feat(admin-ui): sessions not revoked after password/role/ user activation status change (#2592)

* feat: sessions not revoked after password/role/ user activation status change

Signed-off-by: duttarnab <arnab.bdutta@gmail.com>

* feat: address code-rabbit comments

Signed-off-by: duttarnab <arnab.bdutta@gmail.com>

---------

Signed-off-by: duttarnab <arnab.bdutta@gmail.com>

Author: duttarnab

admin-ui/api-client.ts

@@ -1,5 +1,6 @@
 import Axios, { AxiosRequestConfig, AxiosHeaders } from 'axios'
 import store from './app/redux/store'
+import { fetchApiTokenWithDefaultScopes, deleteAdminUiSession } from './app/redux/api/backend-api'
 
 const baseUrl =
   (typeof window !== 'undefined' && (window as any).configApiBaseUrl) ||
@@ -33,6 +34,23 @@ AXIOS_INSTANCE.interceptors.request.use((config) => {
   return config
 })
 
+AXIOS_INSTANCE.interceptors.response.use(
+  (response) => response,
+  async (error) => {
+    if (error.response?.status === 403) {
+      try {
+        const response = await fetchApiTokenWithDefaultScopes()
+        await deleteAdminUiSession(response?.access_token)
+        window.location.href = '/admin/logout'
+      } catch (e) {
+        console.error('Failed to cleanup session on 403:', e)
+      }
+    }
+
+    return Promise.reject(error)
+  },
+)
+
 // React Query compatible instance
 export const customInstance = <T>(
   config: AxiosRequestConfig,

admin-ui/app/helpers/navigation.ts

@@ -154,7 +154,7 @@ const ROUTES = {
   // ========== Core app pages ==========
 
   PROFILE: '/profile',
-  LOGOUT: '/logout',
+  LOGOUT: '/admin/logout',
   ERROR_404: '/error-404',
 
   // ========== Wildcard routes ==========

admin-ui/app/redux/api/backend-api.ts

@@ -84,7 +84,7 @@ export const fetchApiAccessToken = (jwt: any, permissionTag: any) => {
 
 export const fetchApiTokenWithDefaultScopes = () => {
   return axios
-    .post('/app/admin-ui/oauth2/api-protection-token', {})
+    .post('/app/admin-ui/oauth2/api-protection-token', {}, { withCredentials: false })
     .then((response) => response.data)
     .catch((error) => {
       console.error('Problems getting API access token in order to process api calls.', error)
@@ -118,9 +118,12 @@ export const createAdminUiSession = (ujwt: string, apiProtectionToken: string) =
 }
 
 // Delete Admin UI session (logout)
-export const deleteAdminUiSession = () => {
+export const deleteAdminUiSession = (token?: string) => {
+  const config = token
+    ? { headers: { Authorization: `Bearer ${token}` } }
+    : { withCredentials: true }
   return axios
-    .delete('/app/admin-ui/oauth2/session', { withCredentials: true })
+    .delete('/app/admin-ui/oauth2/session', config)
     .then((response) => response.data)
     .catch((error) => {
       console.error('Problems deleting Admin UI session.', error)

admin-ui/app/redux/sagas/AttributesSaga.ts

@@ -1,6 +1,6 @@
 // @ts-nocheck
 import { call, all, put, fork, takeLatest, select } from 'redux-saga/effects'
-import { isFourZeroOneError, addAdditionalData } from 'Utils/TokenController'
+import { isFourZeroThreeError, addAdditionalData } from 'Utils/TokenController'
 import { getAttributesResponseRoot, toggleInitAttributeLoader } from '../features/attributesSlice'
 import { postUserAction } from 'Redux/api/backend-api'
 import { FETCH } from '../../audit/UserActionType'
@@ -31,7 +31,7 @@ export function* getAttributesRoot({ payload }) {
     yield call(postUserAction, audit)
   } catch (e) {
     yield put(getAttributesResponseRoot({ data: [] }))
-    if (isFourZeroOneError(e)) {
+    if (isFourZeroThreeError(e)) {
       yield* redirectToLogout()
       return
     }

admin-ui/app/redux/sagas/AuthSaga.ts

@@ -23,7 +23,7 @@ import {
   createAdminUiSessionResponse,
   deleteAdminUiSessionResponse,
 } from 'Redux/features/authSlice'
-import { isFourZeroOneError } from 'Utils/TokenController'
+import { isFourZeroThreeError } from 'Utils/TokenController'
 import { redirectToLogout } from 'Redux/sagas/SagaUtils'
 
