
Redirect to login page when token is invalid, inactive or expired #1341

Open
sauljabin opened this issue Feb 27, 2025 · 1 comment
Labels
bug An issue with correctness, stability, performance, or API conformance.

Comments

sauljabin (Member) commented Feb 27, 2025

Context

The dashboard throws an error when the token is inactive and there is a session already opened.

Steps To Reproduce

lhctl ~/.config/littlehorse.config file

LHC_API_HOST=localhost
LHC_API_PORT=2023
LHC_API_PROTOCOL=TLS
LHC_OAUTH_CLIENT_ID=lhctl
LHC_OAUTH_SERVER_URL=http://localhost:8888/realms/lh
LHC_CA_CERT=/<PATH TO YOUR LH REPO>/local-dev/certs/ca/ca.crt

Dashboard .env file

LHC_API_HOST=localhost
LHC_API_PORT=2023
LHC_API_PROTOCOL=TLS
LHD_OAUTH_ENABLED=true
LHC_CA_CERT=/<PATH TO YOUR LH REPO>/local-dev/certs/ca/ca.crt
NEXTAUTH_SECRET=anyrandomstring
KEYCLOAK_CLIENT_ID=dashboard
KEYCLOAK_CLIENT_SECRET=74b897a0b5804ad3879b2117e1d51015
KEYCLOAK_ISSUER_URI=http://localhost:8888/realms/lh
NEXTAUTH_URL=http://localhost:3000

Setup with keycloak

./local-dev/issue-certificates.sh
./local-dev/setup.sh --keycloak

Run server

./local-dev/do-server.sh oauth

Run dashboard and login

npm install
npm run dev

Then log in to the dashboard at http://localhost:3000/api/auth/signin?callbackUrl=/

User: user
Pass: password

Close session in keycloak

Go to http://localhost:8888/admin/master/console/#/lh/sessions and close the session:

(screenshot)

Important: restart the server

At this point there is a token in the frontend and in the lh server. But that token is invalid now.

If you restart the server, then when it receives the token again it is going to validate it and throw an error:

(screenshot)

In the backend:

(screenshot)

Expected Behavior

If the token is invalid it should not show an error to the user, it should redirect to the login page.
It should log an error or export an error metric.

Additional Context

Proposal:

Components

Dashboard

@sauljabin sauljabin added the bug An issue with correctness, stability, performance, or API conformance. label Feb 27, 2025
@sauljabin sauljabin added this to the LittleHorse 1.0 milestone Feb 27, 2025
mijailr (Contributor) commented Feb 27, 2025

Fascinating bug. After a quick discussion with @sauljabin and @bryson-g we agreed that the best way to cover this scenario is by:

  • Matching the maxAge of the NextAuth token to the lh-server token cache.
  • Implementing a global error handler and SWR, to redirect to the login page when an authentication issue is detected. (This should occur only when authentication is enabled.)

To consider: matching the lh-server maxAge to the token cache is needed because the current implementation uses introspection to validate the token; if in the future the lh-server team agrees to implement JWKS, it would simplify this problem because we could just rely on the token expiration.
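The redirect-on-auth-error logic proposed above, as an added example (not code from the LittleHorse dashboard): a handler shaped for SWR's global `onError` callback, gated on OAuth being enabled, plus a NextAuth `session` block whose `maxAge` is derived from the lh-server token cache TTL. It assumes the server failure reaches the client either as a gRPC `UNAUTHENTICATED` status (code 16) or an HTTP 401; the `redirect` and `log` functions are injected so the decision can be tested without a router.

```javascript
// Added example, not the dashboard's own code. Assumed error shapes:
// gRPC-style { code: 16 } (UNAUTHENTICATED) or HTTP-style { status: 401 }.
const GRPC_UNAUTHENTICATED = 16; // standard gRPC status code

// Classify an error from the lh-server / dashboard API as an auth failure.
function isAuthError(err) {
  if (!err) return false;
  if (err.code === GRPC_UNAUTHENTICATED) return true;
  if (err.status === 401) return true;
  if (err.response && err.response.status === 401) return true;
  return false;
}

// Only redirect when OAuth is enabled (LHD_OAUTH_ENABLED=true); otherwise an
// unrelated error would send users to a login page that is not configured.
function shouldRedirectToLogin(err, { oauthEnabled }) {
  return Boolean(oauthEnabled) && isAuthError(err);
}

// NextAuth signin URL with a callbackUrl back to the page the user was on.
function loginUrl(currentPath) {
  return `/api/auth/signin?callbackUrl=${encodeURIComponent(currentPath || '/')}`;
}

// Factory for an SWR global onError(err, key) handler. In the app, `redirect`
// would be router.push or window.location.assign; here it is injected.
function makeSwrOnError({ oauthEnabled, currentPath, redirect, log }) {
  return function onError(err, key) {
    if (shouldRedirectToLogin(err, { oauthEnabled })) {
      log(`authentication error on ${key}; redirecting to login`);
      redirect(loginUrl(currentPath));
      return 'redirected';
    }
    // Non-auth errors are surfaced as before; this is where a metric would go.
    log(`request error on ${key}: ${err && err.message}`);
    return 'logged';
  };
}

// NextAuth `session` options with maxAge (seconds) matched to the lh-server
// token cache TTL, so a dashboard session never outlives the cached
// introspection result that the server trusts.
function nextAuthSessionOptions(serverTokenCacheTtlSeconds) {
  if (!Number.isInteger(serverTokenCacheTtlSeconds) || serverTokenCacheTtlSeconds <= 0) {
    throw new Error('token cache TTL must be a positive integer number of seconds');
  }
  return { strategy: 'jwt', maxAge: serverTokenCacheTtlSeconds };
}
```

To wire it in, pass `makeSwrOnError(...)` as `onError` in the `SWRConfig` value and spread `nextAuthSessionOptions(ttl)` into the NextAuth `session` option.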
