsy', interfaces: [{ name: 'iBelle' }, { name: 'iBrea' }] },
+    ];
+
+    render(<AboutModules list={list} />);
+
+    Object.keys(list).forEach((i) => {
+      expect(screen.getByText(list[i].name)).toBeInTheDocument();
+      list[i].interfaces.forEach((j) => {
+        expect(screen.getByText(j.name)).toBeInTheDocument();
+      });
+    });
+  });
+});
diff --git a/src/components/About/AboutOkapi.js b/src/components/About/AboutOkapi.js
new file mode 100644
index 000000000..fd38a8657
--- /dev/null
+++ b/src/components/About/AboutOkapi.js
@@ -0,0 +1,96 @@
+import React from 'react';
+import PropTypes from 'prop-types';
+import { FormattedMessage } from 'react-intl';
+import { Headline, List } from '@folio/stripes-components';
+
+import AboutAPIGateway from './AboutAPIGateway';
+import AboutStripes from './AboutStripes';
+import AboutUIModuleDetails from './AboutUIModuleDetails';
+import AboutUIDependencies from './AboutUIDependencies';
+
+import { withModules } from '../Modules';
+import css from './About.css';
+import stripesCore from '../../../package';
+import { useStripes } from '../../StripesContext';
+import AboutEnabledModules from './AboutEnabledModules';
+
+const AboutOkapi = ({ modules }) => {
+  const stripes = useStripes();
+
+  const dmodules = stripes.discovery.modules || {};
+  const dinterfaces = stripes.discovery.interfaces || {};
+
+  const nm = Object.keys(dmodules).length;
+  const ni = Object.keys(dinterfaces).length;
+
+  const unknownMsg = <FormattedMessage id="stripes-core.about.unknown" />;
+  const numModulesMsg = <FormattedMessage id="stripes-core.about.moduleCount" values={{ count: nm }} />;
+  const numInterfacesMsg = <FormattedMessage id="stripes-core.about.interfaceCount" values={{ count: ni }} />;
+
+
+  return (
+    <>
+      <div className={css.versionsColumn} data-test-stripes-core-about-module-versions>
+        <AboutStripes />
+        <AboutUIDependencies modules={modules} />
+      </div>
+
+      <div className={css.versionsColumn}>
+        <AboutAPIGateway />
+
+        <Headline>{numModulesMsg}</Headline>
+        <AboutEnabledModules tenantid={stripes.okapi.tenant || unknownMsg} availableModules={dmodules} />
+        <Headline size="small">
+          <FormattedMessage id="stripes-core.about.legendKey" />
+        </Headline>
+        <FormattedMessage
+          id="stripes-core.about.notEnabledModules"
+          tagName="p"
+          values={{
+            span: chunks => <span className={css.isEmptyMessage}>{chunks}</span>
+          }}
+        />
+        <br />
+        <Headline>{numInterfacesMsg}</Headline>
+        <List
+          listStyle="bullets"
+          items={Object.keys(dinterfaces).sort((a, b) => a.localeCompare(b))}
+          itemFormatter={key => (
+            <li key={key}>
+              {`${key} ${dinterfaces[key]}`}
+            </li>
+          )}
+        />
+      </div>
+
+      <div className={css.versionsColumn}>
+        <Headline size="large">
+          <FormattedMessage id="stripes-core.about.uiOrServiceDependencies" />
+        </Headline>
+        <Headline>
+          <FormattedMessage id="stripes-core.about.foundation" />
+        </Headline>
+        <AboutUIModuleDetails
+          module={{
+            ...stripesCore.stripes,
+            module: 'stripes-core',
+            version: stripesCore.version
+          }}
+          showDependencies
+        />
+        <AboutUIDependencies modules={modules} showDependencies />
+      </div>
+    </>
+  );
+};
+
+AboutOkapi.propTypes = {
+  modules: PropTypes.shape({
+    app: PropTypes.arrayOf(PropTypes.object),
+    plugin: PropTypes.arrayOf(PropTypes.object),
+    settings: PropTypes.arrayOf(PropTypes.object),
+    handler: PropTypes.arrayOf(PropTypes.object),
+  }),
+};
+
+export default withModules(AboutOkapi);
diff --git a/src/components/About/AboutOkapi.test.js b/src/components/About/AboutOkapi.test.js
new file mode 100644
index 000000000..2165b8ee5
--- /dev/null
+++ b/src/components/About/AboutOkapi.test.js
@@ -0,0 +1,79 @@
+/* shhhh, eslint, it's ok. we need "unused" imports for mocks */
+/* eslint-disable no-unused-vars */
+
+import {
+  render,
+  screen,
+} from '@folio/jest-config-stripes/testing-library/react';
+
+import AboutOkapi from './AboutOkapi';
+import { useStripes } from '../../StripesContext';
+import stripesConnect from '../../stripesConnect';
+import AboutEnabledModules from './AboutEnabledModules';
+
+jest.mock('../../StripesContext');
+jest.mock('../../stripesConnect');
+jest.mock('./AboutEnabledModules', () => () => <></>);
+
+describe('AboutOkapi', () => {
+  const modules = {
+    app: [
+      {
+        module: 'app-alpha',
+        version: '1.2.3',
+        okapiInterfaces: {
+          iAlpha: '1.0',
+        }
+      },
+      { module: 'app-beta', version: '2.3.4' }
+    ],
+    settings: [
+      { module: 'settings-alpha', version: '3.4.5' },
+      { module: 'settings-beta', version: '4.5.6' }
+    ],
+    plugin: [
+      { module: 'plugin-alpha', version: '5.6.7' },
+      { module: 'plugin-beta', version: '6.7.8' }
+    ],
+    typeThatHasNotBeenInventedYet: [
+      { module: 'typeThatHasNotBeenInventedYet-alpha', version: '7.8.9' },
+      { module: 'typeThatHasNotBeenInventedYet-beta', version: '8.9.10' }
+    ],
+  };
+
+  const stripes = {
+    okapi: {
+      tenant: 'barbie',
+      url: 'https://oppie.edu',
+    },
+    discovery: {
+      modules,
+      interfaces: {
+        bar: '1.0',
+        bat: '2.0',
+      }
+    }
+  };
+  const mockUseStripes = useStripes;
+  mockUseStripes.mockReturnValue(stripes);
+
+  it('displays application version details', async () => {
+    render(<AboutOkapi />);
+
+    expect(screen.getByText(/about.userInterface/)).toBeInTheDocument();
+    expect(screen.getByText(/stripes-connect/)).toBeInTheDocument();
+    expect(screen.getByText(/stripes-components/)).toBeInTheDocument();
+    expect(screen.getByText(/stripes-logger/)).toBeInTheDocument();
+
+    expect(screen.getByText(/about.okapiServices/)).toBeInTheDocument();
+    expect(screen.getByText(/about.version/)).toBeInTheDocument();
+    expect(screen.getByText(/about.forTenant/)).toBeInTheDocument();
+    expect(screen.getByText(/about.onUrl/)).toBeInTheDocument();
+
+    expect(screen.getByText(/about.moduleCount/)).toBeInTheDocument();
+    expect(screen.getByText(/about.interfaceCount/)).toBeInTheDocument();
+
+    expect(screen.getByText(/about.uiOrServiceDependencies/)).toBeInTheDocument();
+    // expect(screen.getByText(/about.moduleDependsOn/)).toBeInTheDocument();
+  });
+});
diff --git a/src/components/About/AboutStripes.js b/src/components/About/AboutStripes.js
new file mode 100644
index 000000000..b86a36443
--- /dev/null
+++ b/src/components/About/AboutStripes.js
@@ -0,0 +1,62 @@
+import _ from 'lodash';
+import { FormattedMessage } from 'react-intl';
+import stripesConnect from '@folio/stripes-connect/package';
+import stripesComponents from '@folio/stripes-components/package';
+import stripesLogger from '@folio/stripes-logger/package';
+
+import {
+  Headline,
+  List,
+} from '@folio/stripes-components';
+import stripesCore from '../../../package';
+import { useStripes } from '../../StripesContext';
+
+
+const AboutStripes = () => {
+  const stripes = useStripes();
+  const unknownMsg = <FormattedMessage id="stripes-core.about.unknown" />;
+  const stripesModules = [
+    {
+      key: 'stripes-core',
+      value: `stripes-core ${stripesCore.version}`,
+    },
+    {
+      key: 'stripes-connect',
+      value: `stripes-connect ${stripesConnect.version}`,
+    },
+    {
+      key: 'stripes-components',
+      value: `stripes-components ${stripesComponents.version}`,
+    },
+    {
+      key: 'stripes-logger',
+      value: `stripes-logger ${stripesLogger.version}`,
+    },
+  ];
+
+  return (
+    <>
+      <Headline size="large">
+        <FormattedMessage id="stripes-core.about.userInterface" />
+      </Headline>
+      <Headline>
+        <FormattedMessage id="stripes-core.about.foundation" />
+      </Headline>
+      <span
+        id="platform-versions"
+        data-stripes-core={stripesCore.version}
+        data-stripes-connect={stripesConnect.version}
+        data-stripes-components={stripesComponents.version}
+        data-okapi-version={_.get(stripes, ['discovery', 'okapi']) || unknownMsg}
+        data-okapi-url={_.get(stripes, ['okapi', 'url']) || unknownMsg}
+      />
+      <List
+        listStyle="bullets"
+        items={stripesModules}
+        itemFormatter={item => (<li key={item.key}>{item.value}</li>)}
+      />
+    </>
+  );
+};
+
+export default AboutStripes;
diff --git a/src/components/About/AboutStripes.test.js b/src/components/About/AboutStripes.test.js
new file mode 100644
index 000000000..ebb614859
--- /dev/null
+++ b/src/components/About/AboutStripes.test.js
@@ -0,0 +1,26 @@
+import {
+  render,
+  screen,
+} from '@folio/jest-config-stripes/testing-library/react';
+
+import AboutStripes from './AboutStripes';
+
+jest.mock('@folio/stripes-connect/package', () => ({ version: '1.2.3' }));
+jest.mock('@folio/stripes-components/package', () => ({ version: '4.5.6' }));
+jest.mock('@folio/stripes-logger/package', () => ({ version: '7.8.9' }));
+jest.mock('../../../package', () => ({ version: '10.11.12' }));
+
+describe('AboutStripes', () => {
+  it('displays stripes-* version details', async () => {
+    render(<AboutStripes />);
+
+    expect(screen.getByText(/about.userInterface/)).toBeInTheDocument();
+    expect(screen.getByText(/about.foundation/)).toBeInTheDocument();
+
+    expect(screen.getByText(/stripes-core 10.11.12/)).toBeInTheDocument();
+    expect(screen.getByText(/stripes-connect 1.2.3/)).toBeInTheDocument();
+    expect(screen.getByText(/stripes-components 4.5.6/)).toBeInTheDocument();
+    expect(screen.getByText(/stripes-logger 7.8.9/)).toBeInTheDocument();
+  });
+});
+
diff --git a/src/components/About/AboutUIDependencies.js b/src/components/About/AboutUIDependencies.js
new file mode 100644
index 000000000..2a7bb51d9
--- /dev/null
+++ b/src/components/About/AboutUIDependencies.js
@@ -0,0 +1,66 @@
+import PropTypes from 'prop-types';
+import { FormattedMessage } from 'react-intl';
+import {
+  Headline,
+  List,
+} from '@folio/stripes-components';
+
+import AboutUIModuleDetails from './AboutUIModuleDetails';
+
+/**
+ * AboutUIDependencies
+ * Display
+ *
+ * @param {object} modules { app[], settings[], plugin[], handler[] }
+ *   array entries contain module details from discovery
+ * @param {bool} showDependencies true to display interface dependencies
+ * @returns
+ */
+const AboutUIDependencies = ({ modules, showDependencies }) => {
+  const itemFormatter = (m) => (
+    <li key={m.module}>
+      <AboutUIModuleDetails module={m} showDependencies={showDependencies} />
+    </li>
+  );
+
+  const headlineFor = (key, count) => {
+    let headlineMsg;
+    switch (key) {
+      case 'app':
+        headlineMsg = <FormattedMessage id="stripes-core.about.appModuleCount" values={{ count }} />;
+        break;
+      case 'settings':
+        headlineMsg = <FormattedMessage id="stripes-core.about.settingsModuleCount" values={{ count }} />;
+        break;
+      case 'plugin':
+        headlineMsg = <FormattedMessage id="stripes-core.about.pluginModuleCount" values={{ count }} />;
+        break;
+      default:
+        headlineMsg = <FormattedMessage id="stripes-core.about.moduleTypeCount" values={{ count, type: key }} />;
+    }
+    return headlineMsg;
+  };
+
+  return Object.keys(modules).map((key) => {
+    const items = modules[key].sort((a, b) => a.module.localeCompare(b.module));
+    return (
+      <div key={key}>
+        <Headline>{headlineFor(key, items.length)}</Headline>
+        <div data-test-stripes-core-about-module={key}>
+          <List
+            listStyle="bullets"
+            items={items}
+            itemFormatter={itemFormatter}
+          />
+        </div>
+      </div>
+    );
+  });
+};
+
+AboutUIDependencies.propTypes = {
+  modules: PropTypes.object,
+  showDependencies: PropTypes.bool,
+};
+
+export default AboutUIDependencies;
diff --git a/src/components/About/AboutUIDependencies.test.js b/src/components/About/AboutUIDependencies.test.js
new file mode 100644
index 000000000..90a8343f5
--- /dev/null
+++ b/src/components/About/AboutUIDependencies.test.js
@@ -0,0 +1,54 @@
+import {
+  render,
+  screen,
+} from '@folio/jest-config-stripes/testing-library/react';
+
+import AboutUIDependencies from './AboutUIDependencies';
+
+describe('AboutUIDependencies', () => {
+  const modules = {
+    app: [
+      {
+        module: 'app-alpha',
+        version: '1.2.3',
+        okapiInterfaces: {
+          iAlpha: '1.0',
+        }
+      },
+      { module: 'app-beta', version: '2.3.4' }
+    ],
+    settings: [
+      { module: 'settings-alpha', version: '3.4.5' },
+      { module: 'settings-beta', version: '4.5.6' }
+    ],
+    plugin: [
+      { module: 'plugin-alpha', version: '5.6.7' },
+      { module: 'plugin-beta', version: '6.7.8' }
+    ],
+    typeThatHasNotBeenInventedYet: [
+      { module: 'typeThatHasNotBeenInventedYet-alpha', version: '7.8.9' },
+      { module: 'typeThatHasNotBeenInventedYet-beta', version: '8.9.10' }
+    ],
+  };
+
+  it('displays UI module details', async () => {
+    render(<AboutUIDependencies modules={modules} />);
+
+    expect(screen.queryByText(/about.noDependencies/)).toBe(null);
+    expect(screen.queryByText(/iAlpha/)).toBe(null);
+
+    Object.keys(modules).forEach((i) => {
+      modules[i].forEach((j) => {
+        expect(screen.getByText(j.module, { exact: false })).toBeInTheDocument();
+        expect(screen.getByText(j.version, { exact: false })).toBeInTheDocument();
+      });
+    });
+  });
+
+  it('displays required interfaces', async () => {
+    render(<AboutUIDependencies modules={modules} showDependencies />);
+
+    expect(screen.getAllByText(/about.noDependencies/).length).toBeGreaterThan(1);
+    expect(screen.getByText(/iAlpha/)).toBeInTheDocument();
+  });
+});
diff --git a/src/components/About/AboutUIModuleDetails.js b/src/components/About/AboutUIModuleDetails.js
new file mode 100644
index 000000000..cff2965fc
--- /dev/null
+++ b/src/components/About/AboutUIModuleDetails.js
@@ -0,0 +1,49 @@
+import PropTypes from 'prop-types';
+import { FormattedMessage } from 'react-intl';
+
+import {
+  List,
+} from '@folio/stripes-components';
+
+/**
+ * AboutUIModuleDetails
+ * Given a UI module, display its name, version; optionally show the interfaces
+ * it module depends on.
+ *
+ * @param {object} module
+ * @param {array} showDependencies
+ * @returns
+ */
+const AboutUIModuleDetails = ({ module, showDependencies }) => {
+  const base = `${module.module} ${module.version}`;
+
+  if (!showDependencies) {
+    return base;
+  }
+
+  if (!module.okapiInterfaces) {
+    return <FormattedMessage id="stripes-core.about.noDependencies" values={{ base }} />;
+  }
+
+  const items = Object
+    .keys(module.okapiInterfaces)
+    .sort((a, b) => a.localeCompare(b))
+    .map((item) => `${item} ${module.okapiInterfaces[item]}`);
+
+  return (
+    <>
+      <FormattedMessage id="stripes-core.about.moduleDependsOn" values={{ module: `${module.module} ${module.version || ''}` }} />
+      <List
+        items={items}
+        listStyle="bullets"
+      />
+    </>
+  );
+};
+
+AboutUIModuleDetails.propTypes = {
+  module: PropTypes.object,
+  showDependencies: PropTypes.bool,
+};
+
+export default AboutUIModuleDetails;
diff --git a/src/components/About/WarningBanner.test.js b/src/components/About/WarningBanner.test.js
new file mode 100644
index 000000000..3ae1e270e
--- /dev/null
+++ b/src/components/About/WarningBanner.test.js
@@ -0,0 +1,47 @@
+import {
+  render,
+  screen,
+} from '@folio/jest-config-stripes/testing-library/react';
+
+import WarningBanner from './WarningBanner';
+
+describe('WarningBanner', () => {
+  const modules = {
+    app: [
+      {
+        module: 'app-alpha',
+        version: '1.2.3',
+        okapiInterfaces: {
+          alpha: '1.0',
+          beta: '2.0',
+          gamma: '3.1',
+        }
+      },
+      { module: 'app-beta', version: '2.3.4' }
+    ],
+  };
+
+  it('displays missing interfaces', async () => {
+    const interfaces = {
+      alpha: '1.0',
+      beta: '2.0',
+    };
+
+    render(<WarningBanner interfaces={interfaces} modules={modules} />);
+
+    expect(screen.getByText(/about.missingModuleCount/)).toBeInTheDocument();
+    expect(screen.getByText(/gamma/)).toBeInTheDocument();
+  });
+
+  it('displays incompatible interfaces', async () => {
+    const interfaces = {
+      alpha: '1.0',
+      beta: '2.0',
+      gamma: '3.0',
+    };
+    render(<WarningBanner interfaces={interfaces} modules={modules} />);
+
+    expect(screen.getByText(/about.incompatibleModuleCount/)).toBeInTheDocument();
+    expect(screen.getByText(/gamma/)).toBeInTheDocument();
+  });
+});
diff --git a/src/discoverServices.js b/src/discoverServices.js
index e2ec83c27..6e253358d 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -99,7 +99,9 @@ function fetchApplicationDetails(store) {
   const okapi = store.getState().okapi;
 
   return fetch(`${okapi.url}/entitlements/${okapi.tenant}/applications?limit=${APP_MAX_COUNT}`, {
-    headers: getHeaders(okapi.tenant, okapi.token)
+    credentials: 'include',
+    headers: getHeaders(okapi.tenant, okapi.token),
+    mode: 'cors',
   })
     .then((response) => {
       if (response.ok) {
@@ -144,7 +146,9 @@ function fetchGatewayVersion(store) {
   const okapi = store.getState().okapi;
 
   return fetch(`${okapi.url}/version`, {
-    headers: getHeaders(okapi.tenant, okapi.token)
+    credentials: 'include',
+    headers: getHeaders(okapi.tenant, okapi.token),
+    mode: 'cors',
   }).then((response) => { // eslint-disable-line consistent-return
     if (response.status >= 400) {
       store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
@@ -159,14 +163,77 @@ function fetchGatewayVersion(store) {
   });
 }
 
+function fetchOkapiVersion(store) {
+  const okapi = store.getState().okapi;
+
+  return fetch(`${okapi.url}/_/version`, {
+    credentials: 'include',
+    headers: getHeaders(okapi.tenant, okapi.token),
+    mode: 'cors',
+  }).then((response) => { // eslint-disable-line consistent-return
+    if (response.status >= 400) {
+      store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
+      return response;
+    } else {
+      return response.text().then((text) => {
+        store.dispatch({ type: 'DISCOVERY_OKAPI', version: text });
+      });
+    }
+  }).catch((reason) => {
+    store.dispatch({ type: 'DISCOVERY_FAILURE', message: reason });
+  });
+}
+
+function fetchModules(store) {
+  const okapi = store.getState().okapi;
+
+  return fetch(`${okapi.url}/_/proxy/tenants/${okapi.tenant}/modules?full=true`, {
+    credentials: 'include',
+    headers: getHeaders(okapi.tenant, okapi.token),
+    mode: 'cors',
+  }).then((response) => { // eslint-disable-line consistent-return
+    if (response.status >= 400) {
+      store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
+      return response;
+    } else {
+      return response.json().then((json) => {
+        store.dispatch({ type: 'DISCOVERY_SUCCESS', data: json });
+        return Promise.all(
+          json.map(entry => Promise.all([
+            store.dispatch({ type: 'DISCOVERY_INTERFACES', data: entry }),
+            store.dispatch({ type: 'DISCOVERY_PROVIDERS', data: entry }),
+          ]))
+        );
+      });
+    }
+  }).catch((reason) => {
+    store.dispatch({ type: 'DISCOVERY_FAILURE', message: reason });
+  });
+}
+
+/*
+ * This function probes Okapi to discover what versions of what
+ * interfaces are supported by the services that it is proxying
+ * for. This information can be used to configure the UI at run-time
+ * (e.g. not attempting to fetch loan information for a
+ * non-circulating library that doesn't provide the circ interface)
+ */
 export function discoverServices(store) {
-  const promises = [fetchApplicationDetails(store), fetchGatewayVersion(store)];
+  const promises = [];
+  if (okapiConfig.tenantEntitlementUrl) {
+    promises.push(fetchApplicationDetails(store));
+    promises.push(fetchGatewayVersion(store));
+  } else {
+    promises.push(fetchOkapiVersion(store));
+    promises.push(fetchModules(store));
+  }
 
   return Promise.all(promises).then(() => {
     store.dispatch({ type: 'DISCOVERY_FINISHED' });
   });
 }
 
+
 export function discoveryReducer(state = {}, action) {
   switch (action.type) {
     case 'DISCOVERY_APPLICATIONS':
diff --git a/src/loginServices.js b/src/loginServices.js
index 633e1acbc..5de0c3741 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -678,7 +678,7 @@ export function processOkapiSession(store, tenant, resp, ssoToken) {
   if (resp.ok) {
     return resp.json()
       .then(json => {
-        const token = json.access_token || ssoToken;
+        const token = resp.headers.get('X-Okapi-Token') || json.access_token || ssoToken;
         return createOkapiSession(store, tenant, token, json)
           .then(() => json);
       })
diff --git a/test/bigtest/tests/about-test.js b/test/bigtest/tests/about-test.js
deleted file mode 100644
index e8be5a7ac..000000000
--- a/test/bigtest/tests/about-test.js
+++ /dev/null
@@ -1,40 +0,0 @@
-import { describe, beforeEach, it } from 'mocha';
-
-import React, { Component } from 'react';
-import { converge } from '@folio/stripes-testing';
-import setupApplication from '../helpers/setup-core-application';
-import AboutInteractor from '../interactors/about';
-
-describe('About', () => {
-  const about = new AboutInteractor();
-
-  class DummyApp extends Component {
-    render() {
-      return (<h1>Hello Stripes!</h1>);
-    }
-  }
-
-  setupApplication({
-    modules: [{
-      type: 'app',
-      name: '@folio/ui-dummy',
-      displayName: 'dummy.title',
-      route: '/dummy',
-      hasSettings: true,
-      module: DummyApp
-    }],
-    translations: {
-      'dummy.title': 'Dummy'
-    }
-  });
-
-  describe('viewing the about page', () => {
-    beforeEach(function () {
-      this.visit('/settings/about');
-    });
-
-    it('has one installed app', () => converge(() => {
-      if (!(about.installedApps().length === 1)) throw new Error(`expected ${about.installedApps().length} to be 1`);
-    }));
-  });
-});
diff --git a/test/jest/__mock__/intl.mock.js b/test/jest/__mock__/intl.mock.js
index b42572d27..6ac92cebb 100644
--- a/test/jest/__mock__/intl.mock.js
+++ b/test/jest/__mock__/intl.mock.js
@@ -7,11 +7,15 @@ jest.mock('react-intl', () => {
 
   return {
     ...jest.requireActual('react-intl'),
-    FormattedMessage: jest.fn(({ id, children }) => {
+    FormattedMessage: jest.fn(({ id, values, children }) => {
       if (children) {
         return children([id]);
       }
 
+      if (values) {
+        return `${id} ${Object.keys(values).map(key => `${key}:${values[key]}`).join(', ')}`;
+      }
+
       return id;
     }),
     FormattedTime: jest.fn(({ value, children }) => {
diff --git a/test/jest/__mock__/stripesComponents.mock.js b/test/jest/__mock__/stripesComponents.mock.js
index 81647d4c6..444365dbd 100644
--- a/test/jest/__mock__/stripesComponents.mock.js
+++ b/test/jest/__mock__/stripesComponents.mock.js
@@ -69,6 +69,11 @@ jest.mock('@folio/stripes-components', () => ({
   Label: jest.fn(({ children, ...rest }) => (
     <span {...rest}>{children}</span>
   )),
+  List: jest.fn(({ items, itemFormatter = (item, i) => (<li key={i}>{item}</li>) }) => (
+    <ul>
+      [{items?.map((item, i) => itemFormatter(item, i))}]
+    </ul>
+  )),
   Loading: () => <div>Loading</div>,
   MessageBanner: jest.fn(({ show, children }) => { return show ? <>{children}</> : <></>; }),
 

From 1bf2d1ea6cf6a22ba1608a9ff61fd327042708ee Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Wed, 10 Jan 2024 15:43:56 -0500
Subject: [PATCH 09/63] Graceful handling when provides array is null in API
 response (#1388)

---
 src/discoverServices.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/discoverServices.js b/src/discoverServices.js
index 6e253358d..681813002 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -246,9 +246,9 @@ export function discoveryReducer(state = {}, action) {
             modules: action.data.moduleDescriptors.map((d) => {
               return {
                 name: d.id,
-                interfaces: d.provides.map((i) => {
+                interfaces: d.provides?.map((i) => {
                   return { name: i.id + ' ' + i.version };
-                }),
+                }) || [],
               };
             }),
           },

From dfc2796faeae38883f053f73eae4c0c201641a80 Mon Sep 17 00:00:00 2001
From: aidynoJ <121284650+aidynoJ@users.noreply.github.com>
Date: Mon, 15 Jan 2024 18:36:33 +0600
Subject: [PATCH 10/63] STCOR-790: check parsed client id, if undefined use
 clientId defined in okapiConfig (#1389)

---
 src/App.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/App.js b/src/App.js
index 4ce6130fc..6a6b7ea9e 100644
--- a/src/App.js
+++ b/src/App.js
@@ -37,7 +37,7 @@ export default class StripesCore extends Component {
     const parsedTenant = storedTenant ? JSON.parse(storedTenant) : undefined;
 
     const okapi = (typeof okapiConfig === 'object' && Object.keys(okapiConfig).length > 0)
-      ? { ...okapiConfig, tenant: parsedTenant?.tenantName || okapiConfig.tenant, clientId: parsedTenant?.clientId } : { withoutOkapi: true };
+      ? { ...okapiConfig, tenant: parsedTenant?.tenantName || okapiConfig.tenant, clientId: parsedTenant?.clientId || okapiConfig.clientId } : { withoutOkapi: true };
 
     const initialState = merge({}, { okapi }, props.initialState);
 

From c4179ddc9344edeacb3d9df7b0e4ee14fbf0e8c2 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Mon, 22 Jan 2024 12:54:46 -0500
Subject: [PATCH 11/63] STCOR-795 optionally use users-keycloak endpoint for
 password reset (#1399)

When the `users-keycloak` interface is available, use the endpoints it
provides in place of the legacy endpoints.

Refs STCOR-795, UIU-3031
---
 .../CreateResetPassword/CreateResetPasswordControl.js          | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/components/CreateResetPassword/CreateResetPasswordControl.js b/src/components/CreateResetPassword/CreateResetPasswordControl.js
index d096f5629..d30a05ea4 100644
--- a/src/components/CreateResetPassword/CreateResetPasswordControl.js
+++ b/src/components/CreateResetPassword/CreateResetPasswordControl.js
@@ -107,7 +107,8 @@ class CreateResetPasswordControl extends Component {
       },
     } = stripes;
 
-    const path = `${url}/bl-users/password-reset/${isValidToken ? 'reset' : 'validate'}`;
+    const interfacePath = stripes.hasInterface('users-keycloak') ? 'users-keycloak' : 'bl-users';
+    const path = `${url}/${interfacePath}/password-reset/${isValidToken ? 'reset' : 'validate'}`;
 
     fetch(path, {
       method: 'POST',

From 08924af8d885039c9b956a0563b130c9574983cc Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Mon, 22 Jan 2024 14:38:41 -0500
Subject: [PATCH 12/63] STCOR-794: Disable Continue button when no tenant
 selected (#1400)

---
 src/components/PreLoginLanding/PreLoginLanding.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/components/PreLoginLanding/PreLoginLanding.js b/src/components/PreLoginLanding/PreLoginLanding.js
index 7c17c663e..acc11e642 100644
--- a/src/components/PreLoginLanding/PreLoginLanding.js
+++ b/src/components/PreLoginLanding/PreLoginLanding.js
@@ -1,4 +1,4 @@
-import React from 'react';
+import React, { useRef } from 'react';
 import { Button, Select, Col, Row } from '@folio/stripes-components';
 import { useIntl } from 'react-intl';
 import PropTypes from 'prop-types';
@@ -21,8 +21,11 @@ function PreLoginLanding({ onSelectTenant }) {
     return '';
   };
 
+  const submitButtonRef = useRef({ disabled: true });
+
   const handleChangeTenant = (e) => {
     const tenantName = e.target.value;
+    submitButtonRef.current.disabled = !tenantName;
     if (tenantName === '') {
       onSelectTenant('', '');
       return;
@@ -50,7 +53,8 @@ function PreLoginLanding({ onSelectTenant }) {
               />
               <Button
                 buttonClass={styles.submitButton}
-                disabled={!okapi.tenant}
+                disabled={submitButtonRef.current.disabled}
+                ref={submitButtonRef}
                 onClick={() => window.location.assign(getLoginUrl())}
                 buttonStyle="primary"
                 fullWidth

From 30fb38ba5f953d6b3132f5881a243e09ed955190 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Wed, 31 Jan 2024 13:07:00 -0500
Subject: [PATCH 13/63] STCOR-796 replace x-okapi-token credentials with RTR
 and cookies (#1410)

Move auth tokens into HTTP-only cookies and implement refresh token
rotation (STCOR-671) by overriding global.fetch and
global.XMLHttpRequest, disabling login when cookies are disabled
(STCOR-762). This functionality is implemented behind an opt-in
feature-flag (STCOR-763).

Okapi and Keycloak do not handle the same situations in the same ways.
Changes from the original implementation in PR #1376:

* When a token is missing:
  * Okapi sends a 400 `text/plain` response
  * Keycloak sends a 401 `application/json` response
* Keycloak authentication includes the extra step of exchanging the OTP
  for the AT/RT and that request needs the `credentials` and `mode`
  options
* Some `loginServices` functions now retrieve the host the access from
  the `stripes-config` import instead of a function argument
* always permit `/authn/token` requests to go through

Refs STCOR-796, STCOR-671

(cherry picked from commit 036135333b1bc7b7f52d518506b88eb7446f1358)
---
 CHANGELOG.md                         |   3 +
 src/components/Login/Login.js        | 101 +++++++++------------------
 src/components/Login/index.js        |   2 +-
 src/components/MainNav/MainNav.js    |   8 +++
 src/components/OIDCLanding.js        |   7 +-
 src/loginServices.js                 |  20 +++---
 src/loginServices.test.js            |   4 +-
 translations/stripes-core/en.json    |   1 +
 translations/stripes-core/en_GB.json |   1 +
 translations/stripes-core/en_SE.json |   1 +
 translations/stripes-core/en_US.json |   1 +
 yarn.lock                            |  16 +++++
 12 files changed, 81 insertions(+), 84 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 54c511384..3724ded44 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -44,6 +44,7 @@
 * Add `idName` and `limit` as passable props to `useChunkedCQLFetch`. Refs STCOR-821.
 * Check for valid token before rotating during XHR send. Refs STCOR-817.
 * Remove `autoComplete` from `<ForgotPassword>`, `<ForgotUsername>` fields. Refs STCOR-742.
+* Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
 
 ## [10.0.3](https://github.com/folio-org/stripes-core/tree/v10.0.3) (2023-11-10)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.0.2...v10.0.3)
@@ -60,6 +61,8 @@
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.0.0...v10.0.1)
 
 * Export `validateUser`. Refs STCOR-749.
+* Opt-in: handle access-control via cookies. Refs STCOR-671.
+* Opt-in: disable login when cookies are disabled. Refs STCOR-762.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)
diff --git a/src/components/Login/Login.js b/src/components/Login/Login.js
index 56440732f..63e91b612 100644
--- a/src/components/Login/Login.js
+++ b/src/components/Login/Login.js
@@ -1,72 +1,45 @@
 import React, { Component } from 'react';
 import PropTypes from 'prop-types';
-import { connect as reduxConnect } from 'react-redux';
-import {
-  withRouter,
-  matchPath,
-} from 'react-router-dom';
-
-import { ConnectContext } from '@folio/stripes-connect';
-import {
-  requestLogin,
-  requestSSOLogin,
-} from '../../loginServices';
-import { setAuthError } from '../../okapiActions';
-
-class LoginCtrl extends Component {
-  static propTypes = {
-    authFailure: PropTypes.arrayOf(PropTypes.object),
-    ssoEnabled: PropTypes.bool,
-    autoLogin: PropTypes.shape({
-      username: PropTypes.string.isRequired,
-      password: PropTypes.string.isRequired,
-    }),
-    clearAuthErrors: PropTypes.func.isRequired,
-    history: PropTypes.shape({
-      push: PropTypes.func.isRequired,
-    }).isRequired,
-    location: PropTypes.shape({
-      pathname: PropTypes.string.isRequired,
-    }).isRequired,
-  };
+import { FormattedMessage } from 'react-intl';
+import { Field, Form } from 'react-final-form';
 
-  static contextType = ConnectContext;
+import { branding } from 'stripes-config';
 
-  constructor(props) {
-    super(props);
-    this.sys = require('stripes-config'); // eslint-disable-line global-require
-    this.authnUrl = this.sys.okapi.authnUrl;
-    this.okapiUrl = this.sys.okapi.url;
-    this.tenant = this.sys.okapi.tenant;
-    if (props.autoLogin && props.autoLogin.username) {
-      this.handleSubmit(props.autoLogin);
-    }
-  }
+import {
+  TextField,
+  Button,
+  Row,
+  Col,
+  Headline,
+} from '@folio/stripes-components';
 
-  componentWillUnmount() {
-    this.props.clearAuthErrors();
-  }
+import SSOLogin from '../SSOLogin';
+import OrganizationLogo from '../OrganizationLogo';
+import AuthErrorsContainer from '../AuthErrorsContainer';
+import FieldLabel from '../CreateResetPassword/components/FieldLabel';
 
-  handleSuccessfulLogin = () => {
-    if (matchPath(this.props.location.pathname, '/login')) {
-      this.props.history.push('/');
-    }
-  }
+import styles from './Login.css';
 
-  handleSubmit = (data) => {
-    return requestLogin({ okapi: this.sys.okapi }, this.context.store, this.tenant, data)
-      .then(this.handleSuccessfulLogin)
-      .catch(e => {
-        console.error(e); // eslint-disable-line no-console
-      });
-  }
+class Login extends Component {
+  static propTypes = {
+    ssoActive: PropTypes.bool,
+    authErrors: PropTypes.arrayOf(PropTypes.object),
+    onSubmit: PropTypes.func.isRequired,
+    handleSSOLogin: PropTypes.func.isRequired,
+  };
 
-  handleSSOLogin = () => {
-    requestSSOLogin(this.okapiUrl, this.tenant);
-  }
+  static defaultProps = {
+    authErrors: [],
+    ssoActive: false,
+  };
 
   render() {
-    const { authFailure, ssoEnabled } = this.props;
+    const {
+      authErrors,
+      handleSSOLogin,
+      ssoActive,
+      onSubmit,
+    } = this.props;
 
     const cookieMessage = navigator.cookieEnabled ?
       '' :
@@ -268,12 +241,4 @@ class LoginCtrl extends Component {
   }
 }
 
-const mapStateToProps = state => ({
-  authFailure: state.okapi.authFailure,
-  ssoEnabled: state.okapi.ssoEnabled,
-});
-const mapDispatchToProps = dispatch => ({
-  clearAuthErrors: () => dispatch(setAuthError([])),
-});
-
-export default reduxConnect(mapStateToProps, mapDispatchToProps)(withRouter(LoginCtrl));
+export default Login;
diff --git a/src/components/Login/index.js b/src/components/Login/index.js
index 2a741cdbd..44e798405 100644
--- a/src/components/Login/index.js
+++ b/src/components/Login/index.js
@@ -1 +1 @@
-export { default } from './Login';
+export { default } from './LoginCtrl';
diff --git a/src/components/MainNav/MainNav.js b/src/components/MainNav/MainNav.js
index 1ced15b62..2a26383d4 100644
--- a/src/components/MainNav/MainNav.js
+++ b/src/components/MainNav/MainNav.js
@@ -116,6 +116,14 @@ class MainNav extends Component {
     });
   }
 
+  // Return the user to the login screen, but after logging in they will return to their previous activity.
+  returnToLogin() {
+    const { okapi } = this.store.getState();
+
+    return getLocale(okapi.url, this.store, okapi.tenant)
+      .then(sessionLogout(okapi.url, this.store));
+  }
+
   // return the user to the login screen, but after logging in they will be brought to the default screen.
   logout() {
     const { okapi } = this.store.getState();
diff --git a/src/components/OIDCLanding.js b/src/components/OIDCLanding.js
index 82ae09c1c..18960f8f9 100644
--- a/src/components/OIDCLanding.js
+++ b/src/components/OIDCLanding.js
@@ -47,8 +47,7 @@ const OIDCLanding = () => {
   const otp = getOtp();
 
   /**
-   * Exchange the otp for an access token, then use it to retrieve
-   * the user
+   * Exchange the otp for AT/RT cookies, then retrieve the user.
    *
    * See https://ebscoinddev.atlassian.net/wiki/spaces/TEUR/pages/12419306/mod-login-keycloak#mod-login-keycloak-APIs
    * for additional details. May not be necessary for SAML-specific pages
@@ -58,12 +57,14 @@ const OIDCLanding = () => {
   useEffect(() => {
     if (otp) {
       fetch(`${okapi.url}/authn/token?code=${otp}&redirect-uri=${window.location.protocol}//${window.location.host}/oidc-landing`, {
+        credentials: 'include',
         headers: { 'X-Okapi-tenant': okapi.tenant, 'Content-Type': 'application/json' },
+        mode: 'cors',
       })
         .then((resp) => {
           if (resp.ok) {
             return resp.json().then((json) => {
-              return requestUserWithPermsDeb(okapi.url, store, okapi.tenant, json.okapiToken);
+              return requestUserWithPermsDeb(okapi.url, store, okapi.tenant);
             });
           } else {
             return resp.json().then((error) => {
diff --git a/src/loginServices.js b/src/loginServices.js
index 5de0c3741..5c1dc0900 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -298,8 +298,8 @@ export function getUserLocale(okapiUrl, store, tenant, userId) {
  */
 export function getPlugins(okapiUrl, store, tenant) {
   return fetch(`${okapiUrl}/configurations/entries?query=(module==PLUGINS)`, {
-    headers: getHeaders(tenant, store.getState().okapi.token),
     credentials: 'include',
+    headers: getHeaders(tenant, store.getState().okapi.token),
     mode: 'cors',
   })
     .then((response) => {
@@ -513,9 +513,9 @@ export async function logout(okapiUrl, store) {
  * Dispatch the session object, then return a Promise that fetches
  * and dispatches tenant resources.
  *
- * @param {object} store
- * @param {string} tenant
- * @param {string} token
+ * @param {object} store redux store
+ * @param {string} tenant tenant name
+ * @param {string} token access token [deprecated; prefer folioAccessToken cookie]
  * @param {*} data
  *
  * @returns {Promise}
@@ -534,7 +534,7 @@ export function createOkapiSession(store, tenant, token, data) {
 
   store.dispatch(setCurrentPerms(perms));
 
-  // if we can't parse tokenExpiration data, e.g. because data comes from `/bl-users/_self`
+  // if we can't parse tokenExpiration data, e.g. because data comes from `.../_self`
   // which doesn't provide it, then set an invalid AT value and a near-future (+10 minutes) RT value.
   // the invalid AT will prompt an RTR cycle which will either give us new AT/RT values
   // (if the RT was valid) or throw an RTR_ERROR (if the RT was not valid).
@@ -653,7 +653,7 @@ export function handleLoginError(dispatch, resp) {
 /**
  * processOkapiSession
  * create a new okapi session with the response from either a username/password
- * authentication request or a bl-users/_self request.
+ * authentication request or a .../_self request.
  * response body is shaped like
  * {
     'access_token': 'SOME_STRING',
@@ -693,7 +693,7 @@ export function processOkapiSession(store, tenant, resp, ssoToken) {
 
 /**
  * validateUser
- * return a promise that fetches from bl-users/_self.
+ * return a promise that fetches from .../_self.
  * if successful, dispatch the result to create a session
  * if not, clear the session and token.
  *
@@ -706,7 +706,8 @@ export function processOkapiSession(store, tenant, resp, ssoToken) {
  */
 export function validateUser(okapiUrl, store, tenant, session) {
   const { token, tenant: sessionTenant = tenant } = session;
-  return fetch(`${okapiUrl}/bl-users/_self?expandPermissions=true`, {
+  const usersPath = okapi.authnUrl ? 'users-keycloak' : 'bl-users';
+  return fetch(`${okapiUrl}/${usersPath}/_self?expandPermissions=true`, {
     headers: getHeaders(sessionTenant, token),
     credentials: 'include',
     mode: 'cors',
@@ -737,8 +738,7 @@ export function validateUser(okapiUrl, store, tenant, session) {
           token,
           tokenExpiration: session.tokenExpiration
         }));
-
-        return loadResources(okapiUrl, store, sessionTenant, user.id);
+        return loadResources(store, sessionTenant, user.id);
       });
     } else {
       store.dispatch(clearCurrentUser());
diff --git a/src/loginServices.test.js b/src/loginServices.test.js
index f4692d699..dfc5cbde7 100644
--- a/src/loginServices.test.js
+++ b/src/loginServices.test.js
@@ -207,7 +207,7 @@ describe('processOkapiSession', () => {
 
     mockFetchSuccess();
 
-    await processOkapiSession(store, 'tenant', resp, 'token');
+    await processOkapiSession(store, 'tenant', resp);
     expect(store.dispatch).toHaveBeenCalledWith(setAuthError(null));
     expect(store.dispatch).toHaveBeenCalledWith(setOkapiReady());
 
@@ -224,7 +224,7 @@ describe('processOkapiSession', () => {
       }
     };
 
-    await processOkapiSession(store, 'tenant', resp, 'token');
+    await processOkapiSession(store, 'tenant', resp);
 
     expect(store.dispatch).toHaveBeenCalledWith(setOkapiReady());
     expect(store.dispatch).toHaveBeenCalledWith(setAuthError([defaultErrors.DEFAULT_LOGIN_CLIENT_ERROR]));
diff --git a/translations/stripes-core/en.json b/translations/stripes-core/en.json
index b86b68a25..b08b58fc5 100644
--- a/translations/stripes-core/en.json
+++ b/translations/stripes-core/en.json
@@ -13,6 +13,7 @@
   "title.noPermission": "No permission",
   "title.cookieEnabled": "Cookies are required to login. Please enable cookies and try again.",
   "title.logout": "Log out",
+  "title.cookieEnabled": "Cookies are required to login. Please enable cookies and try again.",
   "front.welcome": "Welcome, the Future Of Libraries Is OPEN!",
   "front.home": "Home",
   "front.about": "Software versions",
diff --git a/translations/stripes-core/en_GB.json b/translations/stripes-core/en_GB.json
index bc8e80dc6..e3cb30203 100644
--- a/translations/stripes-core/en_GB.json
+++ b/translations/stripes-core/en_GB.json
@@ -64,6 +64,7 @@
     "title.forgotUsername": "Forgot username?",
     "title.checkEmail": "Check your email",
     "title.changePassword": "Change password",
+    "title.cookieEnabled": "Cookies are required to login. Please enable cookies and try again.",
     "button.hidePassword": "Hide password",
     "button.showPassword": "Show password",
     "button.forgotPassword": "Forgot password?",
diff --git a/translations/stripes-core/en_SE.json b/translations/stripes-core/en_SE.json
index bc8e80dc6..e3cb30203 100644
--- a/translations/stripes-core/en_SE.json
+++ b/translations/stripes-core/en_SE.json
@@ -64,6 +64,7 @@
     "title.forgotUsername": "Forgot username?",
     "title.checkEmail": "Check your email",
     "title.changePassword": "Change password",
+    "title.cookieEnabled": "Cookies are required to login. Please enable cookies and try again.",
     "button.hidePassword": "Hide password",
     "button.showPassword": "Show password",
     "button.forgotPassword": "Forgot password?",
diff --git a/translations/stripes-core/en_US.json b/translations/stripes-core/en_US.json
index 35aea7c1f..5571a649d 100644
--- a/translations/stripes-core/en_US.json
+++ b/translations/stripes-core/en_US.json
@@ -66,6 +66,7 @@
     "title.forgotUsername": "Forgot username?",
     "title.checkEmail": "Check your email",
     "title.changePassword": "Change password",
+    "title.cookieEnabled": "Cookies are required to login. Please enable cookies and try again.",
     "button.hidePassword": "Hide password",
     "button.showPassword": "Show password",
     "button.forgotPassword": "Forgot password?",
diff --git a/yarn.lock b/yarn.lock
index 3aec5a092..c0e30184d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -10906,6 +10906,22 @@ possible-typed-array-names@^1.0.0:
   resolved "https://registry.yarnpkg.com/possible-typed-array-names/-/possible-typed-array-names-1.0.0.tgz#89bb63c6fada2c3e90adc4a647beeeb39cc7bf8f"
   integrity sha512-d7Uw+eZoloe0EHDIYoe+bQ5WXnGMOpmiZFTuMWCwpjzzkL2nTjcKiAk4hh8TjnGye2TwWOk3UXucZ+3rbmBa8Q==
 
+postcss-calc@^9.0.1:
+  version "9.0.1"
+  resolved "https://registry.yarnpkg.com/postcss-calc/-/postcss-calc-9.0.1.tgz#a744fd592438a93d6de0f1434c572670361eb6c6"
+  integrity sha512-TipgjGyzP5QzEhsOZUaIkeO5mKeMFpebWzRogWG/ysonUlnHcq5aJe0jOjpfzUU8PeSaBQnrE8ehR0QA5vs8PQ==
+  dependencies:
+    postcss-selector-parser "^6.0.11"
+    postcss-value-parser "^4.2.0"
+
+postcss-color-function@folio-org/postcss-color-function:
+  version "4.1.0"
+  resolved "https://codeload.github.com/folio-org/postcss-color-function/tar.gz/c128aad740ae740fb571c4b6493f467dd51efe85"
+  dependencies:
+    css-color-function "~1.3.3"
+    postcss-message-helpers "^2.0.0"
+    postcss-value-parser "^4.1.0"
+
 postcss-custom-media@^9.0.1:
   version "9.1.5"
   resolved "https://registry.yarnpkg.com/postcss-custom-media/-/postcss-custom-media-9.1.5.tgz#20c5822dd15155d768f8dd84e07a6ffd5d01b054"

From 58de7510cd6a66db022eb3d7bc47cb6c0e10d387 Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Tue, 13 Feb 2024 13:05:44 -0500
Subject: [PATCH 14/63] Add opt-in "Really logout?" stripes.config.js option
 (#1420)

* STCOR-803 Add config option for logout mode

* Lint fix
---
 src/App.js               | 2 +-
 src/RootWithIntl.test.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/App.js b/src/App.js
index 6a6b7ea9e..a0061011f 100644
--- a/src/App.js
+++ b/src/App.js
@@ -64,7 +64,7 @@ export default class StripesCore extends Component {
           logger={this.logger}
           config={config}
           actionNames={this.actionNames}
-          disableAuth={(config && config.disableAuth) || false}
+          disableAuth={(config?.disableAuth) || false}
           {...props}
         />
       </StrictWrapper>
diff --git a/src/RootWithIntl.test.js b/src/RootWithIntl.test.js
index 1a3c7a0b3..205cd3a5f 100644
--- a/src/RootWithIntl.test.js
+++ b/src/RootWithIntl.test.js
@@ -64,7 +64,7 @@ describe('RootWithIntl', () => {
     it('handles third-party logout', () => {
       const stripes = {
         okapi: { authnUrl: 'https://oppie.com' },
-        config: { },
+        config: { confirmLogout: true },
       };
       render(renderLogoutComponent(stripes));
 

From a884e1993f651021719f42a7bec8f578d275cea6 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Wed, 14 Feb 2024 08:01:55 -0500
Subject: [PATCH 15/63] STCOR-798 Add Jest tests for SSO Landing - remove BTOG
 tests for the component. (#1411) (#1422)

* move async localforage.clear to afterEach

* remove BTOG sso login tests, add sso login jest tests

* Update CHANGELOG.md

* move describe block comments to it blocks.. remove describe blocks

(cherry picked from commit 79c76c4186e623af79bf2ac7833421f24cd3e000)

Co-authored-by: John Coburn <jcoburn@ebsco.com>
---
 CHANGELOG.md                      |  1 +
 src/components/SSOLanding.test.js | 65 +++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 src/components/SSOLanding.test.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3724ded44..87212dbbe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -63,6 +63,7 @@
 * Export `validateUser`. Refs STCOR-749.
 * Opt-in: handle access-control via cookies. Refs STCOR-671.
 * Opt-in: disable login when cookies are disabled. Refs STCOR-762.
+* Convert `<SSOLanding />` tests to jest. STCOR-798.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)
diff --git a/src/components/SSOLanding.test.js b/src/components/SSOLanding.test.js
new file mode 100644
index 000000000..9d9dd452e
--- /dev/null
+++ b/src/components/SSOLanding.test.js
@@ -0,0 +1,65 @@
+import { render, screen } from '@folio/jest-config-stripes/testing-library/react';
+import { useLocation } from 'react-router-dom';
+import { useCookies } from 'react-cookie';
+import { requestUserWithPerms } from '../loginServices';
+
+import SSOLanding from './SSOLanding';
+
+jest.mock('lodash', () => ({
+  debounce: jest.fn(fn => fn)
+}));
+
+jest.mock('../loginServices', () => ({
+  requestUserWithPerms: jest.fn(() => {})
+}));
+
+jest.mock('react-router-dom', () => ({
+  useLocation: jest.fn()
+}));
+
+jest.mock('stripes-config', () => ({
+  okapi: {
+    url: 'okapiUrl',
+    tenant: 'okapiTenant'
+  }
+}),
+{ virtual: true });
+
+jest.mock('react-cookie', () => ({
+  useCookies: jest.fn()
+}));
+
+jest.mock('react-redux', () => ({
+  useStore: jest.fn()
+}));
+
+describe('SSOLanding', () => {
+  beforeEach(() => {
+    useLocation.mockImplementation(() => ({ search: '' }));
+    useCookies.mockImplementation(() => [{}]);
+  });
+
+  afterEach(() => {
+    jest.resetAllMocks();
+  });
+
+  it('handles token within query parameters', () => {
+    useLocation.mockImplementation(() => ({ search: 'ssoToken=c0ffee' }));
+    render(<SSOLanding />);
+    expect(requestUserWithPerms.mock.calls).toHaveLength(1);
+    expect(screen.getByText(/Logged in with token.*param\.$/)).toBeInTheDocument();
+  });
+
+  it('handles token within a cookie', () => {
+    useCookies.mockImplementation(() => ([{ ssoToken: 'c0ffee-c0ffee' }]));
+    render(<SSOLanding />);
+    expect(requestUserWithPerms.mock.calls).toHaveLength(1);
+    expect(screen.getByText(/Logged in with token.*cookie\.$/)).toBeInTheDocument();
+  });
+
+  it('displays error with no token.', () => {
+    render(<SSOLanding />);
+    expect(requestUserWithPerms.mock.calls).toHaveLength(0);
+    expect(screen.getByText('No cookie or query parameter')).toBeInTheDocument();
+  });
+});

From f0519e5cedf0427cad63a7a486cc01acff0ee8c3 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Wed, 14 Feb 2024 08:14:14 -0500
Subject: [PATCH 16/63] STCOR-811 parse /authn/token response for AT/RT
 expirations (#1417)

If the response from `/auth/token?code=...` is OK, parse it to
immediately store the AT/RT expiration values (or use a near-future date
if values are not provided). Stripes must expect the RT to be valid for
any future API call to succeed; otherwise, it will assume the RT has
expired resulting in a race condition with the RTR handler dispatching
an RTR_ERROR_EVENT but discovery succeeding and re-rendering.

