redirect/refresh on token expiration

simplified:
- deduplicate splitGroupList
- nav bar subtitle cleanup
- remove env CADENCE_WEB_JWT_TOKEN and its usage

Author: Stanislav Bychkov

README.md

@@ -22,7 +22,6 @@ Set these environment variables if you need to change their defaults
 | CADENCE_WEB_HOSTNAME         | Host name to serve on                                                         | 0.0.0.0          |
 | CADENCE_ADMIN_SECURITY_TOKEN | Admin token for accessing admin methods                                       | ''               |
 | CADENCE_WEB_RBAC_ENABLED     | Enables RBAC-aware UI (login/logout).                                         | false            |
-| CADENCE_WEB_JWT_TOKEN        | Static Cadence JWT forwarded when no request token exists                     | ''               |
 | CADENCE_GRPC_TLS_CA_FILE     | Path to root CA certificate file for enabling one-way TLS on gRPC connections | ''               |
 | CADENCE_WEB_SERVICE_NAME     | Name of the web service used as GRPC caller and OTEL resource name            | cadence-web      |
 

src/components/app-nav-bar/app-nav-bar.tsx

@@ -1,10 +1,16 @@
 'use client';
-import React, { useMemo, useState } from 'react';
+import React, {
+  useCallback,
+  useEffect,
+  useMemo,
+  useRef,
+  useState,
+} from 'react';
 
 import { AppNavBar as BaseAppNavBar } from 'baseui/app-nav-bar';
 import { useSnackbar } from 'baseui/snackbar';
 import NextLink from 'next/link';
-import { useRouter } from 'next/navigation';
+import { usePathname, useRouter } from 'next/navigation';
 
 import useStyletronClasses from '@/hooks/use-styletron-classes';
 import useUserInfo from '@/hooks/use-user-info/use-user-info';
@@ -20,40 +26,52 @@ const LOGOUT_ITEM = 'logout';
 export default function AppNavBar() {
   const { cls } = useStyletronClasses(cssStyles);
   const router = useRouter();
+  const pathname = usePathname();
   const { enqueue } = useSnackbar();
   const [isModalOpen, setIsModalOpen] = useState(false);
 
   const { data: authInfo, isLoading: isAuthLoading, refetch } = useUserInfo();
+  const isRbacEnabled = authInfo?.rbacEnabled === true;
+  const isAuthenticated = authInfo?.isAuthenticated === true;
+  const isAdmin = authInfo?.isAdmin === true;
+  const expiresAtMs =
+    typeof authInfo?.expiresAtMs === 'number'
+      ? authInfo.expiresAtMs
+      : undefined;
+  const logoutInFlightRef = useRef(false);
+  const prevIsAuthenticatedRef = useRef<boolean | null>(null);
+  const logoutReasonRef = useRef<'manual' | 'expired' | null>(null);
+
   const userItems = useMemo(() => {
-    if (!authInfo?.rbacEnabled) return undefined;
-    if (!authInfo.isAuthenticated) {
+    if (!isRbacEnabled) return undefined;
+    if (!isAuthenticated) {
       return [{ label: 'Login with JWT', info: LOGIN_ITEM }];
     }
     return [
       { label: 'Switch token', info: LOGIN_ITEM },
       { label: 'Logout', info: LOGOUT_ITEM },
     ];
-  }, [authInfo]);
+  }, [isAuthenticated, isRbacEnabled]);
 
   const username = useMemo(() => {
-    if (!authInfo?.rbacEnabled) {
+    if (!isRbacEnabled) {
       return undefined;
     }
     if (isAuthLoading || !authInfo) {
       return 'Checking access...';
     }
-    return authInfo.isAuthenticated
-      ? authInfo.userName || 'Authenticated user'
+    return isAuthenticated
+      ? authInfo.userName || 'Authenticated user (unknown username)'
       : 'Authenticate';
-  }, [authInfo, isAuthLoading]);
+  }, [authInfo, isAuthLoading, isAuthenticated, isRbacEnabled]);
 
   const usernameSubtitle =
-    authInfo?.rbacEnabled && authInfo.isAuthenticated
-      ? authInfo.isAdmin
+    isRbacEnabled && isAuthenticated
+      ? isAdmin
         ? 'Admin'
-        : 'Authenticated'
-      : authInfo?.rbacEnabled
-        ? 'Paste a Cadence JWT'
+        : undefined
+      : isRbacEnabled
+        ? 'Provide a Cadence JWT'
         : undefined;
 
   const saveToken = async (token: string) => {
@@ -75,19 +93,74 @@ export default function AppNavBar() {
     }
   };
 
