Merge pull request #745 from IT-Academy-BCN/fix/#104-localstorage

ivilarop · web-flow · commit 8820bbce9b37 · 2026-02-16T13:48:22.000+01:00
fix(auth): replace localStorage with sessionStorage in interceptor (#104)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to
 [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+### [itachallenge-frontend-3.26.0-RELEASE] - 2026-02-16
+
+### Changed
+- Authentication now uses `sessionStorage` instead of `localStorage` for storing auth tokens and usernames.
+- Sessions are now tab-specific and expire when the browser tab is closed.
+- Users must log in again after closing the tab (no auto-login).
 ### [ita-challenges-frontend-3.25.1-RELEASE] - 2026-02-16
 
 ### Changed
diff --git a/conf/.env.CI.dev b/conf/.env.CI.dev
@@ -1,2 +1,2 @@
 MICROSERVICE_DEPLOY=ita-challenges-frontend
-MICROSERVICE_VERSION=3.25.1-RELEASE
+MICROSERVICE_VERSION=3.26.0-RELEASE
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "ita-challenges-frontend",
-  "version": "3.25.1-RELEASE",
+  "version": "3.26.0-RELEASE",
    "scripts": {
     "ng": "ng",
     "start": "ng serve --proxy-config proxy.conf.dev.json",
diff --git a/src/app/core/layout/header/desktop-nav/desktop-nav.component.spec.ts b/src/app/core/layout/header/desktop-nav/desktop-nav.component.spec.ts
@@ -4,7 +4,7 @@ import { NavService } from 'src/app/services/nav.service'
 import { TranslateModule } from '@ngx-translate/core'
 import { RouterModule, ActivatedRoute } from '@angular/router'
 import { AuthService } from 'src/app/services/auth.service';
-import { of } from 'rxjs';
+import { of, throwError } from 'rxjs'
 import { By } from '@angular/platform-browser'
 import { Component, Input } from '@angular/core';
 
@@ -36,6 +36,7 @@ class MockAuthService {
   getUserPhoto = jest.fn(() => of('https://mock-photo-url.com/avatar.png'))
 
   checkAndHandleExpiredToken = jest.fn()
+  switchRole = jest.fn((role: string) => of({ token: 'new-token-123' }))
 }
 
 const mockActivatedRoute = {
@@ -162,4 +163,23 @@ describe('DesktopNavComponent', () => {
     component.openRegisterUsersModal();
     expect(openRegisterUsersModalSpy).toHaveBeenCalled();
   });
+
+  it('✅ Should switch role successfully', () => {
+    sessionStorage.clear() 
+    component.onSwitchRole('USER')
+    expect(authService.switchRole).toHaveBeenCalledWith('USER')
+    expect(sessionStorage.getItem('authToken')).toBe('new-token-123')
+    expect(authService.updateUserRoleAndUserNameFromToken).toHaveBeenCalled()
+  })
+
+  it('❌ Should handle switch role error', () => {
+    const consoleSpy = jest.spyOn(console, 'error').mockImplementation()
+    jest.spyOn(authService, 'switchRole').mockReturnValue(
+      throwError(() => new Error('Failed'))
+    )
+    component.onSwitchRole('ADMIN')
+
+    expect(consoleSpy).toHaveBeenCalled()
+    consoleSpy.mockRestore()
+  })
 })
diff --git a/src/app/core/layout/header/desktop-nav/desktop-nav.component.ts b/src/app/core/layout/header/desktop-nav/desktop-nav.component.ts
@@ -89,7 +89,7 @@ export class DesktopNavComponent implements OnInit, OnDestroy{
   onSwitchRole (newRole: 'ADMIN' | 'USER'): void {
     this._authService.switchRole(newRole).subscribe({
       next: (data) => {
-        localStorage.setItem('authToken', data.token)
+        sessionStorage.setItem('authToken', data.token)
         this._authService.updateUserRoleAndUserNameFromToken()
       },
       error: (error) => {
diff --git a/src/app/core/layout/header/mobile-nav/mobile-nav.component.spec.ts b/src/app/core/layout/header/mobile-nav/mobile-nav.component.spec.ts
@@ -26,6 +26,7 @@ class MockAuthService {
   getUserPhoto = jest.fn(() => of('https://mock-photo-url.com/avatar.png'))
 