This would result in the API call to `.../_self` issued by
`requestUserWithPerms` being swallowed and `stripes.user` being
populated with an empty object, causing all kinds of problems down the
line for any code that leveraged it.

Refs STCOR-811
---
 CHANGELOG.md                  |  1 +
 src/components/OIDCLanding.js | 75 +++++++++++++++++++++--------------
 2 files changed, 47 insertions(+), 29 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 87212dbbe..b5dda83a2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -64,6 +64,7 @@
 * Opt-in: handle access-control via cookies. Refs STCOR-671.
 * Opt-in: disable login when cookies are disabled. Refs STCOR-762.
 * Convert `<SSOLanding />` tests to jest. STCOR-798.
+* Parse response from `/authn/token` to immediately store AT/RT expiration values. Refs STCOR-811.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)
diff --git a/src/components/OIDCLanding.js b/src/components/OIDCLanding.js
index 18960f8f9..5887c67e0 100644
--- a/src/components/OIDCLanding.js
+++ b/src/components/OIDCLanding.js
@@ -1,5 +1,4 @@
-import { debounce } from 'lodash';
-import React, { useEffect, useRef } from 'react';
+import React, { useEffect, useState } from 'react';
 import { useLocation, Redirect } from 'react-router-dom';
 import queryString from 'query-string';
 import { useStore } from 'react-redux';
@@ -7,44 +6,30 @@ import { FormattedMessage } from 'react-intl';
 
 import { Loading } from '@folio/stripes-components';
 
-import { requestUserWithPerms } from '../loginServices';
+import { requestUserWithPerms, setTokenExpiry } from '../loginServices';
 
 import css from './Front.css';
 import { useStripes } from '../StripesContext';
 
-const requestUserWithPermsDeb = debounce(requestUserWithPerms, 5000, { leading: true, trailing: false });
-
 /**
  * OIDCLanding: un-authenticated route handler for /sso-landing.
  *
  * Reads one-time-code from URL params, exchanging it for an access_token
  * and then leveraging that to retrieve a user via requestUserWithPerms,
  * eventually dispatching session and Okapi-ready, resulting in a
- * re-render with a token present, i.e., authenticated.
+ * re-render of RoothWithIntl with prop isAuthenticated: true.
  *
  * @see RootWithIntl
  */
 const OIDCLanding = () => {
   const location = useLocation();
   const store = useStore();
-  const samlError = useRef();
+  // const samlError = useRef();
   const { okapi } = useStripes();
 
-  const getParams = () => {
-    const search = location.search;
-    if (!search) return undefined;
-    return queryString.parse(search) || {};
-  };
-
-  /**
-   * retrieve the OTP
-   * @returns {string}
-   */
-  const getOtp = () => {
-    return getParams()?.code;
-  };
+  const [potp, setPotp] = useState();
+  const [samlError, setSamlError] = useState();
 
-  const otp = getOtp();
 
   /**
    * Exchange the otp for AT/RT cookies, then retrieve the user.
@@ -55,7 +40,24 @@ const OIDCLanding = () => {
    * the response for SSO-y values or SAML-y values and act accordingly.
    */
   useEffect(() => {
+    const getParams = () => {
+      const search = location.search;
+      if (!search) return undefined;
+      return queryString.parse(search) || {};
+    };
+
+    /**
+     * retrieve the OTP
+     * @returns {string}
+     */
+    const getOtp = () => {
+      return getParams()?.code;
+    };
+
+    const otp = getOtp();
+
     if (otp) {
+      setPotp(otp);
       fetch(`${okapi.url}/authn/token?code=${otp}&redirect-uri=${window.location.protocol}//${window.location.host}/oidc-landing`, {
         credentials: 'include',
         headers: { 'X-Okapi-tenant': okapi.tenant, 'Content-Type': 'application/json' },
@@ -63,9 +65,16 @@ const OIDCLanding = () => {
       })
         .then((resp) => {
           if (resp.ok) {
-            return resp.json().then((json) => {
-              return requestUserWithPermsDeb(okapi.url, store, okapi.tenant);
-            });
+            return resp.json()
+              .then((json) => {
+                return setTokenExpiry({
+                  atExpires: json.accessTokenExpiration ? new Date(json.accessTokenExpiration) : Date.now() + (60 * 1000),
+                  rtExpires: json.refreshTokenExpiration ? new Date(json.refreshTokenExpiration) : Date.now() + (2 * 60 * 1000),
+                });
+              })
+              .then(() => {
+                return requestUserWithPerms(okapi.url, store, okapi.tenant);
+              });
           } else {
             return resp.json().then((error) => {
               throw error;
@@ -75,20 +84,28 @@ const OIDCLanding = () => {
         .catch(e => {
           // eslint-disable-next-line no-console
           console.error('@@ Oh, snap, OTP exchange failed!', e);
-          samlError.current = e;
+          setSamlError(e);
         });
     }
-  }, [otp, store, okapi.tenant, okapi.url]);
+    // we only want to run this effect once, on load.
+    // keycloak authentication will redirect here and the other deps will be constant:
+    // location.search: the query string; this will never change
+    // okapi.tenant, okapi.url: these are defined in stripes.config.js
+    // store: the redux store
+  }, []); // eslint-disable-line react-hooks/exhaustive-deps
 
-  if (!otp) {
+  if (samlError) {
     return (
       <div data-test-saml-error>
         <div>
           <FormattedMessage id="errors.saml.missingToken" />
         </div>
         <div>
+          <h3>code</h3>
+          {potp}
+          <h3>error</h3>
           <code>
-            {JSON.stringify(samlError.current, null, 2)}
+            {JSON.stringify(samlError, null, 2)}
           </code>
         </div>
         <Redirect to="/" />
@@ -103,7 +120,7 @@ const OIDCLanding = () => {
       </div>
       <div>
         <pre>
-          {JSON.stringify(samlError.current, null, 2)}
+          {JSON.stringify(samlError, null, 2)}
         </pre>
       </div>
     </div>

From 9ab368f368cff039f2931b44e0e65d08bcd940bb Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Wed, 14 Feb 2024 10:00:07 -0500
Subject: [PATCH 17/63] STCOR-812 include X-Okapi-Tenant header in
 /authn/logout requests (#1416)

Include the `X-Okapi-Tenant` header in `/authn/logout` requests, and
clear `localStorage` settings as well. `X-Okapi-Tenant` is required for
requests to be properly routed; if this request failed, the browser
session would be destroyed by the keycloak session would remain active,
a security risk.

Clearing `localStorage.tenant` is necessary to prevent an incorrect
value from being cached and inadvertently reused on subsequent login
requests.

Refs STCOR-812
---
 CHANGELOG.md              | 1 +
 src/loginServices.test.js | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b5dda83a2..734763648 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -65,6 +65,7 @@
 * Opt-in: disable login when cookies are disabled. Refs STCOR-762.
 * Convert `<SSOLanding />` tests to jest. STCOR-798.
 * Parse response from `/authn/token` to immediately store AT/RT expiration values. Refs STCOR-811.
+* Include `X-Okapi-Tenant` header in `/authn/logout` calls. Refs STCOR-812.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)
diff --git a/src/loginServices.test.js b/src/loginServices.test.js
index dfc5cbde7..5ac74a286 100644
--- a/src/loginServices.test.js
+++ b/src/loginServices.test.js
@@ -358,6 +358,7 @@ describe('validateUser', () => {
   it('handles invalid user', async () => {
     const store = {
       dispatch: jest.fn(),
+      getState: () => ({ okapi: { tenant: 'monkey' } }),
     };
 
     global.fetch = jest.fn().mockImplementation(() => {

From cc558af734e479d845f81fe666db4faf87ce983e Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Wed, 14 Feb 2024 10:12:25 -0500
Subject: [PATCH 18/63] STCOR-813 correctly parse .../_self permissions (#1421)

The shape of the permissions object differs between responses from calls
to `login` and calls to `_self`. This is not awesome. We didn't notice
this glitch prior to implementing keycloak because when resuming an
existing session (i.e. when calling `_self`), permissions are set as the
union of permissions in storage (i.e. stored by a call to `login`) and
those from the call to `_self`. We just never noticed that the latter
was always empty.

With keycloak handling authentication, however, the _only_ permissions
we ever receive are in the response from `_self`, so we noticed this
immediately.

Refs STCOR-813
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 734763648..280095175 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -66,6 +66,7 @@
 * Convert `<SSOLanding />` tests to jest. STCOR-798.
 * Parse response from `/authn/token` to immediately store AT/RT expiration values. Refs STCOR-811.
 * Include `X-Okapi-Tenant` header in `/authn/logout` calls. Refs STCOR-812.
+* Correctly parse `.../_self` permissions object. Refs STCOR-813.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)

From 96c61d33199c12b18f63960f3d61f552816e1262 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Wed, 14 Feb 2024 14:29:43 -0500
Subject: [PATCH 19/63] STCOR-770: Export getEventHandler to be able to create
 events in other modules. (#1383) (#1424)

(cherry picked from commit 190d87e7559cb4352ec95ba52bd8ac87a2d7f771)

Co-authored-by: Dmytro-Melnyshyn <77053927+Dmytro-Melnyshyn@users.noreply.github.com>
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 280095175..ea2575674 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -67,6 +67,7 @@
 * Parse response from `/authn/token` to immediately store AT/RT expiration values. Refs STCOR-811.
 * Include `X-Okapi-Tenant` header in `/authn/logout` calls. Refs STCOR-812.
 * Correctly parse `.../_self` permissions object. Refs STCOR-813.
+* Export `getEventHandler` to be able to create events in other modules. Refs STCOR-770.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)

From 7f8b16717fad48a09a75f7893eaebf87a30a7e93 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Fri, 16 Feb 2024 11:13:37 -0500
Subject: [PATCH 20/63] STCOR-810 cleanup deprecated entitlement params (#1418)

Remove references to the `stripes.config.js::config` values
`tenantManagerUrl` and `applicationManagerUrl`. These were present in
early drafts of this work but have since been deprecated and therefore
must be removed from code as well.

Refs STCOR-810
---
 src/components/About/About.js      | 2 +-
 src/components/About/About.test.js | 2 +-
 src/discoverServices.js            | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/components/About/About.js b/src/components/About/About.js
index 2835e8e20..52b36f1c9 100644
--- a/src/components/About/About.js
+++ b/src/components/About/About.js
@@ -63,7 +63,7 @@ const About = (props) => {
       )}
       <AboutInstallMessages />
       <div className={css.versionsContainer}>
-        {okapiConfig.tenantEntitlementUrl ? (
+        {okapiConfig.tenantOptions ? (
           <>
             <div className={css.versionsColumn} data-test-stripes-core-about-module-versions>
               <AboutApplicationVersions message={numApplicationsMsg} applications={applications} />
diff --git a/src/components/About/About.test.js b/src/components/About/About.test.js
index e50950ba6..64d4dde47 100644
--- a/src/components/About/About.test.js
+++ b/src/components/About/About.test.js
@@ -36,7 +36,7 @@ jest.mock('./AboutUIModuleDetails', () => () => 'AboutUIModuleDetails');
 jest.mock('./WarningBanner', () => () => 'WarningBanner');
 
 jest.mock('stripes-config', () => ({
-  okapi: { tenantEntitlementUrl: true },
+  okapi: { tenantOptions: true },
 }));
 
 // set query retries to false. otherwise, react-query will thoughtfully
diff --git a/src/discoverServices.js b/src/discoverServices.js
index 681813002..1548af370 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -220,7 +220,7 @@ function fetchModules(store) {
  */
 export function discoverServices(store) {
   const promises = [];
-  if (okapiConfig.tenantEntitlementUrl) {
+  if (okapiConfig.tenantOptions) {
     promises.push(fetchApplicationDetails(store));
     promises.push(fetchGatewayVersion(store));
   } else {

From 6ef610c449ece1ac6ca11751390ec3cd598932cb Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Fri, 16 Feb 2024 16:15:40 -0500
Subject: [PATCH 21/63] [STCOR-803] Simplify logout workflow to bypass keycloak
 confirmation page (#1426)

* STCOR-803 Add config option for logout mode

* Lint fix

* Revert "STCOR-803 Add config option for logout mode"

This reverts commit b9d26043b472ed7bb1b9b466d2ec6c828ee14c02.

* STCOR-803 Simplify logout workflow to bypass keycloak confirmation page.

* STCOR-803 PR comments

* Revert "STCOR-803 PR comments"

This reverts commit 037b6a2d13b71b110574c3169a4b85fa2f58c90b.

* STCOR-803 Restore console log
---
 CHANGELOG.md             |  1 +
 src/RootWithIntl.test.js | 10 ----------
 2 files changed, 1 insertion(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ea2575674..6f79e6e46 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -68,6 +68,7 @@
 * Include `X-Okapi-Tenant` header in `/authn/logout` calls. Refs STCOR-812.
 * Correctly parse `.../_self` permissions object. Refs STCOR-813.
 * Export `getEventHandler` to be able to create events in other modules. Refs STCOR-770.
+* Simplify logout workflow to bypass keycloak confirmation page. Refs STCOR-803.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)
diff --git a/src/RootWithIntl.test.js b/src/RootWithIntl.test.js
index 205cd3a5f..2e002c20a 100644
--- a/src/RootWithIntl.test.js
+++ b/src/RootWithIntl.test.js
@@ -60,15 +60,5 @@ describe('RootWithIntl', () => {
 
       expect(screen.getByText(/<internalredirect>/)).toBeInTheDocument();
     });
-
-    it('handles third-party logout', () => {
-      const stripes = {
-        okapi: { authnUrl: 'https://oppie.com' },
-        config: { confirmLogout: true },
-      };
-      render(renderLogoutComponent(stripes));
-
-      expect(screen.getByText(/<redirect>/)).toBeInTheDocument();
-    });
   });
 });

From 7e7a87c61f67f3f118ac8f5d74898ff52ab1c3f7 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Sun, 18 Feb 2024 07:15:01 -0500
Subject: [PATCH 22/63] Revert "STCOR-810 cleanup deprecated entitlement params
 (#1418)" (#1427)

This reverts commit 13b9dc48f7da6c81072edda5c2732f252a997a12.

The conditional here checked `okapi.tenantOptions`; it must check `config.tenantOptions`.
---
 src/components/About/About.js      | 2 +-
 src/components/About/About.test.js | 2 +-
 src/discoverServices.js            | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/components/About/About.js b/src/components/About/About.js
index 52b36f1c9..2835e8e20 100644
--- a/src/components/About/About.js
+++ b/src/components/About/About.js
@@ -63,7 +63,7 @@ const About = (props) => {
       )}
       <AboutInstallMessages />
       <div className={css.versionsContainer}>
-        {okapiConfig.tenantOptions ? (
+        {okapiConfig.tenantEntitlementUrl ? (
           <>
             <div className={css.versionsColumn} data-test-stripes-core-about-module-versions>
               <AboutApplicationVersions message={numApplicationsMsg} applications={applications} />
diff --git a/src/components/About/About.test.js b/src/components/About/About.test.js
index 64d4dde47..e50950ba6 100644
--- a/src/components/About/About.test.js
+++ b/src/components/About/About.test.js
@@ -36,7 +36,7 @@ jest.mock('./AboutUIModuleDetails', () => () => 'AboutUIModuleDetails');
 jest.mock('./WarningBanner', () => () => 'WarningBanner');
 
 jest.mock('stripes-config', () => ({
-  okapi: { tenantOptions: true },
+  okapi: { tenantEntitlementUrl: true },
 }));
 
 // set query retries to false. otherwise, react-query will thoughtfully
diff --git a/src/discoverServices.js b/src/discoverServices.js
index 1548af370..681813002 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -220,7 +220,7 @@ function fetchModules(store) {
  */
 export function discoverServices(store) {
   const promises = [];
-  if (okapiConfig.tenantOptions) {
+  if (okapiConfig.tenantEntitlementUrl) {
     promises.push(fetchApplicationDetails(store));
     promises.push(fetchGatewayVersion(store));
   } else {

From 6ac81a56369aac280f39b79b16c854725a0f96e0 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Mon, 19 Feb 2024 14:45:40 -0500
Subject: [PATCH 23/63] STCOR-810 CORRECTLY clean up deprecated entitlement
 params (#1429)

Remove references to the `stripes.config.js::config` values
`tenantManagerUrl` and `applicationManagerUrl`. These were present in
early drafts of the new discovery work but have since been deprecated
and therefore must be removed from code as well.

Replaces #1418, which did this work incorrectly (referring to
`okapi.[...]` instead of `config.[...]`).

Refs STCOR-810
---
 src/components/About/About.js      |  4 ++--
 src/components/About/About.test.js |  2 +-
 src/discoverServices.js            |  4 ++--
 src/loginServices.test.js          | 14 ++++++++++++++
 4 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/components/About/About.js b/src/components/About/About.js
index 2835e8e20..607282945 100644
--- a/src/components/About/About.js
+++ b/src/components/About/About.js
@@ -1,7 +1,7 @@
 import React, { useRef, useEffect } from 'react';
 import PropTypes from 'prop-types';
 import { FormattedMessage } from 'react-intl';
-import { okapi as okapiConfig } from 'stripes-config';
+import { config } from 'stripes-config';
 import {
   Headline,
   Loading,
@@ -63,7 +63,7 @@ const About = (props) => {
       )}
       <AboutInstallMessages />
       <div className={css.versionsContainer}>
-        {okapiConfig.tenantEntitlementUrl ? (
+        {config.tenantOptions ? (
           <>
             <div className={css.versionsColumn} data-test-stripes-core-about-module-versions>
               <AboutApplicationVersions message={numApplicationsMsg} applications={applications} />
diff --git a/src/components/About/About.test.js b/src/components/About/About.test.js
index e50950ba6..6306e9e31 100644
--- a/src/components/About/About.test.js
+++ b/src/components/About/About.test.js
@@ -36,7 +36,7 @@ jest.mock('./AboutUIModuleDetails', () => () => 'AboutUIModuleDetails');
 jest.mock('./WarningBanner', () => () => 'WarningBanner');
 
 jest.mock('stripes-config', () => ({
-  okapi: { tenantEntitlementUrl: true },
+  config: { tenantOptions: true },
 }));
 
 // set query retries to false. otherwise, react-query will thoughtfully
diff --git a/src/discoverServices.js b/src/discoverServices.js
index 681813002..1a221631a 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -1,5 +1,5 @@
 import { some } from 'lodash';
-import { okapi as okapiConfig } from 'stripes-config';
+import { config } from 'stripes-config';
 
 function getHeaders(tenant, token) {
   return {
@@ -220,7 +220,7 @@ function fetchModules(store) {
  */
 export function discoverServices(store) {
   const promises = [];
-  if (okapiConfig.tenantEntitlementUrl) {
+  if (config.tenantOptions) {
     promises.push(fetchApplicationDetails(store));
     promises.push(fetchGatewayVersion(store));
   } else {
diff --git a/src/loginServices.test.js b/src/loginServices.test.js
index 5ac74a286..81d370a2e 100644
--- a/src/loginServices.test.js
+++ b/src/loginServices.test.js
@@ -1,4 +1,5 @@
 import localforage from 'localforage';
+import { config } from 'stripes-config';
 
 import {
   createOkapiSession,
@@ -48,6 +49,19 @@ jest.mock('localforage', () => ({
   removeItem: jest.fn(() => Promise.resolve()),
 }));
 
+jest.mock('stripes-config', () => ({
+  config: {
+    tenantOptions: {
+      romulus: { name: 'romulus', clientId: 'romulus-application' },
+      remus: { name: 'remus', clientId: 'remus-application' },
+    }
+  },
+  okapi: {
+    authnUrl: 'https://authn.url',
+  },
+  translations: {}
+}));
+
 // fetch success: resolve promise with ok == true and $data in json()
 const mockFetchSuccess = (data) => {
   global.fetch = jest.fn().mockImplementation(() => (

From 3d422d468feb679fd4916d9ef7dff81d6045c8ac Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Mon, 26 Feb 2024 13:39:07 -0500
Subject: [PATCH 24/63] STCOR-816 only fetch /saml/check when login-saml is
 present (#1432)

* STCOR-816 only fetch /saml/check when login-saml is present

When restoring an existing session, after discovery, do not fetch from
`/saml/check` unless the `login-saml` interface (indicating SSO/SAML is
available). The 404 clutters the log.

Refs STCOR-816

* Missing semicolon

---------

Co-authored-by: Ryan Berger <rberger@ebsco.com>
---
 CHANGELOG.md         | 1 +
 src/loginServices.js | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f79e6e46..5d7953818 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -69,6 +69,7 @@
 * Correctly parse `.../_self` permissions object. Refs STCOR-813.
 * Export `getEventHandler` to be able to create events in other modules. Refs STCOR-770.
 * Simplify logout workflow to bypass keycloak confirmation page. Refs STCOR-803.
+* After login, only check SSO endpoints when `login-saml` interface is present. Refs STCOR-816.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)
diff --git a/src/loginServices.js b/src/loginServices.js
index 5c1dc0900..fd2baf01e 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -771,7 +771,10 @@ export function checkOkapiSession(okapiUrl, store, tenant) {
       return sess?.user?.id ? validateUser(okapiUrl, store, tenant, sess) : null;
     })
     .then(() => {
-      return getSSOEnabled(okapiUrl, store, tenant);
+      if (store.getState().discovery?.interfaces?.['login-saml']) {
+        return getSSOEnabled(okapiUrl, store, tenant);
+      }
+      return Promise.resolve();
     })
     .finally(() => {
       store.dispatch(setOkapiReady());

From 0a2db9d7a4bd252e1f983b994e0b92fe21a144b4 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Tue, 27 Feb 2024 16:55:15 -0500
Subject: [PATCH 25/63] STCOR-776 show "Keep working?" prompt when session ages
 (#1431)

* STCOR-776 show "Keep working?" prompt when session ages

The main feature here is to track the RT's TTL and use it to show a
"Your session is about to expire; keep working?" prompt so the user can
fire off RTR in order to keep the session alive. Knock-on effects
include tracking such events across multiple windows, so logging out in
one window immediately logs you out in others, and so a successful RTR
event in one window closes any open "Still working?" prompts in others.
It sounds big, and it looks big, but once you wrap your head around it
isn't so bad.

A couple things to note:

The `loginServices::eventManager()` function provides two event-related
function, `listen` and `emit` that handle single-window events (i.e.
`window.dispatchEvent()`/`window.addEventListener()`) and multi-window
events (i.e. BroadcastChannel.post() and
BroadcastChannel.addEventListener()`). This simplifies the API for
sending and receiving events. [Documentation for
BroadcastChannel](https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_Channel_API)
is pretty good and worth a look. The thing to keep in mind with
single-window events is that they are sent and received in the same
window, whereas BroadcastChannel events are sent in one window but
received in all others.

`<SessionEventContainer>` is instantiated near the top of
`<RootWithIntl>`, just like `<OverlayContainer>`. It sets itself up as
the listener for all session-related events, including RTR-success
(which will close an open "Keep working?" prompt), RTR-failure (which
will cause logout), logout (i.e. a logout event from another window),
and idle session (i.e. the RT is about to expire, which will show the
"Keep working?" modal). Other session-related event handlers have been
removed in favor of consolidating them all in this component.

The `<KeepWorkingModal>` calls RTR if the user closes it, causing the
session to be extended. By default it displays 60 seconds before the
session expires but this can be changed by adjusting
`stripes.config.js::config.idleSessionWarningSeconds`. If the timer
counts down to 0, it emits a session-expired event, causing logout.

Refs STCOR-776

* test repair

* tests are nice

* test infrastructure cleanup

* import from @folio/jest-config-stripes/testing-library to get current
  versions
* rename `dismissible` to `_dismissible` on destructure to prevent
  complaints about it not being used. lint and jest are both happy!
* fix prop-types in test props, which is probably a losing battle

* tests for SessionEventContainer, KeepWorkingModal

Externalize SessionEventContainer event handlers and call them with
1,000 arguments, but at least DI makes them testable. I don't love this,
but jest really couldn't grok having an event-handler trigger a
state-change. If the render and event were both triggered within a
single `act()` the re-render got swallowed. If the original render was
outside an `act()` then jest complained state was changing outside the
`act()` function. Whaddayawant?

* codesmell cleanup recommended by sonar

* tyop

* Lint fixes

* Remove commented-out code

---------

Co-authored-by: Ryan Berger <rberger@ebsco.com>
---
 CHANGELOG.md                                  |  1 +
 index.js                                      |  1 +
 src/Pluggable.js                              |  1 +
 src/RootWithIntl.js                           |  1 +
 src/components/About/AboutOkapi.test.js       | 81 ++++++++++++-------
 src/components/OIDCLanding.js                 |  4 +-
 src/components/Redirect/Redirect.test.js      |  2 +-
 src/components/Root/FFetch.js                 |  1 +
 src/components/Root/Root.js                   |  2 +-
 src/components/Root/token-util.js             |  2 +-
 src/components/Root/token-util.test.js        |  4 +-
 .../SessionEventContainer/useCountdown.js     | 30 +++++++
 src/constants/channels.js                     | 12 +++
 src/constants/events.js                       | 18 +++++
 src/constants/index.js                        |  3 +
 src/discoverServices.js                       |  3 +
 src/loginServices.js                          | 50 ++++++++----
 src/loginServices.test.js                     | 71 +++++++++++++++-
 test/jest/__mock__/stripesComponents.mock.js  | 15 +---
 19 files changed, 234 insertions(+), 68 deletions(-)
 create mode 100644 src/components/SessionEventContainer/useCountdown.js
 create mode 100644 src/constants/channels.js
 create mode 100644 src/constants/events.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5d7953818..82259e2b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -69,6 +69,7 @@
 * Correctly parse `.../_self` permissions object. Refs STCOR-813.
 * Export `getEventHandler` to be able to create events in other modules. Refs STCOR-770.
 * Simplify logout workflow to bypass keycloak confirmation page. Refs STCOR-803.
+* Auto-logout on session expiration, show a "Keep working?" modal first. Refs STCOR-776.
 * After login, only check SSO endpoints when `login-saml` interface is present. Refs STCOR-816.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
diff --git a/index.js b/index.js
index 67fd4d1d0..f37178167 100644
--- a/index.js
+++ b/index.js
@@ -49,6 +49,7 @@ export { userLocaleConfig } from './src/loginServices';
 export * from './src/consortiaServices';
 export { default as queryLimit } from './src/queryLimit';
 export { default as init } from './src/init';
+export { CHANNELS, EVENTS } from './src/constants';
 
 /* localforage wrappers hide the session key */
 export { getOkapiSession, getTokenExpiry, setTokenExpiry } from './src/loginServices';
diff --git a/src/Pluggable.js b/src/Pluggable.js
index 6d1a27baa..8da797929 100644
--- a/src/Pluggable.js
+++ b/src/Pluggable.js
@@ -32,6 +32,7 @@ const Pluggable = (props) => {
     }
 
     return cached;
+    // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [plugins]);
 
   if (cachedPlugins.length) {
diff --git a/src/RootWithIntl.js b/src/RootWithIntl.js
index cb8a74a7a..dab5034a8 100644
--- a/src/RootWithIntl.js
+++ b/src/RootWithIntl.js
@@ -37,6 +37,7 @@ import {
   ForgotUserNameCtrl,
   AppCtxMenuProvider,
   SessionEventContainer,
+  SessionEventContainer,
 } from './components';
 import StaleBundleWarning from './components/StaleBundleWarning';
 import { StripesContext } from './StripesContext';
diff --git a/src/components/About/AboutOkapi.test.js b/src/components/About/AboutOkapi.test.js
index 2165b8ee5..f0430bbc6 100644
--- a/src/components/About/AboutOkapi.test.js
+++ b/src/components/About/AboutOkapi.test.js
@@ -6,56 +6,79 @@ import {
   screen,
 } from '@folio/jest-config-stripes/testing-library/react';
 
+import { modules } from 'stripes-config';
+
 import AboutOkapi from './AboutOkapi';
 import { useStripes } from '../../StripesContext';
 import stripesConnect from '../../stripesConnect';
 import AboutEnabledModules from './AboutEnabledModules';
+import { withModules } from '../Modules';
 
-jest.mock('../../StripesContext');
 jest.mock('../../stripesConnect');
 jest.mock('./AboutEnabledModules', () => () => <></>);
+const stripesModules = {
+  app: [
+    {
+      module: 'app-alpha',
+      version: '1.2.3',
+      okapiInterfaces: {
+        iAlpha: '1.0',
+      }
+    },
+    { module: 'app-beta', version: '2.3.4' }
+  ],
+  settings: [
+    { module: 'settings-alpha', version: '3.4.5' },
+    { module: 'settings-beta', version: '4.5.6' }
+  ],
+  plugin: [
+    { module: 'plugin-alpha', version: '5.6.7' },
+    { module: 'plugin-beta', version: '6.7.8' }
+  ],
+  typeThatHasNotBeenInventedYet: [
+    { module: 'typeThatHasNotBeenInventedYet-alpha', version: '7.8.9' },
+    { module: 'typeThatHasNotBeenInventedYet-beta', version: '8.9.10' }
+  ],
+};
 
-describe('AboutOkapi', () => {
-  const modules = {
-    app: [
-      {
-        module: 'app-alpha',
-        version: '1.2.3',
-        okapiInterfaces: {
-          iAlpha: '1.0',
-        }
-      },
-      { module: 'app-beta', version: '2.3.4' }
-    ],
-    settings: [
-      { module: 'settings-alpha', version: '3.4.5' },
-      { module: 'settings-beta', version: '4.5.6' }
-    ],
-    plugin: [
-      { module: 'plugin-alpha', version: '5.6.7' },
-      { module: 'plugin-beta', version: '6.7.8' }
-    ],
-    typeThatHasNotBeenInventedYet: [
-      { module: 'typeThatHasNotBeenInventedYet-alpha', version: '7.8.9' },
-      { module: 'typeThatHasNotBeenInventedYet-beta', version: '8.9.10' }
-    ],
-  };
+jest.mock('stripes-config', () => ({
+  modules: stripesModules,
+}));
+
+jest.mock('../../StripesContext', () => ({
+  useStripes: () => ({
+    connect: (component) => component,
+    okapi: {
+      tenant: 'barbie',
+      url: 'https://oppie.edu',
+    },
+    discovery: {
+      modules: stripesModules,
+      interfaces: {
+        bar: '1.0',
+        bat: '2.0',
+      }
+    },
+    modules: stripesModules,
+  }),
+  withStripes: (component) => component,
+}));
 
+
+describe('AboutOkapi', () => {
   const stripes = {
     okapi: {
       tenant: 'barbie',
       url: 'https://oppie.edu',
     },
     discovery: {
-      modules,
+      modules: stripesModules,
       interfaces: {
         bar: '1.0',
         bat: '2.0',
       }
     }
   };
-  const mockUseStripes = useStripes;
-  mockUseStripes.mockReturnValue(stripes);
 
   it('displays application version details', async () => {
     render(<AboutOkapi />);
diff --git a/src/components/OIDCLanding.js b/src/components/OIDCLanding.js
index 5887c67e0..19a29b6b2 100644
--- a/src/components/OIDCLanding.js
+++ b/src/components/OIDCLanding.js
@@ -68,8 +68,8 @@ const OIDCLanding = () => {
             return resp.json()
               .then((json) => {
                 return setTokenExpiry({
-                  atExpires: json.accessTokenExpiration ? new Date(json.accessTokenExpiration) : Date.now() + (60 * 1000),
-                  rtExpires: json.refreshTokenExpiration ? new Date(json.refreshTokenExpiration) : Date.now() + (2 * 60 * 1000),
+                  atExpires: json.accessTokenExpiration ? new Date(json.accessTokenExpiration).getTime() : Date.now() + (60 * 1000),
+                  rtExpires: json.refreshTokenExpiration ? new Date(json.refreshTokenExpiration).getTime() : Date.now() + (2 * 60 * 1000),
                 });
               })
               .then(() => {
diff --git a/src/components/Redirect/Redirect.test.js b/src/components/Redirect/Redirect.test.js
index 4d03786a4..5f9b6868b 100644
--- a/src/components/Redirect/Redirect.test.js
+++ b/src/components/Redirect/Redirect.test.js
@@ -1,4 +1,4 @@
-import { render } from '@testing-library/react';
+import { render } from '@folio/jest-config-stripes/testing-library/react';
 import { createMemoryHistory } from 'history';
 
 import Harness from '../../../test/jest/helpers/harness';
diff --git a/src/components/Root/FFetch.js b/src/components/Root/FFetch.js
index ef84814b8..597d94394 100644
--- a/src/components/Root/FFetch.js
+++ b/src/components/Root/FFetch.js
@@ -54,6 +54,7 @@ import {
   isFolioApiRequest,
   isLogoutRequest,
   rtr,
+  RTR_TTL_WINDOW,
 } from './token-util';
 import {
   RTRError,
diff --git a/src/components/Root/Root.js b/src/components/Root/Root.js
index 13e7e47de..4d981e770 100644
--- a/src/components/Root/Root.js
+++ b/src/components/Root/Root.js
@@ -38,7 +38,7 @@ class Root extends Component {
   constructor(...args) {
     super(...args);
 
-    const { modules, history, okapi, store } = this.props;
+    const { modules, history, okapi } = this.props;
 
     this.reducers = { ...initialReducers };
     this.epics = {};
diff --git a/src/components/Root/token-util.js b/src/components/Root/token-util.js
index b622101a6..02b3a5948 100644
--- a/src/components/Root/token-util.js
+++ b/src/components/Root/token-util.js
@@ -171,7 +171,7 @@ export const isRotating = () => {
  * rtr
  * exchange an RT for new tokens; dispatch RTR_ERROR_EVENT on error.
  *
- * Since all windows share the same cookie, this means the must also share
+ * Since all windows share the same cookie, this means they must also share
  * rotation, and when rotation starts in one window requests in all others
  * must await that promise. Thus, the RTR_IS_ROTATING flag is stored via
  * localStorage where it is globally accessible, rather than in a local
diff --git a/src/components/Root/token-util.test.js b/src/components/Root/token-util.test.js
index 4463ec97a..a12227690 100644
--- a/src/components/Root/token-util.test.js
+++ b/src/components/Root/token-util.test.js
@@ -158,12 +158,12 @@ describe('rtr', () => {
       };
 
       setTimeout(() => {
-        window.dispatchEvent(new Event(RTR_SUCCESS_EVENT));
+        window.dispatchEvent(new Event(EVENTS.AUTHN.RTR_SUCCESS));
       }, 500);
 
       setTimeout(() => {
         localStorage.removeItem(RTR_IS_ROTATING);
-        window.dispatchEvent(new Event(RTR_SUCCESS_EVENT));
+        window.dispatchEvent(new Event(EVENTS.AUTHN.RTR_SUCCESS));
       }, 1000);
 
       let ex = null;
diff --git a/src/components/SessionEventContainer/useCountdown.js b/src/components/SessionEventContainer/useCountdown.js
new file mode 100644
index 000000000..4b3917852
--- /dev/null
+++ b/src/components/SessionEventContainer/useCountdown.js
@@ -0,0 +1,30 @@
+import {
+  useEffect,
+  useState
+} from 'react';
+
+/**
+ * useCountdown
+ * Given a millisecond timestamp T, set a timer with a 1-second interval
+ * that returns the number of milliseconds remaining until T.
+ *
+ * @param {int} expiration timestamp in milliseconds
+ * @returns time remaining in milliseconds
+ */
+const useCountdown = (expiration) => {
+  const [countdown, setCountdown] = useState(expiration - new Date().getTime());
+
+  useEffect(() => {
+    const interval = setInterval(() => {
+      setCountdown(expiration - new Date().getTime());
+    }, 1000);
+
+    return () => {
+      clearInterval(interval);
+    };
+  }, [expiration]);
+
+  return countdown;
+};
+
+export default useCountdown;
diff --git a/src/constants/channels.js b/src/constants/channels.js
new file mode 100644
index 000000000..2454c65b3
--- /dev/null
+++ b/src/constants/channels.js
@@ -0,0 +1,12 @@
+const prefix = '@folio/stripes/core';
+
+/**
+ * BroadcastChannels
+ * @see https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_Channel_API\\
+ */
+const CHANNELS = {
+  /** authentication events */
+  AUTHN: `${prefix}::authn`,
+};
+
+export default CHANNELS;
diff --git a/src/constants/events.js b/src/constants/events.js
new file mode 100644
index 000000000..7ddd16358
--- /dev/null
+++ b/src/constants/events.js
@@ -0,0 +1,18 @@
+import CHANNELS from './channels';
+
+const EVENTS = {
+  AUTHN: {
+    // broadcast: logout
+    LOGOUT: `${CHANNELS.AUTHN}::LOGOUT`,
+    // dispatch: rtr failure
+    RTR_ERROR: `${CHANNELS.AUTHN}::RTR_ERROR`,
+    // broadcast: rtr success
+    RTR_SUCCESS: `${CHANNELS.AUTHN}::RTR_SUCCESS`,
+    // dispatch: session will expire
+    IDLE_SESSION_WARNING: `${CHANNELS.AUTHN}::IDLE_SESSION_WARNING`,
+    // dispatch: session has expired
+    IDLE_SESSION_TIMEOUT: `${CHANNELS.AUTHN}::IDLE_SESSION_TIMEOUT`,
+  },
+};
+
+export default EVENTS;
diff --git a/src/constants/index.js b/src/constants/index.js
index a59c465d9..3181c7793 100644
--- a/src/constants/index.js
+++ b/src/constants/index.js
@@ -5,3 +5,6 @@ export { default as ssoErrorCodes } from './ssoErrorCodes';
 export { default as defaultErrors } from './defaultErrors';
 export { default as packageName } from './packageName';
 export { default as delimiters } from './delimiters';
+
+export { default as CHANNELS } from './channels';
+export { default as EVENTS } from './events';
diff --git a/src/discoverServices.js b/src/discoverServices.js
index 1a221631a..04a888423 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -114,17 +114,20 @@ function fetchApplicationDetails(store) {
             return Promise.all(list);
           }
 
+          // eslint-disable-next-line no-console
           console.error(`>>> NO APPLICATIONS AVAILABLE FOR ${okapi.tenant}`, json);
           store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
           throw response;
         });
       } else {
+        // eslint-disable-next-line no-console
         console.error(`>>> COULD NOT RETRIEVE APPLICATIONS FOR ${okapi.tenant}`, response);
         store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
         throw response;
       }
     })
     .catch(reason => {
+      // eslint-disable-next-line no-console
       console.error(`@@ COULD NOT RETRIEVE APPLICATIONS FOR ${okapi.tenant}`, reason);
       store.dispatch({ type: 'DISCOVERY_FAILURE', message: reason });
     });
diff --git a/src/loginServices.js b/src/loginServices.js
index fd2baf01e..0c7e59246 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -97,7 +97,7 @@ export const getTokenExpiry = async () => {
 };
 
 /**
- * getTokenSess
+ * setTokenSess
  * simple wrapper around access to values stored in localforage
  * to insulate RTR functions from that API. Supplement the existing
  * session with updated token expiration data.
@@ -111,7 +111,6 @@ export const setTokenExpiry = async (te) => {
   return localforage.setItem(SESSION_NAME, val);
 };
 
-
 // export config values for storing user locale
 export const userLocaleConfig = {
   'configName': 'localeSettings',
@@ -136,7 +135,7 @@ function getHeaders(tenant, token) {
  *
  * @returns {boolean}
  */
-function canReadConfig(store) {
+export function canReadConfig(store) {
   const perms = store.getState().okapi.currentPerms;
   return perms?.['configuration.entries.collection.get'];
 }
@@ -424,6 +423,7 @@ export function spreadUserWithPerms(userWithPerms) {
   return { user, perms };
 }
 
+
 /**
  * logout
  * logout is a multi-part process, but this function is idempotent.
@@ -521,8 +521,6 @@ export async function logout(okapiUrl, store) {
  * @returns {Promise}
  */
 export function createOkapiSession(store, tenant, token, data) {
-  // @@ new StripesSession(store, data);
-
   // clear any auth-n errors
   store.dispatch(setAuthError(null));
 
@@ -534,15 +532,6 @@ export function createOkapiSession(store, tenant, token, data) {
 
   store.dispatch(setCurrentPerms(perms));
 
-  // if we can't parse tokenExpiration data, e.g. because data comes from `.../_self`
-  // which doesn't provide it, then set an invalid AT value and a near-future (+10 minutes) RT value.
-  // the invalid AT will prompt an RTR cycle which will either give us new AT/RT values
-  // (if the RT was valid) or throw an RTR_ERROR (if the RT was not valid).
-  const tokenExpiration = {
-    atExpires: data.tokenExpiration?.accessTokenExpiration ? new Date(data.tokenExpiration.accessTokenExpiration).getTime() : -1,
-    rtExpires: data.tokenExpiration?.refreshTokenExpiration ? new Date(data.tokenExpiration.refreshTokenExpiration).getTime() : Date.now() + (10 * 60 * 1000),
-  };
-
   const sessionTenant = data.tenant || tenant;
   const okapiSess = {
     token,
@@ -550,7 +539,6 @@ export function createOkapiSession(store, tenant, token, data) {
     user,
     perms,
     tenant: sessionTenant,
-    tokenExpiration,
   };
 
   // localStorage events emit across tabs so we can use it like a
@@ -560,7 +548,34 @@ export function createOkapiSession(store, tenant, token, data) {
   localStorage.setItem(SESSION_NAME, 'true');
 
   return localforage.setItem('loginResponse', data)
-    .then(() => localforage.setItem(SESSION_NAME, okapiSess))
+    .then(localforage.getItem(SESSION_NAME))
+    .then(sessionData => {
+      // for keycloak-based logins, token-expiration data was already
+      // pushed to storage, so we pull it out and reuse it here.
+      // for legacy logins, token-expiration data is available in the
+      // login response.
+      if (sessionData?.tokenExpiration) {
+        okapiSess.tokenExpiration = sessionData.tokenExpiration;
+      } else if (data.tokenExpiration) {
+        okapiSess.tokenExpiration = {
+          atExpires: new Date(data.tokenExpiration.accessTokenExpiration).getTime(),
+          rtExpires: new Date(data.tokenExpiration.refreshTokenExpiration).getTime(),
+        };
+      } else {
+        // somehow, we ended up here without any legit token-expiration values.
+        // that's not great, but in theory we only ended up here as a result
+        // of logging in, so let's punt and assume our cookies are valid.
+        // set an expired AT and RT 10 minutes into the future; the expired
+        // AT will kick off RTR, and on success we'll store real values as a result,
+        // or on failure we'll get kicked out. no harm, no foul.
+        okapiSess.tokenExpiration = {
+          atExpires: -1,
+          rtExpires: Date.now() + (10 * 60 * 1000),
+        };
+      }
+
+      return localforage.setItem(SESSION_NAME, okapiSess);
+    })
     .then(() => {
       store.dispatch(setIsAuthenticated(true));
       store.dispatch(setSessionData(okapiSess));
@@ -738,6 +753,7 @@ export function validateUser(okapiUrl, store, tenant, session) {
           token,
           tokenExpiration: session.tokenExpiration
         }));
+
         return loadResources(store, sessionTenant, user.id);
       });
     } else {
@@ -747,7 +763,7 @@ export function validateUser(okapiUrl, store, tenant, session) {
       });
     }
   }).catch((error) => {
-    console.error(error); // eslint-disable-line no-console
+    console.error('validateUser', { error }); // eslint-disable-line no-console
     store.dispatch(setServerDown());
     return error;
   });
diff --git a/src/loginServices.test.js b/src/loginServices.test.js
index 81d370a2e..35fc8ae2e 100644
--- a/src/loginServices.test.js
+++ b/src/loginServices.test.js
@@ -1,8 +1,10 @@
 import localforage from 'localforage';
-import { config } from 'stripes-config';
 
 import {
+  canReadConfig,
   createOkapiSession,
+  eventManager,
+  getHeaders,
   getOkapiSession,
   getTokenExpiry,
   handleLoginError,
@@ -84,6 +86,36 @@ const mockFetchCleanUp = () => {
   delete global.fetch;
 };
 
