keycloack token refreshing added + logout on token expiry (#1638)

* keycloack token refreshing added + logout on token expiry * logout on failed refresh * logout with token verification fail * auth fixes * auth docs added * mkdocs.yml mermaid added * remove unnecessary, add changes good for logout * small fix * better comments and easier boolean logic
yaptide · Oct 17, 2024 · 79cb439 · 79cb439
1 parent 784fa1a
commit 79cb439
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 1 deletion.
diff --git a/docs/authentication.md b/docs/authentication.md
@@ -0,0 +1,74 @@
+# Sequence diagrams
+
+## Keycloak
+
+Overview of login and logout process using keycloak
+
+```mermaid
+sequenceDiagram
+    autonumber
+    actor User
+    participant AuthService
+    participant Keycloak
+    participant Backend
+
+    User ->> AuthService: Request login
+    AuthService ->> Keycloak: Redirect to keycloak login
+    User ->> Keycloak: Login with credentials
+    Keycloak ->> AuthService: Return authenticated token
+    AuthService ->> AuthService: Check token for access to yaptide
+    opt user has access
+        AuthService ->> Backend: Verify token with backend (POST /auth/keycloak)
+        Backend ->> Keycloak: Verify if token is correct
+        opt token verified
+            Keycloak ->> Backend: Signature verified
+            Backend ->> AuthService: Response with accessExp
+            AuthService ->> AuthService: Set token refresh interval based on accessExp
+            AuthService ->> User: Provide auth context
+        end
+        opt signature expired or invalid token or keycloak connection error
+            Backend ->> AuthService: Raise exception Forbidden (403)
+        end
+    end
+    opt user doesn't have access
+        AuthService ->> User: Message with access denied
+    end
+    loop Refresh backend connection every 3 minutes
+        AuthService ->> Backend: Refresh token (GET auth/refresh)
+        Backend ->> AuthService: Response with new backend access token in cookies
+    end
+    loop Refresh token every 1/3 of tokens lifetime
+        AuthService ->> Keycloak: Refresh token
+        Keycloak ->> AuthService: Updated token
+    end
+    User ->> AuthService: Logout
+    AuthService ->> Backend: Invalidate session (DELETE /auth/logout)
+    Backend ->> AuthService: Response with cookies deleted
+    AuthService ->> Keycloak: Logout
+    AuthService ->> User: Clear user data
+```
+
+## Non-Keycloak
+
+Overview of login and logout process while in demo or dev modes
+
+```mermaid
+sequenceDiagram
+    autonumber
+    participant User
+    participant AuthService
+    participant Backend
+
+    User ->> AuthService: Request Login
+    AuthService ->> Backend: Validate Credentials (POST /auth/login)
+    Backend ->> AuthService: Response with accessExp and set access and refresh tokens in cookies
+    AuthService ->> User: Provide Auth Context
+    loop Refresh backend connection every 3 minutes
+        AuthService ->> Backend: Refresh token (GET auth/refresh)
+        Backend ->> AuthService: Response with new backend access token in cookies
+    end
+    User ->> AuthService: Logout
+    AuthService ->> Backend: Invalidate session (DELETE /auth/logout)
+    Backend ->> AuthService: Response with cookies deleted
+    AuthService ->> User: Clear User Data
+```
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -17,6 +17,16 @@ theme:
 nav:
 - Home:
   - Overview: index.md
+  - Authentication: authentication.md
 
 plugins:
 - search
+
+markdown_extensions:
+  - pymdownx.superfences:
+      custom_fences:
+        - name: mermaid
+          class: mermaid
+          format: !!python/name:pymdownx.superfences.fence_code_format
+  - pymdownx.tabbed:
+      alternate_style: true
diff --git a/src/services/AuthService.tsx b/src/services/AuthService.tsx
@@ -194,7 +194,21 @@ const Auth = ({ children }: GenericContextProviderProps) => {
 				);
 		};
 
-		if (!initialized || !keycloak.authenticated) return;
+		if (!initialized) {
+			// keycloak authentication system not initilized (working in demo mode or keycloak not to handle authentication and authorization)
+			// skipping futher checks (for example: to ask backend if the keycloak token is OK
+			return;
+		} else {
+			// keycloak authentication is initilized, so it makes sense to check if user is authenticated in keycloak
+			if (!keycloak.authenticated) {
+				// user not authenticated, forcing logout from yaptide app
+				logout();
+
+				// skipping futher checks (for example: to ask backend if the keycloak token is OK
+				return;
+			}
+			// user authenticated, we proceed with further checks
+		}
 
 		checkPlgridAccessServices(keycloak.tokenParsed)
 			.then(() => {