-  const logout = async () => {
-    try {
-      await request('/api/auth/token', { method: 'DELETE' });
-      enqueue({ message: 'Signed out' });
-    } catch (e) {
-      const message = e instanceof Error ? e.message : 'Failed to sign out';
-      enqueue({ message });
-    } finally {
-      setIsModalOpen(false);
-      await refetch();
-      router.refresh();
+  const logout = useCallback(
+    async (reason: 'manual' | 'expired') => {
+      if (logoutInFlightRef.current) return;
+      logoutInFlightRef.current = true;
+      logoutReasonRef.current = reason;
+      try {
+        await request('/api/auth/token', { method: 'DELETE' });
+      } catch (e) {
+        logoutReasonRef.current = null;
+        const message = e instanceof Error ? e.message : 'Failed to sign out';
+        enqueue({ message });
+      } finally {
+        setIsModalOpen(false);
+        await refetch();
+        router.refresh();
+        router.replace('/domains');
+        logoutInFlightRef.current = false;
+      }
+    },
+    [enqueue, refetch, router]
+  );
+
+  useEffect(() => {
+    if (!isRbacEnabled || isAuthLoading || !authInfo) return;
+    const prevIsAuthenticated = prevIsAuthenticatedRef.current;
+    prevIsAuthenticatedRef.current = isAuthenticated;
+
+    if (prevIsAuthenticated === true && !isAuthenticated) {
+      const reason = logoutReasonRef.current;
+      logoutReasonRef.current = null;
+      enqueue({
+        message:
+          reason === 'manual'
+            ? 'Signed out'
+            : 'Session expired. Please sign in again.',
+      });
+      if (pathname === '/domains') {
+        router.refresh();
+      } else {
+        router.replace('/domains');
+      }
     }
-  };
+  }, [
+    authInfo,
+    enqueue,
+    isAuthenticated,
+    isAuthLoading,
+    isRbacEnabled,
+    pathname,
+    router,
+  ]);
+
+  useEffect(() => {
+    if (!isRbacEnabled || !isAuthenticated || expiresAtMs === undefined) return;
+    const timeoutMs = expiresAtMs - Date.now();
+    if (timeoutMs <= 0) {
+      void logout('expired');
+      return;
+    }
+
+    const id = window.setTimeout(() => {
+      void logout('expired');
+    }, timeoutMs);
+
+    return () => {
+      window.clearTimeout(id);
+    };
+  }, [expiresAtMs, isAuthenticated, isRbacEnabled, logout]);
 
   return (
     <>
@@ -113,11 +186,11 @@ export default function AppNavBar() {
           if (item.info === LOGIN_ITEM) {
             setIsModalOpen(true);
           } else if (item.info === LOGOUT_ITEM) {
-            void logout();
+            void logout('manual');
           }
         }}
       />
-      {authInfo?.rbacEnabled && (
+      {isRbacEnabled && (
         <AuthTokenModal
           isOpen={isModalOpen}
           onClose={() => setIsModalOpen(false)}

src/components/snackbar-provider/snackbar-provider.tsx

@@ -13,7 +13,7 @@ export default function SnackbarProvider({ children }: Props) {
     <BaseSnackbarProvider
       placement={PLACEMENT.bottom}
       overrides={overrides.snackbar}
-      defaultDuration={DURATION.infinite}
+      defaultDuration={DURATION.medium}
     >
       {children}
     </BaseSnackbarProvider>

src/config/dynamic/dynamic.config.ts

@@ -27,7 +27,6 @@ const dynamicConfigs: {
   CADENCE_WEB_PORT: ConfigEnvDefinition;
   ADMIN_SECURITY_TOKEN: ConfigEnvDefinition;
   CADENCE_WEB_RBAC_ENABLED: ConfigEnvDefinition;
-  CADENCE_WEB_JWT_TOKEN: ConfigEnvDefinition;
   CLUSTERS: ConfigSyncResolverDefinition<
     undefined,
     ClustersConfigs,
@@ -95,10 +94,6 @@ const dynamicConfigs: {
     env: 'CADENCE_WEB_RBAC_ENABLED',
     default: 'false',
   },
-  CADENCE_WEB_JWT_TOKEN: {
-    env: 'CADENCE_WEB_JWT_TOKEN',
-    default: process.env.CADENCE_WEB_RBAC_TOKEN || '',
-  },
   CLUSTERS: {
     resolver: clusters,
     evaluateOn: 'serverStart',

src/utils/auth/__tests__/auth-context.test.ts

@@ -52,7 +52,6 @@ describe('auth-context utilities', () => {
       });
       mockGetConfigValue.mockImplementation(async (key: string) => {
         if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
-        if (key === 'CADENCE_WEB_JWT_TOKEN') return 'env-token';
         return '';
       });
 