+describe('canReadConfig', () => {
+  const p = 'configuration.entries.collection.get';
+  it('returns true when permission is present', () => {
+    const store = {
+      getState: () => ({
+        okapi: {
+          currentPerms: {
+            [p]: true,
+          }
+        }
+      }),
+    };
+
+    expect(canReadConfig(store)).toBeTruthy();
+  });
+
+  it('returns false when permission is absent', () => {
+    const store = {
+      getState: () => ({
+        okapi: {
+          currentPerms: {
+          }
+        }
+      }),
+    };
+
+    expect(canReadConfig(store)).toBeFalsy();
+  });
+});
+
 describe('createOkapiSession', () => {
   it('clears authentication errors', async () => {
     const store = {
@@ -122,6 +154,43 @@ describe('createOkapiSession', () => {
   });
 });
 
+describe('eventManager', () => {
+  describe('listen', () => {
+    it('listens for an event', () => {
+      const f = jest.fn();
+      const em = eventManager({ channel: 'foo' });
+      em.listen('monkey', f);
+      em.emit('monkey');
+      expect(f).toHaveBeenCalled();
+    });
+
+    it('listens for a list of events', () => {
+      const f = jest.fn();
+      const em = eventManager({ channel: 'foo' });
+      const franz = ['Liszt', 'Hungarian', 'Raphsody'];
+      em.listen(franz, f);
+      em.emit(franz, 'asdf');
+      expect(f).toHaveBeenCalledTimes(franz.length);
+    });
+  });
+});
+
+describe('getHeaders', () => {
+  it('finds expected headers', () => {
+    const h = getHeaders('tenant', 'token');
+    expect(h['X-Okapi-Tenant']).toBe('tenant');
+    expect(h['Content-Type']).toBe('application/json');
+    expect(h['X-Okapi-Token']).toBe('token');
+  });
+
+  it('omits token when null', () => {
+    const h = getHeaders('tenant');
+    expect(h['X-Okapi-Tenant']).toBe('tenant');
+    expect(h['X-Okapi-Token']).toBeUndefined();
+  });
+});
+
+
 describe('handleLoginError', () => {
   it('dispatches setOkapiReady', async () => {
     const dispatch = jest.fn();
diff --git a/test/jest/__mock__/stripesComponents.mock.js b/test/jest/__mock__/stripesComponents.mock.js
index 444365dbd..13c53ced4 100644
--- a/test/jest/__mock__/stripesComponents.mock.js
+++ b/test/jest/__mock__/stripesComponents.mock.js
@@ -76,22 +76,9 @@ jest.mock('@folio/stripes-components', () => ({
   )),
   Loading: () => <div>Loading</div>,
   MessageBanner: jest.fn(({ show, children }) => { return show ? <>{children}</> : <></>; }),
-
-  // oy, dismissible. we need to pull it out of props so it doesn't
-  // get applied to the div as an attribute, which must have a string-value,
-  // which will shame you in the console:
-  //
-  //     Warning: Received `true` for a non-boolean attribute `dismissible`.
-  //     If you want to write it to the DOM, pass a string instead: dismissible="true" or dismissible={value.toString()}.
-  //         in div (created by mockConstructor)
-  //
-  // is there a better way to throw it away? If we don't destructure and
-  // instead access props.label and props.children, then we get a test
-  // failure that the modal isn't visible. oy, dismissible.
-  Modal: jest.fn(({ children, label, dismissible, footer, ...rest }) => {
+  Modal: jest.fn(({ children, label, dismissible: _dismissible, footer, ...rest }) => {
     return (
       <div
-        data-test={dismissible ? '' : ''}
         {...rest}
       >
         <h1>{label}</h1>

From 8eb82e728123962326cfb32b132aa5c32270b11e Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Thu, 29 Feb 2024 10:08:14 -0500
Subject: [PATCH 26/63] Revert "STCOR-776 show "Keep working?" prompt when
 session ages (#1431)" (#1433)

Numerous bugs indicate this work was not ready for primetime:
* "Keep working?" prompt may not be dismissible
* missing translations in the "Keep working?" prompt
* console errors indicate attempts to post messages to closed BroadcastChannels

Reverts folio-org/stripes-core#1431

This reverts commit 6aabfc5c6b92e627177bd7e3cd2fb2cc543ebcbf.
---
 CHANGELOG.md                                  |  1 -
 index.js                                      |  1 -
 src/Pluggable.js                              |  1 -
 src/components/About/AboutOkapi.test.js       | 81 +++++++------------
 src/components/OIDCLanding.js                 |  4 +-
 src/components/Redirect/Redirect.test.js      |  2 +-
 src/components/Root/Events.js                 |  5 ++
 src/components/Root/FFetch.js                 |  1 -
 src/components/Root/Root.js                   |  4 +-
 src/components/Root/token-util.js             |  2 +-
 src/components/Root/token-util.test.js        |  4 +-
 src/components/SessionEventContainer/index.js |  1 -
 .../SessionEventContainer/useCountdown.js     | 30 -------
 src/constants/channels.js                     | 12 ---
 src/constants/events.js                       | 18 -----
 src/constants/index.js                        |  3 -
 src/discoverServices.js                       |  3 -
 src/loginServices.js                          | 54 ++++++++++++-
 src/loginServices.test.js                     | 71 +---------------
 test/jest/__mock__/stripesComponents.mock.js  | 15 +++-
 20 files changed, 107 insertions(+), 206 deletions(-)
 create mode 100644 src/components/Root/Events.js
 delete mode 100644 src/components/SessionEventContainer/index.js
 delete mode 100644 src/components/SessionEventContainer/useCountdown.js
 delete mode 100644 src/constants/channels.js
 delete mode 100644 src/constants/events.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82259e2b6..5d7953818 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -69,7 +69,6 @@
 * Correctly parse `.../_self` permissions object. Refs STCOR-813.
 * Export `getEventHandler` to be able to create events in other modules. Refs STCOR-770.
 * Simplify logout workflow to bypass keycloak confirmation page. Refs STCOR-803.
-* Auto-logout on session expiration, show a "Keep working?" modal first. Refs STCOR-776.
 * After login, only check SSO endpoints when `login-saml` interface is present. Refs STCOR-816.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
diff --git a/index.js b/index.js
index f37178167..67fd4d1d0 100644
--- a/index.js
+++ b/index.js
@@ -49,7 +49,6 @@ export { userLocaleConfig } from './src/loginServices';
 export * from './src/consortiaServices';
 export { default as queryLimit } from './src/queryLimit';
 export { default as init } from './src/init';
-export { CHANNELS, EVENTS } from './src/constants';
 
 /* localforage wrappers hide the session key */
 export { getOkapiSession, getTokenExpiry, setTokenExpiry } from './src/loginServices';
diff --git a/src/Pluggable.js b/src/Pluggable.js
index 8da797929..6d1a27baa 100644
--- a/src/Pluggable.js
+++ b/src/Pluggable.js
@@ -32,7 +32,6 @@ const Pluggable = (props) => {
     }
 
     return cached;
-    // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [plugins]);
 
   if (cachedPlugins.length) {
diff --git a/src/components/About/AboutOkapi.test.js b/src/components/About/AboutOkapi.test.js
index f0430bbc6..2165b8ee5 100644
--- a/src/components/About/AboutOkapi.test.js
+++ b/src/components/About/AboutOkapi.test.js
@@ -6,79 +6,56 @@ import {
   screen,
 } from '@folio/jest-config-stripes/testing-library/react';
 
-import { modules } from 'stripes-config';
-
 import AboutOkapi from './AboutOkapi';
 import { useStripes } from '../../StripesContext';
 import stripesConnect from '../../stripesConnect';
 import AboutEnabledModules from './AboutEnabledModules';
-import { withModules } from '../Modules';
 
+jest.mock('../../StripesContext');
 jest.mock('../../stripesConnect');
 jest.mock('./AboutEnabledModules', () => () => <></>);
-const stripesModules = {
-  app: [
-    {
-      module: 'app-alpha',
-      version: '1.2.3',
-      okapiInterfaces: {
-        iAlpha: '1.0',
-      }
-    },
-    { module: 'app-beta', version: '2.3.4' }
-  ],
-  settings: [
-    { module: 'settings-alpha', version: '3.4.5' },
-    { module: 'settings-beta', version: '4.5.6' }
-  ],
-  plugin: [
-    { module: 'plugin-alpha', version: '5.6.7' },
-    { module: 'plugin-beta', version: '6.7.8' }
-  ],
-  typeThatHasNotBeenInventedYet: [
-    { module: 'typeThatHasNotBeenInventedYet-alpha', version: '7.8.9' },
-    { module: 'typeThatHasNotBeenInventedYet-beta', version: '8.9.10' }
-  ],
-};
-
-jest.mock('stripes-config', () => ({
-  modules: stripesModules,
-}));
-
-jest.mock('../../StripesContext', () => ({
-  useStripes: () => ({
-    connect: (component) => component,
-    okapi: {
-      tenant: 'barbie',
-      url: 'https://oppie.edu',
-    },
-    discovery: {
-      modules: stripesModules,
-      interfaces: {
-        bar: '1.0',
-        bat: '2.0',
-      }
-    },
-    modules: stripesModules,
-  }),
-  withStripes: (component) => component,
-}));
-
 
 describe('AboutOkapi', () => {
+  const modules = {
+    app: [
+      {
+        module: 'app-alpha',
+        version: '1.2.3',
+        okapiInterfaces: {
+          iAlpha: '1.0',
+        }
+      },
+      { module: 'app-beta', version: '2.3.4' }
+    ],
+    settings: [
+      { module: 'settings-alpha', version: '3.4.5' },
+      { module: 'settings-beta', version: '4.5.6' }
+    ],
+    plugin: [
+      { module: 'plugin-alpha', version: '5.6.7' },
+      { module: 'plugin-beta', version: '6.7.8' }
+    ],
+    typeThatHasNotBeenInventedYet: [
+      { module: 'typeThatHasNotBeenInventedYet-alpha', version: '7.8.9' },
+      { module: 'typeThatHasNotBeenInventedYet-beta', version: '8.9.10' }
+    ],
+  };
+
   const stripes = {
     okapi: {
       tenant: 'barbie',
       url: 'https://oppie.edu',
     },
     discovery: {
-      modules: stripesModules,
+      modules,
       interfaces: {
         bar: '1.0',
         bat: '2.0',
       }
     }
   };
+  const mockUseStripes = useStripes;
+  mockUseStripes.mockReturnValue(stripes);
 
   it('displays application version details', async () => {
     render(<AboutOkapi />);
diff --git a/src/components/OIDCLanding.js b/src/components/OIDCLanding.js
index 19a29b6b2..5887c67e0 100644
--- a/src/components/OIDCLanding.js
+++ b/src/components/OIDCLanding.js
@@ -68,8 +68,8 @@ const OIDCLanding = () => {
             return resp.json()
               .then((json) => {
                 return setTokenExpiry({
-                  atExpires: json.accessTokenExpiration ? new Date(json.accessTokenExpiration).getTime() : Date.now() + (60 * 1000),
-                  rtExpires: json.refreshTokenExpiration ? new Date(json.refreshTokenExpiration).getTime() : Date.now() + (2 * 60 * 1000),
+                  atExpires: json.accessTokenExpiration ? new Date(json.accessTokenExpiration) : Date.now() + (60 * 1000),
+                  rtExpires: json.refreshTokenExpiration ? new Date(json.refreshTokenExpiration) : Date.now() + (2 * 60 * 1000),
                 });
               })
               .then(() => {
diff --git a/src/components/Redirect/Redirect.test.js b/src/components/Redirect/Redirect.test.js
index 5f9b6868b..4d03786a4 100644
--- a/src/components/Redirect/Redirect.test.js
+++ b/src/components/Redirect/Redirect.test.js
@@ -1,4 +1,4 @@
-import { render } from '@folio/jest-config-stripes/testing-library/react';
+import { render } from '@testing-library/react';
 import { createMemoryHistory } from 'history';
 
 import Harness from '../../../test/jest/helpers/harness';
diff --git a/src/components/Root/Events.js b/src/components/Root/Events.js
new file mode 100644
index 000000000..bbf2bd122
--- /dev/null
+++ b/src/components/Root/Events.js
@@ -0,0 +1,5 @@
+/** dispatched during RTR when it is successful */
+export const RTR_SUCCESS_EVENT = '@folio/stripes/core::RTRSuccess';
+
+/** dispatched during RTR if RTR itself fails */
+export const RTR_ERROR_EVENT = '@folio/stripes/core::RTRError';
diff --git a/src/components/Root/FFetch.js b/src/components/Root/FFetch.js
index 597d94394..ef84814b8 100644
--- a/src/components/Root/FFetch.js
+++ b/src/components/Root/FFetch.js
@@ -54,7 +54,6 @@ import {
   isFolioApiRequest,
   isLogoutRequest,
   rtr,
-  RTR_TTL_WINDOW,
 } from './token-util';
 import {
   RTRError,
diff --git a/src/components/Root/Root.js b/src/components/Root/Root.js
index 4d981e770..90705f6a3 100644
--- a/src/components/Root/Root.js
+++ b/src/components/Root/Root.js
@@ -17,7 +17,7 @@ import enhanceReducer from '../../enhanceReducer';
 import createApolloClient from '../../createApolloClient';
 import createReactQueryClient from '../../createReactQueryClient';
 import { setSinglePlugin, setBindings, setIsAuthenticated, setOkapiToken, setTimezone, setCurrency, updateCurrentUser } from '../../okapiActions';
-import { loadTranslations, checkOkapiSession } from '../../loginServices';
+import { loadTranslations, checkOkapiSession, addRtrEventListeners } from '../../loginServices';
 import { getQueryResourceKey, getCurrentModule } from '../../locationService';
 import Stripes from '../../Stripes';
 import RootWithIntl from '../../RootWithIntl';
@@ -38,7 +38,7 @@ class Root extends Component {
   constructor(...args) {
     super(...args);
 
-    const { modules, history, okapi } = this.props;
+    const { modules, history, okapi, store } = this.props;
 
     this.reducers = { ...initialReducers };
     this.epics = {};
diff --git a/src/components/Root/token-util.js b/src/components/Root/token-util.js
index 02b3a5948..b622101a6 100644
--- a/src/components/Root/token-util.js
+++ b/src/components/Root/token-util.js
@@ -171,7 +171,7 @@ export const isRotating = () => {
  * rtr
  * exchange an RT for new tokens; dispatch RTR_ERROR_EVENT on error.
  *
- * Since all windows share the same cookie, this means they must also share
+ * Since all windows share the same cookie, this means the must also share
  * rotation, and when rotation starts in one window requests in all others
  * must await that promise. Thus, the RTR_IS_ROTATING flag is stored via
  * localStorage where it is globally accessible, rather than in a local
diff --git a/src/components/Root/token-util.test.js b/src/components/Root/token-util.test.js
index a12227690..4463ec97a 100644
--- a/src/components/Root/token-util.test.js
+++ b/src/components/Root/token-util.test.js
@@ -158,12 +158,12 @@ describe('rtr', () => {
       };
 
       setTimeout(() => {
-        window.dispatchEvent(new Event(EVENTS.AUTHN.RTR_SUCCESS));
+        window.dispatchEvent(new Event(RTR_SUCCESS_EVENT));
       }, 500);
 
       setTimeout(() => {
         localStorage.removeItem(RTR_IS_ROTATING);
-        window.dispatchEvent(new Event(EVENTS.AUTHN.RTR_SUCCESS));
+        window.dispatchEvent(new Event(RTR_SUCCESS_EVENT));
       }, 1000);
 
       let ex = null;
diff --git a/src/components/SessionEventContainer/index.js b/src/components/SessionEventContainer/index.js
deleted file mode 100644
index 46995e871..000000000
--- a/src/components/SessionEventContainer/index.js
+++ /dev/null
@@ -1 +0,0 @@
-export { default } from './SessionEventContainer';
diff --git a/src/components/SessionEventContainer/useCountdown.js b/src/components/SessionEventContainer/useCountdown.js
deleted file mode 100644
index 4b3917852..000000000
--- a/src/components/SessionEventContainer/useCountdown.js
+++ /dev/null
@@ -1,30 +0,0 @@
-import {
-  useEffect,
-  useState
-} from 'react';
-
-/**
- * useCountdown
- * Given a millisecond timestamp T, set a timer with a 1-second interval
- * that returns the number of milliseconds remaining until T.
- *
- * @param {int} expiration timestamp in milliseconds
- * @returns time remaining in milliseconds
- */
-const useCountdown = (expiration) => {
-  const [countdown, setCountdown] = useState(expiration - new Date().getTime());
-
-  useEffect(() => {
-    const interval = setInterval(() => {
-      setCountdown(expiration - new Date().getTime());
-    }, 1000);
-
-    return () => {
-      clearInterval(interval);
-    };
-  }, [expiration]);
-
-  return countdown;
-};
-
-export default useCountdown;
diff --git a/src/constants/channels.js b/src/constants/channels.js
deleted file mode 100644
index 2454c65b3..000000000
--- a/src/constants/channels.js
+++ /dev/null
@@ -1,12 +0,0 @@
-const prefix = '@folio/stripes/core';
-
-/**
- * BroadcastChannels
- * @see https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_Channel_API\\
- */
-const CHANNELS = {
-  /** authentication events */
-  AUTHN: `${prefix}::authn`,
-};
-
-export default CHANNELS;
diff --git a/src/constants/events.js b/src/constants/events.js
deleted file mode 100644
index 7ddd16358..000000000
--- a/src/constants/events.js
+++ /dev/null
@@ -1,18 +0,0 @@
-import CHANNELS from './channels';
-
-const EVENTS = {
-  AUTHN: {
-    // broadcast: logout
-    LOGOUT: `${CHANNELS.AUTHN}::LOGOUT`,
-    // dispatch: rtr failure
-    RTR_ERROR: `${CHANNELS.AUTHN}::RTR_ERROR`,
-    // broadcast: rtr success
-    RTR_SUCCESS: `${CHANNELS.AUTHN}::RTR_SUCCESS`,
-    // dispatch: session will expire
-    IDLE_SESSION_WARNING: `${CHANNELS.AUTHN}::IDLE_SESSION_WARNING`,
-    // dispatch: session has expired
-    IDLE_SESSION_TIMEOUT: `${CHANNELS.AUTHN}::IDLE_SESSION_TIMEOUT`,
-  },
-};
-
-export default EVENTS;
diff --git a/src/constants/index.js b/src/constants/index.js
index 3181c7793..a59c465d9 100644
--- a/src/constants/index.js
+++ b/src/constants/index.js
@@ -5,6 +5,3 @@ export { default as ssoErrorCodes } from './ssoErrorCodes';
 export { default as defaultErrors } from './defaultErrors';
 export { default as packageName } from './packageName';
 export { default as delimiters } from './delimiters';
-
-export { default as CHANNELS } from './channels';
-export { default as EVENTS } from './events';
diff --git a/src/discoverServices.js b/src/discoverServices.js
index 04a888423..1a221631a 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -114,20 +114,17 @@ function fetchApplicationDetails(store) {
             return Promise.all(list);
           }
 
-          // eslint-disable-next-line no-console
           console.error(`>>> NO APPLICATIONS AVAILABLE FOR ${okapi.tenant}`, json);
           store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
           throw response;
         });
       } else {
-        // eslint-disable-next-line no-console
         console.error(`>>> COULD NOT RETRIEVE APPLICATIONS FOR ${okapi.tenant}`, response);
         store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
         throw response;
       }
     })
     .catch(reason => {
-      // eslint-disable-next-line no-console
       console.error(`@@ COULD NOT RETRIEVE APPLICATIONS FOR ${okapi.tenant}`, reason);
       store.dispatch({ type: 'DISCOVERY_FAILURE', message: reason });
     });
diff --git a/src/loginServices.js b/src/loginServices.js
index 0c7e59246..16d0772c5 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -97,7 +97,7 @@ export const getTokenExpiry = async () => {
 };
 
 /**
- * setTokenSess
+ * getTokenSess
  * simple wrapper around access to values stored in localforage
  * to insulate RTR functions from that API. Supplement the existing
  * session with updated token expiration data.
@@ -111,6 +111,7 @@ export const setTokenExpiry = async (te) => {
   return localforage.setItem(SESSION_NAME, val);
 };
 
+
 // export config values for storing user locale
 export const userLocaleConfig = {
   'configName': 'localeSettings',
@@ -135,7 +136,7 @@ function getHeaders(tenant, token) {
  *
  * @returns {boolean}
  */
-export function canReadConfig(store) {
+function canReadConfig(store) {
   const perms = store.getState().okapi.currentPerms;
   return perms?.['configuration.entries.collection.get'];
 }
@@ -423,7 +424,6 @@ export function spreadUserWithPerms(userWithPerms) {
   return { user, perms };
 }
 
-
 /**
  * logout
  * logout is a multi-part process, but this function is idempotent.
@@ -521,6 +521,8 @@ export async function logout(okapiUrl, store) {
  * @returns {Promise}
  */
 export function createOkapiSession(store, tenant, token, data) {
+  // @@ new StripesSession(store, data);
+
   // clear any auth-n errors
   store.dispatch(setAuthError(null));
 
@@ -532,6 +534,15 @@ export function createOkapiSession(store, tenant, token, data) {
 
   store.dispatch(setCurrentPerms(perms));
 
+  // if we can't parse tokenExpiration data, e.g. because data comes from `.../_self`
+  // which doesn't provide it, then set an invalid AT value and a near-future (+10 minutes) RT value.
+  // the invalid AT will prompt an RTR cycle which will either give us new AT/RT values
+  // (if the RT was valid) or throw an RTR_ERROR (if the RT was not valid).
+  const tokenExpiration = {
+    atExpires: data.tokenExpiration?.accessTokenExpiration ? new Date(data.tokenExpiration.accessTokenExpiration).getTime() : -1,
+    rtExpires: data.tokenExpiration?.refreshTokenExpiration ? new Date(data.tokenExpiration.refreshTokenExpiration).getTime() : Date.now() + (10 * 60 * 1000),
+  };
+
   const sessionTenant = data.tenant || tenant;
   const okapiSess = {
     token,
@@ -583,6 +594,41 @@ export function createOkapiSession(store, tenant, token, data) {
     });
 }
 
+/**
+ * handleRtrError
+ * Clear out the redux store and logout.
+ *
+ * @param {*} event
+ * @param {*} store
+ * @returns void
+ */
+export const handleRtrError = (event, store) => {
+  logger.log('rtr', 'rtr error; logging out', event.detail);
+  store.dispatch(setIsAuthenticated(false));
+  store.dispatch(clearCurrentUser());
+  store.dispatch(resetStore());
+  localforage.removeItem(SESSION_NAME)
+    .then(localforage.removeItem('loginResponse'));
+};
+
+/**
+ * addRtrEventListeners
+ * RTR_ERROR_EVENT: RTR error, logout
+ * RTR_ROTATION_EVENT: configure a timer for auto-logout
+ *
+ * @param {*} okapiConfig
+ * @param {*} store
+ */
+export function addRtrEventListeners(okapiConfig, store) {
+  document.addEventListener(RTR_ERROR_EVENT, (e) => {
+    handleRtrError(e, store);
+  });
+
+  // document.addEventListener(RTR_ROTATION_EVENT, (e) => {
+  //   handleRtrRotation(e, store);
+  // });
+}
+
 /**
  * getSSOEnabled
  * return a promise that fetches from /saml/check and dispatches checkSSO.
@@ -763,7 +809,7 @@ export function validateUser(okapiUrl, store, tenant, session) {
       });
     }
   }).catch((error) => {
-    console.error('validateUser', { error }); // eslint-disable-line no-console
+    console.error(error); // eslint-disable-line no-console
     store.dispatch(setServerDown());
     return error;
   });
diff --git a/src/loginServices.test.js b/src/loginServices.test.js
index 35fc8ae2e..81d370a2e 100644
--- a/src/loginServices.test.js
+++ b/src/loginServices.test.js
@@ -1,10 +1,8 @@
 import localforage from 'localforage';
+import { config } from 'stripes-config';
 
 import {
-  canReadConfig,
   createOkapiSession,
-  eventManager,
-  getHeaders,
   getOkapiSession,
   getTokenExpiry,
   handleLoginError,
@@ -86,36 +84,6 @@ const mockFetchCleanUp = () => {
   delete global.fetch;
 };
 
-describe('canReadConfig', () => {
-  const p = 'configuration.entries.collection.get';
-  it('returns true when permission is present', () => {
-    const store = {
-      getState: () => ({
-        okapi: {
-          currentPerms: {
-            [p]: true,
-          }
-        }
-      }),
-    };
-
-    expect(canReadConfig(store)).toBeTruthy();
-  });
-
-  it('returns false when permission is absent', () => {
-    const store = {
-      getState: () => ({
-        okapi: {
-          currentPerms: {
-          }
-        }
-      }),
-    };
-
-    expect(canReadConfig(store)).toBeFalsy();
-  });
-});
-
 describe('createOkapiSession', () => {
   it('clears authentication errors', async () => {
     const store = {
@@ -154,43 +122,6 @@ describe('createOkapiSession', () => {
   });
 });
 
-describe('eventManager', () => {
-  describe('listen', () => {
-    it('listens for an event', () => {
-      const f = jest.fn();
-      const em = eventManager({ channel: 'foo' });
-      em.listen('monkey', f);
-      em.emit('monkey');
-      expect(f).toHaveBeenCalled();
-    });
-
-    it('listens for a list of events', () => {
-      const f = jest.fn();
-      const em = eventManager({ channel: 'foo' });
-      const franz = ['Liszt', 'Hungarian', 'Raphsody'];
-      em.listen(franz, f);
-      em.emit(franz, 'asdf');
-      expect(f).toHaveBeenCalledTimes(franz.length);
-    });
-  });
-});
-
-describe('getHeaders', () => {
-  it('finds expected headers', () => {
-    const h = getHeaders('tenant', 'token');
-    expect(h['X-Okapi-Tenant']).toBe('tenant');
-    expect(h['Content-Type']).toBe('application/json');
-    expect(h['X-Okapi-Token']).toBe('token');
-  });
-
-  it('omits token when null', () => {
-    const h = getHeaders('tenant');
-    expect(h['X-Okapi-Tenant']).toBe('tenant');
-    expect(h['X-Okapi-Token']).toBeUndefined();
-  });
-});
-
-
 describe('handleLoginError', () => {
   it('dispatches setOkapiReady', async () => {
     const dispatch = jest.fn();
diff --git a/test/jest/__mock__/stripesComponents.mock.js b/test/jest/__mock__/stripesComponents.mock.js
index 13c53ced4..444365dbd 100644
--- a/test/jest/__mock__/stripesComponents.mock.js
+++ b/test/jest/__mock__/stripesComponents.mock.js
@@ -76,9 +76,22 @@ jest.mock('@folio/stripes-components', () => ({
   )),
   Loading: () => <div>Loading</div>,
   MessageBanner: jest.fn(({ show, children }) => { return show ? <>{children}</> : <></>; }),
-  Modal: jest.fn(({ children, label, dismissible: _dismissible, footer, ...rest }) => {
+
+  // oy, dismissible. we need to pull it out of props so it doesn't
+  // get applied to the div as an attribute, which must have a string-value,
+  // which will shame you in the console:
+  //
+  //     Warning: Received `true` for a non-boolean attribute `dismissible`.
+  //     If you want to write it to the DOM, pass a string instead: dismissible="true" or dismissible={value.toString()}.
+  //         in div (created by mockConstructor)
+  //
+  // is there a better way to throw it away? If we don't destructure and
+  // instead access props.label and props.children, then we get a test
+  // failure that the modal isn't visible. oy, dismissible.
+  Modal: jest.fn(({ children, label, dismissible, footer, ...rest }) => {
     return (
       <div
+        data-test={dismissible ? '' : ''}
         {...rest}
       >
         <h1>{label}</h1>

From d473e15108ded3c68614219350a76c9312a24f4a Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Wed, 6 Mar 2024 15:50:53 -0500
Subject: [PATCH 27/63] STCOR-821 Add `idName` and `limit` as passable props to
 `useChunkedCQLFetch` (#1438)

* STCOR-821 Add `idName` and `limit` as passable parameters to `useChunkedCQLFetch`

* Update CHANGELOG
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5d7953818..4abc8a5c2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -70,6 +70,7 @@
 * Export `getEventHandler` to be able to create events in other modules. Refs STCOR-770.
 * Simplify logout workflow to bypass keycloak confirmation page. Refs STCOR-803.
 * After login, only check SSO endpoints when `login-saml` interface is present. Refs STCOR-816.
+* Add `idName` and `limit` as passable props to `useChunkedCQLFetch`. Refs STCOR-821.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)

From 9776a6aa9888909e6763b33eca3c4826c7b59c27 Mon Sep 17 00:00:00 2001
From: aidynoJ <121284650+aidynoJ@users.noreply.github.com>
Date: Mon, 18 Mar 2024 18:31:20 +0600
Subject: [PATCH 28/63] STCOR-789: Restore original URL on login (#1442)

Refs STCOR-789.
---
 .gitignore                              |  1 +
 src/RootWithIntl.test.js                | 11 +++---
 src/components/AuthnLogin/AuthnLogin.js | 49 +++++++++++++++++++++++++
 src/components/AuthnLogin/index.js      |  1 +
 src/components/OIDCRedirect.js          | 13 +++++++
 src/components/OIDCRedirect.test.js     | 40 ++++++++++++++++++++
 6 files changed, 110 insertions(+), 5 deletions(-)
 create mode 100644 src/components/AuthnLogin/AuthnLogin.js
 create mode 100644 src/components/AuthnLogin/index.js
 create mode 100644 src/components/OIDCRedirect.test.js

diff --git a/.gitignore b/.gitignore
index 8248607ea..a1249c35e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@ artifacts
 dist
 junit.xml
 .vscode/launch.json
+.idea
diff --git a/src/RootWithIntl.test.js b/src/RootWithIntl.test.js
index 2e002c20a..b3bb2636e 100644
--- a/src/RootWithIntl.test.js
+++ b/src/RootWithIntl.test.js
@@ -9,10 +9,11 @@ import { Login } from './components';
 import PreLoginLanding from './components/PreLoginLanding';
 
 import {
-  renderLoginComponent,
   renderLogoutComponent
 } from './RootWithIntl';
 
+import AuthnLogin from './components/AuthnLogin';
+
 jest.mock('react-router-dom', () => ({
   Redirect: () => '<internalredirect>',
   withRouter: (Component) => Component,
@@ -22,10 +23,10 @@ jest.mock('./components/Login', () => () => '<login>');
 jest.mock('./components/PreLoginLanding', () => () => '<preloginlanding>');
 
 describe('RootWithIntl', () => {
-  describe('renderLoginComponent', () => {
+  describe('AuthnLogin', () => {
     it('handles legacy login', () => {
       const stripes = { okapi: {}, config: {} };
-      render(renderLoginComponent(stripes));
+      render(<AuthnLogin stripes={stripes} />);
 
       expect(screen.getByText(/<login>/)).toBeInTheDocument();
     });
@@ -36,7 +37,7 @@ describe('RootWithIntl', () => {
           okapi: { authnUrl: 'https://barbie.com' },
           config: { isSingleTenant: true }
         };
-        render(renderLoginComponent(stripes));
+        render(<AuthnLogin stripes={stripes} />);
 
         expect(screen.getByText(/<redirect>/)).toBeInTheDocument();
       });
@@ -46,7 +47,7 @@ describe('RootWithIntl', () => {
           okapi: { authnUrl: 'https://oppie.com' },
           config: { },
         };
-        render(renderLoginComponent(stripes));
+        render(<AuthnLogin stripes={stripes} />);
 
         expect(screen.getByText(/<preloginlanding>/)).toBeInTheDocument();
       });
diff --git a/src/components/AuthnLogin/AuthnLogin.js b/src/components/AuthnLogin/AuthnLogin.js
new file mode 100644
index 000000000..136ea8136
--- /dev/null
+++ b/src/components/AuthnLogin/AuthnLogin.js
@@ -0,0 +1,49 @@
+import React, { useEffect } from 'react';
+import PropTypes from 'prop-types';
+import Redirect from '../Redirect';
+import PreLoginLanding from '../PreLoginLanding';
+import Login from '../Login';
+
+import { setOkapiTenant } from '../../okapiActions';
+import { setUnauthorizedPathToSession } from '../../loginServices';
+
+const AuthnLogin = ({ stripes }) => {
+  const { config, okapi } = stripes;
+
+  useEffect(() => {
+    if (okapi.authnUrl) {
+    /** Store unauthorized pathname to session storage. Refs STCOR-789
+    * @see OIDCRedirect
+    */
+      setUnauthorizedPathToSession(window.location.pathname);
+    }
+    // we only want to run this effect once, on load.
+    // okapi.authnUrl are defined in stripes.config.js
+  }, []); // eslint-disable-line react-hooks/exhaustive-deps
+
+  if (okapi.authnUrl) {
+    if (config.isSingleTenant) {
+      const redirectUri = `${window.location.protocol}//${window.location.host}/oidc-landing`;
+      const authnUri = `${okapi.authnUrl}/realms/${okapi.tenant}/protocol/openid-connect/auth?client_id=${okapi.clientId}&response_type=code&redirect_uri=${redirectUri}&scope=openid`;
+      return <Redirect to={authnUri} />;
+    }
+
+    const handleSelectTenant = (tenant, clientId) => {
+      localStorage.setItem('tenant', JSON.stringify({ tenantName: tenant, clientId }));
+      stripes.store.dispatch(setOkapiTenant({ tenant, clientId }));
+    };
+
+    return <PreLoginLanding onSelectTenant={handleSelectTenant} />;
+  }
+
+  return <Login
+    autoLogin={config.autoLogin}
+    stripes={stripes}
+  />;
+};
+
+AuthnLogin.propTypes = {
+  stripes: PropTypes.object
+};
+
+export default AuthnLogin;
diff --git a/src/components/AuthnLogin/index.js b/src/components/AuthnLogin/index.js
new file mode 100644
index 000000000..cf8b8b128
--- /dev/null
+++ b/src/components/AuthnLogin/index.js
@@ -0,0 +1 @@
+export { default } from './AuthnLogin';
diff --git a/src/components/OIDCRedirect.js b/src/components/OIDCRedirect.js
index 3e6585de2..c224b3dad 100644
--- a/src/components/OIDCRedirect.js
+++ b/src/components/OIDCRedirect.js
@@ -1,17 +1,25 @@
 import { withRouter, Redirect, useLocation } from 'react-router';
 import queryString from 'query-string';
+import { useStripes } from '../StripesContext';
+import { getUnauthorizedPathFromSession } from '../loginServices';
 
 /**
  * OIDCRedirect authenticated route handler for /oidc-landing.
  *
+ * Read unauthorized_path from session storage if keycloak authn provided
+ * if `fwd` provided into redirect url, it causes strange behavior - infinite login requests
+ * decided to use session storage for that case. Refs STCOR-789
+ *
  * Reads `fwd` from URL params and redirects.
  *
  * @see RootWithIntl
+ * @see AuthnLogin
  *
  * @returns {Redirect}
  */
 const OIDCRedirect = () => {
   const location = useLocation();
+  const stripes = useStripes();
 
   const getParams = () => {
     const search = location.search;
@@ -20,6 +28,11 @@ const OIDCRedirect = () => {
   };
 
   const getUrl = () => {
+    if (stripes.okapi.authnUrl) {
+      const unauthorizedPath = getUnauthorizedPathFromSession();
+      if (unauthorizedPath) return unauthorizedPath;
+    }
+
     const params = getParams();
     return params?.fwd ?? '';
   };
diff --git a/src/components/OIDCRedirect.test.js b/src/components/OIDCRedirect.test.js
new file mode 100644
index 000000000..3b9c83c3a
--- /dev/null
+++ b/src/components/OIDCRedirect.test.js
@@ -0,0 +1,40 @@
+import React from 'react';
+import { render, screen } from '@folio/jest-config-stripes/testing-library/react';
+import OIDCRedirect from './OIDCRedirect';
+import { useStripes } from '../StripesContext';
+
+jest.mock('react-router', () => ({
+  ...jest.requireActual('react-router'),
+  Redirect: () => <div>internalredirect</div>,
+  withRouter: Component => Component,
+  useLocation: () => ({
+    search: '?fwd=/dashboard',
+  }),
+}));
+
+jest.mock('../StripesContext');
+
+describe('OIDCRedirect', () => {
+  beforeAll(() => {
+    sessionStorage.setItem(
+      'unauthorized_path',
+      '/example'
+    );
+  });
+
+  afterAll(() => sessionStorage.removeItem('unauthorized_path'));
+
+  it('redirects to value from session storage under unauthorized_path key', () => {
+    useStripes.mockReturnValue({ okapi:{ authnUrl: 'http://example.com/authn' } });
+    render(<OIDCRedirect />);
+
+    expect(screen.getByText(/internalredirect/)).toBeInTheDocument();
+  });
+
+  it('redirects fwd if no authn provided to stripes okapi config', () => {
+    useStripes.mockReturnValue({ okapi: { } });
+    render(<OIDCRedirect />);
+
+    expect(screen.getByText(/internalredirect/)).toBeInTheDocument();
+  });
+});

From 198d379035fd5fffc2ea54eb2889a64b1bb6207d Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Fri, 22 Mar 2024 10:51:03 -0400
Subject: [PATCH 29/63] STCOR-820 For the /reset-password route, allow token to
 be specified in the path or query arguments (#1445)

* STCOR-820 Add support for optionaly passing token by URL param

* Remove console.log

* Update CHANGELOG.md
---
 CHANGELOG.md                                  |  1 +
 .../CreateResetPasswordControl.js             | 17 +++--
 .../CreateResetPasswordControl.test.js        | 62 +++++++++++++++++++
 3 files changed, 70 insertions(+), 10 deletions(-)
 create mode 100644 src/components/CreateResetPassword/CreateResetPasswordControl.test.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4abc8a5c2..61f93d898 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -71,6 +71,7 @@
 * Simplify logout workflow to bypass keycloak confirmation page. Refs STCOR-803.
 * After login, only check SSO endpoints when `login-saml` interface is present. Refs STCOR-816.
 * Add `idName` and `limit` as passable props to `useChunkedCQLFetch`. Refs STCOR-821.
+* For the `/reset-password` route, allow token to be specified in the path or query arguments. Refs STCOR-820.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)
diff --git a/src/components/CreateResetPassword/CreateResetPasswordControl.js b/src/components/CreateResetPassword/CreateResetPasswordControl.js
index d30a05ea4..e912a0fdf 100644
--- a/src/components/CreateResetPassword/CreateResetPasswordControl.js
+++ b/src/components/CreateResetPassword/CreateResetPasswordControl.js
@@ -8,6 +8,7 @@ import { stripesShape } from '../../Stripes';
 import { setAuthError } from '../../okapiActions';
 import { defaultErrors } from '../../constants';
 import OrganizationLogo from '../OrganizationLogo';
+import { getLocationQuery } from '../../locationService';
 
 import CreateResetPassword from './CreateResetPassword';
 import PasswordHasNotChanged from './components/PasswordHasNotChanged';
@@ -18,13 +19,14 @@ class CreateResetPasswordControl extends Component {
   static propTypes = {
     authFailure: PropTypes.arrayOf(PropTypes.object),
     location: PropTypes.shape({
+      query: PropTypes.string,
       search: PropTypes.string.isRequired,
     }),
     match: PropTypes.shape({
       params: PropTypes.shape({
-        token: PropTypes.string.isRequired,
-      }).isRequired,
-    }).isRequired,
+        token: PropTypes.string,
+      }),
+    }),
     stripes: stripesShape.isRequired,
     handleBadResponse: PropTypes.func.isRequired,
     clearAuthErrors: PropTypes.func.isRequired,
@@ -107,6 +109,7 @@ class CreateResetPasswordControl extends Component {
       },
     } = stripes;
 
+    const resetToken = token ?? getLocationQuery(location)?.resetToken;
     const interfacePath = stripes.hasInterface('users-keycloak') ? 'users-keycloak' : 'bl-users';
     const path = `${url}/${interfacePath}/password-reset/${isValidToken ? 'reset' : 'validate'}`;
 
@@ -114,7 +117,7 @@ class CreateResetPasswordControl extends Component {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
-        'x-okapi-token': token,
+        'x-okapi-token': resetToken,
         'x-okapi-tenant': getTenant(stripes, location),
       },
       ...(body && { body: JSON.stringify(body) }),
@@ -145,11 +148,6 @@ class CreateResetPasswordControl extends Component {
   render() {
     const {
       authFailure,
-      match: {
-        params: {
-          token,
-        },
-      },
       clearAuthErrors,
     } = this.props;
 
@@ -178,7 +176,6 @@ class CreateResetPasswordControl extends Component {
 
     return (
       <CreateResetPassword
-        token={token}
         errors={authFailure}
         stripes={this.props.stripes}
         onSubmit={this.handleSubmit}
diff --git a/src/components/CreateResetPassword/CreateResetPasswordControl.test.js b/src/components/CreateResetPassword/CreateResetPasswordControl.test.js
new file mode 100644
index 000000000..3d2102ab0
--- /dev/null
+++ b/src/components/CreateResetPassword/CreateResetPasswordControl.test.js
@@ -0,0 +1,62 @@
+import { render } from '@testing-library/react';
+import { Router } from 'react-router-dom';
+import { createMemoryHistory } from 'history';
+import { Provider } from 'react-redux';
+
+import { getLocationQuery } from '../../locationService';
+import CreateResetPasswordControl from './CreateResetPasswordControl';
+
+jest.mock('../OrganizationLogo');
+
+jest.mock('../../locationService', () => ({
+  getLocationQuery: jest.fn()
+}));
+
+describe('CreateResetPasswordControl', () => {
+  const mockFetch = jest.fn(() => Promise.resolve({
+    json: () => Promise.resolve({ test: 100 }),
+  }));
+
+  const stripes = {
+    clone: jest.fn(),
+    config: {},
+    okapi: {
+      url: 'http://test'
+    },
+    hasInterface: jest.fn().mockReturnValue(true),
+    store: {
+      getState: () => ({
+        okapi: {
+          token: '123',
+        },
+      }),
+      dispatch: () => {},
+      subscribe: () => {},
+      replaceReducer: () => {},
+    }
+  };
+
+  beforeEach(() => {
+    global.fetch = mockFetch;
+  });
+
+  afterEach(() => {
+    jest.resetAllMocks();
+  });
+
+  it('uses reset token in URL param', async () => {
+    getLocationQuery.mockReturnValue({ resetToken: '123' });
+
+    const history = createMemoryHistory();
+
+    render(
+      <Provider store={stripes.store}>
+        <Router history={history}>
+          <CreateResetPasswordControl stripes={stripes} />
+        </Router>
+      </Provider>
+    );
+
+    expect(mockFetch.mock.lastCall[1].headers['x-okapi-token'] === '123').toBeTruthy();
+  });
+});

From f0a1fdc65e4ff8c2795d912ad08ed42f1250e056 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Thu, 28 Mar 2024 00:16:23 -0400
Subject: [PATCH 30/63] rebase cleanup: missed a few things along the way

---
 src/components/SSOLanding.test.js | 65 -------------------------------
 1 file changed, 65 deletions(-)
 delete mode 100644 src/components/SSOLanding.test.js

diff --git a/src/components/SSOLanding.test.js b/src/components/SSOLanding.test.js
deleted file mode 100644
index 9d9dd452e..000000000
--- a/src/components/SSOLanding.test.js
+++ /dev/null
@@ -1,65 +0,0 @@
-import { render, screen } from '@folio/jest-config-stripes/testing-library/react';
-import { useLocation } from 'react-router-dom';
-import { useCookies } from 'react-cookie';
-import { requestUserWithPerms } from '../loginServices';
-
-import SSOLanding from './SSOLanding';
-
-jest.mock('lodash', () => ({
-  debounce: jest.fn(fn => fn)
-}));
-
-jest.mock('../loginServices', () => ({
-  requestUserWithPerms: jest.fn(() => {})
-}));
-
-jest.mock('react-router-dom', () => ({
-  useLocation: jest.fn()
-}));
-
-jest.mock('stripes-config', () => ({
-  okapi: {
-    url: 'okapiUrl',
-    tenant: 'okapiTenant'
-  }
-}),
-{ virtual: true });
-
-jest.mock('react-cookie', () => ({
-  useCookies: jest.fn()
-}));
-
-jest.mock('react-redux', () => ({
-  useStore: jest.fn()
-}));
-
-describe('SSOLanding', () => {
-  beforeEach(() => {
-    useLocation.mockImplementation(() => ({ search: '' }));
-    useCookies.mockImplementation(() => [{}]);
-  });
-
-  afterEach(() => {
-    jest.resetAllMocks();
-  });
-
-  it('handles token within query parameters', () => {
-    useLocation.mockImplementation(() => ({ search: 'ssoToken=c0ffee' }));
-    render(<SSOLanding />);
-    expect(requestUserWithPerms.mock.calls).toHaveLength(1);
-    expect(screen.getByText(/Logged in with token.*param\.$/)).toBeInTheDocument();
-  });
-
-  it('handles token within a cookie', () => {
-    useCookies.mockImplementation(() => ([{ ssoToken: 'c0ffee-c0ffee' }]));
-    render(<SSOLanding />);
-    expect(requestUserWithPerms.mock.calls).toHaveLength(1);
-    expect(screen.getByText(/Logged in with token.*cookie\.$/)).toBeInTheDocument();
-  });
-
-  it('displays error with no token.', () => {
-    render(<SSOLanding />);
-    expect(requestUserWithPerms.mock.calls).toHaveLength(0);
-    expect(screen.getByText('No cookie or query parameter')).toBeInTheDocument();
-  });
-});

From e005c51e1a059286908832182b20fd8127645f6b Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Fri, 5 Apr 2024 08:46:07 -0400
Subject: [PATCH 31/63] STCOR-820 Use isEureka config value (#1450)

---
 .../CreateResetPassword/CreateResetPasswordControl.js        | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/components/CreateResetPassword/CreateResetPasswordControl.js b/src/components/CreateResetPassword/CreateResetPasswordControl.js
index e912a0fdf..42ff38a55 100644
--- a/src/components/CreateResetPassword/CreateResetPasswordControl.js
+++ b/src/components/CreateResetPassword/CreateResetPasswordControl.js
@@ -109,8 +109,11 @@ class CreateResetPasswordControl extends Component {
       },
     } = stripes;
 
+    // Token value from match.params.token comes from React-Router parsing the value from the URL path /:token?
+    // This part of the path is optional (hence the ?) and can instead be placed in the URL param `resetToken`
+    // to allow for keys longer than the URL length restriction of 2048 characters.
     const resetToken = token ?? getLocationQuery(location)?.resetToken;
-    const interfacePath = stripes.hasInterface('users-keycloak') ? 'users-keycloak' : 'bl-users';
+    const interfacePath = stripes.config.isEureka ? 'users-keycloak' : 'bl-users';
     const path = `${url}/${interfacePath}/password-reset/${isValidToken ? 'reset' : 'validate'}`;
 
     fetch(path, {

From defb2d99efd674e7a64873a89b1d1966d93014d7 Mon Sep 17 00:00:00 2001
From: aidynoJ <121284650+aidynoJ@users.noreply.github.com>
Date: Tue, 9 Apr 2024 18:15:38 +0500
Subject: [PATCH 32/63] STCOR-789-follow-up: Include /authn/token on the list
 of always-permissible API (#1452)

* STCOR-789: add /authn/token to always-permissible list. Refs STCOR-789

Include `/authn/token` on the list of always-permissible API in order to
allow OTP-for-cookie exchange on return from authentication. Without
this allowance in place, stripes will get stuck in a loop bouncing
between the authn-server (which believes, correctly, that the user has
authenticated) and stripes (which believes, wrongly, that the user has
not authenticated because its "valid AT?" check fails). The AT won't be
valid until after we get to exchange the OTP for an AT by visiting
`/authn/token`.

