VIA-172 AJ/AS Handled fixed expiry of session and some other corner cases

ankur-jain-nhs · ankur-jain-nhs · commit 645d0f424305 · 2025-06-02T17:58:11.000+01:00
diff --git a/auth.ts b/auth.ts
@@ -7,8 +7,6 @@ import NextAuth, { type DefaultSession } from "next-auth";
 import "next-auth/jwt";
 import { jwtDecode } from "jwt-decode";
 import { Logger } from "pino";
-import pemToCryptoKey from "@src/utils/auth/pem-to-crypto-key";
-import { JWT } from "@auth/core/jwt";
 import { generateClientAssertion } from "@src/utils/auth/generate-refresh-client-assertion";
 
 export interface DecodedToken {
@@ -21,10 +19,10 @@ export interface DecodedToken {
 declare module "next-auth" {
   interface Session {
     user: {
-      nhs_number: string | null,
-      birthdate: string | null,
-      access_token?: string,
-    } & DefaultSession["user"]
+      nhs_number: string,
+      birthdate: string,
+      access_token: string,
+    } & DefaultSession["user"],
   }
 
   interface Profile {
@@ -35,17 +33,20 @@ declare module "next-auth" {
 declare module "next-auth/jwt" {
   interface JWT {
     user: {
-      nhs_number: string | null,
-      birthdate: string | null,
+      nhs_number: string,
+      birthdate: string,
     },
     expires_at: number,
-    refresh_token?: string,
-    access_token?: string,
+    refresh_token: string,
+    access_token: string,
+    fixedExpiry: number;
   }
 }
 
 const log: Logger = logger.child({ module: "auth" });
 
+const MAX_SESSION_AGE_SECONDS: number = 12 * 60 * 60; // 12 hours of continuous usage
+const DEFAULT_ACCESS_TOKEN_EXPIRY: number = 5 * 60; // 5 minutes
 
 export const { handlers, signIn, signOut, auth } = NextAuth(async () => {
   const config: AppConfig = await configProvider();
@@ -61,7 +62,7 @@ export const { handlers, signIn, signOut, auth } = NextAuth(async () => {
     },
     session: {
       strategy: "jwt",
-      maxAge: 12 * 60 * 60,
+      maxAge: MAX_SESSION_AGE_SECONDS, // 12 hours of continuous usage
     },
     trustHost: true,
     callbacks: {
@@ -85,52 +86,61 @@ export const { handlers, signIn, signOut, auth } = NextAuth(async () => {
         return isValidToken;
       },
       async jwt({ token, account, profile}) {
-        let updatedToken: JWT = {
+        if (!token) {
+          log.error("No token available in jwt callback.");
+          return null;
+        }
+
+        let updatedToken = {
           ...token,
           user: {
             nhs_number: token.user?.nhs_number ?? "",
-            birthdate: token.user?.birthdate ?? null,
+            birthdate: token.user?.birthdate ?? "",
           },
           expires_at: token.expires_at ?? 0,
           access_token: token.access_token ?? "",
-          refresh_token: token.refresh_token
+          refresh_token: token.refresh_token ?? ""
         };
 
-        // Initial login - account and profile are only defined for the initial login, afterward they become undefined
-        if (account && profile) {
-          updatedToken = {
-            ...updatedToken,
-            expires_at: account.expires_at ?? updatedToken.expires_at,
-            access_token: account.access_token ?? updatedToken.access_token,
-            refresh_token: account.refresh_token ?? updatedToken.refresh_token,
-            user: {
-              nhs_number: profile.nhs_number ?? updatedToken.user.nhs_number,
-              birthdate: profile.birthdate ?? updatedToken.user.birthdate,
-            },
-          };
-        }
+        try {
+          const nowInSeconds = Math.floor(Date.now() / 1000);
 
-        // Access Token missing or expired
-        if (!updatedToken.expires_at || Date.now() >= updatedToken.expires_at * 1000) {
-          logger.warn(`Token expired or expires_at missing. Attempting to refresh. Current refresh_token: ${updatedToken.refresh_token ? 'present' : 'missing'}`);
+          // Maximum age reached scenario:
+          // Invalidate session after fixedExpiry
+          if (updatedToken.fixedExpiry && nowInSeconds >= updatedToken.fixedExpiry) {
+            logger.info("Session has reached the max age");
+            return null;
+          }
 