@@ -65,20 +64,14 @@ describe('auth-context utilities', () => {
         rbacEnabled: true,
         isAdmin: true,
         token,
-        tokenSource: 'cookie',
         groups: ['worker'],
         userName: 'cookie-user',
       });
     });
 
-    it('falls back to env token when cookie is missing', async () => {
-      const envToken = buildToken({
-        sub: 'env-user',
-        groups: ['reader'],
-      });
+    it('returns unauthenticated context when cookie is missing', async () => {
       mockGetConfigValue.mockImplementation(async (key: string) => {
         if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
-        if (key === 'CADENCE_WEB_JWT_TOKEN') return envToken;
         return '';
       });
 
@@ -88,12 +81,64 @@ describe('auth-context utilities', () => {
 
       expect(authContext).toMatchObject({
         rbacEnabled: true,
-        token: envToken,
-        tokenSource: 'env',
-        groups: ['reader'],
+        token: undefined,
+      });
+    });
+
+    it('treats expired tokens as unauthenticated', async () => {
+      const nowMs = 1_700_000_000_000;
+      const dateNowSpy = jest.spyOn(Date, 'now').mockReturnValue(nowMs);
+
+      const token = buildToken({
+        sub: 'expired-user',
+        groups: ['worker'],
+        Admin: true,
+        exp: Math.floor(nowMs / 1000) - 10,
+      });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
+      });
+
+      expect(authContext).toMatchObject({
+        rbacEnabled: true,
+        token: undefined,
         isAdmin: false,
-        userName: 'env-user',
+        groups: [],
+        userName: undefined,
+        expiresAtMs: undefined,
+      });
+
+      dateNowSpy.mockRestore();
+    });
+
+    it('exposes expiresAtMs for valid tokens', async () => {
+      const nowMs = 1_700_000_000_000;
+      const dateNowSpy = jest.spyOn(Date, 'now').mockReturnValue(nowMs);
+      const expSeconds = Math.floor(nowMs / 1000) + 60;
+
+      const token = buildToken({
+        sub: 'exp-user',
+        exp: expSeconds,
       });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
+      });
+
+      expect(authContext.expiresAtMs).toBe(expSeconds * 1000);
+
+      dateNowSpy.mockRestore();
     });
 
     it('handles capitalized Groups claim with comma-separated string', async () => {
@@ -104,12 +149,12 @@ describe('auth-context utilities', () => {
       });
       mockGetConfigValue.mockImplementation(async (key: string) => {
         if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
-        if (key === 'CADENCE_WEB_JWT_TOKEN') return token;
         return '';
       });
 
       const authContext = await resolveAuthContext({
-        get: () => undefined,
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
       });
 
       expect(authContext.groups).toEqual(['readers', 'auditors']);
@@ -124,31 +169,31 @@ describe('auth-context utilities', () => {
       });
       mockGetConfigValue.mockImplementation(async (key: string) => {
         if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
-        if (key === 'CADENCE_WEB_JWT_TOKEN') return token;
         return '';
       });
 
       const authContext = await resolveAuthContext({
-        get: () => undefined,
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
       });
 
       expect(authContext.groups).toEqual(['readers', 'auditors']);
       expect(authContext.isAdmin).toBe(false);
     });
 
-    it('still forwards env token when RBAC is disabled', async () => {
+    it('still forwards cookie token when RBAC is disabled', async () => {
       const token = buildToken({
         sub: 'legacy-admin',
         Admin: true,
       });
       mockGetConfigValue.mockImplementation(async (key: string) => {
         if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'false';
-        if (key === 'CADENCE_WEB_JWT_TOKEN') return token;
         return '';
       });
 
       const authContext = await resolveAuthContext({
-        get: () => undefined,
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
       });
 
       expect(authContext.token).toBe(token);
@@ -398,12 +443,10 @@ describe('auth-context utilities', () => {
   });
 
   describe(getPublicAuthContext.name, () => {
-    it('omits the token but preserves flags', () => {
+    it('omits private fields but preserves flags', () => {
       const authContext = {
         rbacEnabled: true,
         token: 'secret',
-        tokenSource: 'cookie' as const,
-        claims: { Admin: true },
         groups: ['worker'],
         isAdmin: true,
         userName: 'worker',
@@ -412,8 +455,6 @@ describe('auth-context utilities', () => {
 
       expect(getPublicAuthContext(authContext)).toEqual({
         rbacEnabled: true,
-        tokenSource: 'cookie',
-        claims: { Admin: true },
         groups: ['worker'],
         isAdmin: true,
         userName: 'worker',