---------

Co-authored-by: Ryan Berger <rberger@ebsco.com>
Co-authored-by: Zak Burke <zburke@ebsco.com>
---
 src/loginServices.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/loginServices.js b/src/loginServices.js
index 16d0772c5..703526bf1 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -877,7 +877,7 @@ export function requestLogin(okapiUrl, store, tenant, data) {
       method: 'POST',
       mode: 'cors',
     })
-    .then(resp => processOkapiSession(store, tenant, resp));
+      .then(resp => processOkapiSession(store, tenant, resp));
   }
 }
 

From 681abf1da1e533f7a741e7f54e83e39bf5bbf77b Mon Sep 17 00:00:00 2001
From: John Coburn <jcoburn@ebsco.com>
Date: Wed, 3 Apr 2024 13:28:16 -0500
Subject: [PATCH 33/63] STCOR-712 Refactor tagname selectors used in
 Auth-related forms. (#1449)

* switch to classname-only selectors for login screen.

* remove element selectors from reset, create password and forgot username UI's

* log changes

* correct nesting in CreateResetPassword.css
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 61f93d898..9e024c410 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## 10.2.0 IN PROGRESS
 
+* Remove tag-based selectors from Login, ResetPassword, Forgot UserName/Password form CSS. Refs STCOR-712.
+* Utilize the `tenant` procured through the SSO login process. Refs STCOR-769.
+* Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
+
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
 

From 75772fda13ba8b62c5ce269e7bda3d6edeadeca2 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Thu, 11 Apr 2024 08:56:47 -0400
Subject: [PATCH 34/63] STCOR-830 user-tenant-permissions hooks/functions
 (#1453)

Provide user-tenant-permissions functionality, both centralizing this
functionality and insulating other applications from needing to depend
on the permissions interface.

* `useUserTenantPermissions` provides permissions for the currently
  authenticated user in a single tenant
* `getUserTenantsPermissions` provides permissions for the currently
  authenticated user across an array of tenants

Refs STCOR-830
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9e024c410..bf3a9055d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 * Remove tag-based selectors from Login, ResetPassword, Forgot UserName/Password form CSS. Refs STCOR-712.
 * Utilize the `tenant` procured through the SSO login process. Refs STCOR-769.
 * Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
+* Provide `useUserTenantPermissions` hook. Refs STCOR-830.
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)

From 393aea3a9d3f7ee621f283c711148142166214a7 Mon Sep 17 00:00:00 2001
From: Yury Saukou <yury_saukou@epam.com>
Date: Thu, 14 Mar 2024 12:35:20 +0400
Subject: [PATCH 35/63] STCOR-769 Utilize the 'tenant' procured through the SSO
 login process (#1415)

To support Single Sign-On (SSO) authorization in consortium mode,
it's necessary to explicitly pass the tenant in the request header
to load data.

(cherry picked from commit d8db8b79589f7522a4ba0bc756350708139606f9)
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bf3a9055d..9d6209d34 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
 
+## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
+[Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
+
 * Utilize the `tenant` procured through the SSO login process. Refs STCOR-769.
 * Remove tag-based selectors from Login, ResetPassword, Forgot UserName/Password form CSS. Refs STCOR-712.
 * Provide `useUserTenantPermissions` hook. Refs STCOR-830.

From b8a39acad7d77f41b218fb9d098708495aa299a4 Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Tue, 7 May 2024 10:06:11 -0400
Subject: [PATCH 36/63] STCOR-845 Redirect correctly after changing password
 (#1462)

* Navigate to base URL if using Eureka since backend doesn't recognize /login
---
 CHANGELOG.md                                           |  1 +
 .../CreateResetPassword/CreateResetPasswordControl.js  |  2 +-
 .../PasswordSuccessfullyChanged.js                     | 10 ++++++++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9d6209d34..fb6eb193e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 * Utilize the `tenant` procured through the SSO login process. Refs STCOR-769.
 * Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
 * Provide `useUserTenantPermissions` hook. Refs STCOR-830.
+* Fix 404 error page when logging in after changing password in Eureka. Refs STCOR-845.
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
diff --git a/src/components/CreateResetPassword/CreateResetPasswordControl.js b/src/components/CreateResetPassword/CreateResetPasswordControl.js
index 42ff38a55..aa28cee3d 100644
--- a/src/components/CreateResetPassword/CreateResetPasswordControl.js
+++ b/src/components/CreateResetPassword/CreateResetPasswordControl.js
@@ -162,7 +162,7 @@ class CreateResetPasswordControl extends Component {
     } = this.state;
 
     if (isSuccessfulPasswordChange) {
-      return <PasswordSuccessfullyChanged />;
+      return <PasswordSuccessfullyChanged stripes={this.props.stripes} />;
     }
 
     if (isLoading) {
diff --git a/src/components/CreateResetPassword/components/PasswordSuccessfullyChanged/PasswordSuccessfullyChanged.js b/src/components/CreateResetPassword/components/PasswordSuccessfullyChanged/PasswordSuccessfullyChanged.js
index 101b69bed..0d6469e6c 100644
--- a/src/components/CreateResetPassword/components/PasswordSuccessfullyChanged/PasswordSuccessfullyChanged.js
+++ b/src/components/CreateResetPassword/components/PasswordSuccessfullyChanged/PasswordSuccessfullyChanged.js
@@ -12,12 +12,17 @@ import OrganizationLogo from '../../../OrganizationLogo';
 
 import styles from './PasswordSuccessfullyChanged.css';
 
-const PasswordSuccessfullyChanged = ({ history }) => {
+const PasswordSuccessfullyChanged = ({ history, stripes }) => {
   const labelNamespace = 'stripes-core.label';
   const buttonNamespace = 'stripes-core.button';
 
   const handleRedirectClick = () => {
-    history.push('/login');
+    // If using Eureka, go to base URL. Otherwise, if using Okapi then go to /login
+    if (stripes.config.isEureka) {
+      history.push('/');
+    } else {
+      history.push('/login');
+    }
   };
 
   return (
@@ -64,6 +69,7 @@ PasswordSuccessfullyChanged.propTypes = {
   history: PropTypes.shape({
     push: PropTypes.func.isRequired,
   }).isRequired,
+  stripes: PropTypes.object,
 };
 
 export default withRouter(PasswordSuccessfullyChanged);

From a9b860dfe591f7e7b236640fc1ceb6d25401b30c Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Fri, 17 May 2024 16:56:47 -0400
Subject: [PATCH 37/63] rebase-cleanup: the STCOR-776 rebase was a doozy

We attempted to rebase onto master just after STCOR-776 merged (#1463).
It didn't go smoothly but the results got pushed anyway, which made
clean up tricky too. I think the changes here resolve the conflicts.

One outstanding issue I am aware of is that the `/logout-timeout`
redirect does not work correctly. When the session terminates,
`<AuthnLogin>` redirects to keycloak no matter what. It's like the
routing switch statement is falling through instead of stopping with
`<LogoutTimeout>`. That's no good, but it's less no good than the
current tip-of-branch, which doesn't redirect ever, making it impossible
to authenticate.
---
 CHANGELOG.md                                  | 20 +++----
 src/RootWithIntl.js                           |  9 +--
 src/RootWithIntl.test.js                      | 20 +++----
 src/components/MainNav/MainNav.js             |  8 ---
 src/components/Root/Root.js                   |  2 +-
 src/components/Root/token-util.js             |  1 +
 src/components/SessionEventContainer/index.js |  1 +
 src/discoverServices.js                       |  3 +
 src/loginServices.js                          | 55 ++++++-------------
 src/loginServices.test.js                     |  1 -
 yarn.lock                                     | 16 ------
 11 files changed, 41 insertions(+), 95 deletions(-)
 create mode 100644 src/components/SessionEventContainer/index.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fb6eb193e..a500f4903 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,24 +2,11 @@
 
 ## 10.2.0 IN PROGRESS
 
-* Remove tag-based selectors from Login, ResetPassword, Forgot UserName/Password form CSS. Refs STCOR-712.
-* Utilize the `tenant` procured through the SSO login process. Refs STCOR-769.
-* Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
-* Provide `useUserTenantPermissions` hook. Refs STCOR-830.
-* Fix 404 error page when logging in after changing password in Eureka. Refs STCOR-845.
-
-## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
-[Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
-
-## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
-[Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
-
 * Utilize the `tenant` procured through the SSO login process. Refs STCOR-769.
 * Remove tag-based selectors from Login, ResetPassword, Forgot UserName/Password form CSS. Refs STCOR-712.
 * Provide `useUserTenantPermissions` hook. Refs STCOR-830.
 * Load DayJS locale data as part of `loginServices`. STCOR-771.
 * Turn on `<StrictMode>`; ignore it with `stripes.config.js` `disableStrictMode: true`. Refs STCOR-841.
-* Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
 * Make branding optional. Refs STCOR-847.
 * Idle-session timeout and "Keep working?" modal. Refs STCOR-776.
 * Implement password validation for Login Page. Refs STCOR-741.
@@ -27,6 +14,13 @@
 * Update session data with values from `_self` request on reload. Refs STCOR-846.
 * Avoid deprecated `getChildContext`. Refs STCOR-842.
 * Read locale from stripes-config before defaulting to `en-US`. Refs STCOR-851.
+* Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
+* Fix 404 error page when logging in after changing password in Eureka. Refs STCOR-845.
+
+## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
+[Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
+
+* Utilize the `tenant` procured through the SSO login process. Refs STCOR-769.
 
 ## [10.1.0](https://github.com/folio-org/stripes-core/tree/v10.1.0) (2024-03-12)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.0.0...v10.1.0)
diff --git a/src/RootWithIntl.js b/src/RootWithIntl.js
index dab5034a8..5f2318d26 100644
--- a/src/RootWithIntl.js
+++ b/src/RootWithIntl.js
@@ -27,7 +27,6 @@ import {
   Settings,
   HandlerManager,
   TitleManager,
-  Login,
   Logout,
   LogoutTimeout,
   OverlayContainer,
@@ -37,11 +36,11 @@ import {
   ForgotUserNameCtrl,
   AppCtxMenuProvider,
   SessionEventContainer,
-  SessionEventContainer,
 } from './components';
 import StaleBundleWarning from './components/StaleBundleWarning';
 import { StripesContext } from './StripesContext';
 import { CalloutContext } from './CalloutContext';
+import AuthnLogin from './components/AuthnLogin';
 
 const RootWithIntl = ({ stripes, token = '', isAuthenticated = false, disableAuth, history = {} }) => {
   const connect = connectFor('@folio/core', stripes.epics, stripes.logger);
@@ -164,11 +163,7 @@ const RootWithIntl = ({ stripes, token = '', isAuthenticated = false, disableAut
                       />
                       <TitledRoute
                         name="login"
-                        component={
-                          <Login
-                            autoLogin={connectedStripes.config.autoLogin}
-                            stripes={connectedStripes}
-                          />}
+                        component={<AuthnLogin stripes={connectedStripes} />}
                       />
                     </Switch>
                   }
diff --git a/src/RootWithIntl.test.js b/src/RootWithIntl.test.js
index b3bb2636e..11f6634e0 100644
--- a/src/RootWithIntl.test.js
+++ b/src/RootWithIntl.test.js
@@ -8,9 +8,9 @@ import Redirect from './components/Redirect';
 import { Login } from './components';
 import PreLoginLanding from './components/PreLoginLanding';
 
-import {
-  renderLogoutComponent
-} from './RootWithIntl';
+// import {
+//   renderLogoutComponent
+// } from './RootWithIntl';
 
 import AuthnLogin from './components/AuthnLogin';
 
@@ -54,12 +54,12 @@ describe('RootWithIntl', () => {
     });
   });
 
-  describe('renderLogoutComponent', () => {
-    it('handles legacy logout', () => {
-      const stripes = { okapi: {}, config: {} };
-      render(renderLogoutComponent(stripes));
+  // describe('renderLogoutComponent', () => {
+  //   it('handles legacy logout', () => {
+  //     const stripes = { okapi: {}, config: {} };
+  //     render(renderLogoutComponent(stripes));
 
-      expect(screen.getByText(/<internalredirect>/)).toBeInTheDocument();
-    });
-  });
+  //     expect(screen.getByText(/<internalredirect>/)).toBeInTheDocument();
+  //   });
+  // });
 });
diff --git a/src/components/MainNav/MainNav.js b/src/components/MainNav/MainNav.js
index 2a26383d4..1ced15b62 100644
--- a/src/components/MainNav/MainNav.js
+++ b/src/components/MainNav/MainNav.js
@@ -116,14 +116,6 @@ class MainNav extends Component {
     });
   }
 
-  // Return the user to the login screen, but after logging in they will return to their previous activity.
-  returnToLogin() {
-    const { okapi } = this.store.getState();
-
-    return getLocale(okapi.url, this.store, okapi.tenant)
-      .then(sessionLogout(okapi.url, this.store));
-  }
-
   // return the user to the login screen, but after logging in they will be brought to the default screen.
   logout() {
     const { okapi } = this.store.getState();
diff --git a/src/components/Root/Root.js b/src/components/Root/Root.js
index 90705f6a3..13e7e47de 100644
--- a/src/components/Root/Root.js
+++ b/src/components/Root/Root.js
@@ -17,7 +17,7 @@ import enhanceReducer from '../../enhanceReducer';
 import createApolloClient from '../../createApolloClient';
 import createReactQueryClient from '../../createReactQueryClient';
 import { setSinglePlugin, setBindings, setIsAuthenticated, setOkapiToken, setTimezone, setCurrency, updateCurrentUser } from '../../okapiActions';
-import { loadTranslations, checkOkapiSession, addRtrEventListeners } from '../../loginServices';
+import { loadTranslations, checkOkapiSession } from '../../loginServices';
 import { getQueryResourceKey, getCurrentModule } from '../../locationService';
 import Stripes from '../../Stripes';
 import RootWithIntl from '../../RootWithIntl';
diff --git a/src/components/Root/token-util.js b/src/components/Root/token-util.js
index b622101a6..c1a147024 100644
--- a/src/components/Root/token-util.js
+++ b/src/components/Root/token-util.js
@@ -72,6 +72,7 @@ export const resourceMapper = (resource, fx) => {
 export const isAuthenticationRequest = (resource, oUrl) => {
   const isPermissibleResource = (string) => {
     const permissible = [
+      '/authn/token',
       '/bl-users/login-with-expiry',
       '/bl-users/_self',
     ];
diff --git a/src/components/SessionEventContainer/index.js b/src/components/SessionEventContainer/index.js
new file mode 100644
index 000000000..46995e871
--- /dev/null
+++ b/src/components/SessionEventContainer/index.js
@@ -0,0 +1 @@
+export { default } from './SessionEventContainer';
diff --git a/src/discoverServices.js b/src/discoverServices.js
index 1a221631a..04a888423 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -114,17 +114,20 @@ function fetchApplicationDetails(store) {
             return Promise.all(list);
           }
 
+          // eslint-disable-next-line no-console
           console.error(`>>> NO APPLICATIONS AVAILABLE FOR ${okapi.tenant}`, json);
           store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
           throw response;
         });
       } else {
+        // eslint-disable-next-line no-console
         console.error(`>>> COULD NOT RETRIEVE APPLICATIONS FOR ${okapi.tenant}`, response);
         store.dispatch({ type: 'DISCOVERY_FAILURE', code: response.status });
         throw response;
       }
     })
     .catch(reason => {
+      // eslint-disable-next-line no-console
       console.error(`@@ COULD NOT RETRIEVE APPLICATIONS FOR ${okapi.tenant}`, reason);
       store.dispatch({ type: 'DISCOVERY_FAILURE', message: reason });
     });
diff --git a/src/loginServices.js b/src/loginServices.js
index 703526bf1..4a7192d66 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -111,6 +111,18 @@ export const setTokenExpiry = async (te) => {
   return localforage.setItem(SESSION_NAME, val);
 };
 
+/**
+ * removeUnauthorizedPathFromSession, setUnauthorizedPathToSession, getUnauthorizedPathFromSession
+ * remove/set/get unauthorized_path to/from session storage.
+ * Used to restore path on returning from login if user accessed a bookmarked
+ * URL while unauthenticated and was redirected to login.
+ *
+ * @see components/OIDCRedirect
+ */
+const UNAUTHORIZED_PATH = 'unauthorized_path';
+export const removeUnauthorizedPathFromSession = () => sessionStorage.removeItem(UNAUTHORIZED_PATH);
+export const setUnauthorizedPathToSession = (pathname) => sessionStorage.setItem(UNAUTHORIZED_PATH, pathname);
+export const getUnauthorizedPathFromSession = () => sessionStorage.getItem(UNAUTHORIZED_PATH);
 
 // export config values for storing user locale
 export const userLocaleConfig = {
@@ -468,6 +480,7 @@ export async function logout(okapiUrl, store) {
     })
     :
     Promise.resolve();
+
   return logoutPromise
     // clear private-storage
     .then(() => {
@@ -521,8 +534,6 @@ export async function logout(okapiUrl, store) {
  * @returns {Promise}
  */
 export function createOkapiSession(store, tenant, token, data) {
-  // @@ new StripesSession(store, data);
-
   // clear any auth-n errors
   store.dispatch(setAuthError(null));
 
@@ -550,6 +561,7 @@ export function createOkapiSession(store, tenant, token, data) {
     user,
     perms,
     tenant: sessionTenant,
+    tokenExpiration,
   };
 
   // localStorage events emit across tabs so we can use it like a
@@ -594,41 +606,6 @@ export function createOkapiSession(store, tenant, token, data) {
     });
 }
 
-/**
- * handleRtrError
- * Clear out the redux store and logout.
- *
- * @param {*} event
- * @param {*} store
- * @returns void
- */
-export const handleRtrError = (event, store) => {
-  logger.log('rtr', 'rtr error; logging out', event.detail);
-  store.dispatch(setIsAuthenticated(false));
-  store.dispatch(clearCurrentUser());
-  store.dispatch(resetStore());
-  localforage.removeItem(SESSION_NAME)
-    .then(localforage.removeItem('loginResponse'));
-};
-
-/**
- * addRtrEventListeners
- * RTR_ERROR_EVENT: RTR error, logout
- * RTR_ROTATION_EVENT: configure a timer for auto-logout
- *
- * @param {*} okapiConfig
- * @param {*} store
- */
-export function addRtrEventListeners(okapiConfig, store) {
-  document.addEventListener(RTR_ERROR_EVENT, (e) => {
-    handleRtrError(e, store);
-  });
-
-  // document.addEventListener(RTR_ROTATION_EVENT, (e) => {
-  //   handleRtrRotation(e, store);
-  // });
-}
-
 /**
  * getSSOEnabled
  * return a promise that fetches from /saml/check and dispatches checkSSO.
@@ -976,9 +953,9 @@ export function updateUser(store, data) {
  *
  * @returns {Promise}
  */
-export async function updateTenant(okapi, tenant) {
+export async function updateTenant(okapiConfig, tenant) {
   const okapiSess = await getOkapiSession();
-  const userWithPermsResponse = await fetchUserWithPerms(okapi.url, tenant, okapi.token);
+  const userWithPermsResponse = await fetchUserWithPerms(okapiConfig.url, tenant, okapiConfig.token);
   const userWithPerms = await userWithPermsResponse.json();
   await localforage.setItem(SESSION_NAME, { ...okapiSess, tenant, ...spreadUserWithPerms(userWithPerms) });
 }
diff --git a/src/loginServices.test.js b/src/loginServices.test.js
index 81d370a2e..6454d17a3 100644
--- a/src/loginServices.test.js
+++ b/src/loginServices.test.js
@@ -1,5 +1,4 @@
 import localforage from 'localforage';
-import { config } from 'stripes-config';
 
 import {
   createOkapiSession,
diff --git a/yarn.lock b/yarn.lock
index c0e30184d..3aec5a092 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -10906,22 +10906,6 @@ possible-typed-array-names@^1.0.0:
   resolved "https://registry.yarnpkg.com/possible-typed-array-names/-/possible-typed-array-names-1.0.0.tgz#89bb63c6fada2c3e90adc4a647beeeb39cc7bf8f"
   integrity sha512-d7Uw+eZoloe0EHDIYoe+bQ5WXnGMOpmiZFTuMWCwpjzzkL2nTjcKiAk4hh8TjnGye2TwWOk3UXucZ+3rbmBa8Q==
 
-postcss-calc@^9.0.1:
-  version "9.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-calc/-/postcss-calc-9.0.1.tgz#a744fd592438a93d6de0f1434c572670361eb6c6"
-  integrity sha512-TipgjGyzP5QzEhsOZUaIkeO5mKeMFpebWzRogWG/ysonUlnHcq5aJe0jOjpfzUU8PeSaBQnrE8ehR0QA5vs8PQ==
-  dependencies:
-    postcss-selector-parser "^6.0.11"
-    postcss-value-parser "^4.2.0"
-
-postcss-color-function@folio-org/postcss-color-function:
-  version "4.1.0"
-  resolved "https://codeload.github.com/folio-org/postcss-color-function/tar.gz/c128aad740ae740fb571c4b6493f467dd51efe85"
-  dependencies:
-    css-color-function "~1.3.3"
-    postcss-message-helpers "^2.0.0"
-    postcss-value-parser "^4.1.0"
-
 postcss-custom-media@^9.0.1:
   version "9.1.5"
   resolved "https://registry.yarnpkg.com/postcss-custom-media/-/postcss-custom-media-9.1.5.tgz#20c5822dd15155d768f8dd84e07a6ffd5d01b054"

From eeaa34acfec17d95e955e615e09d153a444a06b6 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Mon, 20 May 2024 07:20:47 -0400
Subject: [PATCH 38/63] rebase-cleanup: restore logout

The `/authn/logout` request requires the `X-Okapi-Tenant` header to
succeed.
---
 src/loginServices.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/loginServices.js b/src/loginServices.js
index 4a7192d66..57d7bc006 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -476,7 +476,8 @@ export async function logout(okapiUrl, store) {
     fetch(`${okapiUrl}/authn/logout`, {
       method: 'POST',
       mode: 'cors',
-      credentials: 'include'
+      credentials: 'include',
+      headers: getHeaders(store.getState()?.okapi?.tenant),
     })
     :
     Promise.resolve();

From 5bc64cebd6fa57347570aaca3301545ed21a6e8b Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Thu, 23 May 2024 16:31:41 -0400
Subject: [PATCH 39/63] rebase-cleanup: restore logout AND ITS TESTS (#1479)

The previous commit re-enabled logout by correctly passing the
`x-okapi-tenant` header in the `/authn/logout` request. It turns out
that if you want read the tenant from the store in a test, you have to
mock the store in your test. WHO KNEW???
---
 src/loginServices.test.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/loginServices.test.js b/src/loginServices.test.js
index 6454d17a3..6827bf9ae 100644
--- a/src/loginServices.test.js
+++ b/src/loginServices.test.js
@@ -502,6 +502,7 @@ describe('logout', () => {
       global.fetch = jest.fn().mockImplementation(() => Promise.resolve());
       const store = {
         dispatch: jest.fn(),
+        getState: jest.fn(),
       };
       window.sessionStorage.clear();
 
@@ -523,6 +524,7 @@ describe('logout', () => {
       localStorage.setItem(SESSION_NAME, 'true');
       const store = {
         dispatch: jest.fn(),
+        getState: jest.fn(),
       };
       window.sessionStorage.clear();
 

From 92e6926d81e9ac155d34c3cadd3eabdbe159dc12 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Thu, 23 May 2024 17:07:20 -0400
Subject: [PATCH 40/63] STCOR-853 do not include credential in /authn/token
 request (#1480)

The request to `/authn/token` pulls an OTP from the query string and
exchanges it for AT/RT cookies. If, somehow, the browser already has
cookies and sends them along on this request, it causes a negative
feedback look because the OTP and the cookies are out of sync.
The old AT/RT cookies will cause the endpoint to return 4xx, which will
result in a redirect back to keycloak, which will find its (still
perfectly valid) authentication cookies, which will cause it redirect
back to stripes with a new OTP ... and the cycle repeats.

Thus, when we are exchanging an OTP, we don't want to send any cookies.
We want stripes to send the OTP and have new cookies from the response
overwrite anything that was previously stored.

Refs STCOR-853
---
 CHANGELOG.md                       |  1 +
 src/components/OIDCLanding.js      |  2 +-
 src/components/OIDCLanding.test.js | 85 ++++++++++++++++++++++++++++++
 3 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 src/components/OIDCLanding.test.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a500f4903..e6b3686b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@
 * Read locale from stripes-config before defaulting to `en-US`. Refs STCOR-851.
 * Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
 * Fix 404 error page when logging in after changing password in Eureka. Refs STCOR-845.
+* Omit credentials in requests to `/authn/token` to prevent redirect tailspin. Refs STCOR-853.
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
diff --git a/src/components/OIDCLanding.js b/src/components/OIDCLanding.js
index 5887c67e0..7d351d249 100644
--- a/src/components/OIDCLanding.js
+++ b/src/components/OIDCLanding.js
@@ -59,7 +59,7 @@ const OIDCLanding = () => {
     if (otp) {
       setPotp(otp);
       fetch(`${okapi.url}/authn/token?code=${otp}&redirect-uri=${window.location.protocol}//${window.location.host}/oidc-landing`, {
-        credentials: 'include',
+        credentials: 'omit',
         headers: { 'X-Okapi-tenant': okapi.tenant, 'Content-Type': 'application/json' },
         mode: 'cors',
       })
diff --git a/src/components/OIDCLanding.test.js b/src/components/OIDCLanding.test.js
new file mode 100644
index 000000000..9a075176f
--- /dev/null
+++ b/src/components/OIDCLanding.test.js
@@ -0,0 +1,85 @@
+import { render, screen, waitFor } from '@folio/jest-config-stripes/testing-library/react';
+
+import { requestUserWithPerms, setTokenExpiry } from '../loginServices';
+import OIDCLanding from './OIDCLanding';
+
+jest.mock('react-router-dom', () => ({
+  useLocation: () => ({
+    search: 'session_state=dead-beef&code=c0ffee'
+  }),
+  Redirect: () => <>Redirect</>,
+}));
+
+jest.mock('react-redux', () => ({
+  useStore: () => { },
+}));
+
+jest.mock('../StripesContext', () => ({
+  useStripes: () => ({
+    okapi: { url: 'https://whaterver' },
+  }),
+}));
+
+// jest.mock('../loginServices');
+
+
+const mockSetTokenExpiry = jest.fn();
+const mockRequestUserWithPerms = jest.fn();
+const mockFoo = jest.fn();
+jest.mock('../loginServices', () => ({
+  setTokenExpiry: () => mockSetTokenExpiry(),
+  requestUserWithPerms: () => mockRequestUserWithPerms(),
+  foo: () => mockFoo(),
+}));
+
+
+// fetch success: resolve promise with ok == true and $data in json()
+const mockFetchSuccess = (data) => {
+  global.fetch = jest.fn().mockImplementation(() => (
+    Promise.resolve({
+      ok: true,
+      json: () => Promise.resolve(data),
+      headers: new Map(),
+    })
+  ));
+};
+
+// fetch failure: resolve promise with ok == false and $error in json()
+const mockFetchError = (error) => {
+  global.fetch = jest.fn().mockImplementation(() => (
+    Promise.resolve({
+      ok: false,
+      json: () => Promise.resolve(error),
+      headers: new Map(),
+    })
+  ));
+};
+
+// restore default fetch impl
+const mockFetchCleanUp = () => {
+  global.fetch.mockClear();
+  delete global.fetch;
+};
+
+describe('OIDCLanding', () => {
+  it('calls requestUserWithPerms, setTokenExpiry on success', async () => {
+    mockFetchSuccess({
+      accessTokenExpiration: '2024-05-23T09:47:17.000-04:00',
+      refreshTokenExpiration: '2024-05-23T10:07:17.000-04:00',
+    });
+
+    await render(<OIDCLanding />);
+    screen.getByText('Loading');
+    await waitFor(() => expect(mockSetTokenExpiry).toHaveBeenCalledTimes(1));
+    await waitFor(() => expect(mockRequestUserWithPerms).toHaveBeenCalledTimes(1));
+    mockFetchCleanUp();
+  });
+
+  it('displays an error on failure', async () => {
+    mockFetchError('barf');
+
+    await render(<OIDCLanding />);
+    await screen.findByText('errors.saml.missingToken');
+    mockFetchCleanUp();
+  });
+});

From 91ae4f95f2a434b50e5bf9895ef90de4e93e4575 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Thu, 30 May 2024 17:05:03 -0400
Subject: [PATCH 41/63] Revert "STCOR-853 do not include credential in
 /authn/token request (#1480)" (#1486)

This reverts commit d6e7af84b5db2baaa60e253816496cd8b79daf0a.

We don't want to _send_ old cookies, but we do want to _receive_ new
cookies. `omit` ignores both. From
https://developer.mozilla.org/en-US/docs/Web/API/fetch#credentials:

> `omit`: Tells browsers to exclude credentials from the request, and
> ignore any credentials sent back in the response (e.g., any Set-Cookie
> header).

We may still have a cookie exchange problem, but if we do, `credentials:
"omit"` won't solve it.
---
 CHANGELOG.md                       |  1 -
 src/components/OIDCLanding.js      |  2 +-
 src/components/OIDCLanding.test.js | 85 ------------------------------
 3 files changed, 1 insertion(+), 87 deletions(-)
 delete mode 100644 src/components/OIDCLanding.test.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e6b3686b8..a500f4903 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,7 +16,6 @@
 * Read locale from stripes-config before defaulting to `en-US`. Refs STCOR-851.
 * Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
 * Fix 404 error page when logging in after changing password in Eureka. Refs STCOR-845.
-* Omit credentials in requests to `/authn/token` to prevent redirect tailspin. Refs STCOR-853.
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
diff --git a/src/components/OIDCLanding.js b/src/components/OIDCLanding.js
index 7d351d249..5887c67e0 100644
--- a/src/components/OIDCLanding.js
+++ b/src/components/OIDCLanding.js
@@ -59,7 +59,7 @@ const OIDCLanding = () => {
     if (otp) {
       setPotp(otp);
       fetch(`${okapi.url}/authn/token?code=${otp}&redirect-uri=${window.location.protocol}//${window.location.host}/oidc-landing`, {
-        credentials: 'omit',
+        credentials: 'include',
         headers: { 'X-Okapi-tenant': okapi.tenant, 'Content-Type': 'application/json' },
         mode: 'cors',
       })
diff --git a/src/components/OIDCLanding.test.js b/src/components/OIDCLanding.test.js
deleted file mode 100644
index 9a075176f..000000000
--- a/src/components/OIDCLanding.test.js
+++ /dev/null
@@ -1,85 +0,0 @@
-import { render, screen, waitFor } from '@folio/jest-config-stripes/testing-library/react';
-
-import { requestUserWithPerms, setTokenExpiry } from '../loginServices';
-import OIDCLanding from './OIDCLanding';
-
-jest.mock('react-router-dom', () => ({
-  useLocation: () => ({
-    search: 'session_state=dead-beef&code=c0ffee'
-  }),
-  Redirect: () => <>Redirect</>,
-}));
-
-jest.mock('react-redux', () => ({
-  useStore: () => { },
-}));
-
-jest.mock('../StripesContext', () => ({
-  useStripes: () => ({
-    okapi: { url: 'https://whaterver' },
-  }),
-}));
-
-// jest.mock('../loginServices');
-
-
-const mockSetTokenExpiry = jest.fn();
-const mockRequestUserWithPerms = jest.fn();
-const mockFoo = jest.fn();
-jest.mock('../loginServices', () => ({
-  setTokenExpiry: () => mockSetTokenExpiry(),
-  requestUserWithPerms: () => mockRequestUserWithPerms(),
-  foo: () => mockFoo(),
-}));
-
-
-// fetch success: resolve promise with ok == true and $data in json()
-const mockFetchSuccess = (data) => {
-  global.fetch = jest.fn().mockImplementation(() => (
-    Promise.resolve({
-      ok: true,
-      json: () => Promise.resolve(data),
-      headers: new Map(),
-    })
-  ));
-};
-
-// fetch failure: resolve promise with ok == false and $error in json()
-const mockFetchError = (error) => {
-  global.fetch = jest.fn().mockImplementation(() => (
-    Promise.resolve({
-      ok: false,
-      json: () => Promise.resolve(error),
-      headers: new Map(),
-    })
-  ));
-};
-
-// restore default fetch impl
-const mockFetchCleanUp = () => {
-  global.fetch.mockClear();
-  delete global.fetch;
-};
-
-describe('OIDCLanding', () => {
-  it('calls requestUserWithPerms, setTokenExpiry on success', async () => {
-    mockFetchSuccess({
-      accessTokenExpiration: '2024-05-23T09:47:17.000-04:00',
-      refreshTokenExpiration: '2024-05-23T10:07:17.000-04:00',
-    });
-
-    await render(<OIDCLanding />);
-    screen.getByText('Loading');
-    await waitFor(() => expect(mockSetTokenExpiry).toHaveBeenCalledTimes(1));
-    await waitFor(() => expect(mockRequestUserWithPerms).toHaveBeenCalledTimes(1));
-    mockFetchCleanUp();
-  });
-
-  it('displays an error on failure', async () => {
-    mockFetchError('barf');
-
-    await render(<OIDCLanding />);
-    await screen.findByText('errors.saml.missingToken');
-    mockFetchCleanUp();
-  });
-});

From e738a2fce16d3b69dc286ba41ce62f8e320cd757 Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Mon, 10 Jun 2024 08:16:13 -0400
Subject: [PATCH 42/63] [STCOR-787] Always retrieve clientId and tenant values
 from config.tenantOptions in stripes.config.js (#1487)

* Retrieve clientId and tenant values from config.tenantOptions before login

* Fix tenant gathering

* Remove isSingleTenant param which is redundant

* If user object not returned from local storage, then default user from /_self response

* Update CHANGELOG.md

* Revert PreLoginLanding which uses okapi values

* Remove space

* Rework flow to immediately set config to okapi for compatibility.

* Lint fix

* Fix unit test
---
 CHANGELOG.md                            |  1 +
 src/RootWithIntl.test.js                | 30 ++++++++-
 src/Stripes.js                          |  1 +
 src/components/AuthnLogin/AuthnLogin.js | 27 +++++---
 src/components/OIDCLanding.js           |  1 -
 src/components/OIDCLanding.test.js      | 85 +++++++++++++++++++++++++
 src/components/OIDCRedirect.test.js     |  2 +-
 7 files changed, 134 insertions(+), 13 deletions(-)
 create mode 100644 src/components/OIDCLanding.test.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a500f4903..96170f618 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@
 * Read locale from stripes-config before defaulting to `en-US`. Refs STCOR-851.
 * Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
 * Fix 404 error page when logging in after changing password in Eureka. Refs STCOR-845.
+* Always retrieve `clientId` and `tenant` values from `config.tenantOptions` in stripes.config.js. Retires `okapi.tenant`, `okapi.clientId`, and `config.isSingleTenant`. Refs STCOR-787.
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
diff --git a/src/RootWithIntl.test.js b/src/RootWithIntl.test.js
index 11f6634e0..4da7f32b9 100644
--- a/src/RootWithIntl.test.js
+++ b/src/RootWithIntl.test.js
@@ -22,10 +22,21 @@ jest.mock('./components/Redirect', () => () => '<redirect>');
 jest.mock('./components/Login', () => () => '<login>');
 jest.mock('./components/PreLoginLanding', () => () => '<preloginlanding>');
 
+const store = {
+  getState: () => ({
+    okapi: {
+      token: '123',
+    },
+  }),
+  dispatch: () => {},
+  subscribe: () => {},
+  replaceReducer: () => {},
+};
+
 describe('RootWithIntl', () => {
   describe('AuthnLogin', () => {
     it('handles legacy login', () => {
-      const stripes = { okapi: {}, config: {} };
+      const stripes = { okapi: {}, config: {}, store };
       render(<AuthnLogin stripes={stripes} />);
 
       expect(screen.getByText(/<login>/)).toBeInTheDocument();
@@ -35,7 +46,13 @@ describe('RootWithIntl', () => {
       it('handles single-tenant', () => {
         const stripes = {
           okapi: { authnUrl: 'https://barbie.com' },
-          config: { isSingleTenant: true }
+          config: {
+            isSingleTenant: true,
+            tenantOptions: {
+              diku: { name: 'diku', clientId: 'diku-application' }
+            }
+          },
+          store
         };
         render(<AuthnLogin stripes={stripes} />);
 
@@ -45,7 +62,14 @@ describe('RootWithIntl', () => {
       it('handles multi-tenant', () => {
         const stripes = {
           okapi: { authnUrl: 'https://oppie.com' },
-          config: { },
+          config: {
+            isSingleTenant: false,
+            tenantOptions: {
+              diku: { name: 'diku', clientId: 'diku-application' },
+              diku2: { name: 'diku2', clientId: 'diku2-application' }
+            }
+          },
+          store
         };
         render(<AuthnLogin stripes={stripes} />);
 
diff --git a/src/Stripes.js b/src/Stripes.js
index 3d7413354..5f91fe238 100644
--- a/src/Stripes.js
+++ b/src/Stripes.js
@@ -23,6 +23,7 @@ export const stripesShape = PropTypes.shape({
     logTimestamp: PropTypes.bool,
     showHomeLink: PropTypes.bool,
     showPerms: PropTypes.bool,
+    tenantOptions: PropTypes.object,
   }).isRequired,
   connect: PropTypes.func.isRequired,
   currency: PropTypes.string,
diff --git a/src/components/AuthnLogin/AuthnLogin.js b/src/components/AuthnLogin/AuthnLogin.js
index 136ea8136..4ae5a020d 100644
--- a/src/components/AuthnLogin/AuthnLogin.js
+++ b/src/components/AuthnLogin/AuthnLogin.js
@@ -9,6 +9,14 @@ import { setUnauthorizedPathToSession } from '../../loginServices';
 
 const AuthnLogin = ({ stripes }) => {
   const { config, okapi } = stripes;
+  // If config.tenantOptions is not defined, default to classic okapi.tenant and okapi.clientId
+  const { tenantOptions = [{ name: okapi.tenant, clientId: okapi.clientId }] } = config;
+  const tenants = Object.values(tenantOptions);
+
+  const setTenant = (tenant, clientId) => {
+    localStorage.setItem('tenant', JSON.stringify({ tenantName: tenant, clientId }));
+    stripes.store.dispatch(setOkapiTenant({ tenant, clientId }));
+  };
 
   useEffect(() => {
     if (okapi.authnUrl) {
@@ -17,23 +25,26 @@ const AuthnLogin = ({ stripes }) => {
     */
       setUnauthorizedPathToSession(window.location.pathname);
     }
+
+    // If only 1 tenant is defined in config (in either okapi or config.tenantOptions) set to okapi to be accessed there
+    // in the rest of the application for compatibity across existing modules.
+    if (tenants.length === 1) {
+      const loginTenant = tenants[0];
+      setTenant(loginTenant.name, loginTenant.clientId);
+    }
     // we only want to run this effect once, on load.
-    // okapi.authnUrl are defined in stripes.config.js
+    // okapi.authnUrl tenant values are defined in stripes.config.js
   }, []); // eslint-disable-line react-hooks/exhaustive-deps
 
   if (okapi.authnUrl) {
-    if (config.isSingleTenant) {
+    // If only 1 tenant is defined in config, skip the tenant selection screen.
+    if (tenants.length === 1) {
       const redirectUri = `${window.location.protocol}//${window.location.host}/oidc-landing`;
       const authnUri = `${okapi.authnUrl}/realms/${okapi.tenant}/protocol/openid-connect/auth?client_id=${okapi.clientId}&response_type=code&redirect_uri=${redirectUri}&scope=openid`;
       return <Redirect to={authnUri} />;
     }
 
-    const handleSelectTenant = (tenant, clientId) => {
-      localStorage.setItem('tenant', JSON.stringify({ tenantName: tenant, clientId }));
-      stripes.store.dispatch(setOkapiTenant({ tenant, clientId }));
-    };
-
-    return <PreLoginLanding onSelectTenant={handleSelectTenant} />;
+    return <PreLoginLanding onSelectTenant={setTenant} />;
   }
 
   return <Login
diff --git a/src/components/OIDCLanding.js b/src/components/OIDCLanding.js
index 5887c67e0..9c164979f 100644
--- a/src/components/OIDCLanding.js
+++ b/src/components/OIDCLanding.js
@@ -26,7 +26,6 @@ const OIDCLanding = () => {
   const store = useStore();
   // const samlError = useRef();
   const { okapi } = useStripes();
-
   const [potp, setPotp] = useState();
   const [samlError, setSamlError] = useState();
 
diff --git a/src/components/OIDCLanding.test.js b/src/components/OIDCLanding.test.js
new file mode 100644
index 000000000..f7e199c50
--- /dev/null
+++ b/src/components/OIDCLanding.test.js
@@ -0,0 +1,85 @@
+import { render, screen, waitFor } from '@folio/jest-config-stripes/testing-library/react';
+
+import OIDCLanding from './OIDCLanding';
+
+jest.mock('react-router-dom', () => ({
+  useLocation: () => ({
+    search: 'session_state=dead-beef&code=c0ffee'
+  }),
+  Redirect: () => <>Redirect</>,
+}));
+
+jest.mock('react-redux', () => ({
+  useStore: () => { },
+}));
+
+jest.mock('../StripesContext', () => ({
+  useStripes: () => ({
+    okapi: { url: 'https://whaterver' },
+    config: { tenantOptions: { diku: { name: 'diku', clientId: 'diku-application' } } },
+  }),
+}));
+
+// jest.mock('../loginServices');
+
+
+const mockSetTokenExpiry = jest.fn();
+const mockRequestUserWithPerms = jest.fn();
+const mockFoo = jest.fn();
+jest.mock('../loginServices', () => ({
+  setTokenExpiry: () => mockSetTokenExpiry(),
+  requestUserWithPerms: () => mockRequestUserWithPerms(),
+  foo: () => mockFoo(),
+}));
+
+
+// fetch success: resolve promise with ok == true and $data in json()
+const mockFetchSuccess = (data) => {
+  global.fetch = jest.fn().mockImplementation(() => (
+    Promise.resolve({
+      ok: true,
+      json: () => Promise.resolve(data),
+      headers: new Map(),
+    })
+  ));
+};
+
+// fetch failure: resolve promise with ok == false and $error in json()
+const mockFetchError = (error) => {
+  global.fetch = jest.fn().mockImplementation(() => (
+    Promise.resolve({
+      ok: false,
+      json: () => Promise.resolve(error),
+      headers: new Map(),
+    })
+  ));
+};
+
+// restore default fetch impl
+const mockFetchCleanUp = () => {
+  global.fetch.mockClear();
+  delete global.fetch;
+};
+
+describe('OIDCLanding', () => {
+  it('calls requestUserWithPerms, setTokenExpiry on success', async () => {
+    mockFetchSuccess({
+      accessTokenExpiration: '2024-05-23T09:47:17.000-04:00',
+      refreshTokenExpiration: '2024-05-23T10:07:17.000-04:00',
+    });
+
+    await render(<OIDCLanding />);
+    screen.getByText('Loading');
+    await waitFor(() => expect(mockSetTokenExpiry).toHaveBeenCalledTimes(1));
+    await waitFor(() => expect(mockRequestUserWithPerms).toHaveBeenCalledTimes(1));
+    mockFetchCleanUp();
+  });
+
+  it('displays an error on failure', async () => {
+    mockFetchError('barf');
+
+    await render(<OIDCLanding />);
+    await screen.findByText('errors.saml.missingToken');
+    mockFetchCleanUp();
+  });
+});
diff --git a/src/components/OIDCRedirect.test.js b/src/components/OIDCRedirect.test.js
index 3b9c83c3a..48c8a0c4d 100644
--- a/src/components/OIDCRedirect.test.js
+++ b/src/components/OIDCRedirect.test.js
@@ -25,7 +25,7 @@ describe('OIDCRedirect', () => {
   afterAll(() => sessionStorage.removeItem('unauthorized_path'));
 
   it('redirects to value from session storage under unauthorized_path key', () => {
-    useStripes.mockReturnValue({ okapi:{ authnUrl: 'http://example.com/authn' } });
+    useStripes.mockReturnValue({ okapi: { authnUrl: 'http://example.com/authn' } });
     render(<OIDCRedirect />);
 
     expect(screen.getByText(/internalredirect/)).toBeInTheDocument();

From cc773c64c6dcf7ac71924d9167da2dba934848be Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Mon, 10 Jun 2024 09:22:50 -0400
Subject: [PATCH 43/63] STCOR-859 list UI apps under apps/modules/interfaces
 column (#1489)

Follow-up to the original PR (#1385, STCOR-773). There were at
least two gotchas there:
1. The attribute key in the response changed from `ui-modules` to
   `uiModules`
2. Since frontend and backend applications are stored under separate
   keys, the discovery reducer needed to grab values from both keys.

Refs STCOR-859
---
 CHANGELOG.md                                  |  1 +
 .../About/AboutApplicationVersions.js         |  1 +
 src/components/About/AboutModules.js          |  8 +++-
 src/discoverServices.js                       | 31 +++++++++-----
 src/discoverServices.test.js                  | 42 +++++++++++++++++++
 5 files changed, 70 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 96170f618..fc1c2f155 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@
 * Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
 * Fix 404 error page when logging in after changing password in Eureka. Refs STCOR-845.
 * Always retrieve `clientId` and `tenant` values from `config.tenantOptions` in stripes.config.js. Retires `okapi.tenant`, `okapi.clientId`, and `config.isSingleTenant`. Refs STCOR-787.
+* List UI apps in "Applications/modules/interfaces" column. STCOR-773
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
diff --git a/src/components/About/AboutApplicationVersions.js b/src/components/About/AboutApplicationVersions.js
index 7de809407..26b2e7ca9 100644
--- a/src/components/About/AboutApplicationVersions.js
+++ b/src/components/About/AboutApplicationVersions.js
@@ -21,6 +21,7 @@ const AboutApplicationVersions = ({ message, applications }) => {
       </Headline>
       <Headline>{message}</Headline>
       {Object.values(applications)
+        .sort((a, b) => a.name.localeCompare(b.name))
         .map((app) => {
           return (
             <ul key={app.name}>
diff --git a/src/components/About/AboutModules.js b/src/components/About/AboutModules.js
index 5fc9ca7d5..66f3c87b1 100644
--- a/src/components/About/AboutModules.js
+++ b/src/components/About/AboutModules.js
@@ -7,9 +7,11 @@ import {
 import css from './About.css';
 
 
-const AboutInterfaces = ({ list }) => {
+const AboutInterfaces = ({ list = [] }) => {
+  list.sort((a, b) => a.name.localeCompare(b.name));
   return (
     <List
+      listStyle="bullets"
       listClass={css.paddingLeftOfListItems}
       items={list}
       itemFormatter={(item) => <li key={item.name}>{item.name}</li>}
@@ -21,7 +23,9 @@ AboutInterfaces.propTypes = {
   list: PropTypes.arrayOf(PropTypes.object),
 };
 
-const AboutModules = ({ list }) => {
+const AboutModules = ({ list = [] }) => {
+  list.sort((a, b) => a.name.localeCompare(b.name));
+
   return (
     <List
       listStyle="bullets"
diff --git a/src/discoverServices.js b/src/discoverServices.js
index 04a888423..98e6a4c43 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -46,8 +46,8 @@ function parseApplicationDescriptor(store, descriptor) {
     list.push(...descriptor.moduleDescriptors?.map((i) => dispatchDescriptor(i)));
   }
 
-  if (descriptor['ui-modules']) {
-    list.push(...descriptor['ui-modules']?.map((i) => dispatchDescriptor(i)));
+  if (descriptor.uiModules) {
+    list.push(...descriptor.uiModules?.map((i) => dispatchDescriptor(i)));
   }
 
   list.push(dispatchApplication(descriptor));
@@ -76,7 +76,7 @@ function parseApplicationDescriptor(store, descriptor) {
           { "id": "mod-users-18.2.0", "name": "mod-users", "version": "18.2.0" },
           ...
         ],
-        "ui-modules": [
+        "uiModules": [
           { "name": "folio_stripes-core", "version": "8.1.2" },
           ...
         ],
@@ -246,14 +246,23 @@ export function discoveryReducer(state = {}, action) {
           ...state.applications,
           [action.data.id]: {
             name: action.data.id,
-            modules: action.data.moduleDescriptors.map((d) => {
-              return {
-                name: d.id,
-                interfaces: d.provides?.map((i) => {
-                  return { name: i.id + ' ' + i.version };
-                }) || [],
-              };
-            }),
+            modules: [
+              ...action.data.moduleDescriptors.map((d) => {
+                return {
+                  name: d.id,
+                  interfaces: d.provides?.map((i) => {
+                    return { name: i.id + ' ' + i.version };
+                  }) || [],
+                };
+              }),
+              ...action.data.uiModules.map((d) => {
+                return {
+                  name: d.id,
+                  interfaces: [],
+                };
+              })
+
+            ],
           },
         },
       };
diff --git a/src/discoverServices.test.js b/src/discoverServices.test.js
index c6cd08fbf..3edbf5ebd 100644
--- a/src/discoverServices.test.js
+++ b/src/discoverServices.test.js
@@ -98,6 +98,48 @@ describe('discoverServices', () => {
 });
 
 describe('discoveryReducer', () => {
+  it('handles DISCOVERY_APPLICATIONS', () => {
+    let state = {};
+    const moduleDescriptors = [
+      { id: 'mod-a', provides: [{ id: 'if-a', version: '1.0' }] },
+      { id: 'mod-b' },
+    ];
+    const uiModules = [
+      { id: 'folio_c' },
+      { id: 'folio_d' },
+    ];
+    const action = {
+      type: 'DISCOVERY_APPLICATIONS',
+      data: {
+        id: 'a',
+        moduleDescriptors,
+        uiModules,
+      },
+    };
+
+    const mapped = {
+      applications: {
+        [action.data.id]: {
+          name: action.data.id,
+          modules: [
+            ...moduleDescriptors.map((d) => (
+              {
+                name: d.id,
+                interfaces: d.provides?.map((i) => {
+                  return { name: i.id + ' ' + i.version };
+                }) || []
+              })),
+            ...uiModules.map((d) => ({ name: d.id, interfaces: [] })),
+          ],
+        },
+      },
+    };
+
+    state = discoveryReducer(state, action);
+
+    expect(state).toMatchObject(mapped);
+  });
+
   it('handles DISCOVERY_OKAPI', () => {
     let state = {
       okapi: '0.0.0'

From 2e162f618287cd59f4c4937fbd04ac107aeb15e5 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Tue, 11 Jun 2024 13:30:55 -0400
Subject: [PATCH 44/63] STCOR-776 RTR adjustments for keycloak (#1490)

There are many small differences in how keycloak and okapi respond to
authentication related requests.
* permissions are structured differently in Okapi between `login` and
  `_self` requests and depending on whether `expandPermissions=true` is
  present on the request; keycloak always responds with a flattened
  list.
* token expiration data is nested in the login-response in Okapi but is
  a root-level element in the `/authn/token` response from keycloak.