   checkAndHandleExpiredToken = jest.fn()
+  switchRole = jest.fn((role: string) => of({ token: 'new-token-123' }))
 }
 
 const mockActivatedRoute = {
diff --git a/src/app/core/layout/header/mobile-nav/mobile-nav.component.ts b/src/app/core/layout/header/mobile-nav/mobile-nav.component.ts
@@ -88,7 +88,7 @@ export class MobileNavComponent implements OnInit, OnDestroy{
   onSwitchRole (newRole: 'ADMIN' | 'USER'): void {
     this._authService.switchRole(newRole).subscribe({
       next: (data) => {
-        localStorage.setItem('authToken', data.token)
+        sessionStorage.setItem('authToken', data.token)
         this._authService.updateUserRoleAndUserNameFromToken()
       },
       error: (error) => {
diff --git a/src/app/interceptors/jwt-interceptor.spec.ts b/src/app/interceptors/jwt-interceptor.spec.ts
@@ -0,0 +1,46 @@
+import { TestBed } from '@angular/core/testing'
+import { HttpTestingController, HttpClientTestingModule } from '@angular/common/http/testing'
+import { HTTP_INTERCEPTORS, HttpClient } from '@angular/common/http'
+import { JwtInterceptor } from './jwt-interceptor'
+import { CookieService } from 'ngx-cookie-service'
+import { environment } from 'src/environments/environment'
+
+describe('JwtInterceptor', () => {
+  let httpMock: HttpTestingController
+  let httpClient: HttpClient
+  const apiUrl = `${environment.BACKEND_ITA_CHALLENGE_BASE_URL}/test`
+
+  beforeEach(() => {
+    TestBed.configureTestingModule({
+      imports: [HttpClientTestingModule],
+      providers: [
+        { provide: CookieService, useValue: {} },
+        { provide: HTTP_INTERCEPTORS, useClass: JwtInterceptor, multi: true }
+      ]
+    })
+    httpMock = TestBed.inject(HttpTestingController)
+    httpClient = TestBed.inject(HttpClient)
+    sessionStorage.clear()
+  })
+
+  afterEach(() => {
+    httpMock.verify()
+  })
+
+  it('should add auth header with token', () => {
+    sessionStorage.setItem('authToken', 'token')
+    httpClient.get(apiUrl).subscribe()
+    expect(httpMock.expectOne(apiUrl).request.headers.get('Authorization')).toBe('Bearer token')
+  })
+
+  it('should NOT add header without token', () => {
+    httpClient.get(apiUrl).subscribe()
+    expect(httpMock.expectOne(apiUrl).request.headers.get('Authorization')).toBeNull()
+  })
+
+  it('should NOT add header for external URLs', () => {
+    sessionStorage.setItem('authToken', 'token')
+    httpClient.get('https://ext.com').subscribe()
+    expect(httpMock.expectOne('https://ext.com').request.headers.get('Authorization')).toBeNull()
+  })
+})
diff --git a/src/app/interceptors/jwt-interceptor.ts b/src/app/interceptors/jwt-interceptor.ts
@@ -12,7 +12,7 @@ export class JwtInterceptor implements HttpInterceptor {
   private readonly cookieService = inject(CookieService)
 
