Don't return 401 if refresh token is invalid, continue like unauthorized

The user don't care if their refresh token expired, the right approach is to treat them like unauthorized and either allow anonymous access or redirect to the authorization endpoint.
jirutka · Oct 4, 2023 · a74c19b · a74c19b
1 parent 00cee68
commit a74c19b
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 6 deletions.
diff --git a/integration-tests/authorize.test.ts b/integration-tests/authorize.test.ts
@@ -48,7 +48,10 @@ describe('Authorize', () => {
 
       when("I make a request to a secured page")
 
-      then("the response status should be {status}", 401)
+      then("the proxy should redirect me to $oidc_server_url/authorize", ({ resp, oauthServerUrl }) => {
+        assert(resp.statusCode === 303)
+        assert(resp.headers.location!.split('?')[0] === `${oauthServerUrl}/authorize`)
+      })
 
       and("session variable {varName} should be cleared", Session.RefreshToken)
     })

diff --git a/src/handlers/auth-access.ts b/src/handlers/auth-access.ts
@@ -26,10 +26,20 @@ export const auth_access: RequestHandler = async (ctx) => {
   const refreshToken = vars[Session.RefreshToken]
   if (refreshToken) {
     log.info?.(`authorize: refreshing token for user ${getCookie(Cookie.Username)}`)
-    const { idToken } = await refreshTokens(ctx, refreshToken)
 
-    exposeClaims(ctx, idToken)
-    return authorizeAccess(ctx, idToken, conf)
+    const tokenSet = await refreshTokens(ctx, refreshToken).catch(err => {
+      if (err.status === 401) {
+        // The refresh token probably just expired, so let's act like the user
+        // is unauthenticated.
+        log.info?.(`authorize: invalid refresh token: ${err.detail ?? err.message}`)
+      } else {
+        throw err
+      }
+    })
+    if (tokenSet) {
+      exposeClaims(ctx, tokenSet.idToken)
+      return authorizeAccess(ctx, tokenSet.idToken, conf)
+    }
   }
 
   if (isAnonymousAllowed(conf)) {

diff --git a/src/handlers/auth-pages.ts b/src/handlers/auth-pages.ts
@@ -53,9 +53,19 @@ export const auth_pages: RequestHandler = async (ctx) => {
   const refreshToken = vars[Session.RefreshToken]
   if (refreshToken) {
     log.info?.(`authorize: refreshing token for user ${getCookie(Cookie.Username)}`)
-    const { idToken } = await refreshTokens(ctx, refreshToken)
 
-    return await authorizeAccess(ctx, idToken, accessRule)
+    const tokenSet = await refreshTokens(ctx, refreshToken).catch(err => {
+      if (err.status === 401) {
+        // The refresh token probably just expired, so let's act like the user
+        // is unauthenticated.
+        log.info?.(`authorize: invalid refresh token: ${err.detail ?? err.message}`)
+      } else {
+        throw err
+      }
+    })
+    if (tokenSet) {
+      return await authorizeAccess(ctx, tokenSet.idToken, accessRule)
+    }
   }
 
   if (isAnonymousAllowed(accessRule)) {