STCOR-776, STCOR-846
---
 src/components/Root/FFetch.js | 13 +++++++++----
 src/loginServices.js          | 31 +++++++++++++++++++++++--------
 2 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/src/components/Root/FFetch.js b/src/components/Root/FFetch.js
index ef84814b8..21c5b4c73 100644
--- a/src/components/Root/FFetch.js
+++ b/src/components/Root/FFetch.js
@@ -119,12 +119,12 @@ export class FFetch {
 
     // When starting a new session, the response from /bl-users/login-with-expiry
     // will contain AT expiration info, but when restarting an existing session,
-    // the response from /bl-users/_self will NOT, although that information will
+    // the response from /bl-users/_self will NOT, although that information should
     // have been cached in local-storage.
     //
     // This means there are many places we have to check to figure out when the
     // AT is likely to expire, and thus when we want to rotate. First inspect
-    // the response, otherwise the session. Default to 10 seconds.
+    // the response, then the session, then default to 10 seconds.
     if (res?.accessTokenExpiration) {
       this.logger.log('rtr', 'rotation scheduled with login response data');
       const rotationPromise = Promise.resolve((new Date(res.accessTokenExpiration).getTime() - Date.now()) * RTR_AT_TTL_FRACTION);
@@ -132,7 +132,7 @@ export class FFetch {
       scheduleRotation(rotationPromise);
     } else {
       const rotationPromise = getTokenExpiry().then((expiry) => {
-        if (expiry.atExpires) {
+        if (expiry?.atExpires) {
           this.logger.log('rtr', 'rotation scheduled with cached session data');
           return (new Date(expiry.atExpires).getTime() - Date.now()) * RTR_AT_TTL_FRACTION;
         }
@@ -189,7 +189,12 @@ export class FFetch {
             if (clone.ok) {
               this.logger.log('rtr', 'authn success!');
               clone.json().then(json => {
-                this.rotateCallback(json.tokenExpiration);
+                // we want accessTokenExpiration. do we need to destructure?
+                // in community-folio, a /login-with-expiry response is shaped like
+                //   { ..., tokenExpiration: { accessTokenExpiration, refreshTokenExpiration } }
+                // in eureka-folio, a /authn/token response is shaped like
+                //   { accessTokenExpiration, refreshTokenExpiration }
+                this.rotateCallback(json.tokenExpiration ?? json);
               });
             }
 
diff --git a/src/loginServices.js b/src/loginServices.js
index 57d7bc006..220eb2865 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -421,16 +421,31 @@ export function spreadUserWithPerms(userWithPerms) {
     ...userWithPerms?.user?.personal,
   };
 
-  // remap userWithPerms.permissions.permissions from an array shaped like
-  //   [{ "permissionName": "foo", ... }]
-  // to an object shaped like
-  //   { foo: true, ...}
-  const perms = {};
+  // remap data's array of permission-names to set with
+  // permission-names for keys and `true` for values.
+  //
+  // userWithPerms is shaped differently depending on the API call
+  // that generated it.
+  // in community-folio, /login sends data like [{ "permissionName": "foo" }]
+  //   and includes both directly and indirectly assigned permissions
+  // in community-folio, /_self sends data like ["foo", "bar", "bat"]
+  //   but only includes directly assigned permissions
+  // in community-folio, /_self?expandPermissions=true sends data like [{ "permissionName": "foo" }]
+  //   and includes both directly and indirectly assigned permissions
+  // in eureka-folio, /_self sends data like ["foo", "bar", "bat"]
+  //   and includes both directly and indirectly assigned permissions
+  //
+  // we'll parse it differently depending on what it looks like.
+  let perms = {};
   const list = userWithPerms?.permissions?.permissions;
   if (list && Array.isArray(list) && list.length > 0) {
-    list.forEach(p => {
-      perms[p.permissionName] = true;
-    });
+    // shaped like this ["foo", "bar", "bat"] or
+    // shaped like that [{ "permissionName": "foo" }]?
+    if (typeof list[0] === 'string') {
+      perms = Object.assign({}, ...list.map(p => ({ [p]: true })));
+    } else {
+      perms = Object.assign({}, ...list.map(p => ({ [p.permissionName]: true })));
+    }
   }
 
   return { user, perms };

From eed1ba5c25e6591eb298a98d4d91beea2c4d29f3 Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Mon, 24 Jun 2024 09:11:14 -0400
Subject: [PATCH 45/63] STCOR-787 Fix tenant and clientId references (#1492)

* Ensure okapi is being read from store after pulling from tenantOptions in AuthLogin
---
 src/components/AuthnLogin/AuthnLogin.js         |  3 ++-
 src/components/Root/FFetch.js                   | 11 ++++++-----
 src/components/Root/token-util.js               |  4 ++--
 src/components/Root/token-util.test.js          | 15 ++++++++++-----
 src/components/SSOLanding/useSSOSession.js      |  6 +++---
 src/components/SSOLanding/useSSOSession.test.js |  9 ++++++++-
 src/discoverServices.js                         |  8 ++++----
 7 files changed, 35 insertions(+), 21 deletions(-)

diff --git a/src/components/AuthnLogin/AuthnLogin.js b/src/components/AuthnLogin/AuthnLogin.js
index 4ae5a020d..0b005de14 100644
--- a/src/components/AuthnLogin/AuthnLogin.js
+++ b/src/components/AuthnLogin/AuthnLogin.js
@@ -39,8 +39,9 @@ const AuthnLogin = ({ stripes }) => {
   if (okapi.authnUrl) {
     // If only 1 tenant is defined in config, skip the tenant selection screen.
     if (tenants.length === 1) {
+      const loginTenant = tenants[0];
       const redirectUri = `${window.location.protocol}//${window.location.host}/oidc-landing`;
-      const authnUri = `${okapi.authnUrl}/realms/${okapi.tenant}/protocol/openid-connect/auth?client_id=${okapi.clientId}&response_type=code&redirect_uri=${redirectUri}&scope=openid`;
+      const authnUri = `${okapi.authnUrl}/realms/${loginTenant.name}/protocol/openid-connect/auth?client_id=${loginTenant.clientId}&response_type=code&redirect_uri=${redirectUri}&scope=openid`;
       return <Redirect to={authnUri} />;
     }
 
diff --git a/src/components/Root/FFetch.js b/src/components/Root/FFetch.js
index 21c5b4c73..90eade94e 100644
--- a/src/components/Root/FFetch.js
+++ b/src/components/Root/FFetch.js
@@ -42,7 +42,7 @@
  */
 
 import ms from 'ms';
-import { okapi } from 'stripes-config';
+import { okapi as okapiConfig } from 'stripes-config';
 import {
   setRtrTimeout
 } from '../../okapiActions';
@@ -112,7 +112,8 @@ export class FFetch {
       rotationP.then((rotationInterval) => {
         this.logger.log('rtr', `rotation fired from rotateCallback; next callback in ${ms(rotationInterval)}`);
         this.store.dispatch(setRtrTimeout(setTimeout(() => {
-          rtr(this.nativeFetch, this.logger, this.rotateCallback);
+          const { okapi } = this.store.getState();
+          rtr(this.nativeFetch, this.logger, this.rotateCallback, okapi);
         }, rotationInterval)));
       });
     };
@@ -173,12 +174,12 @@ export class FFetch {
    */
   ffetch = async (resource, options = {}) => {
     // FOLIO API requests are subject to RTR
-    if (isFolioApiRequest(resource, okapi.url)) {
+    if (isFolioApiRequest(resource, okapiConfig.url)) {
       this.logger.log('rtrv', 'will fetch', resource);
 
       // on authentication, grab the response to kick of the rotation cycle,
       // then return the response
-      if (isAuthenticationRequest(resource, okapi.url)) {
+      if (isAuthenticationRequest(resource, okapiConfig.url)) {
         this.logger.log('rtr', 'authn request');
         return this.nativeFetch.apply(global, [resource, options && { ...options, ...OKAPI_FETCH_OPTIONS }])
           .then(res => {
@@ -207,7 +208,7 @@ export class FFetch {
       // tries to logout, the logout request will fail. And that's fine, just
       // fine. We will let them fail, capturing the response and swallowing it
       // to avoid getting stuck in an error loop.
-      if (isLogoutRequest(resource, okapi.url)) {
+      if (isLogoutRequest(resource, okapiConfig.url)) {
         this.logger.log('rtr', 'logout request');
 
         return this.nativeFetch.apply(global, [resource, options && { ...options, ...OKAPI_FETCH_OPTIONS }])
diff --git a/src/components/Root/token-util.js b/src/components/Root/token-util.js
index c1a147024..32ede2604 100644
--- a/src/components/Root/token-util.js
+++ b/src/components/Root/token-util.js
@@ -1,5 +1,4 @@
 import { isEmpty } from 'lodash';
-import { okapi } from 'stripes-config';
 
 import { getTokenExpiry, setTokenExpiry } from '../../loginServices';
 import { RTRError, UnexpectedResourceError } from './Errors';
@@ -192,9 +191,10 @@ export const isRotating = () => {
  * @param {function} fetchfx native fetch function
  * @param {@folio/stripes/logger} logger
  * @param {function} callback
+ * @param {object} okapi
  * @returns void
  */
-export const rtr = (fetchfx, logger, callback) => {
+export const rtr = (fetchfx, logger, callback, okapi) => {
   logger.log('rtr', '** RTR ...');
 
   // rotation is already in progress, maybe in this window,
diff --git a/src/components/Root/token-util.test.js b/src/components/Root/token-util.test.js
index 4463ec97a..0ed8cc7fc 100644
--- a/src/components/Root/token-util.test.js
+++ b/src/components/Root/token-util.test.js
@@ -13,6 +13,11 @@ import {
 } from './token-util';
 import { RTR_SUCCESS_EVENT } from './constants';
 
+const okapi = {
+  tenant: 'diku',
+  url: 'http://test'
+};
+
 describe('isFolioApiRequest', () => {
   it('accepts requests whose origin matches okapi\'s', () => {
     const oUrl = 'https://millicent-sounds-kinda-like-malificent.edu';
@@ -126,7 +131,7 @@ describe('rtr', () => {
     let ex = null;
     // const callback = () => { console.log('HOLA!!!')}; // jest.fn();
     try {
-      await rtr(fetchfx, logger, callback);
+      await rtr(fetchfx, logger, callback, okapi);
       expect(callback).toHaveBeenCalled();
     } catch (e) {
       ex = e;
@@ -168,7 +173,7 @@ describe('rtr', () => {
 
       let ex = null;
       try {
-        await rtr(nativeFetch, logger, jest.fn());
+        await rtr(nativeFetch, logger, jest.fn(), okapi);
       } catch (e) {
         ex = e;
       }
@@ -202,7 +207,7 @@ describe('rtr', () => {
 
       let ex = null;
       try {
-        await rtr(nativeFetch, logger, jest.fn());
+        await rtr(nativeFetch, logger, jest.fn(), okapi);
       } catch (e) {
         ex = e;
       }
@@ -232,7 +237,7 @@ describe('rtr', () => {
 
     let ex = null;
     try {
-      await rtr(nativeFetch, logger, jest.fn());
+      await rtr(nativeFetch, logger, jest.fn(), okapi);
     } catch (e) {
       ex = e;
     }
@@ -262,7 +267,7 @@ describe('rtr', () => {
 
     let ex = null;
     try {
-      await rtr(nativeFetch, logger, jest.fn());
+      await rtr(nativeFetch, logger, jest.fn(), okapi);
     } catch (e) {
       ex = e;
     }
diff --git a/src/components/SSOLanding/useSSOSession.js b/src/components/SSOLanding/useSSOSession.js
index 8242f111f..8e71b01c4 100644
--- a/src/components/SSOLanding/useSSOSession.js
+++ b/src/components/SSOLanding/useSSOSession.js
@@ -23,12 +23,12 @@ const getToken = (cookies, params) => {
   return cookies?.ssoToken || params?.ssoToken;
 };
 
-const getTenant = (params, token) => {
+const getTenant = (params, token, store) => {
   const tenant = config.useSecureTokens
     ? params?.tenantId
     : parseJWT(token)?.tenant;
 
-  return tenant || okapi.tenant;
+  return tenant || store.getState()?.okapi?.tenant;
 };
 
 const useSSOSession = () => {
@@ -42,7 +42,7 @@ const useSSOSession = () => {
   const params = getParams(location);
 
   const token = getToken(cookies, params);
-  const tenant = getTenant(params, token);
+  const tenant = getTenant(params, token, store);
 
   useEffect(() => {
     requestUserWithPerms(okapi.url, store, tenant, token)
diff --git a/src/components/SSOLanding/useSSOSession.test.js b/src/components/SSOLanding/useSSOSession.test.js
index 2a0e4cd0c..06eac936e 100644
--- a/src/components/SSOLanding/useSSOSession.test.js
+++ b/src/components/SSOLanding/useSSOSession.test.js
@@ -51,7 +51,14 @@ describe('SSOLanding', () => {
     useLocation.mockReturnValue({ search: '' });
     useCookies.mockReturnValue([]);
 
-    useStore.mockReturnValue({ getState: jest.fn() });
+    useStore.mockReturnValue({
+      getState: jest.fn().mockReturnValue({
+        okapi: {
+          url: 'okapiUrl',
+          tenant: 'okapiTenant'
+        }
+      })
+    });
 
     requestUserWithPerms.mockReturnValue(Promise.resolve());
   });
diff --git a/src/discoverServices.js b/src/discoverServices.js
index 98e6a4c43..6ea2a63b9 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -96,7 +96,7 @@ function parseApplicationDescriptor(store, descriptor) {
 const APP_MAX_COUNT = 500;
 
 function fetchApplicationDetails(store) {
-  const okapi = store.getState().okapi;
+  const { okapi } = store.getState();
 
   return fetch(`${okapi.url}/entitlements/${okapi.tenant}/applications?limit=${APP_MAX_COUNT}`, {
     credentials: 'include',
@@ -146,7 +146,7 @@ function fetchApplicationDetails(store) {
  */
 
 function fetchGatewayVersion(store) {
-  const okapi = store.getState().okapi;
+  const { okapi } = store.getState();
 
   return fetch(`${okapi.url}/version`, {
     credentials: 'include',
@@ -167,7 +167,7 @@ function fetchGatewayVersion(store) {
 }
 
 function fetchOkapiVersion(store) {
-  const okapi = store.getState().okapi;
+  const { okapi } = store.getState();
 
   return fetch(`${okapi.url}/_/version`, {
     credentials: 'include',
@@ -188,7 +188,7 @@ function fetchOkapiVersion(store) {
 }
 
 function fetchModules(store) {
-  const okapi = store.getState().okapi;
+  const { okapi } = store.getState();
 
   return fetch(`${okapi.url}/_/proxy/tenants/${okapi.tenant}/modules?full=true`, {
     credentials: 'include',

From 6201292a2d851082a794122ddec607489e71a966 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Tue, 25 Jun 2024 16:55:39 -0400
Subject: [PATCH 46/63] STCOR-864 correctly evaluate typeof stripes.okapi
 (#1498)

Stripes should render `<ModuleContainer>` either when discovery is
complete or when okapi isn't present at all, i.e. when
`stripes.config.js` doesn't even contain an `okapi` entry. What's most
amazing about this bug is not the bug, which is a relatively simple
typo, but that it didn't bite us for more than six years.

BTOG init never conducted discovery, but _did_ pass an okapi object
during application setup, which is another way of saying that our
application didn't have anything that relied on the presence of this
bug, but our test suite did. :|

Ignore the "new" AuthnLogin test file; those tests were previously
stashed in `RootWithIntl.test.js` for some reason and have just been
relocated.

Refs STCOR-864
---
 CHANGELOG.md                                 |   1 +
 src/RootWithIntl.js                          |   2 +-
 src/RootWithIntl.test.js                     | 126 ++++++++++---------
 src/components/AuthnLogin/AuthnLogin.test.js |  76 +++++++++++
 test/bigtest/helpers/setup-application.js    |   3 +
 test/jest/__mock__/stripesComponents.mock.js |   1 +
 6 files changed, 148 insertions(+), 61 deletions(-)
 create mode 100644 src/components/AuthnLogin/AuthnLogin.test.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc1c2f155..9a348814c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@
 * Fix 404 error page when logging in after changing password in Eureka. Refs STCOR-845.
 * Always retrieve `clientId` and `tenant` values from `config.tenantOptions` in stripes.config.js. Retires `okapi.tenant`, `okapi.clientId`, and `config.isSingleTenant`. Refs STCOR-787.
 * List UI apps in "Applications/modules/interfaces" column. STCOR-773
+* Correctly evaluate `stripes.okapi` before rendering `<RootWithIntl>`. Refs STCOR-864.
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
diff --git a/src/RootWithIntl.js b/src/RootWithIntl.js
index 5f2318d26..b51265cc9 100644
--- a/src/RootWithIntl.js
+++ b/src/RootWithIntl.js
@@ -72,7 +72,7 @@ const RootWithIntl = ({ stripes, token = '', isAuthenticated = false, disableAut
                             event={events.LOGIN}
                             stripes={connectedStripes}
                           />
-                          { (connectedStripes.okapi !== 'object' || connectedStripes.discovery.isFinished) && (
+                          { (typeof connectedStripes.okapi !== 'object' || connectedStripes.discovery.isFinished) && (
                             <ModuleContainer id="content">
                               <OverlayContainer />
                               {connectedStripes.config.useSecureTokens && <SessionEventContainer history={history} />}
diff --git a/src/RootWithIntl.test.js b/src/RootWithIntl.test.js
index 4da7f32b9..6aa1babad 100644
--- a/src/RootWithIntl.test.js
+++ b/src/RootWithIntl.test.js
@@ -2,25 +2,34 @@
 /* eslint-disable no-unused-vars */
 
 import { render, screen } from '@folio/jest-config-stripes/testing-library/react';
+import { Router as DefaultRouter } from 'react-router-dom';
+import { createMemoryHistory } from 'history';
 
-import { Redirect as InternalRedirect } from 'react-router-dom';
-import Redirect from './components/Redirect';
-import { Login } from './components';
-import PreLoginLanding from './components/PreLoginLanding';
+import AuthnLogin from './components/AuthnLogin';
+import MainNav from './components/MainNav';
+import MainContainer from './components/MainContainer';
+import ModuleContainer from './components/ModuleContainer';
+import RootWithIntl from './RootWithIntl';
+import Stripes from './Stripes';
 
-// import {
-//   renderLogoutComponent
-// } from './RootWithIntl';
+jest.mock('./components/AuthnLogin', () => () => '<AuthnLogin>');
+jest.mock('./components/MainNav', () => () => '<MainNav>');
+jest.mock('./components/ModuleContainer', () => () => '<ModuleContainer>');
+jest.mock('./components/MainContainer', () => ({ children }) => children);
 
-import AuthnLogin from './components/AuthnLogin';
+const defaultHistory = createMemoryHistory();
 
-jest.mock('react-router-dom', () => ({
-  Redirect: () => '<internalredirect>',
-  withRouter: (Component) => Component,
-}));
-jest.mock('./components/Redirect', () => () => '<redirect>');
-jest.mock('./components/Login', () => () => '<login>');
-jest.mock('./components/PreLoginLanding', () => () => '<preloginlanding>');
+const Harness = ({
+  Router = DefaultRouter,
+  children,
+  history = defaultHistory,
+}) => {
+  return (
+    <Router history={history}>
+      {children}
+    </Router>
+  );
+};
 
 const store = {
   getState: () => ({
@@ -34,56 +43,53 @@ const store = {
 };
 
 describe('RootWithIntl', () => {
-  describe('AuthnLogin', () => {
-    it('handles legacy login', () => {
-      const stripes = { okapi: {}, config: {}, store };
-      render(<AuthnLogin stripes={stripes} />);
+  it('renders login without one of (isAuthenticated, token, disableAuth)', async () => {
+    const stripes = new Stripes({ epics: {}, logger: {}, bindings: {}, config: {}, store, discovery: { isFinished: false } });
+    await render(<Harness><RootWithIntl stripes={stripes} history={defaultHistory} isAuthenticated={false} /></Harness>);
+
+    expect(screen.getByText(/<AuthnLogin>/)).toBeInTheDocument();
+    expect(screen.queryByText(/<MainNav>/)).toBeNull();
+  });
+
+  describe('renders MainNav', () => {
+    it('given isAuthenticated', async () => {
+      const stripes = new Stripes({ epics: {}, logger: {}, bindings: {}, config: {}, store, discovery: { isFinished: false } });
+      await render(<Harness><RootWithIntl stripes={stripes} history={defaultHistory} isAuthenticated /></Harness>);
 
-      expect(screen.getByText(/<login>/)).toBeInTheDocument();
+      expect(screen.queryByText(/<AuthnLogin>/)).toBeNull();
+      expect(screen.queryByText(/<MainNav>/)).toBeInTheDocument();
     });
 
-    describe('handles third-party login', () => {
-      it('handles single-tenant', () => {
-        const stripes = {
-          okapi: { authnUrl: 'https://barbie.com' },
-          config: {
-            isSingleTenant: true,
-            tenantOptions: {
-              diku: { name: 'diku', clientId: 'diku-application' }
-            }
-          },
-          store
-        };
-        render(<AuthnLogin stripes={stripes} />);
-
-        expect(screen.getByText(/<redirect>/)).toBeInTheDocument();
-      });
-
-      it('handles multi-tenant', () => {
-        const stripes = {
-          okapi: { authnUrl: 'https://oppie.com' },
-          config: {
-            isSingleTenant: false,
-            tenantOptions: {
-              diku: { name: 'diku', clientId: 'diku-application' },
-              diku2: { name: 'diku2', clientId: 'diku2-application' }
-            }
-          },
-          store
-        };
-        render(<AuthnLogin stripes={stripes} />);
-
-        expect(screen.getByText(/<preloginlanding>/)).toBeInTheDocument();
-      });
+    it('given token', async () => {
+      const stripes = new Stripes({ epics: {}, logger: {}, bindings: {}, config: {}, store, discovery: { isFinished: false } });
+      await render(<Harness><RootWithIntl stripes={stripes} history={defaultHistory} token /></Harness>);
+
+      expect(screen.queryByText(/<AuthnLogin>/)).toBeNull();
+      expect(screen.queryByText(/<MainNav>/)).toBeInTheDocument();
+    });
+
+    it('given disableAuth', async () => {
+      const stripes = new Stripes({ epics: {}, logger: {}, bindings: {}, config: {}, store, discovery: { isFinished: false } });
+      await render(<Harness><RootWithIntl stripes={stripes} history={defaultHistory} disableAuth /></Harness>);
+
+      expect(screen.queryByText(/<AuthnLogin>/)).toBeNull();
+      expect(screen.queryByText(/<MainNav>/)).toBeInTheDocument();
     });
   });
 
-  // describe('renderLogoutComponent', () => {
-  //   it('handles legacy logout', () => {
-  //     const stripes = { okapi: {}, config: {} };
-  //     render(renderLogoutComponent(stripes));
+  describe('renders ModuleContainer', () => {
+    it('if config.okapi is not an object', async () => {
+      const stripes = new Stripes({ epics: {}, logger: {}, bindings: {}, config: {}, store, discovery: { isFinished: true } });
+      await render(<Harness><RootWithIntl stripes={stripes} history={defaultHistory} isAuthenticated /></Harness>);
+
+      expect(screen.getByText(/<ModuleContainer>/)).toBeInTheDocument();
+    });
 
-  //     expect(screen.getByText(/<internalredirect>/)).toBeInTheDocument();
-  //   });
-  // });
+    it('if discovery is finished', async () => {
+      const stripes = new Stripes({ epics: {}, logger: {}, bindings: {}, config: {}, store, okapi: {}, discovery: { isFinished: true } });
+      await render(<Harness><RootWithIntl stripes={stripes} history={defaultHistory} isAuthenticated /></Harness>);
+
+      expect(screen.getByText(/<ModuleContainer>/)).toBeInTheDocument();
+    });
+  });
 });
diff --git a/src/components/AuthnLogin/AuthnLogin.test.js b/src/components/AuthnLogin/AuthnLogin.test.js
new file mode 100644
index 000000000..e8aa7ffdb
--- /dev/null
+++ b/src/components/AuthnLogin/AuthnLogin.test.js
@@ -0,0 +1,76 @@
+/* shhhh, eslint, it's ok. we need "unused" imports for mocks */
+/* eslint-disable no-unused-vars */
+
+import { render, screen } from '@folio/jest-config-stripes/testing-library/react';
+
+import { Redirect as InternalRedirect } from 'react-router-dom';
+import Redirect from '../Redirect';
+import Login from '../Login';
+import PreLoginLanding from '../PreLoginLanding';
+
+import AuthnLogin from './AuthnLogin';
+
+jest.mock('react-router-dom', () => ({
+  Redirect: () => '<internalredirect>',
+  withRouter: (Component) => Component,
+}));
+jest.mock('../Redirect', () => () => '<redirect>');
+jest.mock('../Login', () => () => '<login>');
+jest.mock('../PreLoginLanding', () => () => '<preloginlanding>');
+
+const store = {
+  getState: () => ({
+    okapi: {
+      token: '123',
+    },
+  }),
+  dispatch: () => {},
+  subscribe: () => {},
+  replaceReducer: () => {},
+};
+
+describe('RootWithIntl', () => {
+  describe('AuthnLogin', () => {
+    it('handles legacy login', () => {
+      const stripes = { okapi: {}, config: {}, store };
+      render(<AuthnLogin stripes={stripes} />);
+
+      expect(screen.getByText(/<login>/)).toBeInTheDocument();
+    });
+
+    describe('handles third-party login', () => {
+      it('handles single-tenant', () => {
+        const stripes = {
+          okapi: { authnUrl: 'https://barbie.com' },
+          config: {
+            isSingleTenant: true,
+            tenantOptions: {
+              diku: { name: 'diku', clientId: 'diku-application' }
+            }
+          },
+          store
+        };
+        render(<AuthnLogin stripes={stripes} />);
+
+        expect(screen.getByText(/<redirect>/)).toBeInTheDocument();
+      });
+
+      it('handles multi-tenant', () => {
+        const stripes = {
+          okapi: { authnUrl: 'https://oppie.com' },
+          config: {
+            isSingleTenant: false,
+            tenantOptions: {
+              diku: { name: 'diku', clientId: 'diku-application' },
+              diku2: { name: 'diku2', clientId: 'diku2-application' }
+            }
+          },
+          store
+        };
+        render(<AuthnLogin stripes={stripes} />);
+
+        expect(screen.getByText(/<preloginlanding>/)).toBeInTheDocument();
+      });
+    });
+  });
+});
diff --git a/test/bigtest/helpers/setup-application.js b/test/bigtest/helpers/setup-application.js
index c54aa590c..7346300d8 100644
--- a/test/bigtest/helpers/setup-application.js
+++ b/test/bigtest/helpers/setup-application.js
@@ -54,6 +54,9 @@ export default function setupApplication({
         currentPerms: permissions,
         isAuthenticated: true,
       };
+      initialState.discovery = {
+        isFinished: true,
+      };
     } else {
       initialState.okapi = {
         ssoEnabled: true,
diff --git a/test/jest/__mock__/stripesComponents.mock.js b/test/jest/__mock__/stripesComponents.mock.js
index 444365dbd..ba14f98ff 100644
--- a/test/jest/__mock__/stripesComponents.mock.js
+++ b/test/jest/__mock__/stripesComponents.mock.js
@@ -49,6 +49,7 @@ jest.mock('@folio/stripes-components', () => ({
     <span>{children}</span>
   )),
   Headline: jest.fn(({ children }) => <div>{ children }</div>),
+  HotKeys: jest.fn(({ children }) => <>{ children }</>),
   Icon: jest.fn((props) => (props && props.children ? props.children : <span />)),
   IconButton: jest.fn(({
     buttonProps,

From 8daa26711c1435f9853a53f2603d285e011c3398 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Mon, 8 Jul 2024 08:22:23 -0400
Subject: [PATCH 47/63] STCOR-865 call logout() exclusively from logout-*
 routes (#1500)

Two things happen when idle-session-timeout kicks in:
1. the redux store is updated to clear out the session
2. the URL is updated to `/logout-timeout`

It sounds simple, but it gets messy when `<RootWithIntl>` re-renders
when the store updates because that's where routes are defined.
Previously, with event-handlers separately calling `logout()` to update
the store and `history.push()` to update the URL, you could end up in an
unexpected situation such as being logged-out before the URL updated to
`/logout-timeout`, causing the default route-match handler to kick in
and redirect to the login screen.

The changes here consolidate calls to `logout()` into the components
bound to `/logout` (`<Logout>`) and `/logout-timeout`
(`<LogoutTimeout>`). Event handlers that previously did things like
```
return logout(...)         // update redux and other storage
  .then(history.push(...)) // update URL
```

are now limited to updating the URL. This means directly accessing the
routes `/logout` and `/logout-timeout` always terminates a session, and
the logic around logout is both simpler and better contained within
components whose purpose, by dint of their names, is blindingly clear.

The minor changes in `<MainNav>` are just clean-up work, removing cruft
that is no longer in use.

Refs STCOR-865
---
 src/components/LogoutTimeout/LogoutTimeout.js | 33 +++++++++++++++----
 .../LogoutTimeout/LogoutTimeout.test.js       | 11 +++++--
 src/components/MainNav/MainNav.js             | 15 +--------
 .../SessionEventContainer.js                  | 22 +++----------
 .../SessionEventContainer.test.js             | 20 ++++-------
 test/jest/__mock__/stripesComponents.mock.js  |  1 +
 6 files changed, 48 insertions(+), 54 deletions(-)

diff --git a/src/components/LogoutTimeout/LogoutTimeout.js b/src/components/LogoutTimeout/LogoutTimeout.js
index 2eda11421..e0af76f17 100644
--- a/src/components/LogoutTimeout/LogoutTimeout.js
+++ b/src/components/LogoutTimeout/LogoutTimeout.js
@@ -1,36 +1,55 @@
+import { useEffect, useState } from 'react';
 import { FormattedMessage } from 'react-intl';
 import { branding } from 'stripes-config';
-import { Redirect } from 'react-router';
 
 import {
   Button,
   Col,
   Headline,
+  LoadingView,
   Row,
 } from '@folio/stripes-components';
 
 import OrganizationLogo from '../OrganizationLogo';
 import { useStripes } from '../../StripesContext';
+import { logout } from '../../loginServices';
 
 import styles from './LogoutTimeout.css';
 
 /**
  * LogoutTimeout
- * For unauthenticated users, show a "sorry, your session timed out" message
- * with a link to login page. For authenticated users, redirect to / since
- * showing such a message would be a misleading lie.
+ * Show a "sorry, your session timed out message"; if the session is still
+ * active, call logout() to end it.
  *
  * Having a static route to this page allows the logout handler to choose
  * between redirecting straight to the login page (if the user chose to
- * logout) or to this page (if the session timeout out).
+ * logout) or to this page (if the session timed out).
  *
  * This corresponds to the '/logout-timeout' route.
  */
 const LogoutTimeout = () => {
   const stripes = useStripes();
+  const [didLogout, setDidLogout] = useState(false);
 
-  if (stripes.okapi.isAuthenticated) {
-    return <Redirect to="/" />;
+  useEffect(
+    () => {
+      if (stripes.okapi.isAuthenticated) {
+        // returns a promise, which we ignore
+        logout(stripes.okapi.url, stripes.store)
+          .then(setDidLogout(true));
+      } else {
+        setDidLogout(true);
+      }
+    },
+    // no dependencies because we only want to start the logout process once.
+    // we don't care about changes to stripes; certainly it'll be updated as
+    // part of the logout process
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    []
+  );
+
+  if (!didLogout) {
+    return <LoadingView />;
   }
 
   return (
diff --git a/src/components/LogoutTimeout/LogoutTimeout.test.js b/src/components/LogoutTimeout/LogoutTimeout.test.js
index 55c9c9b5b..6efff5e0c 100644
--- a/src/components/LogoutTimeout/LogoutTimeout.test.js
+++ b/src/components/LogoutTimeout/LogoutTimeout.test.js
@@ -2,6 +2,8 @@ import { render, screen } from '@folio/jest-config-stripes/testing-library/react
 
 import LogoutTimeout from './LogoutTimeout';
 import { useStripes } from '../../StripesContext';
+import { logout } from '../../loginServices';
+
 
 
 jest.mock('../OrganizationLogo');
@@ -10,6 +12,10 @@ jest.mock('react-router', () => ({
   Redirect: () => <div>Redirect</div>,
 }));
 
+jest.mock('../../loginServices', () => ({
+  logout: jest.fn(() => Promise.resolve()),
+}));
+
 describe('LogoutTimeout', () => {
   it('if not authenticated, renders a timeout message', async () => {
     const mockUseStripes = useStripes;
@@ -19,11 +25,12 @@ describe('LogoutTimeout', () => {
     screen.getByText('stripes-core.rtr.idleSession.sessionExpiredSoSad');
   });
 
-  it('if authenticated, renders a redirect', async () => {
+  it('if authenticated, calls logout then renders a timeout message', async () => {
     const mockUseStripes = useStripes;
     mockUseStripes.mockReturnValue({ okapi: { isAuthenticated: true } });
 
     render(<LogoutTimeout />);
-    screen.getByText('Redirect');
+    expect(logout).toHaveBeenCalled();
+    screen.getByText('stripes-core.rtr.idleSession.sessionExpiredSoSad');
   });
 });
diff --git a/src/components/MainNav/MainNav.js b/src/components/MainNav/MainNav.js
index 1ced15b62..25b473ea3 100644
--- a/src/components/MainNav/MainNav.js
+++ b/src/components/MainNav/MainNav.js
@@ -11,7 +11,6 @@ import { Icon } from '@folio/stripes-components';
 
 import { withModules } from '../Modules';
 import { LastVisitedContext } from '../LastVisited';
-import { getLocale, logout as sessionLogout } from '../../loginServices';
 import {
   updateQueryResource,
   getLocationQuery,
@@ -65,7 +64,6 @@ class MainNav extends Component {
       userMenuOpen: false,
     };
     this.store = props.stripes.store;
-    this.logout = this.logout.bind(this);
     this.getAppList = this.getAppList.bind(this);
   }
 
@@ -116,14 +114,6 @@ class MainNav extends Component {
     });
   }
 
-  // return the user to the login screen, but after logging in they will be brought to the default screen.
-  logout() {
-    const { okapi } = this.store.getState();
-
-    return getLocale(okapi.url, this.store, okapi.tenant)
-      .then(sessionLogout(okapi.url, this.store, this.props.history));
-  }
-
   getAppList(lastVisited) {
     const { stripes, location: { pathname }, modules, intl: { formatMessage } } = this.props;
 
@@ -213,10 +203,7 @@ class MainNav extends Component {
                   target="_blank"
                 />
                 <NavDivider md="hide" />
-                <ProfileDropdown
-                  onLogout={this.logout}
-                  stripes={stripes}
-                />
+                <ProfileDropdown stripes={stripes} />
               </nav>
             </header>
           );
diff --git a/src/components/SessionEventContainer/SessionEventContainer.js b/src/components/SessionEventContainer/SessionEventContainer.js
index ff1707764..21ca8f4e1 100644
--- a/src/components/SessionEventContainer/SessionEventContainer.js
+++ b/src/components/SessionEventContainer/SessionEventContainer.js
@@ -3,7 +3,7 @@ import PropTypes from 'prop-types';
 import createInactivityTimer from 'inactivity-timer';
 import ms from 'ms';
 
-import { logout, SESSION_NAME } from '../../loginServices';
+import { SESSION_NAME } from '../../loginServices';
 import KeepWorkingModal from './KeepWorkingModal';
 import { useStripes } from '../../StripesContext';
 import {
@@ -21,19 +21,13 @@ import { toggleRtrModal } from '../../okapiActions';
 // RTR error in this window: logout
 export const thisWindowRtrError = (_e, stripes, history) => {
   console.warn('rtr error; logging out'); // eslint-disable-line no-console
-  return logout(stripes.okapi.url, stripes.store)
-    .then(() => {
-      history.push('/logout-timeout');
-    });
+  history.push('/logout-timeout');
 };
 
 // idle session timeout in this window: logout
 export const thisWindowRtrTimeout = (_e, stripes, history) => {
   stripes.logger.log('rtr', 'idle session timeout; logging out');
-  return logout(stripes.okapi.url, stripes.store)
-    .then(() => {
-      history.push('/logout-timeout');
-    });
+  history.push('/logout-timeout');
 };
 
 // localstorage change in another window: logout?
@@ -43,16 +37,10 @@ export const thisWindowRtrTimeout = (_e, stripes, history) => {
 export const otherWindowStorage = (e, stripes, history) => {
   if (e.key === RTR_TIMEOUT_EVENT) {
     stripes.logger.log('rtr', 'idle session timeout; logging out');
-    return logout(stripes.okapi.url, stripes.store)
-      .then(() => {
-        history.push('/logout-timeout');
-      });
+    history.push('/logout-timeout');
   } else if (!localStorage.getItem(SESSION_NAME)) {
     stripes.logger.log('rtr', 'external localstorage change; logging out');
-    return logout(stripes.okapi.url, stripes.store)
-      .then(() => {
-        history.push('/');
-      });
+    history.push('/logout');
   }
   return Promise.resolve();
 };
diff --git a/src/components/SessionEventContainer/SessionEventContainer.test.js b/src/components/SessionEventContainer/SessionEventContainer.test.js
index 09b68f19a..24d9fd04c 100644
--- a/src/components/SessionEventContainer/SessionEventContainer.test.js
+++ b/src/components/SessionEventContainer/SessionEventContainer.test.js
@@ -9,7 +9,7 @@ import SessionEventContainer, {
   thisWindowRtrError,
   thisWindowRtrTimeout,
 } from './SessionEventContainer';
-import { logout, SESSION_NAME } from '../../loginServices';
+import { SESSION_NAME } from '../../loginServices';
 import { RTR_TIMEOUT_EVENT } from '../Root/constants';
 
 import { toggleRtrModal } from '../../okapiActions';
@@ -69,11 +69,8 @@ describe('SessionEventContainer', () => {
 describe('SessionEventContainer event listeners', () => {
   it('thisWindowRtrError', async () => {
     const history = { push: jest.fn() };
-    const logoutMock = logout;
-    logoutMock.mockReturnValue(Promise.resolve());
 
-    await thisWindowRtrError(null, { okapi: { url: 'http' } }, history);
-    expect(logout).toHaveBeenCalled();
+    thisWindowRtrError(null, { okapi: { url: 'http' } }, history);
     expect(history.push).toHaveBeenCalledWith('/logout-timeout');
   });
 
@@ -89,11 +86,8 @@ describe('SessionEventContainer event listeners', () => {
     };
 
     const history = { push: jest.fn() };
-    const logoutMock = logout;
-    await logoutMock.mockReturnValue(Promise.resolve());
 
-    await thisWindowRtrTimeout(null, s, history);
-    expect(logout).toHaveBeenCalled();
+    thisWindowRtrTimeout(null, s, history);
     expect(history.push).toHaveBeenCalledWith('/logout-timeout');
   });
 
@@ -115,8 +109,7 @@ describe('SessionEventContainer event listeners', () => {
       };
       const history = { push: jest.fn() };
 
-      await otherWindowStorage(e, s, history);
-      expect(logout).toHaveBeenCalledWith(s.okapi.url, s.store);
+      otherWindowStorage(e, s, history);
       expect(history.push).toHaveBeenCalledWith('/logout-timeout');
     });
 
@@ -133,9 +126,8 @@ describe('SessionEventContainer event listeners', () => {
       };
       const history = { push: jest.fn() };
 
-      await otherWindowStorage(e, s, history);
-      expect(logout).toHaveBeenCalledWith(s.okapi.url, s.store);
-      expect(history.push).toHaveBeenCalledWith('/');
+      otherWindowStorage(e, s, history);
+      expect(history.push).toHaveBeenCalledWith('/logout');
     });
   });
 
diff --git a/test/jest/__mock__/stripesComponents.mock.js b/test/jest/__mock__/stripesComponents.mock.js
index ba14f98ff..49bac0f60 100644
--- a/test/jest/__mock__/stripesComponents.mock.js
+++ b/test/jest/__mock__/stripesComponents.mock.js
@@ -76,6 +76,7 @@ jest.mock('@folio/stripes-components', () => ({
     </ul>
   )),
   Loading: () => <div>Loading</div>,
+  LoadingView: () => <div>LoadingView</div>,
   MessageBanner: jest.fn(({ show, children }) => { return show ? <>{children}</> : <></>; }),
 
   // oy, dismissible. we need to pull it out of props so it doesn't

From bec39d570c7990d42ca17b87195caafb2d739043 Mon Sep 17 00:00:00 2001
From: aidynoJ <121284650+aidynoJ@users.noreply.github.com>
Date: Mon, 15 Jul 2024 16:32:25 +0500
Subject: [PATCH 48/63] STCOR-834: refactor useUserTenantPermissions to use
 _self endpoint permissions instead of okapi permissions if roles interface is
 presented (#1491)

