fix session refresh detection (#118)

* fix session refresh detection

* align some auth checks

* remove complete profile stuff

* ignore type issue

* last one

Author: a-type

admin/src/services/fetch.ts

@@ -1,14 +1,6 @@
 import { createFetch } from '@a-type/auth-fetch';
-import { AlefError } from '@alef/common';
 
 export const fetch = createFetch({
 	refreshSessionEndpoint: `${import.meta.env.VITE_PUBLIC_API_ORIGIN}/auth/refresh`,
 	logoutEndpoint: `${import.meta.env.VITE_PUBLIC_API_ORIGIN}/auth/logout`,
-	isSessionExpired: (res) => {
-		const asAlefError = AlefError.fromResponse(res);
-		if (asAlefError) {
-			return asAlefError.code === AlefError.Code.SessionExpired;
-		}
-		return false;
-	},
 });

app/src/pages/HomePage.tsx

@@ -1,22 +1,10 @@
 import { Redirect } from '@/components/Redirect';
 import { isHeadset } from '@/services/os';
-import { useMe } from '@/services/publicApi/userHooks';
-import { useNavigate } from '@verdant-web/react-router';
-import { lazy, useEffect } from 'react';
+import { lazy } from 'react';
 
 const LazyMainScene = lazy(() => import('@/components/xr/MainScene'));
 
 const HomePage = () => {
-	const { data: session } = useMe();
-	const navigate = useNavigate();
-	const incompleteProfile = session && !session.emailVerifiedAt;
-	useEffect(() => {
-		// don't bother people on headsets with this
-		if (!isHeadset && incompleteProfile) {
-			navigate('/complete-signup');
-		}
-	}, [incompleteProfile, navigate]);
-
 	if (!isHeadset) {
 		// on desktop/mobile, editor is the default page.
 		return <Redirect to="/editor" />;

app/src/services/fetch.ts

@@ -1,15 +1,7 @@
 import { publicApiOrigin } from '@/env';
 import { createFetch } from '@a-type/auth-fetch';
-import { AlefError } from '@alef/common';
 
 export const fetch = createFetch({
 	refreshSessionEndpoint: `${publicApiOrigin}/auth/refresh`,
 	logoutEndpoint: `${publicApiOrigin}/auth/logout`,
-	isSessionExpired: (res) => {
-		const asAlefError = AlefError.fromResponse(res);
-		if (asAlefError) {
-			return asAlefError.code === AlefError.Code.SessionExpired;
-		}
-		return false;
-	},
 });

app/src/services/publicApi/utils.ts

@@ -15,6 +15,9 @@ export async function fallbackWhenOfflineOrError<TResponseData, TFallback = null
 	try {
 		const res = await req;
 		if (!res.ok) {
+			if (res.status === 401) {
+				return fallback;
+			}
 			const asAlefError = AlefError.fromResponse(res);
 			console.error(asAlefError);
 			toast.error(!asAlefError ? 'Server error! Check your network.' : asAlefError.message);

packages/common/src/error.ts

@@ -1,8 +1,6 @@
 export enum AlefErrorCode {
 	BadRequest = 40000,
 	Unauthorized = 40100,
-	SessionExpired = 40101,
-	SessionInvalid = 40102,
 	Forbidden = 40300,
 	NotFound = 40400,
 	Conflict = 40900,

services/src/admin-api/index.ts

@@ -10,7 +10,7 @@ import { furnitureRouter } from './routers/furniture.js';
 import { usersRouter } from './routers/users.js';
 
 const adminApp = new Hono<Env>()
-	.onError(handleError)
+	.onError(handleError as any /* TODO: fix ctx type compatibility junk */)
 	.use(requestId())
 	.use(
 		cors({

services/src/middleware/errors.ts

@@ -1,8 +1,11 @@
 import { AuthError } from '@a-type/auth';
 import { AlefError } from '@alef/common';
+import { Context } from 'hono';
 import { ZodError } from 'zod';
+import { sessions } from '../public-api/auth/session';
+import { Env } from '../public-api/config/ctx';
 
-export function handleError(reason: unknown): Response {
+export function handleError(reason: unknown, ctx: Context<Env>): Response {
 	if (AlefError.isInstance(reason)) {
 		if (reason.code > AlefError.Code.InternalServerError) {
 			console.error('Unexpected AlefError:', reason);
@@ -11,12 +14,19 @@ export function handleError(reason: unknown): Response {
 	}
 
 	if (reason instanceof AuthError) {
-		return new Response(reason.message, {
-			status: reason.statusCode,
-			headers: {
-				'Content-Type': 'text/plain',
-			},
-		});
+		// for invalid sessions, log the user out.
+		if (reason.message === AuthError.Messages.InvalidSession || reason.message === AuthError.Messages.InvalidRefreshToken) {
+			const { headers } = sessions.clearSession(ctx);
+			return new Response(reason.message, {
+				status: 401,
+				headers: {
+					'Content-Type': 'text/plain',
+					'x-alef-error': AlefError.Code.Unauthorized.toString(),
+					...headers,
+				},
+			});
+		}
+		return reason.toResponse();
 	}
 
 	if (reason instanceof ZodError) {

services/src/middleware/session.ts

@@ -1,4 +1,4 @@
-import { AuthError, Session } from '@a-type/auth';
+import { Session } from '@a-type/auth';
 import { AlefError, assertPrefixedId, PrefixedId } from '@alef/common';
 import { RpcStub } from 'cloudflare:workers';
 import { Context } from 'hono';
@@ -12,23 +12,7 @@ export type SessionWithPrefixedIds = Omit<Session, 'userId'> & {
 };
 
 async function getRequestSessionOrThrow(ctx: Context): Promise<SessionWithPrefixedIds> {
-	let session: Session | null = null;
-	try {
-		session = await sessions.getSession(ctx);
-	} catch (err) {
-		if (err instanceof AuthError) {
-			if (err.message === AuthError.Messages.SessionExpired) {
-				throw new AlefError(AlefError.Code.SessionExpired, 'Session expired. Please refresh your session or log in again.', err);
-			} else if (err.message === AuthError.Messages.InvalidSession) {
-				// remove the invalid session
-				const { headers } = sessions.clearSession(ctx);
-				throw new AlefError(AlefError.Code.SessionInvalid, 'Invalid session. Please log in again.', err, {
-					headers,
-				});
-			}
-		}
-		throw err;
-	}
+	const session = await sessions.getSession(ctx);
 
 	if (!session) {
 		throw new AlefError(AlefError.Code.Unauthorized, 'You must be logged in to access this functionality.');