   intercept (request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
-    const token: string = this.cookieService.get('authToken')
+    const token: string = sessionStorage.getItem('authToken') ?? ''
     const isApiUrl = request.url.startsWith(environment.BACKEND_ITA_CHALLENGE_BASE_URL)
     if (isApiUrl && token !== '') {
       // Agregar el token al encabezado Authorization
diff --git a/src/app/modules/mentor/mentor-login/mentor-login.component.spec.ts b/src/app/modules/mentor/mentor-login/mentor-login.component.spec.ts
@@ -150,34 +150,58 @@ describe('MentorLoginComponent', () => {
       environment.BACKEND_ITA_CHALLENGE_BASE_URL + environment.BACKEND_GITHUB_VALIDATE_ENDPOINT,
       { code: 'testCode' }
     )
-    expect(localStorage.getItem('username')).toBe('testUser')
-    expect(localStorage.getItem('authToken')).toBe('123456')
+    expect(sessionStorage.getItem('username')).toBe('testUser')
+    expect(sessionStorage.getItem('authToken')).toBe('123456')
     expect(authServiceMock.updateUserRoleAndUserNameFromToken).toHaveBeenCalled()
     expect(routerSpy).toHaveBeenCalledWith([], { queryParams: { code: null }, queryParamsHandling: 'merge' })
     expect(modalSpy).toHaveBeenCalled()
     expect(loginSuccessSpy).toHaveBeenCalledWith(true)
   })
 
+  it('❌ Should handle invalid GitHub response and clean storage', () => {
+    sessionStorage.setItem('username', 'testUser')
+    sessionStorage.setItem('authToken', '123456')
+
+    const mockResponse = { isValid: false, username: '', token: '' }
+    jest.spyOn(component.http, 'post').mockReturnValue(of(mockResponse))
+    const errorSpy = jest.spyOn(component, 'showError')
+
+    component.authenticateWithGitHub('testCode')
+
+    expect(errorSpy).toHaveBeenCalledWith('unauthorized')
+    expect(sessionStorage.getItem('username')).toBeNull()
+    expect(sessionStorage.getItem('authToken')).toBeNull()
+  })
+
   it.each<ErrorHandlingTestCase>([
     { statusCode: 401, expectedError: 'unauthorized' },
     { statusCode: 403, expectedError: 'unauthorized' },
-    { statusCode: 500, expectedError: 'server_error' }
+    { statusCode: 500, expectedError: 'server_error' },
+    { statusCode: 404, expectedError: 'unauthorized' }
   ])('❌ Should handle error %i and show error message', ({ statusCode, expectedError }, done) => {
-    localStorage.setItem('username', 'testUser')
-    localStorage.setItem('authToken', '123456')
+    sessionStorage.setItem('username', 'testUser')
+    sessionStorage.setItem('authToken', '123456')
 
     const httpSpy = jest.spyOn(component.http, 'post').mockReturnValue(
       throwError(() => ({ status: statusCode }))
     )
 
     const errorSpy = jest.spyOn(component, 'showError')
-
+    const consoleSpy = jest.spyOn(console, 'error').mockImplementation()
     component.authenticateWithGitHub('testCode')
 
     setTimeout(() => {
       expect(httpSpy).toHaveBeenCalled()
       expect(errorSpy).toHaveBeenCalledWith(expectedError)
       expect(component.isLoading).toBe(false)
+      if (statusCode === 403) {
+        expect(sessionStorage.getItem('username')).toBeNull()
+        expect(sessionStorage.getItem('authToken')).toBeNull()
+      }
+      if (statusCode === 404) {
+        expect(consoleSpy).toHaveBeenCalled()
+      }
+      consoleSpy.mockRestore()
 
       done()
     }, 100)
@@ -193,4 +217,13 @@ describe('MentorLoginComponent', () => {
     expect(component.isErrorVisible).toBe(false)
     expect(component.isShowTermsError).toBe(false)
   })
+
+  it('✅ Should redirect to GitHub signup', () => {
+    delete (window as any).location
+    window.location = { href: '' } as any
+    
+    component.redirectToRegister()
+    
+    expect(window.location.href).toBe('https://github.com/signup')
+  })
 })
diff --git a/src/app/modules/mentor/mentor-login/mentor-login.component.ts b/src/app/modules/mentor/mentor-login/mentor-login.component.ts
@@ -80,17 +80,17 @@ export class MentorLoginComponent implements OnInit {
     this.http.post<GitHubAuthResponse>(url, { code }).subscribe({
       next: (response) => {
         if (response.isValid) {
-          localStorage.setItem('authToken', response.token)
-          localStorage.setItem('username', response.username)
+          sessionStorage.setItem('authToken', response.token)
+          sessionStorage.setItem('username', response.username)
           