Refs STCOR-834.
---
 src/hooks/useUserSelfTenantPermissions.js     |  51 ++++++++
 .../useUserSelfTenantPermissions.test.js      |  71 +++++++++++
 src/hooks/useUserTenantPermissionNames.js     |  59 +++++++++
 .../useUserTenantPermissionNames.test.js      |  72 +++++++++++
 src/hooks/useUserTenantPermissions.js         |  61 +++------
 src/hooks/useUserTenantPermissions.test.js    | 117 +++++++++---------
 6 files changed, 333 insertions(+), 98 deletions(-)
 create mode 100644 src/hooks/useUserSelfTenantPermissions.js
 create mode 100644 src/hooks/useUserSelfTenantPermissions.test.js
 create mode 100644 src/hooks/useUserTenantPermissionNames.js
 create mode 100644 src/hooks/useUserTenantPermissionNames.test.js

diff --git a/src/hooks/useUserSelfTenantPermissions.js b/src/hooks/useUserSelfTenantPermissions.js
new file mode 100644
index 000000000..7ffde2e84
--- /dev/null
+++ b/src/hooks/useUserSelfTenantPermissions.js
@@ -0,0 +1,51 @@
+import { useQuery } from 'react-query';
+
+import { useStripes } from '../StripesContext';
+import { useNamespace } from '../components';
+import useOkapiKy from '../useOkapiKy';
+
+const INITIAL_DATA = [];
+
+const useUserSelfTenantPermissions = (
+  { tenantId },
+  options = {},
+) => {
+  const stripes = useStripes();
+  const ky = useOkapiKy();
+  const api = ky.extend({
+    hooks: {
+      beforeRequest: [(req) => req.headers.set('X-Okapi-Tenant', tenantId)]
+    }
+  });
+  const [namespace] = useNamespace({ key: 'user-self-permissions' });
+
+  const user = stripes.user.user;
+
+  const {
+    isFetching,
+    isLoading,
+    data,
+  } = useQuery(
+    [namespace, user?.id, tenantId],
+    ({ signal }) => {
+      return api.get(
+        'users-keycloak/_self',
+        { signal },
+      ).json();
+    },
+    {
+      enabled: Boolean(user?.id && tenantId) && stripes.hasInterface('users-keycloak'),
+      keepPreviousData: true,
+      ...options,
+    },
+  );
+
+  return ({
+    isFetching,
+    isLoading,
+    userPermissions: data?.permissions.permissions || INITIAL_DATA,
+    totalRecords: data?.permissions.permissions.length || 0,
+  });
+};
+
+export default useUserSelfTenantPermissions;
diff --git a/src/hooks/useUserSelfTenantPermissions.test.js b/src/hooks/useUserSelfTenantPermissions.test.js
new file mode 100644
index 000000000..e8604bab7
--- /dev/null
+++ b/src/hooks/useUserSelfTenantPermissions.test.js
@@ -0,0 +1,71 @@
+import { renderHook, waitFor } from '@folio/jest-config-stripes/testing-library/react';
+import {
+  QueryClient,
+  QueryClientProvider,
+} from 'react-query';
+
+import permissions from 'fixtures/permissions';
+import useUserSelfTenantPermissions from './useUserSelfTenantPermissions';
+import useOkapiKy from '../useOkapiKy';
+
+jest.mock('../useOkapiKy');
+jest.mock('../components', () => ({
+  useNamespace: () => ([]),
+}));
+jest.mock('../StripesContext', () => ({
+  useStripes: () => ({
+    user: {
+      user: {
+        id: 'userId'
+      }
+    },
+    hasInterface: () => true
+  }),
+}));
+
+const queryClient = new QueryClient();
+
+// eslint-disable-next-line react/prop-types
+const wrapper = ({ children }) => (
+  <QueryClientProvider client={queryClient}>
+    {children}
+  </QueryClientProvider>
+);
+
+const response = {
+  permissions: { permissions },
+};
+
+describe('useUserSelfTenantPermissions', () => {
+  const getMock = jest.fn(() => ({
+    json: () => Promise.resolve(response),
+  }));
+  const setHeaderMock = jest.fn();
+  const kyMock = {
+    extend: jest.fn(({ hooks: { beforeRequest } }) => {
+      beforeRequest.forEach(handler => handler({ headers: { set: setHeaderMock } }));
+
+      return {
+        get: getMock,
+      };
+    }),
+  };
+
+  beforeEach(() => {
+    getMock.mockClear();
+    useOkapiKy.mockClear().mockReturnValue(kyMock);
+  });
+
+  it('should fetch user permissions for specified tenant', async () => {
+    const options = {
+      userId: 'userId',
+      tenantId: 'tenantId',
+    };
+    const { result } = renderHook(() => useUserSelfTenantPermissions(options), { wrapper });
+
+    await waitFor(() => !result.current.isLoading);
+
+    expect(setHeaderMock).toHaveBeenCalledWith('X-Okapi-Tenant', options.tenantId);
+    expect(getMock).toHaveBeenCalledWith('users-keycloak/_self', expect.objectContaining({}));
+  });
+});
diff --git a/src/hooks/useUserTenantPermissionNames.js b/src/hooks/useUserTenantPermissionNames.js
new file mode 100644
index 000000000..dc7c2057a
--- /dev/null
+++ b/src/hooks/useUserTenantPermissionNames.js
@@ -0,0 +1,59 @@
+import { useQuery } from 'react-query';
+
+import { useStripes } from '../StripesContext';
+import { useNamespace } from '../components';
+import useOkapiKy from '../useOkapiKy';
+
+const INITIAL_DATA = [];
+
+const useUserTenantPermissionNames = (
+  { tenantId },
+  options = {},
+) => {
+  const stripes = useStripes();
+  const ky = useOkapiKy();
+  const api = ky.extend({
+    hooks: {
+      beforeRequest: [(req) => req.headers.set('X-Okapi-Tenant', tenantId)]
+    }
+  });
+  const [namespace] = useNamespace({ key: 'user-affiliation-permissions' });
+
+  const user = stripes.user.user;
+
+  const searchParams = {
+    full: 'true',
+    indexField: 'userId',
+  };
+
+  const {
+    isFetching,
+    isLoading,
+    data = {},
+  } = useQuery(
+    [namespace, user?.id, tenantId],
+    ({ signal }) => {
+      return api.get(
+        `perms/users/${user.id}/permissions`,
+        {
+          searchParams,
+          signal,
+        },
+      ).json();
+    },
+    {
+      enabled: Boolean(user?.id && tenantId) && !stripes.hasInterface('roles'),
+      keepPreviousData: true,
+      ...options,
+    },
+  );
+
+  return ({
+    isFetching,
+    isLoading,
+    userPermissions: data.permissionNames || INITIAL_DATA,
+    totalRecords: data.totalRecords,
+  });
+};
+
+export default useUserTenantPermissionNames;
diff --git a/src/hooks/useUserTenantPermissionNames.test.js b/src/hooks/useUserTenantPermissionNames.test.js
new file mode 100644
index 000000000..cc15aecda
--- /dev/null
+++ b/src/hooks/useUserTenantPermissionNames.test.js
@@ -0,0 +1,72 @@
+import { renderHook, waitFor } from '@folio/jest-config-stripes/testing-library/react';
+import {
+  QueryClient,
+  QueryClientProvider,
+} from 'react-query';
+
+import permissions from 'fixtures/permissions';
+import useUserTenantPermissionNames from './useUserTenantPermissionNames';
+import useOkapiKy from '../useOkapiKy';
+
+jest.mock('../useOkapiKy');
+jest.mock('../components', () => ({
+  useNamespace: () => ([]),
+}));
+jest.mock('../StripesContext', () => ({
+  useStripes: () => ({
+    user: {
+      user: {
+        id: 'userId'
+      }
+    },
+    hasInterface: () => false
+  }),
+}));
+
+const queryClient = new QueryClient();
+
+// eslint-disable-next-line react/prop-types
+const wrapper = ({ children }) => (
+  <QueryClientProvider client={queryClient}>
+    {children}
+  </QueryClientProvider>
+);
+
+const response = {
+  permissionNames: permissions,
+  totalRecords: permissions.length,
+};
+
+describe('useUserTenantPermissionNames', () => {
+  const getMock = jest.fn(() => ({
+    json: () => Promise.resolve(response),
+  }));
+  const setHeaderMock = jest.fn();
+  const kyMock = {
+    extend: jest.fn(({ hooks: { beforeRequest } }) => {
+      beforeRequest.forEach(handler => handler({ headers: { set: setHeaderMock } }));
+
+      return {
+        get: getMock,
+      };
+    }),
+  };
+
+  beforeEach(() => {
+    getMock.mockClear();
+    useOkapiKy.mockClear().mockReturnValue(kyMock);
+  });
+
+  it('should fetch user permissions for specified tenant', async () => {
+    const options = {
+      userId: 'userId',
+      tenantId: 'tenantId',
+    };
+    const { result } = renderHook(() => useUserTenantPermissionNames(options), { wrapper });
+
+    await waitFor(() => !result.current.isLoading);
+
+    expect(setHeaderMock).toHaveBeenCalledWith('X-Okapi-Tenant', options.tenantId);
+    expect(getMock).toHaveBeenCalledWith(`perms/users/${options.userId}/permissions`, expect.objectContaining({}));
+  });
+});
diff --git a/src/hooks/useUserTenantPermissions.js b/src/hooks/useUserTenantPermissions.js
index 80030eea1..4173160c3 100644
--- a/src/hooks/useUserTenantPermissions.js
+++ b/src/hooks/useUserTenantPermissions.js
@@ -1,58 +1,37 @@
-import { useQuery } from 'react-query';
-
 import { useStripes } from '../StripesContext';
-import { useNamespace } from '../components';
-import useOkapiKy from '../useOkapiKy';
-
-const INITIAL_DATA = [];
+import useUserSelfTenantPermissions from './useUserSelfTenantPermissions';
+import useUserTenantPermissionNames from './useUserTenantPermissionNames';
 
 const useUserTenantPermissions = (
   { tenantId },
   options = {},
 ) => {
   const stripes = useStripes();
-  const ky = useOkapiKy();
-  const api = ky.extend({
-    hooks: {
-      beforeRequest: [(req) => req.headers.set('X-Okapi-Tenant', tenantId)]
-    }
-  });
-  const [namespace] = useNamespace({ key: 'user-affiliation-permissions' });
-
-  const user = stripes.user.user;
 
-  const searchParams = {
-    full: 'true',
-    indexField: 'userId',
-  };
+  const {
+    isFetching: isPermissionsFetching,
+    isLoading: isPermissionsLoading,
+    userPermissions: permissionsData = {},
+    totalRecords: permissionsTotalRecords
+  } = useUserTenantPermissionNames({ tenantId }, options);
 
   const {
-    isFetching,
-    isLoading,
-    data = {},
-  } = useQuery(
-    [namespace, user?.id, tenantId],
-    ({ signal }) => {
-      return api.get(
-        `perms/users/${user.id}/permissions`,
-        {
-          searchParams,
-          signal,
-        },
-      ).json();
-    },
-    {
-      enabled: Boolean(user?.id && tenantId),
-      keepPreviousData: true,
-      ...options,
-    },
-  );
+    isFetching: isSelfPermissionsFetching,
+    isLoading: isSelfPermissionsLoading,
+    userPermissions:selfPermissionsData = {},
+    totalRecords: selfPermissionsTotalRecords
+  } = useUserSelfTenantPermissions({ tenantId }, options);
+
+  const isFetching = stripes.hasInterface('roles') ? isSelfPermissionsFetching : isPermissionsFetching;
+  const isLoading = stripes.hasInterface('roles') ? isSelfPermissionsLoading : isPermissionsLoading;
+  const userPermissions = stripes.hasInterface('roles') ? selfPermissionsData : permissionsData;
+  const totalRecords = stripes.hasInterface('roles') ? selfPermissionsTotalRecords : permissionsTotalRecords;
 
   return ({
     isFetching,
     isLoading,
-    userPermissions: data.permissionNames || INITIAL_DATA,
-    totalRecords: data.totalRecords,
+    userPermissions,
+    totalRecords
   });
 };
 
diff --git a/src/hooks/useUserTenantPermissions.test.js b/src/hooks/useUserTenantPermissions.test.js
index e64b9c440..c3f4aa9bd 100644
--- a/src/hooks/useUserTenantPermissions.test.js
+++ b/src/hooks/useUserTenantPermissions.test.js
@@ -1,71 +1,74 @@
-import { renderHook, waitFor } from '@folio/jest-config-stripes/testing-library/react';
-import {
-  QueryClient,
-  QueryClientProvider,
-} from 'react-query';
-
-import permissions from 'fixtures/permissions';
+import { renderHook } from '@folio/jest-config-stripes/testing-library/react';
+import { useStripes } from '../StripesContext';
+import useUserSelfTenantPermissions from './useUserSelfTenantPermissions';
+import useUserTenantPermissionNames from './useUserTenantPermissionNames';
 import useUserTenantPermissions from './useUserTenantPermissions';
-import useOkapiKy from '../useOkapiKy';
 
-jest.mock('../useOkapiKy');
-jest.mock('../components', () => ({
-  useNamespace: () => ([]),
-}));
-jest.mock('../StripesContext', () => ({
-  useStripes: () => ({
-    user: {
-      user: {
-        id: 'userId'
-      }
-    }
-  }),
-}));
+jest.mock('../StripesContext');
+jest.mock('./useUserSelfTenantPermissions');
+jest.mock('./useUserTenantPermissionNames');
 
-const queryClient = new QueryClient();
+describe('useUserTenantPermissions', () => {
+  const tenantId = 'tenant-id';
+  const options = {};
 
-// eslint-disable-next-line react/prop-types
-const wrapper = ({ children }) => (
-  <QueryClientProvider client={queryClient}>
-    {children}
-  </QueryClientProvider>
-);
+  beforeEach(() => {
+    useStripes.mockReturnValue({
+      hasInterface: jest.fn()
+    });
+  });
 
-const response = {
-  permissionNames: permissions,
-  totalRecords: permissions.length,
-};
+  it('should return _self permissions data when "roles" interface is present', () => {
+    useStripes().hasInterface.mockReturnValue(true);
 
-describe('useUserTenantPermissions', () => {
-  const getMock = jest.fn(() => ({
-    json: () => Promise.resolve(response),
-  }));
-  const setHeaderMock = jest.fn();
-  const kyMock = {
-    extend: jest.fn(({ hooks: { beforeRequest } }) => {
-      beforeRequest.forEach(handler => handler({ headers: { set: setHeaderMock } }));
+    useUserSelfTenantPermissions.mockReturnValue({
+      isFetching: true,
+      isLoading: true,
+      userPermissions: ['self'],
+      totalRecords: 1
+    });
 
-      return {
-        get: getMock,
-      };
-    }),
-  };
+    useUserTenantPermissionNames.mockReturnValue({
+      isFetching: false,
+      isLoading: false,
+      userPermissions: ['permission name'],
+      totalRecords: 1
+    });
 
-  beforeEach(() => {
-    getMock.mockClear();
-    useOkapiKy.mockClear().mockReturnValue(kyMock);
+    const { result } = renderHook(() => useUserTenantPermissions({ tenantId }, options));
+
+    expect(result.current).toStrictEqual({
+      isFetching: true,
+      isLoading: true,
+      userPermissions: ['self'],
+      totalRecords: 1
+    });
   });
 
-  it('should fetch user permissions for specified tenant', async () => {
-    const options = {
-      userId: 'userId',
-      tenantId: 'tenantId',
-    };
-    const { result } = renderHook(() => useUserTenantPermissions(options), { wrapper });
+  it('should return tenant permissions data when "roles" interface is NOT present', () => {
+    useStripes().hasInterface.mockReturnValue(false);
+
+    useUserSelfTenantPermissions.mockReturnValue({
+      isFetching: true,
+      isLoading: true,
+      userPermissions: ['self'],
+      totalRecords: 1
+    });
+
+    useUserTenantPermissionNames.mockReturnValue({
+      isFetching: false,
+      isLoading: false,
+      userPermissions: ['permission name'],
+      totalRecords: 1
+    });
 
-    await waitFor(() => !result.current.isLoading);
+    const { result } = renderHook(() => useUserTenantPermissions({ tenantId }, options));
 
-    expect(setHeaderMock).toHaveBeenCalledWith('X-Okapi-Tenant', options.tenantId);
-    expect(getMock).toHaveBeenCalledWith(`perms/users/${options.userId}/permissions`, expect.objectContaining({}));
+    expect(result.current).toStrictEqual({
+      isFetching: false,
+      isLoading: false,
+      userPermissions: ['permission name'],
+      totalRecords: 1
+    });
   });
 });

From f93f21d68c8c4b30a5a748ab5b1bf6db16339417 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Mon, 15 Jul 2024 23:15:16 -0400
Subject: [PATCH 49/63] STCOR-866 include `/users-keycloak/_self` in auth-n
 requests (#1502)

The RTR cycle is kicked off when processing the response from an
authentication-related request. `/users-keycloak/_self` was missing
from the list, which meant that RTR would never kick off when a new tab
was opened for an existing session.

Refs STCOR-866
---
 CHANGELOG.md                      | 1 +
 src/components/Root/token-util.js | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9a348814c..28ce8ffdb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@
 * Always retrieve `clientId` and `tenant` values from `config.tenantOptions` in stripes.config.js. Retires `okapi.tenant`, `okapi.clientId`, and `config.isSingleTenant`. Refs STCOR-787.
 * List UI apps in "Applications/modules/interfaces" column. STCOR-773
 * Correctly evaluate `stripes.okapi` before rendering `<RootWithIntl>`. Refs STCOR-864.
+* `/users-keycloak/_self` is an authentication request. Refs STCOR-866.
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
diff --git a/src/components/Root/token-util.js b/src/components/Root/token-util.js
index 32ede2604..0e70ba012 100644
--- a/src/components/Root/token-util.js
+++ b/src/components/Root/token-util.js
@@ -74,6 +74,7 @@ export const isAuthenticationRequest = (resource, oUrl) => {
       '/authn/token',
       '/bl-users/login-with-expiry',
       '/bl-users/_self',
+      '/users-keycloak/_self',
     ];
 
     return !!permissible.find(i => string.startsWith(`${oUrl}${i}`));

From f150e29dff4404319cf2ed7f6300da40dec9eebb Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Mon, 22 Jul 2024 11:31:06 -0400
Subject: [PATCH 50/63] STCOR-867 Add permission display names lookup table to
 Redux (#1505)

* Add permission display names lookup table to Redux

* Sonar fixes
---
 src/discoverServices.js      | 17 +++++++++++++++--
 src/discoverServices.test.js | 20 ++++++++++++++++++++
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/src/discoverServices.js b/src/discoverServices.js
index 6ea2a63b9..0da05c8a9 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -25,6 +25,7 @@ function parseApplicationDescriptor(store, descriptor) {
   const dispatchDescriptor = (d) => {
     return Promise.all([
       store.dispatch({ type: 'DISCOVERY_INTERFACES', data: d }),
+      store.dispatch({ type: 'DISCOVERY_PERMISSION_DISPLAY_NAMES', data: d }),
       store.dispatch({ type: 'DISCOVERY_PROVIDERS', data: d }),
     ]);
   };
@@ -42,12 +43,17 @@ function parseApplicationDescriptor(store, descriptor) {
       data: descriptor.moduleDescriptors,
     })
   );
+
   if (descriptor.moduleDescriptors) {
-    list.push(...descriptor.moduleDescriptors?.map((i) => dispatchDescriptor(i)));
+    list.push(...descriptor.moduleDescriptors.map((i) => dispatchDescriptor(i)));
+  }
+
+  if (descriptor.uiModuleDescriptors) {
+    list.push(...descriptor.uiModuleDescriptors.map((i) => dispatchDescriptor(i)));
   }
 
   if (descriptor.uiModules) {
-    list.push(...descriptor.uiModules?.map((i) => dispatchDescriptor(i)));
+    list.push(...descriptor.uiModules.map((i) => dispatchDescriptor(i)));
   }
 
   list.push(dispatchApplication(descriptor));
@@ -286,6 +292,13 @@ export function discoveryReducer(state = {}, action) {
         interfaces: Object.assign(state.interfaces || {}, interfaces),
       });
     }
+    case 'DISCOVERY_PERMISSION_DISPLAY_NAMES': {
+      const permissions = {};
+      for (const entry of action.data.permissionSets || []) {
+        permissions[entry.permissionName] = entry.displayName;
+      }
+      return { permissionDisplayNames: { ...state.permissionDisplayNames, ...permissions } };
+    }
     case 'DISCOVERY_PROVIDERS': {
       if (action.data.provides?.length > 0) {
         return Object.assign({}, state, {
diff --git a/src/discoverServices.test.js b/src/discoverServices.test.js
index 3edbf5ebd..f1c42486f 100644
--- a/src/discoverServices.test.js
+++ b/src/discoverServices.test.js
@@ -140,6 +140,26 @@ describe('discoveryReducer', () => {
     expect(state).toMatchObject(mapped);
   });
 
+  it('handles DISCOVERY_PERMISSION_DISPLAY_NAMES', () => {
+    let state = {
+      permissionDisplayNames: {}
+    };
+    const action = {
+      type: 'DISCOVERY_PERMISSION_DISPLAY_NAMES',
+      data: {
+        permissionSets: [
+          { 'permissionName': 'perm1', 'displayName': 'Admin Permission' },
+          { 'permissionName': 'perm2', 'displayName': 'Read-only Permission' }
+        ]
+      },
+    };
+
+    state = discoveryReducer(state, action);
+
+    expect(state.permissionDisplayNames.perm1).toBe(action.data.permissionSets[0].displayName);
+    expect(state.permissionDisplayNames.perm2).toBe(action.data.permissionSets[1].displayName);
+  });
+
   it('handles DISCOVERY_OKAPI', () => {
     let state = {
       okapi: '0.0.0'

From 8b5274e7a2070ec54a3fd30cfc9f375b024cd29e Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Mon, 22 Jul 2024 16:50:04 -0400
Subject: [PATCH 51/63] STCOR-862 terminate session when fixed-length session
 expires (#1503)

RTR may be implemented such that each refresh extends the session by a
fixed interval, or the session-length may be fixed causing the RT TTL to
gradually shrink until the session ends and the user is forced to
re-authenticate. This PR implements handling for the latter scenario,
showing a non-interactive "this session will expire" banner before the
session expires and then redirecting to `/logout` to clear out session
data.

By default the warning is visible for one minute. It may be changed at
build-time by setting the `stripes.config.js` value
`config.rtr.fixedLengthSessionWarningTTL` to any value parseable by
`ms()`, e.g. `30s`, `1m`, `1h`.

Cache the current path in session storage prior to a timeout-logout,
allowing the user to return directly to that page when
re-authenticating.

The "interesting" bits are mostly in `FFetch` where, in addition to
scheduling AT rotation, there are two new `setTimer()` calls to dispatch
the FLS-warning and FLS-timeout events. Handlers for these are events
are located with other RTR event handlers in  `SessionEventContainer`.

There are corresponding reducer functions in `okapiActions`. Both it and
`okapiReducer` were refactored to use constants instead of strings for
their action-types. The refactor is otherwise insignificant.

Refs STCOR-862
---
 CHANGELOG.md                                  |   1 +
 src/components/AuthnLogin/AuthnLogin.js       |  21 +++-
 src/components/Root/Events.js                 |   5 -
 src/components/Root/FFetch.js                 | 110 +++++++++++++-----
 src/components/Root/FFetch.test.js            |  96 +++++++++++++--
 src/components/Root/Root.js                   |  10 ++
 src/components/Root/constants.js              |  34 +++++-
 src/components/Root/token-util.js             |   7 ++
 .../FixedLengthSessionWarning.js              |  54 +++++++++
 .../FixedLengthSessionWarning.test.js         |  59 ++++++++++
 .../SessionEventContainer.js                  |  50 ++++++--
 .../SessionEventContainer.test.js             |   6 +-
 src/loginServices.js                          |   7 +-
 src/okapiActions.js                           |  68 +++++++----
 src/okapiReducer.js                           |  97 ++++++++++-----
 src/okapiReducer.test.js                      |  47 ++++++--
 translations/stripes-core/en.json             |   5 +-
 translations/stripes-core/en_US.json          |   4 +-
 18 files changed, 552 insertions(+), 129 deletions(-)
 delete mode 100644 src/components/Root/Events.js
 create mode 100644 src/components/SessionEventContainer/FixedLengthSessionWarning.js
 create mode 100644 src/components/SessionEventContainer/FixedLengthSessionWarning.test.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 28ce8ffdb..bb1ac3d59 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@
 * List UI apps in "Applications/modules/interfaces" column. STCOR-773
 * Correctly evaluate `stripes.okapi` before rendering `<RootWithIntl>`. Refs STCOR-864.
 * `/users-keycloak/_self` is an authentication request. Refs STCOR-866.
+* Terminate the session when the fixed-length session expires. Refs STCOR-862.
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
diff --git a/src/components/AuthnLogin/AuthnLogin.js b/src/components/AuthnLogin/AuthnLogin.js
index 0b005de14..093c3db68 100644
--- a/src/components/AuthnLogin/AuthnLogin.js
+++ b/src/components/AuthnLogin/AuthnLogin.js
@@ -19,10 +19,23 @@ const AuthnLogin = ({ stripes }) => {
   };
 
   useEffect(() => {
-    if (okapi.authnUrl) {
-    /** Store unauthorized pathname to session storage. Refs STCOR-789
-    * @see OIDCRedirect
-    */
+    /**
+     * Cache the current path so we can return to it after authenticating.
+     * In RootWithIntl, unauthenticated visits to protected paths will be
+     * handled by this component, i.e.
+     *   /some-interesting-path <AuthnLogin>
+     * but if the user was de-authenticated due to a session timeout, they
+     * will have a history something like
+     *   /some-interesting-path <SomeInterestingComponent>
+     *   /logout <Logout>
+     *   / <AuthnLogin>
+     * but we still want to return to /some-interesting-path, which will
+     * have been cached by the logout-timeout handler, and must not be
+     * overwritten here.
+     *
+     * @see OIDCRedirect
+     */
+    if (okapi.authnUrl && window.location.pathname !== '/') {
       setUnauthorizedPathToSession(window.location.pathname);
     }
 
diff --git a/src/components/Root/Events.js b/src/components/Root/Events.js
deleted file mode 100644
index bbf2bd122..000000000
--- a/src/components/Root/Events.js
+++ /dev/null
@@ -1,5 +0,0 @@
-/** dispatched during RTR when it is successful */
-export const RTR_SUCCESS_EVENT = '@folio/stripes/core::RTRSuccess';
-
-/** dispatched during RTR if RTR itself fails */
-export const RTR_ERROR_EVENT = '@folio/stripes/core::RTRError';
diff --git a/src/components/Root/FFetch.js b/src/components/Root/FFetch.js
index 90eade94e..a689523f8 100644
--- a/src/components/Root/FFetch.js
+++ b/src/components/Root/FFetch.js
@@ -44,7 +44,8 @@
 import ms from 'ms';
 import { okapi as okapiConfig } from 'stripes-config';
 import {
-  setRtrTimeout
+  setRtrTimeout,
+  setRtrFlsTimeout,
 } from '../../okapiActions';
 
 import { getTokenExpiry } from '../../loginServices';
@@ -62,6 +63,9 @@ import {
   RTR_AT_EXPIRY_IF_UNKNOWN,
   RTR_AT_TTL_FRACTION,
   RTR_ERROR_EVENT,
+  RTR_FLS_TIMEOUT_EVENT,
+  RTR_FLS_WARNING_EVENT,
+  RTR_RT_EXPIRY_IF_UNKNOWN,
 } from './constants';
 import FXHR from './FXHR';
 
@@ -71,9 +75,10 @@ const OKAPI_FETCH_OPTIONS = {
 };
 
 export class FFetch {
-  constructor({ logger, store }) {
+  constructor({ logger, store, rtrConfig }) {
     this.logger = logger;
     this.store = store;
+    this.rtrConfig = rtrConfig;
   }
 
   /**
@@ -92,6 +97,52 @@ export class FFetch {
     global.XMLHttpRequest = FXHR(this);
   };
 
+  /**
+   * scheduleRotation
+   * Given a promise that resolves with timestamps for the AT's and RT's
+   * expiration, configure relevant corresponding timers: 
+   * * before the AT expires, conduct RTR
+   * * when the RT is about to expire, send a "session will end" event
+   * * when the RT expires, send a "session ended" event"
+   *
+   * @param {Promise} rotationP
+   */
+  scheduleRotation = (rotationP) => {
+    rotationP.then((rotationInterval) => {
+      // AT refresh interval: a large fraction of the actual AT TTL
+      const atInterval = (rotationInterval.accessTokenExpiration - Date.now()) * RTR_AT_TTL_FRACTION;
+
+      // RT timeout interval (session will end) and warning interval (warning that session will end)
+      const rtTimeoutInterval = (rotationInterval.refreshTokenExpiration - Date.now());
+      const rtWarningInterval = (rotationInterval.refreshTokenExpiration - Date.now()) - ms(this.rtrConfig.fixedLengthSessionWarningTTL);
+
+      // schedule AT rotation IFF the AT will expire before the RT. this avoids
+      // refresh-thrashing near the end of the FLS with progressively shorter
+      // AT TTL windows.
+      if (rotationInterval.accessTokenExpiration < rotationInterval.refreshTokenExpiration) {
+        this.logger.log('rtr', `rotation scheduled from rotateCallback; next callback in ${ms(atInterval)}`);
+        this.store.dispatch(setRtrTimeout(setTimeout(() => {
+          const { okapi } = this.store.getState();
+          rtr(this.nativeFetch, this.logger, this.rotateCallback, okapi);
+        }, atInterval)));
+      } else {
+        this.logger.log('rtr', 'rotation canceled; AT and RT will expire simultaneously');
+      }
+
+      // schedule FLS end-of-session warning
+      this.logger.log('rtr-fls', `end-of-session warning at ${new Date(rotationInterval.refreshTokenExpiration - ms(this.rtrConfig.fixedLengthSessionWarningTTL))}`);
+      this.store.dispatch(setRtrFlsTimeout(setTimeout(() => {
+        window.dispatchEvent(new Event(RTR_FLS_WARNING_EVENT));
+      }, rtWarningInterval)));
+
+      // schedule FLS end-of-session logout
+      this.logger.log('rtr-fls', `session will end at ${new Date(rotationInterval.refreshTokenExpiration)}`);
+      setTimeout(() => {
+        window.dispatchEvent(new Event(RTR_FLS_TIMEOUT_EVENT));
+      }, rtTimeoutInterval);
+    });
+  };
+
   /**
    * rotateCallback
    * Set a timeout to rotate the AT before it expires. Stash the timer-id
@@ -106,44 +157,47 @@ export class FFetch {
    *   where the values are ISO-8601 datestamps like YYYY-MM-DDTHH:mm:ssZ
    */
   rotateCallback = (res) => {
-    this.logger.log('rtr', 'rotation callback setup');
-
-    const scheduleRotation = (rotationP) => {
-      rotationP.then((rotationInterval) => {
-        this.logger.log('rtr', `rotation fired from rotateCallback; next callback in ${ms(rotationInterval)}`);
-        this.store.dispatch(setRtrTimeout(setTimeout(() => {
-          const { okapi } = this.store.getState();
-          rtr(this.nativeFetch, this.logger, this.rotateCallback, okapi);
-        }, rotationInterval)));
-      });
-    };
+    this.logger.log('rtr', 'rotation callback setup', res);
 
     // When starting a new session, the response from /bl-users/login-with-expiry
-    // will contain AT expiration info, but when restarting an existing session,
+    // will contain token expiration info, but when restarting an existing session,
     // the response from /bl-users/_self will NOT, although that information should
-    // have been cached in local-storage.
-    //
-    // This means there are many places we have to check to figure out when the
-    // AT is likely to expire, and thus when we want to rotate. First inspect
-    // the response, then the session, then default to 10 seconds.
+    // have been cached in local-storage. Thus, we check the following places for
+    // token expiration data:
+    // 1. response
+    // 2. session storage
+    // 3. hard-coded default
     if (res?.accessTokenExpiration) {
       this.logger.log('rtr', 'rotation scheduled with login response data');
-      const rotationPromise = Promise.resolve((new Date(res.accessTokenExpiration).getTime() - Date.now()) * RTR_AT_TTL_FRACTION);
+      const rotationPromise = Promise.resolve({
+        accessTokenExpiration: new Date(res.accessTokenExpiration).getTime(),
+        refreshTokenExpiration: new Date(res.refreshTokenExpiration).getTime(),
+      });
 
-      scheduleRotation(rotationPromise);
+      this.scheduleRotation(rotationPromise);
     } else {
       const rotationPromise = getTokenExpiry().then((expiry) => {
-        if (expiry?.atExpires) {
-          this.logger.log('rtr', 'rotation scheduled with cached session data');
-          return (new Date(expiry.atExpires).getTime() - Date.now()) * RTR_AT_TTL_FRACTION;
+        if (expiry?.atExpires && expiry?.atExpires >= Date.now()) {
+          this.logger.log('rtr', 'rotation scheduled with cached session data', expiry);
+          return {
+            accessTokenExpiration: new Date(expiry.atExpires).getTime(),
+            refreshTokenExpiration: new Date(expiry.rtExpires).getTime(),
+          };
         }
 
-        // default: 10 seconds
+        // default: session data was corrupt but the resume-session request
+        // succeeded so we know the cookies were valid at the time. short-term
+        // expiry-values will kick off RTR in the very new future, allowing us
+        // to grab values from the response.
         this.logger.log('rtr', 'rotation scheduled with default value');
-        return ms(RTR_AT_EXPIRY_IF_UNKNOWN);
+
+        return {
+          accessTokenExpiration: Date.now() + ms(RTR_AT_EXPIRY_IF_UNKNOWN),
+          refreshTokenExpiration: Date.now() + ms(RTR_RT_EXPIRY_IF_UNKNOWN),
+        };
       });
 
-      scheduleRotation(rotationPromise);
+      this.scheduleRotation(rotationPromise);
     }
   }
 
@@ -180,7 +234,7 @@ export class FFetch {
       // on authentication, grab the response to kick of the rotation cycle,
       // then return the response
       if (isAuthenticationRequest(resource, okapiConfig.url)) {
-        this.logger.log('rtr', 'authn request');
+        this.logger.log('rtr', 'authn request', resource);
         return this.nativeFetch.apply(global, [resource, options && { ...options, ...OKAPI_FETCH_OPTIONS }])
           .then(res => {
             // a response can only be read once, so we clone it to grab the
diff --git a/src/components/Root/FFetch.test.js b/src/components/Root/FFetch.test.js
index 8ada9a7c4..048dce81b 100644
--- a/src/components/Root/FFetch.test.js
+++ b/src/components/Root/FFetch.test.js
@@ -10,6 +10,7 @@ import { RTRError, UnexpectedResourceError } from './Errors';
 import {
   RTR_AT_EXPIRY_IF_UNKNOWN,
   RTR_AT_TTL_FRACTION,
+  RTR_FLS_WARNING_TTL,
 } from './constants';
 
 jest.mock('../../loginServices', () => ({
@@ -159,6 +160,7 @@ describe('FFetch class', () => {
       // a static timestamp of when the AT will expire, in the future
       // this value will be pushed into the response returned from the fetch
       const accessTokenExpiration = whatTimeIsItMrFox + 5000;
+      const refreshTokenExpiration = whatTimeIsItMrFox + ms('20m');
 
       const st = jest.spyOn(window, 'setTimeout');
 
@@ -168,7 +170,7 @@ describe('FFetch class', () => {
       const cloneJson = jest.fn();
       const clone = () => ({
         ok: true,
-        json: () => Promise.resolve({ tokenExpiration: { accessTokenExpiration } })
+        json: () => Promise.resolve({ tokenExpiration: { accessTokenExpiration, refreshTokenExpiration } })
       });
 
       mockFetch.mockResolvedValueOnce({
@@ -181,7 +183,10 @@ describe('FFetch class', () => {
         logger: { log },
         store: {
           dispatch: jest.fn(),
-        }
+        },
+        rtrConfig: {
+          fixedLengthSessionWarningTTL: '1m',
+        },
       });
       testFfetch.replaceFetch();
       testFfetch.replaceXMLHttpRequest();
@@ -193,7 +198,15 @@ describe('FFetch class', () => {
       // gross, but on the other, since we're deliberately pushing rotation
       // into a separate thread, I'm note sure of a better way to handle this.
       await setTimeout(Promise.resolve(), 2000);
+
+      // AT rotation
       expect(st).toHaveBeenCalledWith(expect.any(Function), (accessTokenExpiration - whatTimeIsItMrFox) * RTR_AT_TTL_FRACTION);
+
+      // FLS warning
+      expect(st).toHaveBeenCalledWith(expect.any(Function), (refreshTokenExpiration - whatTimeIsItMrFox) - ms(RTR_FLS_WARNING_TTL));
+
+      // FLS timeout
+      expect(st).toHaveBeenCalledWith(expect.any(Function), (refreshTokenExpiration - whatTimeIsItMrFox));
     });
 
     it('handles RTR data in the session', async () => {
@@ -203,10 +216,11 @@ describe('FFetch class', () => {
       // a static timestamp of when the AT will expire, in the future
       // this value will be retrieved from local storage via getTokenExpiry
       const atExpires = whatTimeIsItMrFox + 5000;
+      const rtExpires = whatTimeIsItMrFox + 15000;
 
       const st = jest.spyOn(window, 'setTimeout');
 
-      getTokenExpiry.mockResolvedValue({ atExpires });
+      getTokenExpiry.mockResolvedValue({ atExpires, rtExpires });
       Date.now = () => whatTimeIsItMrFox;
 
       const cloneJson = jest.fn();
@@ -225,7 +239,10 @@ describe('FFetch class', () => {
         logger: { log },
         store: {
           dispatch: jest.fn(),
-        }
+        },
+        rtrConfig: {
+          fixedLengthSessionWarningTTL: '1m',
+        },
       });
       testFfetch.replaceFetch();
       testFfetch.replaceXMLHttpRequest();
@@ -260,7 +277,10 @@ describe('FFetch class', () => {
         logger: { log },
         store: {
           dispatch: jest.fn(),
-        }
+        },
+        rtrConfig: {
+          fixedLengthSessionWarningTTL: '1m',
+        },
       });
       testFfetch.replaceFetch();
       testFfetch.replaceXMLHttpRequest();
@@ -270,10 +290,10 @@ describe('FFetch class', () => {
       // promise in a separate thread fired off by setTimout, and we need to
       // give it the chance to complete. on the one hand, this feels super
       // gross, but on the other, since we're deliberately pushing rotation
-      // into a separate thread, I'm note sure of a better way to handle this.
+      // into a separate thread, I'm not sure of a better way to handle this.
       await setTimeout(Promise.resolve(), 2000);
 
-      expect(st).toHaveBeenCalledWith(expect.any(Function), ms(RTR_AT_EXPIRY_IF_UNKNOWN));
+      expect(st).toHaveBeenCalledWith(expect.any(Function), ms(RTR_AT_EXPIRY_IF_UNKNOWN) * RTR_AT_TTL_FRACTION);
     });
 
     it('handles unsuccessful responses', async () => {
@@ -305,6 +325,62 @@ describe('FFetch class', () => {
       expect(mockFetch.mock.calls).toHaveLength(1);
       expect(cloneJson).not.toHaveBeenCalled();
     });
+
+    it('avoids rotation when AT and RT expire together', async () => {
+      // a static timestamp representing "now"
+      const whatTimeIsItMrFox = 1718042609734;
+
+      // a static timestamp of when the AT will expire, in the future
+      // this value will be pushed into the response returned from the fetch
+      const accessTokenExpiration = whatTimeIsItMrFox + 5000;
+      const refreshTokenExpiration = accessTokenExpiration;
+
+      const st = jest.spyOn(window, 'setTimeout');
+
+      // dummy date data: assume session
+      Date.now = () => whatTimeIsItMrFox;
+
+      const cloneJson = jest.fn();
+      const clone = () => ({
+        ok: true,
+        json: () => Promise.resolve({ tokenExpiration: { accessTokenExpiration, refreshTokenExpiration } })
+      });
+
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        clone,
+      });
+
+      mockFetch.mockResolvedValueOnce('okapi success');
+      const testFfetch = new FFetch({
+        logger: { log },
+        store: {
+          dispatch: jest.fn(),
+        },
+        rtrConfig: {
+          fixedLengthSessionWarningTTL: '1m',
+        },
+      });
+      testFfetch.replaceFetch();
+      testFfetch.replaceXMLHttpRequest();
+
+      const response = await global.fetch('okapiUrl/bl-users/_self', { testOption: 'test' });
+      // why this extra await/setTimeout? Because RTR happens in an un-awaited
+      // promise in a separate thread fired off by setTimout, and we need to
+      // give it the chance to complete. on the one hand, this feels super
+      // gross, but on the other, since we're deliberately pushing rotation
+      // into a separate thread, I'm note sure of a better way to handle this.
+      await setTimeout(Promise.resolve(), 2000);
+
+      // AT rotation
+      expect(st).not.toHaveBeenCalledWith(expect.any(Function), (accessTokenExpiration - whatTimeIsItMrFox) * RTR_AT_TTL_FRACTION);
+
+      // FLS warning
+      expect(st).toHaveBeenCalledWith(expect.any(Function), (refreshTokenExpiration - whatTimeIsItMrFox) - ms(RTR_FLS_WARNING_TTL));
+
+      // FLS timeout
+      expect(st).toHaveBeenCalledWith(expect.any(Function), (refreshTokenExpiration - whatTimeIsItMrFox));
+    });
   });
 
 
@@ -387,7 +463,7 @@ describe('FFetch class', () => {
         .mockResolvedValueOnce(new Response(
           JSON.stringify({ errors: ['missing token-getting ability'] }),
           {
-            status: 303,
+            status: 403,
             headers: {
               'content-type': 'application/json',
             }
@@ -417,7 +493,7 @@ describe('FFetch class', () => {
         .mockResolvedValueOnce(new Response(
           JSON.stringify({ errors: ['missing token-getting ability'] }),
           {
-            status: 303,
+            status: 403,
             headers: {
               'content-type': 'application/json',
             }
@@ -447,7 +523,7 @@ describe('FFetch class', () => {
         .mockResolvedValueOnce(new Response(
           JSON.stringify({ errors: ['missing token-getting ability'] }),
           {
-            status: 303,
+            status: 403,
             headers: {
               'content-type': 'application/json',
             }
diff --git a/src/components/Root/Root.js b/src/components/Root/Root.js
index 13e7e47de..d8dcc0172 100644
--- a/src/components/Root/Root.js
+++ b/src/components/Root/Root.js
@@ -67,9 +67,12 @@ class Root extends Component {
     // * configure fetch and xhr interceptors to conduct RTR
     // * see SessionEventContainer for RTR handling
     if (this.props.config.useSecureTokens) {
+      const rtrConfig = configureRtr(this.props.config.rtr);
+
       this.ffetch = new FFetch({
         logger: this.props.logger,
         store,
+        rtrConfig,
       });
       this.ffetch.replaceFetch();
       this.ffetch.replaceXMLHttpRequest();
@@ -116,6 +119,7 @@ class Root extends Component {
   render() {
     const { logger, store, epics, config, okapi, actionNames, token, isAuthenticated, disableAuth, currentUser, currentPerms, locale, defaultTranslations, timezone, currency, plugins, bindings, discovery, translations, history, serverDown } = this.props;
     if (serverDown) {
+      // note: this isn't i18n'ed because we haven't rendered an IntlProvider yet.
       return <div>Error: server is down.</div>;
     }
 
@@ -125,6 +129,12 @@ class Root extends Component {
     }
 
     // make sure RTR is configured
+    // gross: this overwrites whatever is currently stored at config.rtr
+    // gross: technically, this may be different than what is configured
+    //   in the constructor since the constructor only runs once but
+    //   render runs when props change. realistically, that'll never happen
+    //   since config values are read only once from a static file at build
+    //   time, but still, props are props so technically it's possible.
     config.rtr = configureRtr(this.props.config.rtr);
 
     const stripes = new Stripes({
diff --git a/src/components/Root/constants.js b/src/components/Root/constants.js
index 771467234..1ec4b5623 100644
--- a/src/components/Root/constants.js
+++ b/src/components/Root/constants.js
@@ -9,10 +9,34 @@ export const RTR_ERROR_EVENT = '@folio/stripes/core::RTRError';
  */
 export const RTR_TIMEOUT_EVENT = '@folio/stripes/core::RTRIdleSessionTimeout';
 
+/** dispatched when the fixed-length session is about to end */
+export const RTR_FLS_WARNING_EVENT = '@folio/stripes/core::RTRFLSWarning';
+
+/** dispatched when the fixed-length session ends */
+export const RTR_FLS_TIMEOUT_EVENT = '@folio/stripes/core::RTRFLSTimeout';
+
+/**
+ * how long is the FLS warning visible?
+ * When a fixed-length session expires, the session ends immediately and the
+ * user is forcibly logged out. This interval describes how much warning they
+ * get before the session ends.
+ *
+ * overridden in stripes.configs.js::config.rtr.fixedLengthSessionWarningTTL
+ * value must be a string parsable by ms()
+ */
+export const RTR_FLS_WARNING_TTL = '1m';
+
 /** BroadcastChannel for cross-window activity pings */
 export const RTR_ACTIVITY_CHANNEL = '@folio/stripes/core::RTRActivityChannel';
 
-/** how much of an AT's lifespan can elapse before it is considered expired */
+/**
+ * how much of a token's lifespan can elapse before it is considered expired?
+ * For the AT, we want a very safe margin because we don't ever want to fall
+ * off the end of the AT since it would be a very misleading failure given
+ * the RT is still good at that point. Since rotation happens in the background
+ * (i.e. it isn't a user-visible feature), rotating early has no user-visible
+ * impact.
+ */
 export const RTR_AT_TTL_FRACTION = 0.8;
 
 /**
@@ -56,8 +80,10 @@ export const RTR_IDLE_MODAL_TTL = '1m';
  *    token-expiration data in its response
  * 3. the session _should_ contain a value, but maybe the session
  *    was corrupt.
- * Given the resume-session API call succeeded, we know the AT must have been
- * valid at the time, so we punt and schedule rotation in the future by this
- * (relatively short) interval.
+ * Given the resume-session API call succeeded, we know the tokens were valid
+ * at the time so we punt and schedule rotation in the very near future because
+ * the rotation-response _will_ contain token-expiration values we can use to
+ * replace these.
  */
 export const RTR_AT_EXPIRY_IF_UNKNOWN = '10s';
+export const RTR_RT_EXPIRY_IF_UNKNOWN = '10m';
diff --git a/src/components/Root/token-util.js b/src/components/Root/token-util.js
index 0e70ba012..91abf3400 100644
--- a/src/components/Root/token-util.js
+++ b/src/components/Root/token-util.js
@@ -5,6 +5,7 @@ import { RTRError, UnexpectedResourceError } from './Errors';
 import {
   RTR_ACTIVITY_EVENTS,
   RTR_ERROR_EVENT,
+  RTR_FLS_WARNING_TTL,
   RTR_IDLE_MODAL_TTL,
   RTR_IDLE_SESSION_TTL,
   RTR_SUCCESS_EVENT,
@@ -326,5 +327,11 @@ export const configureRtr = (config = {}) => {
     conf.activityEvents = RTR_ACTIVITY_EVENTS;
   }
 
+  // how long is the "your session is gonna die!" warning shown
+  // before the session is, in fact, killed?
+  if (!conf.fixedLengthSessionWarningTTL) {
+    conf.fixedLengthSessionWarningTTL = RTR_FLS_WARNING_TTL;
+  }
+
   return conf;
 };
diff --git a/src/components/SessionEventContainer/FixedLengthSessionWarning.js b/src/components/SessionEventContainer/FixedLengthSessionWarning.js
new file mode 100644
index 000000000..09456ca79
--- /dev/null
+++ b/src/components/SessionEventContainer/FixedLengthSessionWarning.js
@@ -0,0 +1,54 @@
+import { useEffect, useState } from 'react';
+import { FormattedMessage } from 'react-intl';
+import ms from 'ms';
+
+import {
+  MessageBanner
+} from '@folio/stripes-components';
+
+import { useStripes } from '../../StripesContext';
+
+/**
+ * FixedLengthSessionWarning
+ * Show a callout with a countdown timer representing the number of seconds
+ * remaining until the session expires.
+ *
+ * @param {function} callback function to call when clicking "Keep working" button
+ */
+const FixedLengthSessionWarning = () => {
+  const stripes = useStripes();
+  const [remainingMillis, setRemainingMillis] = useState(ms(stripes.config.rtr.fixedLengthSessionWarningTTL));
+
+  // configure an interval timer that sets state each second,
+  // counting down to 0.
+  useEffect(() => {
+    const interval = setInterval(() => {
+      setRemainingMillis(i => i - 1000);
+    }, 1000);
+
+    // cleanup: clear the timer
+    return () => {
+      clearInterval(interval);
+    };
+  }, []);
+
+  /**
+   * timestampFormatter
+   * convert time-remaining to mm:ss. Given the remaining time can easily be
+   * represented as elapsed-time since the JSDate epoch, convert to a
+   * Date object, format it, and extract the minutes and seconds.
+   * That is, given we have 99 seconds left, that converts to a Date
+   * like `1970-01-01T00:01:39.000Z`; extract the `01:39`.
+   */
+  const timestampFormatter = () => {
+    if (remainingMillis >= 1000) {
+      return new Date(remainingMillis).toISOString().substring(14, 19);
+    }
+
+    return '00:00';
+  };
+
+  return <MessageBanner type="warning" show><FormattedMessage id="stripes-core.rtr.fixedLengthSession.timeRemaining" /> {timestampFormatter()}</MessageBanner>;
+};
+
+export default FixedLengthSessionWarning;
diff --git a/src/components/SessionEventContainer/FixedLengthSessionWarning.test.js b/src/components/SessionEventContainer/FixedLengthSessionWarning.test.js
new file mode 100644
index 000000000..d20719c9c
--- /dev/null
+++ b/src/components/SessionEventContainer/FixedLengthSessionWarning.test.js
@@ -0,0 +1,59 @@
+import { render, screen, waitFor } from '@folio/jest-config-stripes/testing-library/react';
+
+import Harness from '../../../test/jest/helpers/harness';
+import FixedLengthSessionWarning from './FixedLengthSessionWarning';
+
+jest.mock('../Root/token-util');
+
+const stripes = {
+  config: {
+    rtr: {
+      fixedLengthSessionWarningTTL: '99s'
+    }
+  }
+};
+
+describe('FixedLengthSessionWarning', () => {
+  it('renders a warning with seconds remaining', async () => {
+    render(<Harness stripes={stripes}><FixedLengthSessionWarning /></Harness>);
+    screen.getByText(/stripes-core.rtr.fixedLengthSession.timeRemaining/);
+    screen.getByText(/01:39/);
+  });
+
+  it('renders 0:00 when time expires', async () => {
+    const zeroSecondsStripes = {
+      config: {
+        rtr: {
+          fixedLengthSessionWarningTTL: '0s'
+        }
+      }
+    };
+
+    render(<Harness stripes={zeroSecondsStripes}><FixedLengthSessionWarning /></Harness>);
+    screen.getByText(/stripes-core.rtr.fixedLengthSession.timeRemaining/);
+    screen.getByText(/0:00/);
+  });
+
+  // I've never had great luck with jest's fake timers, https://jestjs.io/docs/timer-mocks
+  // The modal counts down one second at a time so this test just waits for
+  // two seconds. Great? Nope. Good enough? Sure is.
+  describe('uses timers', () => {
+    it('"like sand through an hourglass, so are the elapsed seconds of this warning" -- Soh Kraits', async () => {
+      jest.spyOn(global, 'setInterval');
+      const zeroSecondsStripes = {
+        config: {
+          rtr: {
+            fixedLengthSessionWarningTTL: '10s'
+          }
+        }
+      };
+
+      render(<Harness stripes={zeroSecondsStripes}><FixedLengthSessionWarning /></Harness>);
+
+      expect(setInterval).toHaveBeenCalledTimes(1);
+      expect(setInterval).toHaveBeenLastCalledWith(expect.any(Function), 1000);
+
+      await waitFor(() => screen.getByText(/00:09/), { timeout: 2000 });
+    });
+  });
+});
diff --git a/src/components/SessionEventContainer/SessionEventContainer.js b/src/components/SessionEventContainer/SessionEventContainer.js
index 21ca8f4e1..fa162d666 100644
--- a/src/components/SessionEventContainer/SessionEventContainer.js
+++ b/src/components/SessionEventContainer/SessionEventContainer.js
@@ -3,15 +3,18 @@ import PropTypes from 'prop-types';
 import createInactivityTimer from 'inactivity-timer';
 import ms from 'ms';
 
