Fix login state management (#1778)

* Issue #1639 was caused by a stale login token not being refreshed after the expiry period
* The login code only fetched the login token once when the page was loaded and did not properly reflect login state changes if the user logged in and out unless the page was refreshed.
* Update the React state management code to use a context to pass login state to all the components that need this to render properly.

Author: mattgotteiner

app/frontend/src/api/api.ts

@@ -1,11 +1,11 @@
 const BACKEND_URI = "";
 
 import { ChatAppResponse, ChatAppResponseOrError, ChatAppRequest, Config, SimpleAPIResponse } from "./models";
-import { useLogin, appServicesToken } from "../authConfig";
+import { useLogin, getToken, isUsingAppServicesLogin } from "../authConfig";
 
-export function getHeaders(idToken: string | undefined): Record<string, string> {
+export async function getHeaders(idToken: string | undefined): Promise<Record<string, string>> {
     // If using login and not using app services, add the id token of the logged in account as the authorization
-    if (useLogin && appServicesToken == null) {
+    if (useLogin && !isUsingAppServicesLogin) {
         if (idToken) {
             return { Authorization: `Bearer ${idToken}` };
         }
@@ -23,9 +23,10 @@ export async function configApi(): Promise<Config> {
 }
 
 export async function askApi(request: ChatAppRequest, idToken: string | undefined): Promise<ChatAppResponse> {
+    const headers = await getHeaders(idToken);
     const response = await fetch(`${BACKEND_URI}/ask`, {
         method: "POST",
-        headers: { ...getHeaders(idToken), "Content-Type": "application/json" },
+        headers: { ...headers, "Content-Type": "application/json" },
         body: JSON.stringify(request)
     });
 
@@ -42,9 +43,10 @@ export async function chatApi(request: ChatAppRequest, shouldStream: boolean, id
     if (shouldStream) {
         url += "/stream";
     }
+    const headers = await getHeaders(idToken);
     return await fetch(url, {
         method: "POST",
-        headers: { ...getHeaders(idToken), "Content-Type": "application/json" },
+        headers: { ...headers, "Content-Type": "application/json" },
         body: JSON.stringify(request)
     });
 }
@@ -80,7 +82,7 @@ export function getCitationFilePath(citation: string): string {
 export async function uploadFileApi(request: FormData, idToken: string): Promise<SimpleAPIResponse> {
     const response = await fetch("/upload", {
         method: "POST",
-        headers: getHeaders(idToken),
+        headers: await getHeaders(idToken),
         body: request
     });
 
@@ -93,9 +95,10 @@ export async function uploadFileApi(request: FormData, idToken: string): Promise
 }
 
 export async function deleteUploadedFileApi(filename: string, idToken: string): Promise<SimpleAPIResponse> {
+    const headers = await getHeaders(idToken);
     const response = await fetch("/delete_uploaded", {
         method: "POST",
-        headers: { ...getHeaders(idToken), "Content-Type": "application/json" },
+        headers: { ...headers, "Content-Type": "application/json" },
         body: JSON.stringify({ filename })
     });
 
@@ -110,7 +113,7 @@ export async function deleteUploadedFileApi(filename: string, idToken: string):
 export async function listUploadedFilesApi(idToken: string): Promise<string[]> {
     const response = await fetch(`/list_uploaded`, {
         method: "GET",
-        headers: getHeaders(idToken)
+        headers: await getHeaders(idToken)
     });
 
     if (!response.ok) {

app/frontend/src/authConfig.ts

@@ -10,6 +10,7 @@ interface AppServicesToken {
     id_token: string;
     access_token: string;
     user_claims: Record<string, any>;
+    expires_on: string;
 }
 
 interface AuthSetup {
@@ -92,29 +93,66 @@ export const getRedirectUri = () => {
     return window.location.origin + authSetup.msalConfig.auth.redirectUri;
 };
 