 function* getApiTokenWithDefaultScopes() {
@@ -69,7 +69,7 @@ function* getOAuth2ConfigWorker({ payload }) {
     }
   } catch (error) {
     console.error('Problems getting OAuth2 configuration.', error?.response?.data || error)
-    if (isFourZeroOneError(error)) {
+    if (isFourZeroThreeError(error)) {
       yield* redirectToLogout()
       return
     }
@@ -93,7 +93,7 @@ export function* putConfigWorker({ payload }) {
     }
   } catch (error) {
     yield put(updateToast(true, 'error'))
-    if (isFourZeroOneError(error)) {
+    if (isFourZeroThreeError(error)) {
       yield* redirectToLogout()
       return
     }
@@ -136,8 +136,9 @@ function* getAPIAccessTokenWorker(jwt) {
         statusCode: error?.response?.status,
       }),
     )
-    if (isFourZeroOneError(error)) {
+    if (isFourZeroThreeError(error)) {
       yield* redirectToLogout()
+      return
     }
   }
 }
@@ -163,7 +164,7 @@ function* createAdminUiSessionWorker({ payload }) {
     const errorMessage =
       error?.response?.data?.message || error?.response?.data?.responseMessage || error?.message
     console.error('Problems creating Admin UI session.', error?.response?.data || error)
-    if (isFourZeroOneError(error)) {
+    if (isFourZeroThreeError(error)) {
       yield* redirectToLogout()
       return
     }

admin-ui/app/redux/sagas/HealthSaga.ts

@@ -1,12 +1,12 @@
 // @ts-nocheck
 import { call, all, put, fork, takeLatest, select } from 'redux-saga/effects'
-import { isFourZeroOneError, addAdditionalData } from 'Utils/TokenController'
+import { isFourZeroThreeError, addAdditionalData } from 'Utils/TokenController'
 import { getHealthStatusResponse, getHealthServerStatusResponse } from '../features/healthSlice'
 import { postUserAction } from '../api/backend-api'
 import HealthApi from '../api/HealthApi'
 import { getClient } from '../api/base'
-import { initAudit } from '../sagas/SagaUtils'
 import HealthCheckApi from '../api/HealthCheckApi'
+import { initAudit, redirectToLogout } from '../sagas/SagaUtils'
 const JansConfigApi = require('jans_config_api')
 
 function* newFunction() {
@@ -32,9 +32,10 @@ export function* getHealthStatus({ payload }) {
     yield call(postUserAction, audit)
   } catch (e) {
     yield put(getHealthStatusResponse(null))
-    if (isFourZeroOneError(e)) {
+    if (isFourZeroThreeError(e)) {
       // Session expired - redirect to login
-      window.location.href = '/logout'
+      yield* redirectToLogout()
+      return
     }
   }
 }

admin-ui/app/redux/sagas/InitSaga.ts

@@ -1,6 +1,6 @@
 // @ts-nocheck
 import { call, all, put, fork, takeLatest, select } from 'redux-saga/effects'
-import { isFourZeroOneError, addAdditionalData } from 'Utils/TokenController'
+import { isFourZeroThreeError, addAdditionalData } from 'Utils/TokenController'
 import {
   getAttributesResponse,
   getScriptsResponse,
@@ -47,7 +47,7 @@ export function* getScripts({ payload }) {
     yield call(postUserAction, audit)
   } catch (e) {
     yield put(getScriptsResponse(null))
-    if (isFourZeroOneError(e)) {
+    if (isFourZeroThreeError(e)) {
       yield* redirectToLogout()
       return
     }
@@ -65,7 +65,7 @@ export function* getClients({ payload }) {
     yield call(postUserAction, audit)
   } catch (e) {
     yield put(getClientsResponse(null))
-    if (isFourZeroOneError(e)) {
+    if (isFourZeroThreeError(e)) {
       yield* redirectToLogout()
       return
     }
@@ -82,7 +82,7 @@ export function* getScopes({ payload }) {
     yield call(postUserAction, audit)
   } catch (e) {
     yield put(getScopesResponse(null))
-    if (isFourZeroOneError(e)) {
+    if (isFourZeroThreeError(e)) {
       yield* redirectToLogout()
       return
     }
@@ -99,7 +99,7 @@ export function* getAttributes({ payload }) {
     yield call(postUserAction, audit)
   } catch (e) {
     yield put(getAttributesResponse(null))
-    if (isFourZeroOneError(e)) {
+    if (isFourZeroThreeError(e)) {
       yield* redirectToLogout()
       return
     }