-import { SESSION_NAME } from '../../loginServices';
+import { SESSION_NAME, setUnauthorizedPathToSession } from '../../loginServices';
 import KeepWorkingModal from './KeepWorkingModal';
 import { useStripes } from '../../StripesContext';
 import {
   RTR_ACTIVITY_CHANNEL,
   RTR_ERROR_EVENT,
+  RTR_FLS_TIMEOUT_EVENT,
+  RTR_FLS_WARNING_EVENT,
   RTR_TIMEOUT_EVENT
 } from '../Root/constants';
 import { toggleRtrModal } from '../../okapiActions';
+import FixedLengthSessionWarning from './FixedLengthSessionWarning';
 
 //
 // event listeners
@@ -21,15 +24,30 @@ import { toggleRtrModal } from '../../okapiActions';
 // RTR error in this window: logout
 export const thisWindowRtrError = (_e, stripes, history) => {
   console.warn('rtr error; logging out'); // eslint-disable-line no-console
+  setUnauthorizedPathToSession();
   history.push('/logout-timeout');
 };
 
 // idle session timeout in this window: logout
-export const thisWindowRtrTimeout = (_e, stripes, history) => {
+export const thisWindowRtrIstTimeout = (_e, stripes, history) => {
   stripes.logger.log('rtr', 'idle session timeout; logging out');
+  setUnauthorizedPathToSession();
   history.push('/logout-timeout');
 };
 
+// fixed-length session warning in this window: logout
+export const thisWindowRtrFlsWarning = (_e, stripes, setIsFlsVisible) => {
+  stripes.logger.log('rtr', 'fixed-length session warning');
+  setIsFlsVisible(true);
+};
+
+// fixed-length session timeout in this window: logout
+export const thisWindowRtrFlsTimeout = (_e, stripes, history) => {
+  stripes.logger.log('rtr', 'fixed-length session timeout; logging out');
+  setUnauthorizedPathToSession();
+  history.push('/logout');
+};
+
 // localstorage change in another window: logout?
 // logout if it was a timeout event or if SESSION_NAME is being
 // removed from localStorage, an indicator that logout is in-progress
@@ -37,9 +55,11 @@ export const thisWindowRtrTimeout = (_e, stripes, history) => {
 export const otherWindowStorage = (e, stripes, history) => {
   if (e.key === RTR_TIMEOUT_EVENT) {
     stripes.logger.log('rtr', 'idle session timeout; logging out');
+    setUnauthorizedPathToSession();
     history.push('/logout-timeout');
   } else if (!localStorage.getItem(SESSION_NAME)) {
     stripes.logger.log('rtr', 'external localstorage change; logging out');
+    setUnauthorizedPathToSession();
     history.push('/logout');
   }
   return Promise.resolve();
@@ -113,6 +133,9 @@ const SessionEventContainer = ({ history }) => {
   // is the "keep working?" modal visible?
   const [isVisible, setIsVisible] = useState(false);
 
+  // is the fixed-length-session warning visible?
+  const [isFlsVisible, setIsFlsVisible] = useState(false);
+
   // inactivity timers
   const timers = useRef();
   const stripes = useStripes();
@@ -191,7 +214,7 @@ const SessionEventContainer = ({ history }) => {
       channels.window[RTR_ERROR_EVENT] = (e) => thisWindowRtrError(e, stripes, history);
 
       // idle session timeout in this window: logout
-      channels.window[RTR_TIMEOUT_EVENT] = (e) => thisWindowRtrTimeout(e, stripes, history);
+      channels.window[RTR_TIMEOUT_EVENT] = (e) => thisWindowRtrIstTimeout(e, stripes, history);
 
       // localstorage change in another window: logout?
       channels.window.storage = (e) => otherWindowStorage(e, stripes, history);
@@ -204,6 +227,13 @@ const SessionEventContainer = ({ history }) => {
         channels.window[eventName] = (e) => thisWindowActivity(e, stripes, timers, bc);
       });
 
+      // fixed-length session: show session-is-ending warning
+      channels.window[RTR_FLS_WARNING_EVENT] = (e) => thisWindowRtrFlsWarning(e, stripes, setIsFlsVisible);
+
+      // fixed-length session: terminate session
+      channels.window[RTR_FLS_TIMEOUT_EVENT] = (e) => thisWindowRtrFlsTimeout(e, stripes, history);
+
+
       // add listeners
       Object.entries(channels).forEach(([k, channel]) => {
         Object.entries(channel).forEach(([e, h]) => {
@@ -236,13 +266,19 @@ const SessionEventContainer = ({ history }) => {
     // array.
   }, []); // eslint-disable-line react-hooks/exhaustive-deps
 
-  // show the idle-session warning modal if necessary;
-  // otherwise return null
+  const renderList = [];
+
+  // show the idle-session warning modal?
   if (isVisible) {
-    return <KeepWorkingModal callback={keepWorkingCallback} />;
+    renderList.push(<KeepWorkingModal callback={keepWorkingCallback} />);
+  }
+
+  // show the fixed-length session warning?
+  if (isFlsVisible) {
+    renderList.push(<FixedLengthSessionWarning />);
   }
 
-  return null;
+  return renderList.length ? renderList : null;
 };
 
 SessionEventContainer.propTypes = {
diff --git a/src/components/SessionEventContainer/SessionEventContainer.test.js b/src/components/SessionEventContainer/SessionEventContainer.test.js
index 24d9fd04c..06f9c2a02 100644
--- a/src/components/SessionEventContainer/SessionEventContainer.test.js
+++ b/src/components/SessionEventContainer/SessionEventContainer.test.js
@@ -7,7 +7,7 @@ import SessionEventContainer, {
   otherWindowStorage,
   thisWindowActivity,
   thisWindowRtrError,
-  thisWindowRtrTimeout,
+  thisWindowRtrIstTimeout,
 } from './SessionEventContainer';
 import { SESSION_NAME } from '../../loginServices';
 import { RTR_TIMEOUT_EVENT } from '../Root/constants';
@@ -74,7 +74,7 @@ describe('SessionEventContainer event listeners', () => {
     expect(history.push).toHaveBeenCalledWith('/logout-timeout');
   });
 
-  it('thisWindowRtrTimeout', async () => {
+  it('thisWindowRtrIstTimeout', async () => {
     const s = {
       okapi: {
         url: 'http'
@@ -87,7 +87,7 @@ describe('SessionEventContainer event listeners', () => {
 
     const history = { push: jest.fn() };
 
-    thisWindowRtrTimeout(null, s, history);
+    thisWindowRtrIstTimeout(null, s, history);
     expect(history.push).toHaveBeenCalledWith('/logout-timeout');
   });
 
diff --git a/src/loginServices.js b/src/loginServices.js
index 220eb2865..08407e37a 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -115,13 +115,16 @@ export const setTokenExpiry = async (te) => {
  * removeUnauthorizedPathFromSession, setUnauthorizedPathToSession, getUnauthorizedPathFromSession
  * remove/set/get unauthorized_path to/from session storage.
  * Used to restore path on returning from login if user accessed a bookmarked
- * URL while unauthenticated and was redirected to login.
+ * URL while unauthenticated and was redirected to login, and when a session
+ * times out, forcing the user to re-authenticate.
  *
  * @see components/OIDCRedirect
  */
 const UNAUTHORIZED_PATH = 'unauthorized_path';
 export const removeUnauthorizedPathFromSession = () => sessionStorage.removeItem(UNAUTHORIZED_PATH);
-export const setUnauthorizedPathToSession = (pathname) => sessionStorage.setItem(UNAUTHORIZED_PATH, pathname);
+export const setUnauthorizedPathToSession = (pathname) => {
+  sessionStorage.setItem(UNAUTHORIZED_PATH, pathname ?? `${window.location.pathname}${window.location.search}`);
+};
 export const getUnauthorizedPathFromSession = () => sessionStorage.getItem(UNAUTHORIZED_PATH);
 
 // export config values for storing user locale
diff --git a/src/okapiActions.js b/src/okapiActions.js
index b6ff9554f..c9d3795ab 100644
--- a/src/okapiActions.js
+++ b/src/okapiActions.js
@@ -1,54 +1,56 @@
+import { OKAPI_REDUCER_ACTIONS } from './okapiReducer';
+
 function setCurrentUser(currentUser) {
   return {
-    type: 'SET_CURRENT_USER',
+    type: OKAPI_REDUCER_ACTIONS.SET_CURRENT_USER,
     currentUser,
   };
 }
 
 function clearCurrentUser() {
   return {
-    type: 'CLEAR_CURRENT_USER',
+    type: OKAPI_REDUCER_ACTIONS.CLEAR_CURRENT_USER,
   };
 }
 
 function setCurrentPerms(currentPerms) {
   return {
-    type: 'SET_CURRENT_PERMS',
+    type: OKAPI_REDUCER_ACTIONS.SET_CURRENT_PERMS,
     currentPerms,
   };
 }
 
 function setLocale(locale) {
   return {
-    type: 'SET_LOCALE',
+    type: OKAPI_REDUCER_ACTIONS.SET_LOCALE,
     locale,
   };
 }
 
 function setTimezone(timezone) {
   return {
-    type: 'SET_TIMEZONE',
+    type: OKAPI_REDUCER_ACTIONS.SET_TIMEZONE,
     timezone,
   };
 }
 
 function setCurrency(currency) {
   return {
-    type: 'SET_CURRENCY',
+    type: OKAPI_REDUCER_ACTIONS.SET_CURRENCY,
     currency,
   };
 }
 
 function setPlugins(plugins) {
   return {
-    type: 'SET_PLUGINS',
+    type: OKAPI_REDUCER_ACTIONS.SET_PLUGINS,
     plugins,
   };
 }
 
 function setSinglePlugin(name, value) {
   return {
-    type: 'SET_SINGLE_PLUGIN',
+    type: OKAPI_REDUCER_ACTIONS.SET_SINGLE_PLUGIN,
     name,
     value,
   };
@@ -56,115 +58,129 @@ function setSinglePlugin(name, value) {
 
 function setBindings(bindings) {
   return {
-    type: 'SET_BINDINGS',
+    type: OKAPI_REDUCER_ACTIONS.SET_BINDINGS,
     bindings,
   };
 }
 
 function setOkapiToken(token) {
   return {
-    type: 'SET_OKAPI_TOKEN',
+    type: OKAPI_REDUCER_ACTIONS.SET_OKAPI_TOKEN,
     token,
   };
 }
 
 function clearOkapiToken() {
   return {
-    type: 'CLEAR_OKAPI_TOKEN',
+    type: OKAPI_REDUCER_ACTIONS.CLEAR_OKAPI_TOKEN,
   };
 }
 
 function setIsAuthenticated(b) {
   return {
-    type: 'SET_IS_AUTHENTICATED',
+    type: OKAPI_REDUCER_ACTIONS.SET_IS_AUTHENTICATED,
     isAuthenticated: Boolean(b),
   };
 }
 
 function setAuthError(message) {
   return {
-    type: 'SET_AUTH_FAILURE',
+    type: OKAPI_REDUCER_ACTIONS.SET_AUTH_FAILURE,
     message,
   };
 }
 
 function setTranslations(translations) {
   return {
-    type: 'SET_TRANSLATIONS',
+    type: OKAPI_REDUCER_ACTIONS.SET_TRANSLATIONS,
     translations,
   };
 }
 
 function checkSSO(ssoEnabled) {
   return {
-    type: 'CHECK_SSO',
+    type: OKAPI_REDUCER_ACTIONS.CHECK_SSO,
     ssoEnabled,
   };
 }
 
 function setOkapiReady() {
   return {
-    type: 'OKAPI_READY',
+    type: OKAPI_REDUCER_ACTIONS.OKAPI_READY,
   };
 }
 
 function setServerDown() {
   return {
-    type: 'SERVER_DOWN',
+    type: OKAPI_REDUCER_ACTIONS.SERVER_DOWN,
   };
 }
 
 function setSessionData(session) {
   return {
-    type: 'SET_SESSION_DATA',
+    type: OKAPI_REDUCER_ACTIONS.SET_SESSION_DATA,
     session,
   };
 }
 
 function setLoginData(loginData) {
   return {
-    type: 'SET_LOGIN_DATA',
+    type: OKAPI_REDUCER_ACTIONS.SET_LOGIN_DATA,
     loginData,
   };
 }
 
 function updateCurrentUser(data) {
   return {
-    type: 'UPDATE_CURRENT_USER',
+    type: OKAPI_REDUCER_ACTIONS.UPDATE_CURRENT_USER,
     data,
   };
 }
 
 function setOkapiTenant(payload) {
   return {
-    type: 'SET_OKAPI_TENANT',
+    type: OKAPI_REDUCER_ACTIONS.SET_OKAPI_TENANT,
     payload
   };
 }
 
 function setTokenExpiration(tokenExpiration) {
   return {
-    type: 'SET_TOKEN_EXPIRATION',
+    type: OKAPI_REDUCER_ACTIONS.SET_TOKEN_EXPIRATION,
     tokenExpiration,
   };
 }
 
 function setRtrTimeout(rtrTimeout) {
   return {
-    type: 'SET_RTR_TIMEOUT',
+    type: OKAPI_REDUCER_ACTIONS.SET_RTR_TIMEOUT,
     rtrTimeout,
   };
 }
 
 function clearRtrTimeout() {
   return {
-    type: 'CLEAR_RTR_TIMEOUT',
+    type: OKAPI_REDUCER_ACTIONS.CLEAR_RTR_TIMEOUT,
+  };
+}
+
+function setRtrFlsTimeout(rtrFlsTimeout) {
+  return {
+    type: OKAPI_REDUCER_ACTIONS.SET_RTR_FLS_TIMEOUT,
+    rtrFlsTimeout,
   };
 }
 
+function clearRtrFlsTimeout() {
+  return {
+    type: OKAPI_REDUCER_ACTIONS.CLEAR_RTR_FLS_TIMEOUT,
+  };
+}
+
+
 function toggleRtrModal(isVisible) {
   return {
-    type: 'TOGGLE_RTR_MODAL',
+    type: OKAPI_REDUCER_ACTIONS.TOGGLE_RTR_MODAL,
     isVisible,
   };
 }
@@ -173,6 +189,7 @@ export {
   checkSSO,
   clearCurrentUser,
   clearOkapiToken,
+  clearRtrFlsTimeout,
   clearRtrTimeout,
   setAuthError,
   setBindings,
@@ -185,6 +202,7 @@ export {
   setOkapiReady,
   setOkapiToken,
   setPlugins,
+  setRtrFlsTimeout,
   setRtrTimeout,
   setServerDown,
   setSessionData,
diff --git a/src/okapiReducer.js b/src/okapiReducer.js
index 6c4f1f475..2fc52174b 100644
--- a/src/okapiReducer.js
+++ b/src/okapiReducer.js
@@ -1,78 +1,119 @@
+export const OKAPI_REDUCER_ACTIONS = {
+  CHECK_SSO: 'CHECK_SSO',
+  CLEAR_CURRENT_USER: 'CLEAR_CURRENT_USER',
+  CLEAR_OKAPI_TOKEN: 'CLEAR_OKAPI_TOKEN',
+  CLEAR_RTR_FLS_TIMEOUT: 'CLEAR_RTR_FLS_TIMEOUT',
+  CLEAR_RTR_TIMEOUT: 'CLEAR_RTR_TIMEOUT',
+  OKAPI_READY: 'OKAPI_READY',
+  SERVER_DOWN: 'SERVER_DOWN',
+  SET_AUTH_FAILURE: 'SET_AUTH_FAILURE',
+  SET_BINDINGS: 'SET_BINDINGS',
+  SET_CURRENCY: 'SET_CURRENCY',
+  SET_CURRENT_PERMS: 'SET_CURRENT_PERMS',
+  SET_CURRENT_USER: 'SET_CURRENT_USER',
+  SET_IS_AUTHENTICATED: 'SET_IS_AUTHENTICATED',
+  SET_LOCALE: 'SET_LOCALE',
+  SET_LOGIN_DATA: 'SET_LOGIN_DATA',
+  SET_OKAPI_TENANT: 'SET_OKAPI_TENANT',
+  SET_OKAPI_TOKEN: 'SET_OKAPI_TOKEN',
+  SET_PLUGINS: 'SET_PLUGINS',
+  SET_RTR_FLS_TIMEOUT: 'SET_RTR_FLS_TIMEOUT',
+  SET_RTR_TIMEOUT: 'SET_RTR_TIMEOUT',
+  SET_SESSION_DATA: 'SET_SESSION_DATA',
+  SET_SINGLE_PLUGIN: 'SET_SINGLE_PLUGIN',
+  SET_TIMEZONE: 'SET_TIMEZONE',
+  SET_TOKEN_EXPIRATION: 'SET_TOKEN_EXPIRATION',
+  SET_TRANSLATIONS: 'SET_TRANSLATIONS',
+  TOGGLE_RTR_MODAL: 'TOGGLE_RTR_MODAL',
+  UPDATE_CURRENT_USER: 'UPDATE_CURRENT_USER',
+};
+
 export default function okapiReducer(state = {}, action) {
   switch (action.type) {
-    case 'SET_OKAPI_TENANT': {
+    case OKAPI_REDUCER_ACTIONS.SET_OKAPI_TENANT: {
       const { tenant, clientId } = action.payload;
       return Object.assign({}, state, { tenant, clientId });
     }
-    case 'SET_OKAPI_TOKEN':
+    case OKAPI_REDUCER_ACTIONS.SET_OKAPI_TOKEN:
       return Object.assign({}, state, { token: action.token });
-    case 'CLEAR_OKAPI_TOKEN':
+    case OKAPI_REDUCER_ACTIONS.CLEAR_OKAPI_TOKEN:
       return Object.assign({}, state, { token: null });
-    case 'SET_CURRENT_USER':
+    case OKAPI_REDUCER_ACTIONS.SET_CURRENT_USER:
       return Object.assign({}, state, { currentUser: action.currentUser });
-    case 'SET_IS_AUTHENTICATED': {
+    case OKAPI_REDUCER_ACTIONS.SET_IS_AUTHENTICATED: {
       const newState = {
         isAuthenticated: action.isAuthenticated,
       };
-      // if we're logging out, clear the RTR timeout
-      // and other rtr-related values
+      // if we're logging out, clear the RTR timeouts and related values
       if (!action.isAuthenticated) {
         clearTimeout(state.rtrTimeout);
+        clearTimeout(state.rtrFlsTimeout);
         newState.rtrModalIsVisible = false;
         newState.rtrTimeout = undefined;
+        newState.rtrFlsTimeout = undefined;
       }
 
       return { ...state, ...newState };
     }
-    case 'SET_LOCALE':
+    case OKAPI_REDUCER_ACTIONS.SET_LOCALE:
       return Object.assign({}, state, { locale: action.locale });
-    case 'SET_TIMEZONE':
+    case OKAPI_REDUCER_ACTIONS.SET_TIMEZONE:
       return Object.assign({}, state, { timezone: action.timezone });
-    case 'SET_CURRENCY':
+    case OKAPI_REDUCER_ACTIONS.SET_CURRENCY:
       return Object.assign({}, state, { currency: action.currency });
-    case 'SET_PLUGINS':
+    case OKAPI_REDUCER_ACTIONS.SET_PLUGINS:
       return Object.assign({}, state, { plugins: action.plugins });
-    case 'SET_SINGLE_PLUGIN':
+    case OKAPI_REDUCER_ACTIONS.SET_SINGLE_PLUGIN:
       return Object.assign({}, state, { plugins: Object.assign({}, state.plugins, { [action.name]: action.value }) });
-    case 'SET_BINDINGS':
+    case OKAPI_REDUCER_ACTIONS.SET_BINDINGS:
       return Object.assign({}, state, { bindings: action.bindings });
-    case 'SET_CURRENT_PERMS':
+    case OKAPI_REDUCER_ACTIONS.SET_CURRENT_PERMS:
       return Object.assign({}, state, { currentPerms: action.currentPerms });
-    case 'SET_LOGIN_DATA':
+    case OKAPI_REDUCER_ACTIONS.SET_LOGIN_DATA:
       return Object.assign({}, state, { loginData: action.loginData });
-    case 'SET_TOKEN_EXPIRATION':
+    case OKAPI_REDUCER_ACTIONS.SET_TOKEN_EXPIRATION:
       return Object.assign({}, state, { loginData: { ...state.loginData, tokenExpiration: action.tokenExpiration } });
-    case 'CLEAR_CURRENT_USER':
+    case OKAPI_REDUCER_ACTIONS.CLEAR_CURRENT_USER:
       return Object.assign({}, state, { currentUser: {}, currentPerms: {} });
-    case 'SET_SESSION_DATA': {
+    case OKAPI_REDUCER_ACTIONS.SET_SESSION_DATA: {
       const { isAuthenticated, perms, tenant, token, user } = action.session;
       const sessionTenant = tenant || state.tenant;
 
       return { ...state, currentUser: user, currentPerms: perms, isAuthenticated, tenant: sessionTenant, token };
     }
-    case 'SET_AUTH_FAILURE':
+    case OKAPI_REDUCER_ACTIONS.SET_AUTH_FAILURE:
       return Object.assign({}, state, { authFailure: action.message });
-    case 'SET_TRANSLATIONS':
+    case OKAPI_REDUCER_ACTIONS.SET_TRANSLATIONS:
       return Object.assign({}, state, { translations: action.translations });
-    case 'CHECK_SSO':
+    case OKAPI_REDUCER_ACTIONS.CHECK_SSO:
       return Object.assign({}, state, { ssoEnabled: action.ssoEnabled });
-    case 'OKAPI_READY':
+    case OKAPI_REDUCER_ACTIONS.OKAPI_READY:
       return Object.assign({}, state, { okapiReady: true });
-    case 'SERVER_DOWN':
+    case OKAPI_REDUCER_ACTIONS.SERVER_DOWN:
       return Object.assign({}, state, { serverDown: true });
-    case 'UPDATE_CURRENT_USER':
+    case OKAPI_REDUCER_ACTIONS.UPDATE_CURRENT_USER:
       return { ...state, currentUser: { ...state.currentUser, ...action.data } };
 
-    // clear existing timeout and set a new one
-    case 'SET_RTR_TIMEOUT': {
+    // clear existing AT rotation timeout and set a new one
+    case OKAPI_REDUCER_ACTIONS.SET_RTR_TIMEOUT: {
       clearTimeout(state.rtrTimeout);
       return { ...state, rtrTimeout: action.rtrTimeout };
     }
-    case 'CLEAR_RTR_TIMEOUT': {
+    case OKAPI_REDUCER_ACTIONS.CLEAR_RTR_TIMEOUT: {
       clearTimeout(state.rtrTimeout);
       return { ...state, rtrTimeout: undefined };
     }
-    case 'TOGGLE_RTR_MODAL': {
+    // clear existing FLS timeout and set a new one
+    case OKAPI_REDUCER_ACTIONS.SET_RTR_FLS_TIMEOUT: {
+      clearTimeout(state.rtrFlsTimeout);
+      return { ...state, rtrFlsTimeout: action.rtrFlsTimeout };
+    }
+    case OKAPI_REDUCER_ACTIONS.CLEAR_RTR_FLS_TIMEOUT: {
+      clearTimeout(state.rtrFlsTimeout);
+      return { ...state, rtrFlsTimeout: undefined };
+    }
+
+    case OKAPI_REDUCER_ACTIONS.TOGGLE_RTR_MODAL: {
       return { ...state, rtrModalIsVisible: action.isVisible };
     }
 
diff --git a/src/okapiReducer.test.js b/src/okapiReducer.test.js
index 5c0cb8021..ce366491e 100644
--- a/src/okapiReducer.test.js
+++ b/src/okapiReducer.test.js
@@ -1,10 +1,11 @@
-import okapiReducer from './okapiReducer';
+import okapiReducer, { OKAPI_REDUCER_ACTIONS } from './okapiReducer';
+
 
 describe('okapiReducer', () => {
   describe('SET_IS_AUTHENTICATED', () => {
     it('sets isAuthenticated to true', () => {
       const isAuthenticated = true;
-      const o = okapiReducer({}, { type: 'SET_IS_AUTHENTICATED', isAuthenticated: true });
+      const o = okapiReducer({}, { type: OKAPI_REDUCER_ACTIONS.SET_IS_AUTHENTICATED, isAuthenticated: true });
       expect(o).toMatchObject({ isAuthenticated });
     });
 
@@ -14,24 +15,25 @@ describe('okapiReducer', () => {
         rtrTimeout: 123,
       };
       const ct = jest.spyOn(window, 'clearTimeout');
-      const o = okapiReducer(state, { type: 'SET_IS_AUTHENTICATED', isAuthenticated: false });
+      const o = okapiReducer(state, { type: OKAPI_REDUCER_ACTIONS.SET_IS_AUTHENTICATED, isAuthenticated: false });
       expect(o.isAuthenticated).toBe(false);
       expect(o.rtrModalIsVisible).toBe(false);
       expect(o.rtrTimeout).toBe(undefined);
+      expect(o.rtrFlsTimeout).toBe(undefined);
       expect(ct).toHaveBeenCalled();
     });
   });
 
   it('SET_LOGIN_DATA', () => {
     const loginData = 'loginData';
-    const o = okapiReducer({}, { type: 'SET_LOGIN_DATA', loginData });
+    const o = okapiReducer({}, { type: OKAPI_REDUCER_ACTIONS.SET_LOGIN_DATA, loginData });
     expect(o).toMatchObject({ loginData });
   });
 
   it('UPDATE_CURRENT_USER', () => {
     const initialState = { funky: 'chicken' };
     const data = { monkey: 'bagel' };
-    const o = okapiReducer(initialState, { type: 'UPDATE_CURRENT_USER', data });
+    const o = okapiReducer(initialState, { type: OKAPI_REDUCER_ACTIONS.UPDATE_CURRENT_USER, data });
     expect(o).toMatchObject({ ...initialState, currentUser: { ...data } });
   });
 
@@ -51,7 +53,7 @@ describe('okapiReducer', () => {
       },
       tenant: 'institutional',
     };
-    const o = okapiReducer(initialState, { type: 'SET_SESSION_DATA', session });
+    const o = okapiReducer(initialState, { type: OKAPI_REDUCER_ACTIONS.SET_SESSION_DATA, session });
     const { user, perms, ...rest } = session;
     expect(o).toMatchObject({
       ...initialState,
@@ -70,7 +72,7 @@ describe('okapiReducer', () => {
 
     const newState = { rtrTimeout: 997 };
 
-    const o = okapiReducer(state, { type: 'SET_RTR_TIMEOUT', rtrTimeout: newState.rtrTimeout });
+    const o = okapiReducer(state, { type: OKAPI_REDUCER_ACTIONS.SET_RTR_TIMEOUT, rtrTimeout: newState.rtrTimeout });
     expect(o).toMatchObject(newState);
 
     expect(ct).toHaveBeenCalledWith(state.rtrTimeout);
@@ -83,14 +85,41 @@ describe('okapiReducer', () => {
       rtrTimeout: 991,
     };
 
-    const o = okapiReducer(state, { type: 'CLEAR_RTR_TIMEOUT' });
+    const o = okapiReducer(state, { type: OKAPI_REDUCER_ACTIONS.CLEAR_RTR_TIMEOUT });
     expect(o).toMatchObject({});
     expect(ct).toHaveBeenCalledWith(state.rtrTimeout);
   });
 
   it('TOGGLE_RTR_MODAL', () => {
     const rtrModalIsVisible = true;
-    const o = okapiReducer({}, { type: 'TOGGLE_RTR_MODAL', isVisible: true });
+    const o = okapiReducer({}, { type: OKAPI_REDUCER_ACTIONS.TOGGLE_RTR_MODAL, isVisible: true });
     expect(o).toMatchObject({ rtrModalIsVisible });
   });
+
+  it('SET_RTR_FLS_TIMEOUT', () => {
+    const ct = jest.spyOn(window, 'clearTimeout');
+
+    const state = {
+      rtrFlsTimeout: 991,
+    };
+
+    const newState = { rtrFlsTimeout: 997 };
+
+    const o = okapiReducer(state, { type: OKAPI_REDUCER_ACTIONS.SET_RTR_FLS_TIMEOUT, rtrFlsTimeout: newState.rtrFlsTimeout });
+    expect(o).toMatchObject(newState);
+
+    expect(ct).toHaveBeenCalledWith(state.rtrFlsTimeout);
+  });
+
+  it('CLEAR_RTR_FLS_TIMEOUT', () => {
+    const ct = jest.spyOn(window, 'clearTimeout');
+
+    const state = {
+      rtrFlsTimeout: 991,
+    };
+
+    const o = okapiReducer(state, { type: OKAPI_REDUCER_ACTIONS.CLEAR_RTR_FLS_TIMEOUT });
+    expect(o).toMatchObject({});
+    expect(ct).toHaveBeenCalledWith(state.rtrFlsTimeout);
+  });
 });
diff --git a/translations/stripes-core/en.json b/translations/stripes-core/en.json
index b08b58fc5..27953d60d 100644
--- a/translations/stripes-core/en.json
+++ b/translations/stripes-core/en.json
@@ -13,7 +13,6 @@
   "title.noPermission": "No permission",
   "title.cookieEnabled": "Cookies are required to login. Please enable cookies and try again.",
   "title.logout": "Log out",
-  "title.cookieEnabled": "Cookies are required to login. Please enable cookies and try again.",
   "front.welcome": "Welcome, the Future Of Libraries Is OPEN!",
   "front.home": "Home",
   "front.about": "Software versions",
@@ -168,5 +167,7 @@
   "rtr.idleSession.timeRemaining": "Time remaining",
   "rtr.idleSession.keepWorking": "Keep working",
   "rtr.idleSession.sessionExpiredSoSad": "Your session expired due to inactivity.",
-  "rtr.idleSession.logInAgain": "Log in again"
+  "rtr.idleSession.logInAgain": "Log in again",
+  "rtr.fixedLengthSession.timeRemaining": "Your session will end soon! Time remaining:"
+
 }
diff --git a/translations/stripes-core/en_US.json b/translations/stripes-core/en_US.json
index 5571a649d..cdc0f228f 100644
--- a/translations/stripes-core/en_US.json
+++ b/translations/stripes-core/en_US.json
@@ -152,12 +152,12 @@
     "stale.reload": "Click here to reload.",
     "placeholder.forgotPassword": "Enter email or phone",
     "placeholder.forgotUsername": "Enter email or phone",
-    "title.cookieEnabled": "Cookies are required to login. Please enable cookies and try again.",
     "errors.sso.session.failed": "SSO Login failed. Please try again",
     "logoutPending": "Log out in process...",
     "rtr.idleSession.modalHeader": "Your session will expire soon!",
     "rtr.idleSession.timeRemaining": "Time remaining",
     "rtr.idleSession.keepWorking": "Keep working",
     "rtr.idleSession.sessionExpiredSoSad": "Your session expired due to inactivity.",
-    "rtr.idleSession.logInAgain": "Log in again"
+    "rtr.idleSession.logInAgain": "Log in again",
+    "rtr.fixedLengthSession.timeRemaining": "Your session will end soon! Time remaining:"
 }

From 48ca51748e9d424ebd9fb874135411588f16ed05 Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Tue, 23 Jul 2024 12:36:37 -0400
Subject: [PATCH 52/63] Add back missing reference to state (#1506)

so that state is not dropped when adding permission display names. The previous code was improper Redux behavior.
---
 src/discoverServices.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/discoverServices.js b/src/discoverServices.js
index 0da05c8a9..6b3a2d6ad 100644
--- a/src/discoverServices.js
+++ b/src/discoverServices.js
@@ -297,7 +297,7 @@ export function discoveryReducer(state = {}, action) {
       for (const entry of action.data.permissionSets || []) {
         permissions[entry.permissionName] = entry.displayName;
       }
-      return { permissionDisplayNames: { ...state.permissionDisplayNames, ...permissions } };
+      return { ...state, permissionDisplayNames: { ...state.permissionDisplayNames, ...permissions } };
     }
     case 'DISCOVERY_PROVIDERS': {
       if (action.data.provides?.length > 0) {

From c25e068e2c1df869b171e663be9eac4f80a5240d Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Fri, 26 Jul 2024 16:12:40 -0400
Subject: [PATCH 53/63] STCOR-869 do not store /logout as a "return-to" URL
 (#1510)

When a session ends due to timeout, the current location is stored in
order to allow the subsequent session to begin where the previous one
left off. If the "session timeout" event fires more than once**,
however, this could lead to the `/logout` location being stored as
the "return to" location with obvious dire consequences.

There are two changes here:
1. Don't allow locations beginning with `/logout` to be stored. This
   fixes the symptom, not the root cause, but is still worthwhile.
2. Store the session-timeout interval ID in redux, and manage that timer
   via a redux action. Even though this _still_ shouldn't fire more than
   once, if it does, this allows us to cancel the previous timer before
   adding the next one. This is an attempt to fix the root cause.

Refs STCOR-869
---
 src/components/Root/FFetch.js | 11 ++++++----
 src/loginServices.js          |  5 ++++-
 src/loginServices.test.js     | 38 +++++++++++++++++++++++++++++++++++
 src/okapiActions.js           | 16 ++++++++++++++-
 src/okapiReducer.js           | 17 ++++++++++++++++
 src/okapiReducer.test.js      | 30 +++++++++++++++++++++++++++
 6 files changed, 111 insertions(+), 6 deletions(-)

diff --git a/src/components/Root/FFetch.js b/src/components/Root/FFetch.js
index a689523f8..0b10068d1 100644
--- a/src/components/Root/FFetch.js
+++ b/src/components/Root/FFetch.js
@@ -46,6 +46,7 @@ import { okapi as okapiConfig } from 'stripes-config';
 import {
   setRtrTimeout,
   setRtrFlsTimeout,
+  setRtrFlsWarningTimeout,
 } from '../../okapiActions';
 
 import { getTokenExpiry } from '../../loginServices';
@@ -100,7 +101,7 @@ export class FFetch {
   /**
    * scheduleRotation
    * Given a promise that resolves with timestamps for the AT's and RT's
-   * expiration, configure relevant corresponding timers: 
+   * expiration, configure relevant corresponding timers:
    * * before the AT expires, conduct RTR
    * * when the RT is about to expire, send a "session will end" event
    * * when the RT expires, send a "session ended" event"
@@ -131,15 +132,17 @@ export class FFetch {
 
       // schedule FLS end-of-session warning
       this.logger.log('rtr-fls', `end-of-session warning at ${new Date(rotationInterval.refreshTokenExpiration - ms(this.rtrConfig.fixedLengthSessionWarningTTL))}`);
-      this.store.dispatch(setRtrFlsTimeout(setTimeout(() => {
+      this.store.dispatch(setRtrFlsWarningTimeout(setTimeout(() => {
+        this.logger.log('rtr-fls', 'emitting RTR_FLS_WARNING_EVENT');
         window.dispatchEvent(new Event(RTR_FLS_WARNING_EVENT));
       }, rtWarningInterval)));
 
       // schedule FLS end-of-session logout
       this.logger.log('rtr-fls', `session will end at ${new Date(rotationInterval.refreshTokenExpiration)}`);
-      setTimeout(() => {
+      this.store.dispatch(setRtrFlsTimeout(setTimeout(() => {
+        this.logger.log('rtr-fls', 'emitting RTR_FLS_TIMEOUT_EVENT');
         window.dispatchEvent(new Event(RTR_FLS_TIMEOUT_EVENT));
-      }, rtTimeoutInterval);
+      }, rtTimeoutInterval)));
     });
   };
 
diff --git a/src/loginServices.js b/src/loginServices.js
index 08407e37a..d30576c46 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -123,7 +123,10 @@ export const setTokenExpiry = async (te) => {
 const UNAUTHORIZED_PATH = 'unauthorized_path';
 export const removeUnauthorizedPathFromSession = () => sessionStorage.removeItem(UNAUTHORIZED_PATH);
 export const setUnauthorizedPathToSession = (pathname) => {
-  sessionStorage.setItem(UNAUTHORIZED_PATH, pathname ?? `${window.location.pathname}${window.location.search}`);
+  const path = pathname ?? `${window.location.pathname}${window.location.search}`;
+  if (!path.startsWith('/logout')) {
+    sessionStorage.setItem(UNAUTHORIZED_PATH, pathname ?? `${window.location.pathname}${window.location.search}`);
+  }
 };
 export const getUnauthorizedPathFromSession = () => sessionStorage.getItem(UNAUTHORIZED_PATH);
 
diff --git a/src/loginServices.test.js b/src/loginServices.test.js
index 6827bf9ae..60579cd8f 100644
--- a/src/loginServices.test.js
+++ b/src/loginServices.test.js
@@ -4,11 +4,13 @@ import {
   createOkapiSession,
   getOkapiSession,
   getTokenExpiry,
+  getUnauthorizedPathFromSession,
   handleLoginError,
   loadTranslations,
   logout,
   processOkapiSession,
   setTokenExpiry,
+  setUnauthorizedPathToSession,
   spreadUserWithPerms,
   supportedLocales,
   supportedNumberingSystems,
@@ -557,3 +559,39 @@ describe('logout', () => {
     });
   });
 });
+
+describe('setUnauthorizedPathToSession', () => {
+  beforeEach(() => {
+    window.sessionStorage.clear();
+  });
+
+  afterEach(() => {
+    window.sessionStorage.clear();
+  });
+
+  it('with an argument, uses it', () => {
+    const monkey = 'bagel';
+    setUnauthorizedPathToSession(monkey);
+    expect(getUnauthorizedPathFromSession()).toEqual(monkey);
+  });
+
+  it('without an argument, pulls value from window.location', () => {
+    window.location.pathname = '/monkey-bagel';
+    setUnauthorizedPathToSession();
+    expect(getUnauthorizedPathFromSession()).toEqual(window.location.pathname);
+  });
+
+  describe('refuses to set locations beginning with "/logout"', () => {
+    it('with an argument', () => {
+      const monkey = '/logout-timeout';
+      setUnauthorizedPathToSession(monkey);
+      expect(getUnauthorizedPathFromSession()).toBeFalsy();
+    });
+
+    it('without an argument', () => {
+      window.location.pathname = '/logout-timeout';
+      setUnauthorizedPathToSession();
+      expect(getUnauthorizedPathFromSession()).toBeFalsy();
+    });
+  });
+});
diff --git a/src/okapiActions.js b/src/okapiActions.js
index c9d3795ab..6debc86ca 100644
--- a/src/okapiActions.js
+++ b/src/okapiActions.js
@@ -164,6 +164,19 @@ function clearRtrTimeout() {
   };
 }
 
+function setRtrFlsWarningTimeout(rtrFlsWarningTimeout) {
+  return {
+    type: OKAPI_REDUCER_ACTIONS.SET_RTR_FLS_WARNING_TIMEOUT,
+    rtrFlsWarningTimeout,
+  };
+}
+
+function clearRtrFlsWarningTimeout() {
+  return {
+    type: OKAPI_REDUCER_ACTIONS.CLEAR_RTR_FLS_WARNING_TIMEOUT,
+  };
+}
+
 function setRtrFlsTimeout(rtrFlsTimeout) {
   return {
     type: OKAPI_REDUCER_ACTIONS.SET_RTR_FLS_TIMEOUT,
@@ -177,7 +190,6 @@ function clearRtrFlsTimeout() {
   };
 }
 
-
 function toggleRtrModal(isVisible) {
   return {
     type: OKAPI_REDUCER_ACTIONS.TOGGLE_RTR_MODAL,
@@ -190,6 +202,7 @@ export {
   clearCurrentUser,
   clearOkapiToken,
   clearRtrFlsTimeout,
+  clearRtrFlsWarningTimeout,
   clearRtrTimeout,
   setAuthError,
   setBindings,
@@ -203,6 +216,7 @@ export {
   setOkapiToken,
   setPlugins,
   setRtrFlsTimeout,
+  setRtrFlsWarningTimeout,
   setRtrTimeout,
   setServerDown,
   setSessionData,
diff --git a/src/okapiReducer.js b/src/okapiReducer.js
index 2fc52174b..023e215d0 100644
--- a/src/okapiReducer.js
+++ b/src/okapiReducer.js
@@ -3,6 +3,7 @@ export const OKAPI_REDUCER_ACTIONS = {
   CLEAR_CURRENT_USER: 'CLEAR_CURRENT_USER',
   CLEAR_OKAPI_TOKEN: 'CLEAR_OKAPI_TOKEN',
   CLEAR_RTR_FLS_TIMEOUT: 'CLEAR_RTR_FLS_TIMEOUT',
+  CLEAR_RTR_FLS_WARNING_TIMEOUT: 'CLEAR_RTR_FLS_WARNING_TIMEOUT',
   CLEAR_RTR_TIMEOUT: 'CLEAR_RTR_TIMEOUT',
   OKAPI_READY: 'OKAPI_READY',
   SERVER_DOWN: 'SERVER_DOWN',
@@ -18,6 +19,7 @@ export const OKAPI_REDUCER_ACTIONS = {
   SET_OKAPI_TOKEN: 'SET_OKAPI_TOKEN',
   SET_PLUGINS: 'SET_PLUGINS',
   SET_RTR_FLS_TIMEOUT: 'SET_RTR_FLS_TIMEOUT',
+  SET_RTR_FLS_WARNING_TIMEOUT: 'SET_RTR_FLS_WARNING_TIMEOUT',
   SET_RTR_TIMEOUT: 'SET_RTR_TIMEOUT',
   SET_SESSION_DATA: 'SET_SESSION_DATA',
   SET_SINGLE_PLUGIN: 'SET_SINGLE_PLUGIN',
@@ -47,9 +49,11 @@ export default function okapiReducer(state = {}, action) {
       // if we're logging out, clear the RTR timeouts and related values
       if (!action.isAuthenticated) {
         clearTimeout(state.rtrTimeout);
+        clearTimeout(state.rtrFlsWarningTimeout);
         clearTimeout(state.rtrFlsTimeout);
         newState.rtrModalIsVisible = false;
         newState.rtrTimeout = undefined;
+        newState.rtrFlsWarningTimeout = undefined;
         newState.rtrFlsTimeout = undefined;
       }
 
@@ -99,10 +103,23 @@ export default function okapiReducer(state = {}, action) {
       clearTimeout(state.rtrTimeout);
       return { ...state, rtrTimeout: action.rtrTimeout };
     }
+
     case OKAPI_REDUCER_ACTIONS.CLEAR_RTR_TIMEOUT: {
       clearTimeout(state.rtrTimeout);
       return { ...state, rtrTimeout: undefined };
     }
+
+    // clear existing FLS warning timeout and set a new one
+    case OKAPI_REDUCER_ACTIONS.SET_RTR_FLS_WARNING_TIMEOUT: {
+      clearTimeout(state.rtrFlsWarningTimeout);
+      return { ...state, rtrFlsWarningTimeout: action.rtrFlsWarningTimeout };
+    }
+
+    case OKAPI_REDUCER_ACTIONS.CLEAR_RTR_FLS_WARNING_TIMEOUT: {
+      clearTimeout(state.rtrFlsWarningTimeout);
+      return { ...state, rtrFlsWarningTimeout: undefined };
+    }
+
     // clear existing FLS timeout and set a new one
     case OKAPI_REDUCER_ACTIONS.SET_RTR_FLS_TIMEOUT: {
       clearTimeout(state.rtrFlsTimeout);
diff --git a/src/okapiReducer.test.js b/src/okapiReducer.test.js
index ce366491e..5a825bbce 100644
--- a/src/okapiReducer.test.js
+++ b/src/okapiReducer.test.js
@@ -13,6 +13,8 @@ describe('okapiReducer', () => {
       const state = {
         rtrModalIsVisible: true,
         rtrTimeout: 123,
+        rtrFlsTimeout: 123,
+        rtrFlsWarningTimeout: 123,
       };
       const ct = jest.spyOn(window, 'clearTimeout');
       const o = okapiReducer(state, { type: OKAPI_REDUCER_ACTIONS.SET_IS_AUTHENTICATED, isAuthenticated: false });
@@ -20,6 +22,7 @@ describe('okapiReducer', () => {
       expect(o.rtrModalIsVisible).toBe(false);
       expect(o.rtrTimeout).toBe(undefined);
       expect(o.rtrFlsTimeout).toBe(undefined);
+      expect(o.rtrFlsWarningTimeout).toBe(undefined);
       expect(ct).toHaveBeenCalled();
     });
   });
@@ -122,4 +125,31 @@ describe('okapiReducer', () => {
     expect(o).toMatchObject({});
     expect(ct).toHaveBeenCalledWith(state.rtrFlsTimeout);
   });
+
+  it('SET_RTR_FLS_WARNING_TIMEOUT', () => {
+    const ct = jest.spyOn(window, 'clearTimeout');
+
+    const state = {
+      rtrFlsWarningTimeout: 991,
+    };
+
+    const newState = { rtrFlsWarningTimeout: 997 };
+
+    const o = okapiReducer(state, { type: OKAPI_REDUCER_ACTIONS.SET_RTR_FLS_WARNING_TIMEOUT, rtrFlsWarningTimeout: newState.rtrFlsWarningTimeout });
+    expect(o).toMatchObject(newState);
+
+    expect(ct).toHaveBeenCalledWith(state.rtrFlsWarningTimeout);
+  });
+
+  it('CLEAR_RTR_FLS_WARNING_TIMEOUT', () => {
+    const ct = jest.spyOn(window, 'clearTimeout');
+
+    const state = {
+      rtrFlsWarningTimeout: 991,
+    };
+
+    const o = okapiReducer(state, { type: OKAPI_REDUCER_ACTIONS.CLEAR_RTR_FLS_WARNING_TIMEOUT });
+    expect(o).toMatchObject({});
+    expect(ct).toHaveBeenCalledWith(state.rtrFlsWarningTimeout);
+  });
 });

From da01a6a26417a44d64d9c6e96a0bd1aaa69c1cfc Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Thu, 8 Aug 2024 15:54:24 -0400
Subject: [PATCH 54/63] [STCOR-869] Add small margin to ensure /logout is
 called before cookie expires (#1513)

* Added a small time margin to wait so that cookie is not deleted before /logout request

* Fix test and lint issue
---
 src/components/Root/FFetch.js      | 3 ++-
 src/components/Root/FFetch.test.js | 5 +++--
 src/components/Root/constants.js   | 6 ++++++
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/components/Root/FFetch.js b/src/components/Root/FFetch.js
index 0b10068d1..658139dc2 100644
--- a/src/components/Root/FFetch.js
+++ b/src/components/Root/FFetch.js
@@ -65,6 +65,7 @@ import {
   RTR_AT_TTL_FRACTION,
   RTR_ERROR_EVENT,
   RTR_FLS_TIMEOUT_EVENT,
+  RTR_TIME_MARGIN_IN_MS,
   RTR_FLS_WARNING_EVENT,
   RTR_RT_EXPIRY_IF_UNKNOWN,
 } from './constants';
@@ -142,7 +143,7 @@ export class FFetch {
       this.store.dispatch(setRtrFlsTimeout(setTimeout(() => {
         this.logger.log('rtr-fls', 'emitting RTR_FLS_TIMEOUT_EVENT');
         window.dispatchEvent(new Event(RTR_FLS_TIMEOUT_EVENT));
-      }, rtTimeoutInterval)));
+      }, rtTimeoutInterval - RTR_TIME_MARGIN_IN_MS))); // Calling /logout a small margin before cookie is deleted to ensure it is included in the request
     });
   };
 
diff --git a/src/components/Root/FFetch.test.js b/src/components/Root/FFetch.test.js
index 048dce81b..461414e91 100644
--- a/src/components/Root/FFetch.test.js
+++ b/src/components/Root/FFetch.test.js
@@ -11,6 +11,7 @@ import {
   RTR_AT_EXPIRY_IF_UNKNOWN,
   RTR_AT_TTL_FRACTION,
   RTR_FLS_WARNING_TTL,
+  RTR_TIME_MARGIN_IN_MS,
 } from './constants';
 
 jest.mock('../../loginServices', () => ({
@@ -206,7 +207,7 @@ describe('FFetch class', () => {
       expect(st).toHaveBeenCalledWith(expect.any(Function), (refreshTokenExpiration - whatTimeIsItMrFox) - ms(RTR_FLS_WARNING_TTL));
 
       // FLS timeout
-      expect(st).toHaveBeenCalledWith(expect.any(Function), (refreshTokenExpiration - whatTimeIsItMrFox));
+      expect(st).toHaveBeenCalledWith(expect.any(Function), (refreshTokenExpiration - whatTimeIsItMrFox - RTR_TIME_MARGIN_IN_MS));
     });
 
     it('handles RTR data in the session', async () => {
@@ -379,7 +380,7 @@ describe('FFetch class', () => {
       expect(st).toHaveBeenCalledWith(expect.any(Function), (refreshTokenExpiration - whatTimeIsItMrFox) - ms(RTR_FLS_WARNING_TTL));
 
       // FLS timeout
-      expect(st).toHaveBeenCalledWith(expect.any(Function), (refreshTokenExpiration - whatTimeIsItMrFox));
+      expect(st).toHaveBeenCalledWith(expect.any(Function), (refreshTokenExpiration - whatTimeIsItMrFox - RTR_TIME_MARGIN_IN_MS));
     });
   });
 
diff --git a/src/components/Root/constants.js b/src/components/Root/constants.js
index 1ec4b5623..a4cb30681 100644
--- a/src/components/Root/constants.js
+++ b/src/components/Root/constants.js
@@ -87,3 +87,9 @@ export const RTR_IDLE_MODAL_TTL = '1m';
  */
 export const RTR_AT_EXPIRY_IF_UNKNOWN = '10s';
 export const RTR_RT_EXPIRY_IF_UNKNOWN = '10m';
+
+/**
+ * To account for minor delays between events (such as cookie expiration and API calls),
+ * this is a small amount of time to wait so the proper order can be ensured if they happen simultaneously.
+ */
+export const RTR_TIME_MARGIN_IN_MS = 200;

From 3ecfebc2d26b24b4c1e49a9c0638a8b71b65e912 Mon Sep 17 00:00:00 2001
From: aidynoJ <121284650+aidynoJ@users.noreply.github.com>
Date: Fri, 16 Aug 2024 17:00:37 +0600
Subject: [PATCH 55/63] STCOR-872: expose queryKeys from useChunkedCQLFetch
 hook (#1520)

Refs STCOR-872.
---
 src/queries/useChunkedCQLFetch.js      |  7 +++++--
 src/queries/useChunkedCQLFetch.test.js | 20 ++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/src/queries/useChunkedCQLFetch.js b/src/queries/useChunkedCQLFetch.js
index ff83a5ea8..79ed6876b 100644
--- a/src/queries/useChunkedCQLFetch.js
+++ b/src/queries/useChunkedCQLFetch.js
@@ -96,7 +96,9 @@ const useChunkedCQLFetch = ({
     STEP_SIZE
   ]);
 
-  const itemQueries = useQueries(getQueryArray());
+  const queryArray = getQueryArray();
+
+  const itemQueries = useQueries(queryArray);
 
   // Once chunk has finished fetching, fetch next chunk
   useEffect(() => {
@@ -133,7 +135,8 @@ const useChunkedCQLFetch = ({
     itemQueries,
     isLoading,
     // Offer all fetched orderLines in flattened array once ready
-    items: isLoading ? [] : reduceFunction(itemQueries)
+    items: isLoading ? [] : reduceFunction(itemQueries),
+    queryKeys: queryArray.map(q => q.queryKey)
   };
 };
 
diff --git a/src/queries/useChunkedCQLFetch.test.js b/src/queries/useChunkedCQLFetch.test.js
index 95b4826bb..31c150790 100644
--- a/src/queries/useChunkedCQLFetch.test.js
+++ b/src/queries/useChunkedCQLFetch.test.js
@@ -193,5 +193,25 @@ describe('Given useChunkedCQLFetch', () => {
 
       expect(result.current.itemQueries?.length).toEqual(2);
     });
+
+    it('expose queryKeys based on given ids and endpoint', async () => {
+      const { result } = renderHook(() => useChunkedCQLFetch({
+        ...baseOptions,
+        STEP_SIZE: 2
+      }), { wrapper });
+
+      await waitFor(() => {
+        const loadingQueries = result.current.itemQueries?.filter(iq => iq.isLoading);
+
+        return loadingQueries.length === 0;
+      });
+
+      expect(result.current.queryKeys).toHaveLength(3);
+      expect(result.current.queryKeys).toStrictEqual([
+        ['stripes-core', 'users', ['1234-5678-a', '1234-5678-b']],
+        ['stripes-core', 'users', ['1234-5678-c', '1234-5678-d']],
+        ['stripes-core', 'users', ['1234-5678-e']]
+      ]);
+    });
   });
 });

From 859a5200969eed3b9b0289bd48842b2df0e80b34 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Fri, 16 Aug 2024 18:05:57 -0400
Subject: [PATCH 56/63] STCOR-874 provide "key" prop to SessionEventContainer
 elements (#1521) (#1524)

Without a `key` prop to distinguish the elements rendered by
`<SessionEventContainer>`, they could interact badly. In particular, if
both elements (`<KeepWorkingModal>`, `<FixedLengthSessionWarning>`) were
displayed, dismissing the former would cause the latter to remount,
thus restarting the timer and putting it out of sync with when the
session will actually end.