-// Get an access token if a user logged in using app services authentication
-// Returns null if the app doesn't support app services authentication
+// Cache the app services token if it's available
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/this#global_context
+declare global {
+    var cachedAppServicesToken: AppServicesToken | null;
+}
+globalThis.cachedAppServicesToken = null;
+
+/**
+ * Retrieves an access token if the user is logged in using app services authentication.
+ * Checks if the current token is expired and fetches a new token if necessary.
+ * Returns null if the app doesn't support app services authentication.
+ *
+ * @returns {Promise<AppServicesToken | null>} A promise that resolves to an AppServicesToken if the user is authenticated, or null if authentication is not supported or fails.
+ */
 const getAppServicesToken = (): Promise<AppServicesToken | null> => {
-    return fetch(appServicesAuthTokenRefreshUrl).then(r => {
-        if (r.ok) {
-            return fetch(appServicesAuthTokenUrl).then(r => {
+    const checkNotExpired = (appServicesToken: AppServicesToken) => {
+        const currentDate = new Date();
+        const expiresOnDate = new Date(appServicesToken.expires_on);
+        return expiresOnDate > currentDate;
+    };
+
+    if (globalThis.cachedAppServicesToken && checkNotExpired(globalThis.cachedAppServicesToken)) {
+        return Promise.resolve(globalThis.cachedAppServicesToken);
+    }
+
+    const getAppServicesTokenFromMe: () => Promise<AppServicesToken | null> = () => {
+        return fetch(appServicesAuthTokenUrl).then(r => {
+            if (r.ok) {
+                return r.json().then(json => {
+                    if (json.length > 0) {
+                        return {
+                            id_token: json[0]["id_token"] as string,
+                            access_token: json[0]["access_token"] as string,
+                            user_claims: json[0]["user_claims"].reduce((acc: Record<string, any>, item: Record<string, any>) => {
+                                acc[item.typ] = item.val;
+                                return acc;
+                            }, {}) as Record<string, any>,
+                            expires_on: json[0]["expires_on"] as string
+                        } as AppServicesToken;
+                    }
+
+                    return null;
+                });
+            }
+
+            return null;
+        });
+    };
+
+    return getAppServicesTokenFromMe().then(token => {
+        if (token) {
+            if (checkNotExpired(token)) {
+                globalThis.cachedAppServicesToken = token;
+                return token;
+            }
+
+            return fetch(appServicesAuthTokenRefreshUrl).then(r => {
                 if (r.ok) {
-                    return r.json().then(json => {
-                        if (json.length > 0) {
-                            return {
-                                id_token: json[0]["id_token"] as string,
-                                access_token: json[0]["access_token"] as string,
-                                user_claims: json[0]["user_claims"].reduce((acc: Record<string, any>, item: Record<string, any>) => {
-                                    acc[item.typ] = item.val;
-                                    return acc;
-                                }, {}) as Record<string, any>
-                            };
-                        }
-
-                        return null;
-                    });
+                    return getAppServicesTokenFromMe();
                 }
-
                 return null;
             });
         }
@@ -123,24 +161,40 @@ const getAppServicesToken = (): Promise<AppServicesToken | null> => {
     });
 };
 
-export const appServicesToken = await getAppServicesToken();
+export const isUsingAppServicesLogin = (await getAppServicesToken()) != null;
 
 // Sign out of app services
 // Learn more at https://learn.microsoft.com/azure/app-service/configure-authentication-customize-sign-in-out#sign-out-of-a-session
 export const appServicesLogout = () => {
     window.location.href = appServicesAuthLogoutUrl;
 };
 
-// Determine if the user is logged in
-// The user may have logged in either using the app services login or the on-page login
-export const isLoggedIn = (client: IPublicClientApplication | undefined): boolean => {
-    return client?.getActiveAccount() != null || appServicesToken != null;
+/**
+ * Determines if the user is logged in either via the MSAL public client application or the app services login.
+ * @param {IPublicClientApplication | undefined} client - The MSAL public client application instance, or undefined if not available.
+ * @returns {Promise<boolean>} A promise that resolves to true if the user is logged in, false otherwise.
+ */
+export const checkLoggedIn = async (client: IPublicClientApplication | undefined): Promise<boolean> => {
+    if (client) {
+        const activeAccount = client.getActiveAccount();
+        if (activeAccount) {
+            return true;
+        }
+    }
+
+    const appServicesToken = await getAppServicesToken();
+    if (appServicesToken) {
+        return true;
+    }
+
+    return false;
 };
 