           this.authService.updateUserRoleAndUserNameFromToken()
 
           this.closeModal()
           this.loginSuccess.emit(true)
         } else {
           this.showError('unauthorized')
-          localStorage.removeItem('username')
-          localStorage.removeItem('authToken')
+          sessionStorage.removeItem('username')
+          sessionStorage.removeItem('authToken')
         }
       },
       error: (err) => {
@@ -104,8 +104,8 @@ export class MentorLoginComponent implements OnInit {
           this.showError('server_error')
         } else if (err.status === 403) {
           this.showError('unauthorized') // Error 403: El usuario no existe en GitHub.
-          localStorage.removeItem('username')
-          localStorage.removeItem('authToken')
+          sessionStorage.removeItem('username')
+          sessionStorage.removeItem('authToken')
         } else {
           this.showError('unauthorized')
           console.error(err)
diff --git a/src/app/services/auth.service.spec.ts b/src/app/services/auth.service.spec.ts
@@ -16,6 +16,8 @@ describe('AuthService', () => {
   let router: Router;
 
   beforeEach(() => {
+    sessionStorage.clear();
+    localStorage.clear();
 
     const translateServiceMock = {
       instant: (key: string) => key,
@@ -39,6 +41,7 @@ describe('AuthService', () => {
   });
 
   afterEach(() => {
+    sessionStorage.clear();
     localStorage.clear();
     httpMock.verify();
   });
@@ -56,7 +59,7 @@ describe('AuthService', () => {
 
   it('should return the correct role when there is a valid token', fakeAsync(() => {
     const token = btoa(JSON.stringify({ role: 'ADMIN' }));
-    localStorage.setItem('authToken', `header.${token}.signature`);
+    sessionStorage.setItem('authToken', `header.${token}.signature`);
 
     spyOn(service, 'getUserPhoto').and.returnValue(of('https://github.com/avatar.jpg'));
 
@@ -80,14 +83,15 @@ describe('AuthService', () => {
   });
 
   it('should emit updated role when updateUserRoleAndUserNameFromToken is called', fakeAsync(() => {
+    sessionStorage.clear();
     spyOn(service, 'getUserPhoto').and.returnValue(of('https://github.com/avatar.jpg'))
     let initialRole: string | undefined;
     service.getUserRole().pipe(first()).subscribe(r => initialRole = r);
     tick();
     expect(initialRole).toBe('');
 
     const token = btoa(JSON.stringify({ role: 'ADMIN' }));
-    localStorage.setItem('authToken', `header.${token}.signature`);
+    sessionStorage.setItem('authToken', `header.${token}.signature`);
     service.updateUserRoleAndUserNameFromToken();
 
     let updatedRole: string | undefined;
@@ -99,24 +103,26 @@ describe('AuthService', () => {
   it('should emit empty role when token is removed', fakeAsync(() => {
     spyOn(service, 'getUserPhoto').and.returnValue(of('https://github.com/avatar.jpg'))
     const token = btoa(JSON.stringify({ role: 'ADMIN' }));
-    localStorage.setItem('authToken', `header.${token}.signature`);
-    service.updateUserRoleAndUserNameFromToken();
-
+    sessionStorage.setItem('authToken', `header.${token}.signature`);
+    
     let initialRole: string | undefined;
-    service.getUserRole().pipe(first()).subscribe(r => initialRole = r);
+    service.getUserRole().subscribe(r => initialRole = r);
+    service.updateUserRoleAndUserNameFromToken();
     tick();
     expect(initialRole).toBe('ADMIN');
 
