Conversation


@bseifert14 bseifert14 commented Sep 18, 2025

Description

IALERT-3185 was created to ensure that an invalid user is automatically logged out after a certain amount of time. This occurs when a request returns a 401 error (more on that here).

Proposed Fix

I created a class HttpInterceptor, with the goal of intercepting requests, checking that they are valid and then proceeding from there. The way this works is that any request that is sent will be intercepted by this class, which checks its status, determines whether its URL should be handled by a 401, and ensures that it is an Alert call. More on each of these below:

  1. Status: We want to ensure that the status is a 401, which means the request is unauthenticated.
  2. Should be handled by 401: There are certain endpoints that we should avoid (AUTH_ENDPOINTS), both because we could create infinite loops and because a 401 from those URLs might have a different meaning. Here is the reasoning for each of them:
    • /alert/api/login: 401 means invalid password credentials - we should just show a "wrong password" message
    • /alert/api/verify: 401 means a session check failed - this is normal as the user is not logged in yet
    • /alert/api/verify/saml: Same as /alert/api/verify
    • /alert/api/csrf: 401 means a CSRF token request - this is also normal as we are waiting to get a new token for the user
    • /alert/api/logout: 401 means the session has expired and the user should be logged out
  3. Ensure it's an Alert call: There could be cases where we make requests to external third-party sites; in these instances we do not want to log the user out on a 401.

@bseifert14 bseifert14 requested a review from Copilot September 18, 2025 20:07

Copilot AI left a comment


Pull Request Overview

This PR implements automatic logout functionality for unauthenticated users by creating an HTTP interceptor that monitors API responses for 401 status codes. The interceptor ensures users are logged out when their session expires, while avoiding logout triggers for specific authentication endpoints.

Key changes:

  • Creates a new HttpInterceptor class to monitor HTTP responses
  • Implements global fetch interception to handle 401 responses automatically
  • Integrates the interceptor into the application startup process

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
ui/src/main/js/common/util/HttpInterceptor.js New interceptor class that monitors fetch requests and triggers logout on 401 responses from Alert API endpoints
ui/src/main/js/Index.js Initializes the HTTP interceptor during application startup


try {
const response = await originalFetch(...args);
if (this.shouldHandleUnauthorized(response, args[0])) {
// if (this.shouldHandleUnauthorized({status: 401, ...response}, args[0])) {
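Review bot: the commented-out line at the end of this snippet, `{status: 401, ...response}`, is not a usable test hook and should not ship: spreading a Response copies none of its properties (status, headers and body are accessor properties on the Response prototype, not own enumerable properties), so the object passed is simply `{status: 401}`, and uncommenting it forces the logout branch for every request regardless of what `originalFetch` returned. Move this into a unit test instead: stub the saved `originalFetch` to return `new Response(null, { status: 401 })` for an Alert API URL and assert the logout path runs, and return the same 401 for a URL in AUTH_ENDPOINTS and assert it does not.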

Copilot AI Sep 18, 2025


Remove this commented-out debugging code before merging to production.

Suggested change
// if (this.shouldHandleUnauthorized({status: 401, ...response}, args[0])) {

Contributor Author


Keeping this in for testing purposes

Comment on lines +31 to +32
if (this.shouldHandleUnauthorized(response, args[0])) {
// if (this.shouldHandleUnauthorized({status: 401, ...response}, args[0])) {

Copilot AI Sep 18, 2025


The URL parameter (args[0]) may not always be a string. When using fetch with a Request object, args[0] would be a Request instance, not a URL string. Consider extracting the URL properly: const url = typeof args[0] === 'string' ? args[0] : args[0].url;

Suggested change
if (this.shouldHandleUnauthorized(response, args[0])) {
// if (this.shouldHandleUnauthorized({status: 401, ...response}, args[0])) {
const url = typeof args[0] === 'string' ? args[0] : args[0].url;
if (this.shouldHandleUnauthorized(response, url)) {

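The interceptor the PR description outlines (wrap fetch, act only on a 401, skip AUTH_ENDPOINTS, ignore third-party origins) together with the Request-object case Copilot raises above, as an added example that is not the PR's HttpInterceptor.js or the project's code. It assumes a browser-like environment with fetch, Request, Response and URL globals (Node 18+ for the offline demo); installInterceptor, shouldHandleUnauthorized, resolveRequestUrl, API_PREFIX, onUnauthorized and the host alert.example.test are illustrative names, and the demo's stubbed server behaviour is constructed.

```javascript
// Added example: a fetch interceptor that logs the user out on 401 responses
// from the application's own API. Not the PR's HttpInterceptor.js; the names
// below (installInterceptor, shouldHandleUnauthorized, resolveRequestUrl,
// API_PREFIX, onUnauthorized, alert.example.test) are assumptions.

// Endpoints from the PR description where a 401 has its own meaning.
const AUTH_ENDPOINTS = [
  '/alert/api/login',
  '/alert/api/verify',
  '/alert/api/verify/saml',
  '/alert/api/csrf',
  '/alert/api/logout',
];

// Assumed path prefix of the application's own API.
const API_PREFIX = '/alert/api/';

// fetch() accepts a string, a URL object or a Request; normalise all three to
// a URL resolved against the app origin, so the check never treats args[0]
// as a string when it is actually a Request (the case Copilot raised).
function resolveRequestUrl(input, appOrigin) {
  if (input && typeof input === 'object' && typeof input.url === 'string') {
    return new URL(input.url, appOrigin); // Request-like object
  }
  if (input instanceof URL) return input;
  return new URL(String(input), appOrigin); // relative or absolute string
}

// True only for a 401 from a same-origin Alert API call outside AUTH_ENDPOINTS.
function shouldHandleUnauthorized(status, input, appOrigin) {
  if (status !== 401) return false;
  let url;
  try {
    url = resolveRequestUrl(input, appOrigin);
  } catch {
    return false; // unparsable input: leave it to the caller
  }
  if (url.origin !== new URL(appOrigin).origin) return false; // third party
  if (!url.pathname.startsWith(API_PREFIX)) return false;     // not the Alert API
  // Exact-path match on purpose: a startsWith() test would also exempt
  // e.g. /alert/api/login-history, which should still trigger logout.
  return !AUTH_ENDPOINTS.includes(url.pathname);
}

// Replaces globalObj.fetch with the interceptor; returns an uninstall function.
function installInterceptor(globalObj, { appOrigin, onUnauthorized }) {
  const originalFetch = globalObj.fetch;
  let handling = false; // several requests can 401 at once; log out only once
  globalObj.fetch = async function interceptedFetch(...args) {
    const response = await originalFetch.call(globalObj, ...args);
    if (!handling && shouldHandleUnauthorized(response.status, args[0], appOrigin)) {
      handling = true;
      try {
        await onUnauthorized(response);
      } finally {
        handling = false;
      }
    }
    return response; // the caller still sees the 401 and can handle it locally
  };
  return () => { globalObj.fetch = originalFetch; };
}

// Offline demo with a constructed fetch stub on a fake global object: every
// request gets a 401, and the returned list shows which ones triggered logout.
async function demo() {
  const appOrigin = 'https://alert.example.test';
  const loggedOutFor = [];
  const fakeGlobal = {
    fetch: async (input) => new Response(null, {
      status: 401,
      headers: { 'x-demo-url': resolveRequestUrl(input, appOrigin).href },
    }),
  };
  installInterceptor(fakeGlobal, {
    appOrigin,
    onUnauthorized: (res) => { loggedOutFor.push(res.headers.get('x-demo-url')); },
  });
  await fakeGlobal.fetch('/alert/api/configuration');                     // string: logout
  await fakeGlobal.fetch(new Request(`${appOrigin}/alert/api/jobs`));     // Request: logout
  await fakeGlobal.fetch(new URL('/alert/api/verify/saml', appOrigin));   // excluded endpoint
  await fakeGlobal.fetch('/alert/api/login');                             // excluded endpoint
  await fakeGlobal.fetch('https://third-party.example.test/alert/api/x'); // other origin
  return loggedOutFor;
}
```

The interceptor returns the 401 to the caller rather than swallowing it, so per-call error handling keeps working; the `handling` flag stops a burst of parallel 401s from triggering the logout callback repeatedly, and the exact-path comparison for AUTH_ENDPOINTS avoids accidentally exempting any endpoint that merely shares a prefix with one of them.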