-          if(!updatedToken.refresh_token) {
-            logger.error("No refresh token available to new access token. User will be logged out.");
-            return {
+          // Initial login scenario:
+          // account and profile are only defined for the initial login,
+          // afterward they become undefined
+          if (account && profile) {
+            updatedToken = {
               ...updatedToken,
-              expires_at: 0,
-              access_token: "",
-              refresh_token: undefined,
+              expires_at: account.expires_at ?? 0,
+              access_token: account.access_token ?? "",
+              refresh_token: account.refresh_token ?? "",
               user: {
-                nhs_number: null,
-                birthdate: null,
+                nhs_number: profile.nhs_number ?? "",
+                birthdate: profile.birthdate ?? "",
               },
+              fixedExpiry: nowInSeconds + MAX_SESSION_AGE_SECONDS
             };
+            return updatedToken;
           }
 
-          try {
-            logger.warn("Attempting to retrieve new access token");
-            const clientAssertion = await generateClientAssertion(await pemToCryptoKey(config.NHS_LOGIN_PRIVATE_KEY));
+          // Refresh token scenario:
+          // Access Token missing or expired
+          if (!updatedToken.expires_at || nowInSeconds >= updatedToken.expires_at) {
+            logger.info("Attempting to refresh token");
+
+            if (!updatedToken.refresh_token) {
+              logger.error("Refresh token missing");
+              return null;
+            }
+
+            const clientAssertion = await generateClientAssertion(config);
 
             const requestBody = {
               grant_type: "refresh_token",
@@ -152,46 +162,34 @@ export const { handlers, signIn, signOut, auth } = NextAuth(async () => {
 
             const newTokens = tokensOrError as {
               access_token: string;
-              expires_in: number;
+              expires_in?: number;
               refresh_token?: string;
             };
 
             updatedToken = {
               ...updatedToken,
               access_token: newTokens.access_token,
-              expires_at: Math.floor(Date.now() / 1000 + newTokens.expires_in),
+              expires_at: nowInSeconds + (newTokens.expires_in ?? DEFAULT_ACCESS_TOKEN_EXPIRY),
               refresh_token: newTokens.refresh_token ?? updatedToken.refresh_token,
-              user: {
-                nhs_number: updatedToken.user.nhs_number,
-                birthdate: updatedToken.user.birthdate,
-              },
             };
 
-            logger.warn("Token successfully refreshed");
-          } catch (error) {
-            logger.error("Error during access_token refresh: ", error);
-
-            return {
-              ...updatedToken,
-              expires_at: 0,
-              access_token: "",
-              refresh_token: undefined,
-              user: {
-                nhs_number: updatedToken.user.nhs_number ?? "",
-                birthdate: updatedToken.user.birthdate ?? null,
-              },
-            };
+            return updatedToken;
           }
+        } catch (error) {
+          log.error(error, "Error in jwt callback");
+          return null;
         }
 
         return updatedToken;
       },
+
       async session({ session, token }) {
         if(token?.user && session.user) {
           session.user.nhs_number = token.user.nhs_number;
           session.user.birthdate = token.user.birthdate;
           session.user.access_token = token.access_token;
         }
+
         return session;
       }
     },
diff --git a/src/utils/auth/generate-refresh-client-assertion.ts b/src/utils/auth/generate-refresh-client-assertion.ts
@@ -1,9 +1,8 @@
-import { AppConfig, configProvider } from "@src/utils/config";
+import { AppConfig } from "@src/utils/config";
+import pemToCryptoKey from "@src/utils/auth/pem-to-crypto-key";
 
-const generateClientAssertion = async (
-  privateKey: CryptoKey,
-): Promise<string> => {
-  const config: AppConfig = await configProvider();
+const generateClientAssertion = async (config: AppConfig): Promise<string> => {
+  const privateKey = await pemToCryptoKey(config.NHS_LOGIN_PRIVATE_KEY);
   const now = Math.floor(Date.now() / 1000);
   const payload = {
     iss: config.NHS_LOGIN_CLIENT_ID,