admin-ui/app/redux/sagas/LicenseDetailsSaga.ts

@@ -8,9 +8,9 @@ import {
 } from '../features/licenseDetailsSlice'
 import { getClient } from 'Redux/api/base'
 import LicenseDetailsApi from '../api/LicenseDetailsApi'
-import { initAudit } from 'Redux/sagas/SagaUtils'
+import { initAudit, redirectToLogout } from 'Redux/sagas/SagaUtils'
 import { postUserAction } from 'Redux/api/backend-api'
-import { addAdditionalData, isFourZeroOneError } from 'Utils/TokenController'
+import { addAdditionalData, isFourZeroThreeError } from 'Utils/TokenController'
 import { API_LICENSE } from '../../audit/Resources'
 import { DELETION } from '@/audit/UserActionType'
 const JansConfigApi = require('jans_config_api')
@@ -42,9 +42,10 @@ export function* resetLicenseConfigWorker(action: ResetLicenseAction) {
       yield put(setLicenseResetFailure())
     }
   } catch (error) {
-    if (isFourZeroOneError(error)) {
+    if (isFourZeroThreeError(error)) {
       // Session expired - redirect to login
-      window.location.href = '/logout'
+      yield* redirectToLogout()
+      return
     }
   }
 }
@@ -60,9 +61,10 @@ export function* getLicenseDetailsWorker() {
   } catch (e) {
     console.log('error in getting license details: ', e)
     yield put(getLicenseDetailsResponse(null))
-    if (isFourZeroOneError(e)) {
+    if (isFourZeroThreeError(e)) {
       // Session expired - redirect to login
-      window.location.href = '/logout'
+      yield* redirectToLogout()
+      return
     }
   }
 }
@@ -77,9 +79,10 @@ export function* updateLicenseDetailsWorker({ payload }) {
     yield call(postUserAction, audit)
   } catch (e) {
     yield put(updateLicenseDetailsResponse(null))
-    if (isFourZeroOneError(e)) {
+    if (isFourZeroThreeError(e)) {
       // Session expired - redirect to login
-      window.location.href = '/logout'
+      yield* redirectToLogout()
+      return
     }
   }
 }

admin-ui/app/redux/sagas/LockSaga.ts

@@ -1,9 +1,9 @@
 // @ts-nocheck
 import { call, all, put, fork, select, takeLatest } from 'redux-saga/effects'
-import { isFourZeroOneError } from 'Utils/TokenController'
+import { isFourZeroThreeError } from 'Utils/TokenController'
 
 import { getClient } from '../api/base'
-import { initAudit } from '../sagas/SagaUtils'
+import { initAudit, redirectToLogout } from '../sagas/SagaUtils'
 import LockApi from '../api/LockApi'
 import { getLockStatusResponse } from '../features/lockSlice'
 const JansConfigApi = require('jans_config_api')
@@ -22,9 +22,10 @@ export function* getLockMau({ payload }) {
     yield put(getLockStatusResponse({ data }))
   } catch (e) {
     yield put(getLockStatusResponse(null))
-    if (isFourZeroOneError(e)) {
+    if (isFourZeroThreeError(e)) {
       // Session expired - redirect to login
-      window.location.href = '/logout'
+      yield* redirectToLogout()
+      return
     }
   }
 }

admin-ui/app/redux/sagas/MauSaga.ts

@@ -1,6 +1,6 @@
 // @ts-nocheck
 import { call, all, put, fork, takeLatest, select } from 'redux-saga/effects'
-import { isFourZeroOneError, addAdditionalData } from 'Utils/TokenController'
+import { isFourZeroThreeError, addAdditionalData } from 'Utils/TokenController'
 import { getMauResponse } from 'Plugins/admin/redux/features/mauSlice'
 import { postUserAction } from '../api/backend-api'
 import MauApi from '../api/MauApi'
@@ -26,7 +26,7 @@ export function* getMau({ payload }) {
     return data
   } catch (e) {
     yield put(getMauResponse(null))
-    if (isFourZeroOneError(e)) {
+    if (isFourZeroThreeError(e)) {
       yield* redirectToLogout()
       return
     }