 // Get an access token for use with the API server.
 // ID token received when logging in may not be used for this purpose because it has the incorrect audience
 // Use the access token from app services login if available
-export const getToken = (client: IPublicClientApplication): Promise<string | undefined> => {
+export const getToken = async (client: IPublicClientApplication): Promise<string | undefined> => {
+    const appServicesToken = await getAppServicesToken();
     if (appServicesToken) {
         return Promise.resolve(appServicesToken.access_token);
     }
@@ -156,3 +210,43 @@ export const getToken = (client: IPublicClientApplication): Promise<string | und
             return undefined;
         });
 };
+
+/**
+ * Retrieves the username of the active account.
+ * If no active account is found, attempts to retrieve the username from the app services login token if available.
+ * @param {IPublicClientApplication} client - The MSAL public client application instance.
+ * @returns {Promise<string | null>} The username of the active account, or null if no username is found.
+ */
+export const getUsername = async (client: IPublicClientApplication): Promise<string | null> => {
+    const activeAccount = client.getActiveAccount();
+    if (activeAccount) {
+        return activeAccount.username;
+    }
+
+    const appServicesToken = await getAppServicesToken();
+    if (appServicesToken?.user_claims) {
+        return appServicesToken.user_claims.preferred_username;
+    }
+
+    return null;
+};
+
+/**
+ * Retrieves the token claims of the active account.
+ * If no active account is found, attempts to retrieve the token claims from the app services login token if available.
+ * @param {IPublicClientApplication} client - The MSAL public client application instance.
+ * @returns {Promise<Record<string, unknown> | undefined>} A promise that resolves to the token claims of the active account, the user claims from the app services login token, or undefined if no claims are found.
+ */
+export const getTokenClaims = async (client: IPublicClientApplication): Promise<Record<string, unknown> | undefined> => {
+    const activeAccount = client.getActiveAccount();
+    if (activeAccount) {
+        return activeAccount.idTokenClaims;
+    }
+
+    const appServicesToken = await getAppServicesToken();
+    if (appServicesToken) {
+        return appServicesToken.user_claims;
+    }
+
+    return undefined;
+};

app/frontend/src/components/AnalysisPanel/AnalysisPanel.tsx

@@ -39,7 +39,7 @@ export const AnalysisPanel = ({ answer, activeTab, activeCitation, citationHeigh
             const originalHash = activeCitation.indexOf("#") ? activeCitation.split("#")[1] : "";
             const response = await fetch(activeCitation, {
                 method: "GET",
-                headers: getHeaders(token)
+                headers: await getHeaders(token)
             });
             const citationContent = await response.blob();
             let citationObjectUrl = URL.createObjectURL(citationContent);

app/frontend/src/components/LoginButton/LoginButton.tsx

@@ -2,13 +2,23 @@ import { DefaultButton } from "@fluentui/react";
 import { useMsal } from "@azure/msal-react";
 
 import styles from "./LoginButton.module.css";
-import { getRedirectUri, loginRequest } from "../../authConfig";
-import { appServicesToken, appServicesLogout } from "../../authConfig";
+import { getRedirectUri, loginRequest, appServicesLogout, getUsername, checkLoggedIn } from "../../authConfig";
+import { useState, useEffect, useContext } from "react";
+import { LoginContext } from "../../loginContext";
 
 export const LoginButton = () => {
     const { instance } = useMsal();
+    const { loggedIn, setLoggedIn } = useContext(LoginContext);
     const activeAccount = instance.getActiveAccount();
-    const isLoggedIn = (activeAccount || appServicesToken) != null;
+    const [username, setUsername] = useState("");
+
+    useEffect(() => {
+        const fetchUsername = async () => {
+            setUsername((await getUsername(instance)) ?? "");
+        };
+
+        fetchUsername();
+    }, []);
 
