Fix refresh token issue when using password flow (#1205)

* deprecate `/login` endpoint and add refresh token saving in `/auth/login`

* fix code formatting

* update API docs

* refactor `TokenDB` logic

Author: GalMunGral

backend/app/routers/authentication.py

@@ -8,6 +8,7 @@
 )
 from app.models.datasets import DatasetDBViewList
 from app.models.users import UserDB, UserIn, UserLogin, UserOut
+from app.routers.utils import save_refresh_token
 from beanie import PydanticObjectId
 from fastapi import APIRouter, Depends, HTTPException
 from keycloak.exceptions import (
@@ -69,6 +70,7 @@ async def save_user(userIn: UserIn):
 async def login(userIn: UserLogin):
     try:
         token = keycloak_openid.token(userIn.email, userIn.password)
+        await save_refresh_token(token["refresh_token"], userIn.email)
         return {"token": token["access_token"]}
     # bad credentials
     except KeycloakAuthenticationError as e:

backend/app/routers/keycloak.py

@@ -11,7 +11,8 @@
     retreive_refresh_token,
 )
 from app.models.tokens import TokenDB
-from app.models.users import UserDB, UserIn
+from app.models.users import UserDB, UserLogin
+from app.routers.utils import save_refresh_token
 from fastapi import APIRouter, HTTPException, Security
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 from jose import ExpiredSignatureError, JWTError, jwt
@@ -80,10 +81,11 @@ async def logout(
 
 
 @router.post("/login")
-async def loginPost(userIn: UserIn):
+async def loginPost(userIn: UserLogin):
     """Client can use this to login when redirect is not available."""
     try:
         token = keycloak_openid.token(userIn.email, userIn.password)
+        await save_refresh_token(token["refresh_token"], userIn.email)
         return {"token": token["access_token"]}
     # bad credentials
     except KeycloakAuthenticationError as e:

backend/app/routers/utils.py

@@ -2,6 +2,7 @@
 from typing import Optional
 
 from app.models.files import ContentType
+from app.models.tokens import TokenDB
 
 
 def get_content_type(
@@ -23,3 +24,14 @@ def get_content_type(
             content_type = "application/octet-stream"
     type_main = content_type.split("/")[0] if type(content_type) is str else "N/A"
     return ContentType(content_type=content_type, main_type=type_main)
+
+
+async def save_refresh_token(refresh_token: str, email: str):
+    """Store/update refresh token and link to that userid."""
+    token_exist = await TokenDB.find_one(TokenDB.email == email)
+    if token_exist is not None:
+        token_exist.refresh_token = refresh_token
+        await token_exist.save()
+    else:
+        token_created = TokenDB(email=email, refresh_token=refresh_token)
+        await token_created.insert()

frontend/src/openapi/v2/services/AuthService.ts

@@ -1,7 +1,7 @@
 /* istanbul ignore file */
 /* tslint:disable */
 /* eslint-disable */
-import type { UserIn } from '../models/UserIn';
+import type { UserLogin } from '../models/UserLogin';
 import type { CancelablePromise } from '../core/CancelablePromise';
 import { request as __request } from '../core/request';
 
@@ -40,7 +40,7 @@ export class AuthService {
      * @throws ApiError
      */
     public static loginPostApiV2AuthLoginPost(
-        requestBody: UserIn,
+        requestBody: UserLogin,
     ): CancelablePromise<any> {
         return __request({
             method: 'POST',

openapi.json

@@ -11912,7 +11912,7 @@
           "content": {
             "application/json": {
               "schema": {
-                "$ref": "#/components/schemas/UserIn"
+                "$ref": "#/components/schemas/UserLogin"
               }
             }
           },