-    localStorage.removeItem('authToken');
+    sessionStorage.removeItem('authToken');
     service.updateUserRoleAndUserNameFromToken();
 
     let updatedRole: string | undefined;
-    service.getUserRole().pipe(first()).subscribe(r => updatedRole = r);
+    service.getUserRole().subscribe(r => updatedRole = r);
     tick();
     expect(updatedRole).toBe('');
   }));
 
   it('should return true if user is logged in (auth token exists)', () => {
+    sessionStorage.clear();
+    localStorage.clear();
     const validToken = [
       btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
       btoa(JSON.stringify({
@@ -128,7 +134,7 @@ describe('AuthService', () => {
       })),
       'signature'
     ].join('.')
-    localStorage.setItem('authToken', validToken)
+    sessionStorage.setItem('authToken', validToken)
     expect(service.isUserLoggedIn()).toBe(true)
   })
 
@@ -157,24 +163,25 @@ describe('AuthService', () => {
 
     tick();
 
-    expect(localStorage.getItem('authToken')).toBeNull();
-    expect(localStorage.getItem('username')).toBeNull();
+    expect(sessionStorage.getItem('authToken')).toBeNull();
+    expect(sessionStorage.getItem('username')).toBeNull();
 
     expect(routerSpy).toHaveBeenCalledWith([environment.AUTH_REDIRECT_URL]);
     expect(updateAuthStatusSpy).toHaveBeenCalled();
     expect(updateUserRoleAndUserNameFromTokenSpy).toHaveBeenCalled();
   }));
 
   it('should return authorization header with token if token exists', () => {
-    localStorage.setItem('authToken', 'test-token');
+    sessionStorage.clear();
+    sessionStorage.setItem('authToken', 'test-token');
     
     const headers = service.getAuthHeaders();
 
     expect(headers.Authorization).toBe('Bearer test-token');
   });
 
   it('should return empty authorization header if no token exists', () => {
-    localStorage.removeItem('authToken');
+    sessionStorage.removeItem('authToken');
 
     const headers = service.getAuthHeaders();
     expect(headers.Authorization).toBe('');
diff --git a/src/app/services/auth.service.ts b/src/app/services/auth.service.ts
@@ -123,7 +123,7 @@ export class AuthService {
   }
 
   getAuthToken(): string | null {
-    return localStorage.getItem('authToken');
+    return sessionStorage.getItem('authToken');
   }
 
   getAuthHeaders(): { Authorization: string } {
@@ -132,8 +132,8 @@ export class AuthService {
   }
 
   clearAuthData(): void {
-    localStorage.removeItem('authToken');
-    localStorage.removeItem('username');
+    sessionStorage.removeItem('authToken');
+    sessionStorage.removeItem('username');
   }
 
   private handleLogoutSuccess(): void {

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`MICROSERVICE_DEPLOY=ita-challenges-frontend`
`2`		`-MICROSERVICE_VERSION=3.25.1-RELEASE`
	`2`	`+MICROSERVICE_VERSION=3.26.0-RELEASE`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "ita-challenges-frontend",`
`3`		`- "version": "3.25.1-RELEASE",`
	`3`	`+ "version": "3.26.0-RELEASE",`
`4`	`4`	`"scripts": {`
`5`	`5`	`"ng": "ng",`
`6`	`6`	`"start": "ng serve --proxy-config proxy.conf.dev.json",`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ class MockAuthService {`
`26`	`26`	`getUserPhoto = jest.fn(() => of('https://mock-photo-url.com/avatar.png'))`
`27`	`27`
`28`	`28`	`checkAndHandleExpiredToken = jest.fn()`
	`29`	`+ switchRole = jest.fn((role: string) => of({ token: 'new-token-123' }))`
`29`	`30`	`}`
`30`	`31`
`31`	`32`	`const mockActivatedRoute = {`