     const handleLoginPopup = () => {
         /**
@@ -21,7 +31,11 @@ export const LoginButton = () => {
                 ...loginRequest,
                 redirectUri: getRedirectUri()
             })
-            .catch(error => console.log(error));
+            .catch(error => console.log(error))
+            .then(async () => {
+                setLoggedIn(await checkLoggedIn(instance));
+                setUsername((await getUsername(instance)) ?? "");
+            });
     };
     const handleLogoutPopup = () => {
         if (activeAccount) {
@@ -30,17 +44,20 @@ export const LoginButton = () => {
                     mainWindowRedirectUri: "/", // redirects the top level app after logout
                     account: instance.getActiveAccount()
                 })
-                .catch(error => console.log(error));
+                .catch(error => console.log(error))
+                .then(async () => {
+                    setLoggedIn(await checkLoggedIn(instance));
+                    setUsername((await getUsername(instance)) ?? "");
+                });
         } else {
             appServicesLogout();
         }
     };
-    const logoutText = `Logout\n${activeAccount?.username ?? appServicesToken?.user_claims?.preferred_username}`;
     return (
         <DefaultButton
-            text={isLoggedIn ? logoutText : "Login"}
+            text={loggedIn ? `Logout\n${username}` : "Login"}
             className={styles.loginButton}
-            onClick={isLoggedIn ? handleLogoutPopup : handleLoginPopup}
+            onClick={loggedIn ? handleLogoutPopup : handleLoginPopup}
         ></DefaultButton>
     );
 };

app/frontend/src/components/QuestionInput/QuestionInput.tsx

@@ -1,12 +1,13 @@
-import { useState, useEffect } from "react";
+import { useState, useEffect, useContext } from "react";
 import { Stack, TextField } from "@fluentui/react";
 import { Button, Tooltip } from "@fluentui/react-components";
 import { Send28Filled } from "@fluentui/react-icons";
 import { useMsal } from "@azure/msal-react";
 
-import { isLoggedIn, requireLogin } from "../../authConfig";
 import styles from "./QuestionInput.module.css";
 import { SpeechInput } from "./SpeechInput";
+import { LoginContext } from "../../loginContext";
+import { requireLogin } from "../../authConfig";
 
 interface Props {
     onSend: (question: string) => void;
@@ -19,6 +20,7 @@ interface Props {
 
 export const QuestionInput = ({ onSend, disabled, placeholder, clearOnSend, initQuestion, showSpeechInput }: Props) => {
     const [question, setQuestion] = useState<string>("");
+    const { loggedIn } = useContext(LoginContext);
 
     useEffect(() => {
         initQuestion && setQuestion(initQuestion);
@@ -51,8 +53,7 @@ export const QuestionInput = ({ onSend, disabled, placeholder, clearOnSend, init
         }
     };
 
-    const { instance } = useMsal();
-    const disableRequiredAccessControl = requireLogin && !isLoggedIn(instance);
+    const disableRequiredAccessControl = requireLogin && !loggedIn;
     const sendQuestionDisabled = disabled || !question.trim() || requireLogin;
 
     if (disableRequiredAccessControl) {

app/frontend/src/components/TokenClaimsDisplay/TokenClaimsDisplay.tsx

@@ -10,7 +10,8 @@ import {
     createTableColumn,
     TableColumnDefinition
 } from "@fluentui/react-table";
-import { appServicesToken } from "../../authConfig";
+import { getTokenClaims } from "../../authConfig";
+import { useState, useEffect } from "react";
 
 type Claim = {
     name: string;
@@ -20,6 +21,15 @@ type Claim = {
 export const TokenClaimsDisplay = () => {
     const { instance } = useMsal();
     const activeAccount = instance.getActiveAccount();
+    const [claims, setClaims] = useState<Record<string, unknown> | undefined>(undefined);
+
+    useEffect(() => {
+        const fetchClaims = async () => {
+            setClaims(await getTokenClaims(instance));
+        };
+
+        fetchClaims();
+    }, []);
 
     const ToString = (a: string | any) => {
         if (typeof a === "string") {
@@ -43,7 +53,7 @@ export const TokenClaimsDisplay = () => {
             return { name: key, value: ToString((o ?? {})[originalKey]) };
         });
     };
-    const items: Claim[] = createClaims(activeAccount?.idTokenClaims ?? appServicesToken?.user_claims);
+    const items: Claim[] = createClaims(claims);
 
     const columns: TableColumnDefinition<Claim>[] = [
         createTableColumn<Claim>({