When React warns you about missing keys, it ain't foolin'!

Refs STCOR-874

(cherry picked from commit d4e9f1d2a84a7e6e4039328914303e4f0d15c5d8)
---
 CHANGELOG.md                                                  | 1 +
 src/components/SessionEventContainer/SessionEventContainer.js | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb1ac3d59..d90281e0d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@
 * Correctly evaluate `stripes.okapi` before rendering `<RootWithIntl>`. Refs STCOR-864.
 * `/users-keycloak/_self` is an authentication request. Refs STCOR-866.
 * Terminate the session when the fixed-length session expires. Refs STCOR-862.
+* Provide `key` to elements in `<SessionEventContainer>`. Refs STCOR-874.
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
diff --git a/src/components/SessionEventContainer/SessionEventContainer.js b/src/components/SessionEventContainer/SessionEventContainer.js
index fa162d666..af19c588a 100644
--- a/src/components/SessionEventContainer/SessionEventContainer.js
+++ b/src/components/SessionEventContainer/SessionEventContainer.js
@@ -270,12 +270,12 @@ const SessionEventContainer = ({ history }) => {
 
   // show the idle-session warning modal?
   if (isVisible) {
-    renderList.push(<KeepWorkingModal callback={keepWorkingCallback} />);
+    renderList.push(<KeepWorkingModal callback={keepWorkingCallback} key="KeepWorkingModal" />);
   }
 
   // show the fixed-length session warning?
   if (isFlsVisible) {
-    renderList.push(<FixedLengthSessionWarning />);
+    renderList.push(<FixedLengthSessionWarning key="FixedLengthSessionWarning" />);
   }
 
   return renderList.length ? renderList : null;

From 54e5eff61accca4e6d186fb5cfa9447802425ea6 Mon Sep 17 00:00:00 2001
From: Yury Saukou <yury_saukou@epam.com>
Date: Mon, 19 Aug 2024 09:58:25 +0400
Subject: [PATCH 57/63] STCOR-873 Ensure support for the passed `tenantId`
 value by `useChunkedCQLFetch` for manipulations in the context of a specific
 tenant (#1519)

* STCOR-873 Ensure support for the passed 'tenantId' value by 'useChunkedCQLFetch' for manipulations in the context of a specific tenant

* resolve description issues

* tests
---
 CHANGELOG.md                           |  1 +
 src/queries/useChunkedCQLFetch.js      | 13 +++---
 src/queries/useChunkedCQLFetch.test.js | 61 +++++++++++++++++++++-----
 3 files changed, 59 insertions(+), 16 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d90281e0d..fe0fc0bd0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@
 * Correctly evaluate `stripes.okapi` before rendering `<RootWithIntl>`. Refs STCOR-864.
 * `/users-keycloak/_self` is an authentication request. Refs STCOR-866.
 * Terminate the session when the fixed-length session expires. Refs STCOR-862.
+* Ensure support for the passed `tenantId` value by `useChunkedCQLFetch` for manipulations in the context of a specific tenant. Refs STCOR-873.
 * Provide `key` to elements in `<SessionEventContainer>`. Refs STCOR-874.
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
diff --git a/src/queries/useChunkedCQLFetch.js b/src/queries/useChunkedCQLFetch.js
index 79ed6876b..9b13ee177 100644
--- a/src/queries/useChunkedCQLFetch.js
+++ b/src/queries/useChunkedCQLFetch.js
@@ -38,9 +38,10 @@ const useChunkedCQLFetch = ({
   limit = 1000, // Item limit to fetch on each request
   queryOptions: passedQueryOptions = {}, // Options to pass to each query
   reduceFunction, // Function to reduce fetched objects at the end into single array
-  STEP_SIZE = STEP_SIZE_DEFAULT // Number of IDs fetch per request
+  STEP_SIZE = STEP_SIZE_DEFAULT, // Number of IDs fetch per request
+  tenantId, // Tenant ID to which requests should be directed
 }) => {
-  const ky = useOkapiKy();
+  const ky = useOkapiKy({ tenant: tenantId });
 
   // Destructure passed query options to grab enabled
   const { enabled: queryEnabled = true, ...queryOptions } = passedQueryOptions;
@@ -69,9 +70,10 @@ const useChunkedCQLFetch = ({
           endpoint,
           ids,
           queryOptions,
-          STEP_SIZE
+          STEP_SIZE,
+          tenantId,
         }) :
-        ['stripes-core', endpoint, chunkedItem];
+        ['stripes-core', endpoint, chunkedItem, tenantId];
       queryArray.push({
         queryKey,
         queryFn: () => ky.get(`${endpoint}?limit=${limit}&query=${query}`).json(),
@@ -93,7 +95,8 @@ const useChunkedCQLFetch = ({
     ky,
     queryEnabled,
     queryOptions,
-    STEP_SIZE
+    STEP_SIZE,
+    tenantId,
   ]);
 
   const queryArray = getQueryArray();
diff --git a/src/queries/useChunkedCQLFetch.test.js b/src/queries/useChunkedCQLFetch.test.js
index 31c150790..a742a3537 100644
--- a/src/queries/useChunkedCQLFetch.test.js
+++ b/src/queries/useChunkedCQLFetch.test.js
@@ -42,6 +42,15 @@ const baseOptions = {
 // Set these up in beforeEach so it's fresh for each describe -- otherwise get improper test component changes(?)
 let queryClient;
 let wrapper;
+
+const response = [{ dummy: 'result' }];
+const mockUseOkapiKyValue = {
+  get: jest.fn(() => ({
+    json: () => Promise.resolve(response),
+  })),
+};
+const mockUseOkapiKy = useOkapiKy;
+
 describe('Given useChunkedCQLFetch', () => {
   beforeEach(() => {
     queryClient = new QueryClient({
@@ -57,14 +66,10 @@ describe('Given useChunkedCQLFetch', () => {
         {children}
       </QueryClientProvider>
     );
-    const response = [{ dummy: 'result' }];
 
-    const mockUseOkapiKy = useOkapiKy;
-    mockUseOkapiKy.mockReturnValue({
-      get: () => ({
-        json: () => Promise.resolve(response),
-      }),
-    });
+    mockUseOkapiKy.mockClear();
+    mockUseOkapiKyValue.get.mockClear();
+    mockUseOkapiKy.mockReturnValue(mockUseOkapiKyValue);
   });
 
   describe('sets up correct number of fetches', () => {
@@ -197,7 +202,8 @@ describe('Given useChunkedCQLFetch', () => {
     it('expose queryKeys based on given ids and endpoint', async () => {
       const { result } = renderHook(() => useChunkedCQLFetch({
         ...baseOptions,
-        STEP_SIZE: 2
+        STEP_SIZE: 2,
+        tenantId: 'central',
       }), { wrapper });
 
       await waitFor(() => {
@@ -208,10 +214,43 @@ describe('Given useChunkedCQLFetch', () => {
 
       expect(result.current.queryKeys).toHaveLength(3);
       expect(result.current.queryKeys).toStrictEqual([
-        ['stripes-core', 'users', ['1234-5678-a', '1234-5678-b']],
-        ['stripes-core', 'users', ['1234-5678-c', '1234-5678-d']],
-        ['stripes-core', 'users', ['1234-5678-e']]
+        ['stripes-core', 'users', ['1234-5678-a', '1234-5678-b'], 'central'],
+        ['stripes-core', 'users', ['1234-5678-c', '1234-5678-d'], 'central'],
+        ['stripes-core', 'users', ['1234-5678-e'], 'central']
       ]);
     });
   });
+
+  describe('allows work in provided tenant', () => {
+    const providedTenantId = 'providedTenantId';
+
+    it('sets up 1 fetch using alternate tenant ID', async () => {
+      const { result } = renderHook(() => useChunkedCQLFetch({
+        ...baseOptions,
+        tenantId: providedTenantId,
+      }), { wrapper });
+
+      await waitFor(() => {
+        return result.current.itemQueries?.filter(iq => iq.isLoading)?.length === 0;
+      });
+
+      expect(mockUseOkapiKy).toHaveBeenCalledWith({ tenant: providedTenantId });
+    });
+
+    it('includes tenantId in the generateQueryKey function', async () => {
+      const generateQueryKey = jest.fn();
+
+      const { result } = renderHook(() => useChunkedCQLFetch({
+        ...baseOptions,
+        generateQueryKey,
+        tenantId: providedTenantId,
+      }), { wrapper });
+
+      await waitFor(() => {
+        return result.current.itemQueries?.filter(iq => iq.isLoading)?.length === 0;
+      });
+
+      expect(generateQueryKey).toHaveBeenCalledWith(expect.objectContaining({ tenantId: providedTenantId }));
+    });
+  });
 });

From d3f2c20442823166756af437b46c69efaf4bd8ff Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Fri, 23 Aug 2024 12:31:52 -0400
Subject: [PATCH 58/63] [STCOR-876] Remember requested URL path on Login
 (Regression bug)  (#1526)

* Ensure setUnauthorizedPathToSession is called in AuthnLogin to remember requested path on login

* Also remember URL params
---
 src/RootWithIntl.js                     | 1 +
 src/components/AuthnLogin/AuthnLogin.js | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/RootWithIntl.js b/src/RootWithIntl.js
index b51265cc9..94f0702a4 100644
--- a/src/RootWithIntl.js
+++ b/src/RootWithIntl.js
@@ -163,6 +163,7 @@ const RootWithIntl = ({ stripes, token = '', isAuthenticated = false, disableAut
                       />
                       <TitledRoute
                         name="login"
+                        path="*"
                         component={<AuthnLogin stripes={connectedStripes} />}
                       />
                     </Switch>
diff --git a/src/components/AuthnLogin/AuthnLogin.js b/src/components/AuthnLogin/AuthnLogin.js
index 093c3db68..2d9c92cfd 100644
--- a/src/components/AuthnLogin/AuthnLogin.js
+++ b/src/components/AuthnLogin/AuthnLogin.js
@@ -1,4 +1,4 @@
-import React, { useEffect } from 'react';
+import React, { useLayoutEffect } from 'react';
 import PropTypes from 'prop-types';
 import Redirect from '../Redirect';
 import PreLoginLanding from '../PreLoginLanding';
@@ -18,7 +18,7 @@ const AuthnLogin = ({ stripes }) => {
     stripes.store.dispatch(setOkapiTenant({ tenant, clientId }));
   };
 
-  useEffect(() => {
+  useLayoutEffect(() => {
     /**
      * Cache the current path so we can return to it after authenticating.
      * In RootWithIntl, unauthenticated visits to protected paths will be
@@ -36,7 +36,7 @@ const AuthnLogin = ({ stripes }) => {
      * @see OIDCRedirect
      */
     if (okapi.authnUrl && window.location.pathname !== '/') {
-      setUnauthorizedPathToSession(window.location.pathname);
+      setUnauthorizedPathToSession(window.location.pathname + window.location.search);
     }
 
     // If only 1 tenant is defined in config (in either okapi or config.tenantOptions) set to okapi to be accessed there

From f6948219696cfb049cc313f9c229c08325eeb29e Mon Sep 17 00:00:00 2001
From: Ryan Berger <rberger@ebsco.com>
Date: Mon, 9 Sep 2024 15:13:50 -0400
Subject: [PATCH 59/63] [STCOR-885] Clear saved entry path so that subsequent
 logins will use default base URL. (#1531)

* Clear saved entry path so that subsequent logins will use default base URL

* Moving removeUnauthorizedPathFromSession() to OIDCRedirect so the value is cleared right after being used rather than on logout

* Add comment
---
 src/components/AuthnLogin/AuthnLogin.js |  2 +-
 src/components/OIDCRedirect.js          | 12 +++++++++---
 src/loginServices.js                    |  2 +-
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/components/AuthnLogin/AuthnLogin.js b/src/components/AuthnLogin/AuthnLogin.js
index 2d9c92cfd..1519c59c2 100644
--- a/src/components/AuthnLogin/AuthnLogin.js
+++ b/src/components/AuthnLogin/AuthnLogin.js
@@ -36,7 +36,7 @@ const AuthnLogin = ({ stripes }) => {
      * @see OIDCRedirect
      */
     if (okapi.authnUrl && window.location.pathname !== '/') {
-      setUnauthorizedPathToSession(window.location.pathname + window.location.search);
+      setUnauthorizedPathToSession();
     }
 
     // If only 1 tenant is defined in config (in either okapi or config.tenantOptions) set to okapi to be accessed there
diff --git a/src/components/OIDCRedirect.js b/src/components/OIDCRedirect.js
index c224b3dad..9d463fe9a 100644
--- a/src/components/OIDCRedirect.js
+++ b/src/components/OIDCRedirect.js
@@ -1,7 +1,11 @@
 import { withRouter, Redirect, useLocation } from 'react-router';
 import queryString from 'query-string';
 import { useStripes } from '../StripesContext';
-import { getUnauthorizedPathFromSession } from '../loginServices';
+import { getUnauthorizedPathFromSession, removeUnauthorizedPathFromSession } from '../loginServices';
+
+// Setting at top of component since value should be retained during re-renders
+// but will be correctly re-fetched when redirected from Keycloak login page.
+const unauthorizedPath = getUnauthorizedPathFromSession();
 
 /**
  * OIDCRedirect authenticated route handler for /oidc-landing.
@@ -29,8 +33,10 @@ const OIDCRedirect = () => {
 
   const getUrl = () => {
     if (stripes.okapi.authnUrl) {
-      const unauthorizedPath = getUnauthorizedPathFromSession();
-      if (unauthorizedPath) return unauthorizedPath;
+      if (unauthorizedPath) {
+        removeUnauthorizedPathFromSession();
+        return unauthorizedPath;
+      }
     }
 
     const params = getParams();
diff --git a/src/loginServices.js b/src/loginServices.js
index d30576c46..4f05d7c13 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -125,7 +125,7 @@ export const removeUnauthorizedPathFromSession = () => sessionStorage.removeItem
 export const setUnauthorizedPathToSession = (pathname) => {
   const path = pathname ?? `${window.location.pathname}${window.location.search}`;
   if (!path.startsWith('/logout')) {
-    sessionStorage.setItem(UNAUTHORIZED_PATH, pathname ?? `${window.location.pathname}${window.location.search}`);
+    sessionStorage.setItem(UNAUTHORIZED_PATH, path);
   }
 };
 export const getUnauthorizedPathFromSession = () => sessionStorage.getItem(UNAUTHORIZED_PATH);

From 2106d9c05476c2c2b587897f641376e3089514d1 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Thu, 12 Sep 2024 18:12:09 -0400
Subject: [PATCH 60/63] STCOR-875 sync to master

`keycloak-ramsons` is different from `master` in numerous small but
significant ways. This brings them back into compatibility.

Refs STCOR-875
---
 src/components/LogoutTimeout/LogoutTimeout.js | 46 ++++++++-----------
 .../SessionEventContainer.js                  | 34 +++++++++-----
 2 files changed, 41 insertions(+), 39 deletions(-)

diff --git a/src/components/LogoutTimeout/LogoutTimeout.js b/src/components/LogoutTimeout/LogoutTimeout.js
index e0af76f17..34f0fc446 100644
--- a/src/components/LogoutTimeout/LogoutTimeout.js
+++ b/src/components/LogoutTimeout/LogoutTimeout.js
@@ -1,57 +1,49 @@
-import { useEffect, useState } from 'react';
 import { FormattedMessage } from 'react-intl';
 import { branding } from 'stripes-config';
+import { Redirect } from 'react-router';
 
 import {
   Button,
   Col,
   Headline,
-  LoadingView,
   Row,
 } from '@folio/stripes-components';
 
 import OrganizationLogo from '../OrganizationLogo';
 import { useStripes } from '../../StripesContext';
-import { logout } from '../../loginServices';
 
 import styles from './LogoutTimeout.css';
+import {
+  getUnauthorizedPathFromSession,
+  removeUnauthorizedPathFromSession,
+} from '../../loginServices';
 
 /**
  * LogoutTimeout
- * Show a "sorry, your session timed out message"; if the session is still
- * active, call logout() to end it.
+ * For unauthenticated users, show a "sorry, your session timed out" message
+ * with a link to login page. For authenticated users, redirect to / since
+ * showing such a message would be a misleading lie.
  *
  * Having a static route to this page allows the logout handler to choose
  * between redirecting straight to the login page (if the user chose to
- * logout) or to this page (if the session timed out).
+ * logout) or to this page (if the session timeout out).
  *
  * This corresponds to the '/logout-timeout' route.
  */
 const LogoutTimeout = () => {
   const stripes = useStripes();
-  const [didLogout, setDidLogout] = useState(false);
-
-  useEffect(
-    () => {
-      if (stripes.okapi.isAuthenticated) {
-        // returns a promise, which we ignore
-        logout(stripes.okapi.url, stripes.store)
-          .then(setDidLogout(true));
-      } else {
-        setDidLogout(true);
-      }
-    },
-    // no dependencies because we only want to start the logout process once.
-    // we don't care about changes to stripes; certainly it'll be updated as
-    // part of the logout process
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-    []
-  );
 
-  if (!didLogout) {
-    return <LoadingView />;
+  if (stripes.okapi.isAuthenticated) {
+    return <Redirect to="/" />;
   }
 
+  const handleClick = (_e) => {
+    removeUnauthorizedPathFromSession();
+  };
+
+  const previousPath = getUnauthorizedPathFromSession();
+  const redirectTo = previousPath ?? '/';
+
   return (
     <main>
       <div className={styles.wrapper} style={branding.style?.login ?? {}}>
@@ -68,7 +60,7 @@ const LogoutTimeout = () => {
           </Row>
           <Row center="xs">
             <Col xs={12}>
-              <Button to="/"><FormattedMessage id="stripes-core.rtr.idleSession.logInAgain" /></Button>
+              <Button to={redirectTo} onClick={handleClick}><FormattedMessage id="stripes-core.rtr.idleSession.logInAgain" /></Button>
             </Col>
           </Row>
         </div>
diff --git a/src/components/SessionEventContainer/SessionEventContainer.js b/src/components/SessionEventContainer/SessionEventContainer.js
index af19c588a..a611bbfb1 100644
--- a/src/components/SessionEventContainer/SessionEventContainer.js
+++ b/src/components/SessionEventContainer/SessionEventContainer.js
@@ -3,7 +3,7 @@ import PropTypes from 'prop-types';
 import createInactivityTimer from 'inactivity-timer';
 import ms from 'ms';
 
-import { SESSION_NAME, setUnauthorizedPathToSession } from '../../loginServices';
+import { logout, SESSION_NAME, setUnauthorizedPathToSession } from '../../loginServices';
 import KeepWorkingModal from './KeepWorkingModal';
 import { useStripes } from '../../StripesContext';
 import {
@@ -22,20 +22,26 @@ import FixedLengthSessionWarning from './FixedLengthSessionWarning';
 //
 
 // RTR error in this window: logout
-export const thisWindowRtrError = (_e, stripes, history) => {
+export const thisWindowRtrError = (_e, stripes, history, queryClient) => {
   console.warn('rtr error; logging out'); // eslint-disable-line no-console
   setUnauthorizedPathToSession();
-  history.push('/logout-timeout');
+  return logout(stripes.okapi.url, stripes.store, queryClient)
+    .then(() => {
+      history.push('/logout-timeout');
+    });
 };
 
 // idle session timeout in this window: logout
-export const thisWindowRtrIstTimeout = (_e, stripes, history) => {
+export const thisWindowRtrIstTimeout = (_e, stripes, history, queryClient) => {
   stripes.logger.log('rtr', 'idle session timeout; logging out');
   setUnauthorizedPathToSession();
-  history.push('/logout-timeout');
+  return logout(stripes.okapi.url, stripes.store, queryClient)
+    .then(() => {
+      history.push('/logout-timeout');
+    });
 };
 
-// fixed-length session warning in this window: logout
+// fixed-length session warning in this window
 export const thisWindowRtrFlsWarning = (_e, stripes, setIsFlsVisible) => {
   stripes.logger.log('rtr', 'fixed-length session warning');
   setIsFlsVisible(true);
@@ -52,11 +58,14 @@ export const thisWindowRtrFlsTimeout = (_e, stripes, history) => {
 // logout if it was a timeout event or if SESSION_NAME is being
 // removed from localStorage, an indicator that logout is in-progress
 // in another window and so must occur here as well
-export const otherWindowStorage = (e, stripes, history) => {
+export const otherWindowStorage = (e, stripes, history, queryClient) => {
   if (e.key === RTR_TIMEOUT_EVENT) {
     stripes.logger.log('rtr', 'idle session timeout; logging out');
     setUnauthorizedPathToSession();
-    history.push('/logout-timeout');
+    return logout(stripes.okapi.url, stripes.store, queryClient)
+      .then(() => {
+        history.push('/logout-timeout');
+      });
   } else if (!localStorage.getItem(SESSION_NAME)) {
     stripes.logger.log('rtr', 'external localstorage change; logging out');
     setUnauthorizedPathToSession();
@@ -129,7 +138,7 @@ export const thisWindowActivity = (_e, stripes, timers, broadcastChannel) => {
  * @param {object} history
  * @returns KeepWorkingModal or null
  */
-const SessionEventContainer = ({ history }) => {
+const SessionEventContainer = ({ history, queryClient }) => {
   // is the "keep working?" modal visible?
   const [isVisible, setIsVisible] = useState(false);
 
@@ -211,13 +220,13 @@ const SessionEventContainer = ({ history }) => {
       timers.current = { showModalIT, logoutIT };
 
       // RTR error in this window: logout
-      channels.window[RTR_ERROR_EVENT] = (e) => thisWindowRtrError(e, stripes, history);
+      channels.window[RTR_ERROR_EVENT] = (e) => thisWindowRtrError(e, stripes, history, queryClient);
 
       // idle session timeout in this window: logout
-      channels.window[RTR_TIMEOUT_EVENT] = (e) => thisWindowRtrIstTimeout(e, stripes, history);
+      channels.window[RTR_TIMEOUT_EVENT] = (e) => thisWindowRtrIstTimeout(e, stripes, history, queryClient);
 
       // localstorage change in another window: logout?
-      channels.window.storage = (e) => otherWindowStorage(e, stripes, history);
+      channels.window.storage = (e) => otherWindowStorage(e, stripes, history, queryClient);
 
       // activity in another window: send keep-alive to idle-timers.
       channels.bc.message = (message) => otherWindowActivity(message, stripes, timers, setIsVisible);
@@ -283,6 +292,7 @@ const SessionEventContainer = ({ history }) => {
 
 SessionEventContainer.propTypes = {
   history: PropTypes.object,
+  queryClient: PropTypes.object,
 };
 
 export default SessionEventContainer;

From e08f5de0feef2f322f8f6498ef26220501b7e343 Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Thu, 12 Sep 2024 21:28:50 -0400
Subject: [PATCH 61/63] additional test corrections

---
 .../SessionEventContainer.test.js             | 34 ++++++++++++++++---
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/src/components/SessionEventContainer/SessionEventContainer.test.js b/src/components/SessionEventContainer/SessionEventContainer.test.js
index 06f9c2a02..020d9a201 100644
--- a/src/components/SessionEventContainer/SessionEventContainer.test.js
+++ b/src/components/SessionEventContainer/SessionEventContainer.test.js
@@ -9,7 +9,11 @@ import SessionEventContainer, {
   thisWindowRtrError,
   thisWindowRtrIstTimeout,
 } from './SessionEventContainer';
-import { SESSION_NAME } from '../../loginServices';
+import {
+  logout,
+  setUnauthorizedPathToSession,
+  SESSION_NAME
+} from '../../loginServices';
 import { RTR_TIMEOUT_EVENT } from '../Root/constants';
 
 import { toggleRtrModal } from '../../okapiActions';
@@ -69,8 +73,16 @@ describe('SessionEventContainer', () => {
 describe('SessionEventContainer event listeners', () => {
   it('thisWindowRtrError', async () => {
     const history = { push: jest.fn() };
+    const logoutMock = logout;
+    logoutMock.mockReturnValue(Promise.resolve());
 
-    thisWindowRtrError(null, { okapi: { url: 'http' } }, history);
+    const setUnauthorizedPathToSessionMock = setUnauthorizedPathToSession;
+    setUnauthorizedPathToSessionMock.mockReturnValue(null);
+
+    await thisWindowRtrError(null, { okapi: { url: 'http' } }, history);
+
+    expect(logout).toHaveBeenCalled();
+    expect(setUnauthorizedPathToSession).toHaveBeenCalled();
     expect(history.push).toHaveBeenCalledWith('/logout-timeout');
   });
 
@@ -87,7 +99,12 @@ describe('SessionEventContainer event listeners', () => {
 
     const history = { push: jest.fn() };
 
-    thisWindowRtrIstTimeout(null, s, history);
+    const setUnauthorizedPathToSessionMock = setUnauthorizedPathToSession;
+    setUnauthorizedPathToSessionMock.mockReturnValue(null);
+
+    await thisWindowRtrIstTimeout(null, s, history);
+    expect(logout).toHaveBeenCalled();
+    expect(setUnauthorizedPathToSession).toHaveBeenCalled();
     expect(history.push).toHaveBeenCalledWith('/logout-timeout');
   });
 
@@ -108,8 +125,13 @@ describe('SessionEventContainer event listeners', () => {
         }
       };
       const history = { push: jest.fn() };
+      const qc = {};
+      const setUnauthorizedPathToSessionMock = setUnauthorizedPathToSession;
+      setUnauthorizedPathToSessionMock.mockReturnValue(null);
 
-      otherWindowStorage(e, s, history);
+      await otherWindowStorage(e, s, history, qc);
+      expect(logout).toHaveBeenCalledWith(s.okapi.url, s.store, qc);
+      expect(setUnauthorizedPathToSession).toHaveBeenCalled();
       expect(history.push).toHaveBeenCalledWith('/logout-timeout');
     });
 
@@ -125,8 +147,10 @@ describe('SessionEventContainer event listeners', () => {
         }
       };
       const history = { push: jest.fn() };
+      const qc = {};
 
-      otherWindowStorage(e, s, history);
+      await otherWindowStorage(e, s, history, qc);
+      expect(logout).toHaveBeenCalledWith(s.okapi.url, s.store, qc);
       expect(history.push).toHaveBeenCalledWith('/logout');
     });
   });

From 28845c3f234acc884ae56ad81fb90f5075e25abe Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Tue, 17 Sep 2024 14:37:04 -0400
Subject: [PATCH 62/63] STCOR-875 restore the simplicity of logout in STCOR-865

The bugfix for STCOR-865, #1500, resulted in vastly simpler logic
in the SessionEventContainer event handlers as well as simple and
predictable and behavior in the Logout and LogoutTimeout components.
Restore that logic; it's better.

Refs STCOR-865, STCOR-875
---
 src/components/Logout/Logout.js               | 10 +----
 src/components/LogoutTimeout/LogoutTimeout.js | 42 ++++++++++++------
 .../LogoutTimeout/LogoutTimeout.test.js       | 43 +++++++++++++++----
 .../SessionEventContainer.js                  | 34 ++++++---------
 .../SessionEventContainer.test.js             | 24 ++---------
 5 files changed, 82 insertions(+), 71 deletions(-)

diff --git a/src/components/Logout/Logout.js b/src/components/Logout/Logout.js
index c8361a16f..3d582c732 100644
--- a/src/components/Logout/Logout.js
+++ b/src/components/Logout/Logout.js
@@ -1,5 +1,4 @@
 import { useEffect, useState } from 'react';
-import PropTypes from 'prop-types';
 import { Redirect } from 'react-router';
 import { FormattedMessage } from 'react-intl';
 
@@ -13,16 +12,15 @@ import { getLocale, logout } from '../../loginServices';
  * This corresponds to the '/logout' route, allowing that route to be directly
  * accessible rather than only accessible through the menu action.
  *
- * @param {object} history
  */
-const Logout = ({ history }) => {
+const Logout = () => {
   const stripes = useStripes();
   const [didLogout, setDidLogout] = useState(false);
 
   useEffect(
     () => {
       getLocale(stripes.okapi.url, stripes.store, stripes.okapi.tenant)
-        .then(logout(stripes.okapi.url, stripes.store, history))
+        .then(logout(stripes.okapi.url, stripes.store))
         .then(setDidLogout(true));
     },
     // no dependencies because we only want to start the logout process once.
@@ -35,8 +33,4 @@ const Logout = ({ history }) => {
   return didLogout ? <Redirect to="/" /> : <FormattedMessage id="stripes-core.logoutPending" />;
 };
 
-Logout.propTypes = {
-  history: PropTypes.object,
-};
-
 export default Logout;
diff --git a/src/components/LogoutTimeout/LogoutTimeout.js b/src/components/LogoutTimeout/LogoutTimeout.js
index 34f0fc446..557a32c05 100644
--- a/src/components/LogoutTimeout/LogoutTimeout.js
+++ b/src/components/LogoutTimeout/LogoutTimeout.js
@@ -1,48 +1,66 @@
+import { useEffect, useState } from 'react';
 import { FormattedMessage } from 'react-intl';
 import { branding } from 'stripes-config';
-import { Redirect } from 'react-router';
 
 import {
   Button,
   Col,
   Headline,
+  LoadingView,
   Row,
 } from '@folio/stripes-components';
 
 import OrganizationLogo from '../OrganizationLogo';
 import { useStripes } from '../../StripesContext';
-
-import styles from './LogoutTimeout.css';
 import {
   getUnauthorizedPathFromSession,
+  logout,
   removeUnauthorizedPathFromSession,
 } from '../../loginServices';
 
+import styles from './LogoutTimeout.css';
+
 /**
  * LogoutTimeout
- * For unauthenticated users, show a "sorry, your session timed out" message
- * with a link to login page. For authenticated users, redirect to / since
- * showing such a message would be a misleading lie.
+ * Show a "sorry, your session timed out message"; if the session is still
+ * active, call logout() to end it.
  *
  * Having a static route to this page allows the logout handler to choose
  * between redirecting straight to the login page (if the user chose to
- * logout) or to this page (if the session timeout out).
+ * logout) or to this page (if the session timed out).
  *
  * This corresponds to the '/logout-timeout' route.
  */
 const LogoutTimeout = () => {
   const stripes = useStripes();
+  const [didLogout, setDidLogout] = useState(false);
 
-  if (stripes.okapi.isAuthenticated) {
-    return <Redirect to="/" />;
-  }
+  useEffect(
+    () => {
+      if (stripes.okapi.isAuthenticated) {
+        // returns a promise, which we ignore
+        logout(stripes.okapi.url, stripes.store)
+          .then(setDidLogout(true));
+      } else {
+        setDidLogout(true);
+      }
+    },
+    // no dependencies because we only want to start the logout process once.
+    // we don't care about changes to stripes; certainly it'll be updated as
+    // part of the logout process
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    []
+  );
 
   const handleClick = (_e) => {
     removeUnauthorizedPathFromSession();
   };
 
-  const previousPath = getUnauthorizedPathFromSession();
-  const redirectTo = previousPath ?? '/';
+  const redirectTo = getUnauthorizedPathFromSession() || '/';
+
+  if (!didLogout) {
+    return <LoadingView />;
+  }
 
   return (
     <main>
diff --git a/src/components/LogoutTimeout/LogoutTimeout.test.js b/src/components/LogoutTimeout/LogoutTimeout.test.js
index 532c5c4e5..cb8606eac 100644
--- a/src/components/LogoutTimeout/LogoutTimeout.test.js
+++ b/src/components/LogoutTimeout/LogoutTimeout.test.js
@@ -3,7 +3,7 @@ import { userEvent } from '@folio/jest-config-stripes/testing-library/user-event
 
 import LogoutTimeout from './LogoutTimeout';
 import { useStripes } from '../../StripesContext';
-import { getUnauthorizedPathFromSession, setUnauthorizedPathToSession } from '../../loginServices';
+import { getUnauthorizedPathFromSession, logout, setUnauthorizedPathToSession } from '../../loginServices';
 
 jest.mock('../OrganizationLogo');
 jest.mock('../../StripesContext');
@@ -11,6 +11,13 @@ jest.mock('react-router', () => ({
   Redirect: () => <div>Redirect</div>,
 }));
 
+jest.mock('../../loginServices', () => ({
+  logout: jest.fn(() => Promise.resolve()),
+  getUnauthorizedPathFromSession: jest.fn(),
+  removeUnauthorizedPathFromSession: jest.fn(),
+  setUnauthorizedPathToSession: jest.fn(),
+}));
+
 describe('LogoutTimeout', () => {
   describe('if not authenticated', () => {
     it('renders a timeout message', async () => {
@@ -21,7 +28,7 @@ describe('LogoutTimeout', () => {
       screen.getByText('stripes-core.rtr.idleSession.sessionExpiredSoSad');
     });
 
-    it('clears previous path from storage after clicking', async () => {
+    it('clears previous path from storage after clicking "log in again"', async () => {
       const previousPath = '/monkey?bagel';
       setUnauthorizedPathToSession(previousPath);
       const user = userEvent.setup();
@@ -31,16 +38,34 @@ describe('LogoutTimeout', () => {
       render(<LogoutTimeout />);
 
       await user.click(screen.getByRole('button'));
-
-      expect(getUnauthorizedPathFromSession()).toBe(null);
+      expect(getUnauthorizedPathFromSession()).toBeFalsy();
     });
   });
 
-  it('if authenticated, renders a redirect', async () => {
-    const mockUseStripes = useStripes;
-    mockUseStripes.mockReturnValue({ okapi: { isAuthenticated: true } });
+  describe('if not authenticated', () => {
+    it('calls logout then renders a timeout message', async () => {
+      const mockUseStripes = useStripes;
+      mockUseStripes.mockReturnValue({ okapi: { isAuthenticated: true } });
+
+      render(<LogoutTimeout />);
+      expect(logout).toHaveBeenCalled();
+      screen.getByText('stripes-core.rtr.idleSession.sessionExpiredSoSad');
+    });
+
+    it('clears previous path from storage after clicking "log in again"', async () => {
+      const previousPath = '/monkey?bagel';
+      setUnauthorizedPathToSession(previousPath);
+      const user = userEvent.setup();
+      const mockUseStripes = useStripes;
+      mockUseStripes.mockReturnValue({ okapi: { isAuthenticated: true } });
+
+      render(<LogoutTimeout />);
+
+      expect(logout).toHaveBeenCalled();
+      screen.getByText('stripes-core.rtr.idleSession.sessionExpiredSoSad');
 
-    render(<LogoutTimeout />);
-    screen.getByText('Redirect');
+      await user.click(screen.getByRole('button'));
+      expect(getUnauthorizedPathFromSession()).toBeFalsy();
+    });
   });
 });
diff --git a/src/components/SessionEventContainer/SessionEventContainer.js b/src/components/SessionEventContainer/SessionEventContainer.js
index a611bbfb1..af19c588a 100644
--- a/src/components/SessionEventContainer/SessionEventContainer.js
+++ b/src/components/SessionEventContainer/SessionEventContainer.js
@@ -3,7 +3,7 @@ import PropTypes from 'prop-types';
 import createInactivityTimer from 'inactivity-timer';
 import ms from 'ms';
 
-import { logout, SESSION_NAME, setUnauthorizedPathToSession } from '../../loginServices';
+import { SESSION_NAME, setUnauthorizedPathToSession } from '../../loginServices';
 import KeepWorkingModal from './KeepWorkingModal';
 import { useStripes } from '../../StripesContext';
 import {
@@ -22,26 +22,20 @@ import FixedLengthSessionWarning from './FixedLengthSessionWarning';
 //
 
 // RTR error in this window: logout
-export const thisWindowRtrError = (_e, stripes, history, queryClient) => {
+export const thisWindowRtrError = (_e, stripes, history) => {
   console.warn('rtr error; logging out'); // eslint-disable-line no-console
   setUnauthorizedPathToSession();
-  return logout(stripes.okapi.url, stripes.store, queryClient)
-    .then(() => {
-      history.push('/logout-timeout');
-    });
+  history.push('/logout-timeout');
 };
 
 // idle session timeout in this window: logout
-export const thisWindowRtrIstTimeout = (_e, stripes, history, queryClient) => {
+export const thisWindowRtrIstTimeout = (_e, stripes, history) => {
   stripes.logger.log('rtr', 'idle session timeout; logging out');
   setUnauthorizedPathToSession();
-  return logout(stripes.okapi.url, stripes.store, queryClient)
-    .then(() => {
-      history.push('/logout-timeout');
-    });
+  history.push('/logout-timeout');
 };
 
-// fixed-length session warning in this window
+// fixed-length session warning in this window: logout
 export const thisWindowRtrFlsWarning = (_e, stripes, setIsFlsVisible) => {
   stripes.logger.log('rtr', 'fixed-length session warning');
   setIsFlsVisible(true);
@@ -58,14 +52,11 @@ export const thisWindowRtrFlsTimeout = (_e, stripes, history) => {
 // logout if it was a timeout event or if SESSION_NAME is being
 // removed from localStorage, an indicator that logout is in-progress
 // in another window and so must occur here as well
-export const otherWindowStorage = (e, stripes, history, queryClient) => {
+export const otherWindowStorage = (e, stripes, history) => {
   if (e.key === RTR_TIMEOUT_EVENT) {
     stripes.logger.log('rtr', 'idle session timeout; logging out');
     setUnauthorizedPathToSession();
-    return logout(stripes.okapi.url, stripes.store, queryClient)
-      .then(() => {
-        history.push('/logout-timeout');
-      });
+    history.push('/logout-timeout');
   } else if (!localStorage.getItem(SESSION_NAME)) {
     stripes.logger.log('rtr', 'external localstorage change; logging out');
     setUnauthorizedPathToSession();
@@ -138,7 +129,7 @@ export const thisWindowActivity = (_e, stripes, timers, broadcastChannel) => {
  * @param {object} history
  * @returns KeepWorkingModal or null
  */
-const SessionEventContainer = ({ history, queryClient }) => {
+const SessionEventContainer = ({ history }) => {
   // is the "keep working?" modal visible?
   const [isVisible, setIsVisible] = useState(false);
 
@@ -220,13 +211,13 @@ const SessionEventContainer = ({ history, queryClient }) => {
       timers.current = { showModalIT, logoutIT };
 
       // RTR error in this window: logout
-      channels.window[RTR_ERROR_EVENT] = (e) => thisWindowRtrError(e, stripes, history, queryClient);
+      channels.window[RTR_ERROR_EVENT] = (e) => thisWindowRtrError(e, stripes, history);
 
       // idle session timeout in this window: logout
-      channels.window[RTR_TIMEOUT_EVENT] = (e) => thisWindowRtrIstTimeout(e, stripes, history, queryClient);
+      channels.window[RTR_TIMEOUT_EVENT] = (e) => thisWindowRtrIstTimeout(e, stripes, history);
 
       // localstorage change in another window: logout?
-      channels.window.storage = (e) => otherWindowStorage(e, stripes, history, queryClient);
+      channels.window.storage = (e) => otherWindowStorage(e, stripes, history);
 
       // activity in another window: send keep-alive to idle-timers.
       channels.bc.message = (message) => otherWindowActivity(message, stripes, timers, setIsVisible);
@@ -292,7 +283,6 @@ const SessionEventContainer = ({ history, queryClient }) => {
 
 SessionEventContainer.propTypes = {
   history: PropTypes.object,
-  queryClient: PropTypes.object,
 };
 
 export default SessionEventContainer;
diff --git a/src/components/SessionEventContainer/SessionEventContainer.test.js b/src/components/SessionEventContainer/SessionEventContainer.test.js
index cd7694caa..ddca458c5 100644
--- a/src/components/SessionEventContainer/SessionEventContainer.test.js
+++ b/src/components/SessionEventContainer/SessionEventContainer.test.js
@@ -10,7 +10,6 @@ import SessionEventContainer, {
   thisWindowRtrIstTimeout,
 } from './SessionEventContainer';
 import {
-  logout,
   setUnauthorizedPathToSession,
   SESSION_NAME,
 } from '../../loginServices';
@@ -73,14 +72,11 @@ describe('SessionEventContainer', () => {
 describe('SessionEventContainer event listeners', () => {
   it('thisWindowRtrError', async () => {
     const history = { push: jest.fn() };
-    const logoutMock = logout;
-    logoutMock.mockReturnValue(Promise.resolve());
 
     const setUnauthorizedPathToSessionMock = setUnauthorizedPathToSession;
     setUnauthorizedPathToSessionMock.mockReturnValue(null);
 
-    await thisWindowRtrError(null, { okapi: { url: 'http' } }, history);
-    expect(logout).toHaveBeenCalled();
+    thisWindowRtrError(null, { okapi: { url: 'http' } }, history);
     expect(setUnauthorizedPathToSession).toHaveBeenCalled();
     expect(history.push).toHaveBeenCalledWith('/logout-timeout');
   });
@@ -98,12 +94,7 @@ describe('SessionEventContainer event listeners', () => {
 
     const history = { push: jest.fn() };
 
-    const setUnauthorizedPathToSessionMock = setUnauthorizedPathToSession;
-    setUnauthorizedPathToSessionMock.mockReturnValue(null);
-
-    await thisWindowRtrIstTimeout(null, s, history);
-    expect(logout).toHaveBeenCalled();
-    expect(setUnauthorizedPathToSession).toHaveBeenCalled();
+    thisWindowRtrIstTimeout(null, s, history);
     expect(history.push).toHaveBeenCalledWith('/logout-timeout');
   });
 
@@ -124,13 +115,8 @@ describe('SessionEventContainer event listeners', () => {
         }
       };
       const history = { push: jest.fn() };
-      const qc = {};
-      const setUnauthorizedPathToSessionMock = setUnauthorizedPathToSession;
-      setUnauthorizedPathToSessionMock.mockReturnValue(null);
 
-      await otherWindowStorage(e, s, history, qc);
-      expect(logout).toHaveBeenCalledWith(s.okapi.url, s.store, qc);
-      expect(setUnauthorizedPathToSession).toHaveBeenCalled();
+      otherWindowStorage(e, s, history);
       expect(history.push).toHaveBeenCalledWith('/logout-timeout');
     });
 
@@ -146,10 +132,8 @@ describe('SessionEventContainer event listeners', () => {
         }
       };
       const history = { push: jest.fn() };
-      const qc = {};
 
-      await otherWindowStorage(e, s, history, qc);
-      expect(logout).toHaveBeenCalledWith(s.okapi.url, s.store, qc);
+      otherWindowStorage(e, s, history);
       expect(history.push).toHaveBeenCalledWith('/logout');
     });
   });

From a59cfad40d259146f2ed620275e8fde8d2e076dd Mon Sep 17 00:00:00 2001
From: Zak Burke <zburke@ebsco.com>
Date: Fri, 20 Sep 2024 14:03:05 -0400
Subject: [PATCH 63/63] STCOR-889 include all reference interfaces in
 optionalOkapiInterfaces (#1536)

Include the optional interfaces `consortia`, `roles`, and
`users-keycloak`.

Refs STCOR-889
---
 CHANGELOG.md | 1 +
 package.json | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8dad9440e..45d8b4cce 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,6 +30,7 @@
 * Ensure support for the passed `tenantId` value by `useChunkedCQLFetch` for manipulations in the context of a specific tenant. Refs STCOR-873.
 * When re-authenticating after logout timeout, return to previous location. Refs STCOR-849.
 * Add `nl` (Dutch, Flemish) to the supported locales. Refs STCOR-878.
+* Include optional okapi interfaces, `consortia`, `roles`, `users-keycloak`. Refs STCOR-889.
 
 ## [10.1.1](https://github.com/folio-org/stripes-core/tree/v10.1.1) (2024-03-25)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.0...v10.1.1)
diff --git a/package.json b/package.json
index bc16b0811..d2dee852d 100644
--- a/package.json
+++ b/package.json
@@ -29,7 +29,10 @@
       "configuration": "2.0"
     },
     "optionalOkapiInterfaces": {
-      "login-saml": "2.0"
+      "consortia": "1.0",
+      "login-saml": "2.0",
+      "roles": "1.1",
+      "users-keycloak": "1.0"
     },
     "permissionSets": [
       {