Merge pull request #458 from bcgov/BCHEP-589

fix(BCHEP-589): extended logout flow to incl contractors, hardened API auth logic

Author: AdvSol-Darrel

app/frontend/components/domains/navigation/index.tsx

@@ -414,16 +414,32 @@ const AppRoutes = observer(() => {
 
   useEffect(() => {
     if (tokenExpired) {
+      const isContractorFlow =
+        entryPoint === 'isContractor' ||
+        currentUser?.isContractor ||
+        sessionStorage.getItem('isContractorFlow') === 'true' ||
+        location.pathname.startsWith('/contractor');
+
+      const isAdminFlow =
+        entryPoint === 'isAdmin' ||
+        entryPoint === 'isAdminMgr' ||
+        entryPoint === 'isSysAdmin' ||
+        currentUser?.isAdmin ||
+        currentUser?.isAdminManager ||
+        currentUser?.isSystemAdmin;
+
       resetAuth();
       setAfterLoginPath(location.pathname);
-      if (entryPoint) {
+      if (isContractorFlow) {
+        navigate('/contractor');
+      } else if (isAdminFlow) {
         navigate('/admin');
       } else {
         navigate('/login');
       }
       uiStore.flashMessage.show(EFlashMessageStatus.warning, t('auth.tokenExpired'), null);
     }
-  }, [tokenExpired]);
+  }, [tokenExpired, entryPoint, currentUser, location.pathname, navigate, resetAuth, setAfterLoginPath, t, uiStore]);
 
   useEffect(() => {
     const storedPath = sessionStorage.getItem('afterLoginPath') || afterLoginPath;

app/frontend/services/api/monitors.ts

@@ -1,45 +1,79 @@
-import * as R from "ramda"
-import { ISessionStore } from "../../stores/session-store"
-import { IUIStore } from "../../stores/ui-store"
-import { isNilOrEmpty } from "../../utils"
-import { API_ERROR_TYPES } from "../../utils/api-errors"
-import { Api } from "."
+import * as R from 'ramda';
+import { ISessionStore } from '../../stores/session-store';
+import { IUIStore } from '../../stores/ui-store';
+import { isNilOrEmpty } from '../../utils';
+import { API_ERROR_TYPES } from '../../utils/api-errors';
+import { Api } from '.';
 
 /**
   Watches for "flash" messages from the server and reports them.
  */
 export const addFlashMessageMonitor = (api: Api, uiStore: IUIStore) => {
   api.addMonitor((response) => {
     // assuming these are just CLIENT_ERROR - other types handled below in addApiErrorMonitor
-    const messageConfig: { [key: string]: any } = R.path(["data", "meta", "message"], response)
-    if (isNilOrEmpty(messageConfig)) return
+    const messageConfig: { [key: string]: any } = R.path(['data', 'meta', 'message'], response);
+    if (isNilOrEmpty(messageConfig)) return;
 
-    const { title, message, type } = messageConfig
-    uiStore.flashMessage.show(type, title, message)
-  })
-}
+    const { title, message, type } = messageConfig;
+    uiStore.flashMessage.show(type, title, message);
+  });
+};
 
 export const addApiErrorMonitor = (api: Api, uiStore: IUIStore) => {
   api.addMonitor((response) => {
     if (response.problem) {
-      const err = API_ERROR_TYPES[response.problem]
+      const err = API_ERROR_TYPES[response.problem];
       if (err) {
-        uiStore.flashMessage.show(err.type, err.message, null)
+        uiStore.flashMessage.show(err.type, err.message, null);
       }
     }
-  })
-}
+  });
+};
 
 export const addApiUnauthorizedError = (api: Api, sessionStore: ISessionStore) => {
   api.addMonitor((response) => {
-    if (response.status == 401) {
-      const requestUrl = new URL(response.originalError.request.responseURL)
-      const whitelistedPaths = ["validate_token", "login"] // avoid infinite loops
+    if (response.status === 401) {
+      const requestUrl = response.originalError?.request?.responseURL || response.config?.url || '';
+      let requestPathname = '';
 
-      if (requestUrl && !whitelistedPaths.map((path) => `/api/${path}`).includes(requestUrl.pathname)) {
-        sessionStore.setTokenExpired(true)
-        // the redirect logic handled in navigation/index.tsx based on above flag
+      try {
+        requestPathname = requestUrl ? new URL(requestUrl, window.location.origin).pathname : '';
+      } catch {
+        requestPathname = '';
+      }
+
+      const validateTokenPath = '/api/validate_token';
+      const loginPath = '/api/login';
+      const isValidateTokenRequest = requestPathname === validateTokenPath;
+      const isLoginRequest = requestPathname === loginPath;
+
+      // Ignore login 401s and initial unauthenticated validate_token checks.
+      // If validate_token starts returning 401 after being logged in, treat it as session expiry.
+      if (isLoginRequest) return;
+      if (isValidateTokenRequest && !sessionStore.loggedIn) return;
+
+      sessionStore.setTokenExpired(true);
+      // redirect logic handled in navigation/index.tsx based on above flag
+
+      const currentUser = sessionStore.rootStore?.userStore?.currentUser;
+      const isContractorFlow =
+        sessionStore.entryPoint === 'isContractor' ||
+        currentUser?.isContractor ||
+        sessionStorage.getItem('isContractorFlow') === 'true' ||
+        window.location.pathname.startsWith('/contractor');
+      const isAdminFlow =
+        sessionStore.entryPoint === 'isAdmin' ||
+        sessionStore.entryPoint === 'isAdminMgr' ||
+        sessionStore.entryPoint === 'isSysAdmin' ||
+        currentUser?.isAdmin ||
+        currentUser?.isAdminManager ||
+        currentUser?.isSystemAdmin;
+
+      const targetPath = isContractorFlow ? '/contractor' : isAdminFlow ? '/admin' : '/login';
+
+      if (window.location.pathname !== targetPath) {
+        window.location.replace(targetPath);
       }
     }
-  })
-}
+  });
+};

app/frontend/stores/session-store.ts

@@ -63,14 +63,24 @@ export const SessionStoreModel = types
     logout: flow(function* () {
       self.isLoggingOut = true;
       const response: any = yield self.environment.api.logout();
+
+      const isContractorFlow =
+        self.entryPoint === 'isContractor' ||
+        self.rootStore.userStore.currentUser?.isContractor ||
+        sessionStorage.getItem('isContractorFlow') === 'true' ||
+        window.location.pathname.startsWith('/contractor');
+
+      const isAdminFlow = self.entryPoint === 'isAdmin';
+
       if (response.ok) {
         self.resetAuth();
       }
+
       const origin = window.location.origin;
       let finalRedirect = origin;
-      if (self.entryPoint === 'isAdmin') {
+      if (isAdminFlow) {
         finalRedirect += '/admin';
-      } else if (self.entryPoint === 'isContractor') {
+      } else if (isContractorFlow) {
         finalRedirect += '/welcome/contractor';
       } else {
         finalRedirect += '/';