Remove oauth implicit code and old authentication flag (#479)

* Add type for settings
* Change to fetcher for settings
* pass functions to async
* remove code mode flag
* remove implicit flow hack

Author: Tristan-WorkGH

src/components/TopBar/TopBar.test.tsx

@@ -11,13 +11,13 @@ import { act } from 'react-dom/test-utils';
 import { IntlProvider } from 'react-intl';
 
 import TopBar, { LANG_ENGLISH } from './TopBar';
-import { top_bar_en } from '../../';
+import { CommonMetadata, top_bar_en } from '../../';
 
 import PowsyblLogo from '../images/powsybl_logo.svg?react';
 
 import { red } from '@mui/material/colors';
 import { createTheme, ThemeProvider } from '@mui/material';
-import { beforeEach, afterEach, it, expect } from '@jest/globals';
+import { afterEach, beforeEach, expect, it } from '@jest/globals';
 
 let container: Element;
 
@@ -32,19 +32,17 @@ afterEach(() => {
     container?.remove();
 });
 
-const apps = [
+const apps: CommonMetadata[] = [
     {
         name: 'App1',
         url: '/app1',
         appColor: 'blue',
         hiddenInAppsMenu: false,
-        resources: [],
     },
     {
         name: 'App2',
         url: '/app2',
         appColor: 'green',
-        resources: [],
         hiddenInAppsMenu: true,
     },
 ];

src/index.ts

@@ -80,6 +80,7 @@ export {
     dispatchUser,
     getPreLoginPath,
 } from './utils/AuthService';
+export type * from './utils/AuthService';
 
 export { getFileIcon } from './utils/ElementIcon';
 

src/utils/AuthService.ts

@@ -7,22 +7,32 @@
 import { Log, User, UserManager } from 'oidc-client';
 import { UserManagerMock } from './UserManagerMock';
 import {
+    resetAuthenticationRouterError,
     setLoggedUser,
+    setLogoutError,
+    setShowAuthenticationRouterLogin,
     setSignInCallbackError,
     setUnauthorizedUserInfo,
-    setLogoutError,
     setUserValidationError,
-    resetAuthenticationRouterError,
-    setShowAuthenticationRouterLogin,
 } from '../redux/actions';
 import { jwtDecode } from 'jwt-decode';
 import { Dispatch } from 'react';
 import { NavigateFunction } from 'react-router-dom';
 
 type UserValidationFunc = (user: User) => Promise<boolean>;
+type IdpSettingsGetter = () => Promise<IdpSettings>;
+
+export type IdpSettings = {
+    authority: string;
+    client_id: string;
+    redirect_uri: string;
+    post_logout_redirect_uri: string;
+    silent_redirect_uri: string;
+    scope: string;
+    maxExpiresIn?: number;
+};
 
 type CustomUserManager = UserManager & {
-    authorizationCodeFlowEnabled?: boolean;
     idpSettings?: {
         maxExpiresIn?: number;
     };
@@ -36,7 +46,7 @@ const hackAuthorityKey = 'oidc.hack.authority';
 const oidcHackReloadedKey = 'gridsuite-oidc-hack-reloaded';
 const pathKey = 'powsybl-gridsuite-current-path';
 
-function isIssuerErrorForCodeFlow(error: Error) {
+function isIssuerError(error: Error) {
     return error.message.includes('Invalid issuer in token');
 }
 
@@ -60,7 +70,6 @@ function reloadTimerOnExpiresIn(
     userManager: UserManager,
     expiresIn: number
 ) {
-    // TODO: Can we stop doing it in the hash for implicit flow ? To make it common for both flows
     // Not allowed by TS because expires_in is supposed to be readonly
     // @ts-ignore
     user.expires_in = expiresIn;
@@ -77,24 +86,16 @@ function handleSigninSilent(
         if (user == null || getIdTokenExpiresIn(user) < 0) {
             return userManager.signinSilent().catch((error: Error) => {
                 dispatch(setShowAuthenticationRouterLogin(true));
-                const errorIssuerCodeFlow = isIssuerErrorForCodeFlow(error);
-                const errorIssuerImplicitFlow =
-                    error.message ===
-                    'authority mismatch on settings vs. signin state';
-                if (errorIssuerCodeFlow) {
-                    // Replacing authority for code flow only because it's done in the hash for implicit flow
-                    // TODO: Can we stop doing it in the hash for implicit flow ? To make it common here for both flows
+                if (isIssuerError(error)) {
                     extractIssuerToSessionStorage(error);
-                }
-                if (errorIssuerCodeFlow || errorIssuerImplicitFlow) {
                     reload();
                 }
             });
         }
     });
 }
 
-function initializeAuthenticationDev(
+export async function initializeAuthenticationDev(
     dispatch: Dispatch<unknown>,
     isSilentRenew: boolean,
     validateUser: UserValidationFunc,
@@ -109,113 +110,49 @@ function initializeAuthenticationDev(
             handleSigninSilent(dispatch, userManager);
         }
     }
-    return Promise.resolve(userManager);
+    return userManager;
 }
 
 const accessTokenExpiringNotificationTime = 60; // seconds
 
-function initializeAuthenticationProd(
+export async function initializeAuthenticationProd(
     dispatch: Dispatch<unknown>,
     isSilentRenew: boolean,
-    idpSettings: Promise<Response>,
+    idpSettingsGetter: IdpSettingsGetter,
     validateUser: UserValidationFunc,
-    authorizationCodeFlowEnabled: boolean,
     isSigninCallback: boolean
 ) {
-    return idpSettings
-        .then((r) => r.json())
-        .then((idpSettings) => {
-            /* hack to ignore the iss check. XXX TODO to remove */
-            const regextoken = /id_token=[^&]*/;
-            const regexstate = /state=[^&]*/;
-            const regexexpires = /expires_in=[^&]*/;
-            let authority: string | undefined;
-            if (window.location.hash) {
-                const matched_id_token = window.location.hash.match(regextoken);
-                const matched_state = window.location.hash.match(regexstate);
-                if (matched_id_token != null && matched_state != null) {
-                    const id_token = matched_id_token[0].split('=')[1];
-                    const state = matched_state[0].split('=')[1];
-                    const strState = localStorage.getItem('oidc.' + state);
-                    if (strState != null) {
-                        const decoded = jwtDecode(id_token);
-                        authority = decoded.iss;
-                        const storedState = JSON.parse(strState);
-                        console.debug(
-                            'Replacing authority in storedState. Before: ',
-                            storedState.authority,
-                            'after: ',
-                            authority
-                        );
-                        storedState.authority = authority;
-                        localStorage.setItem(
-                            'oidc.' + state,
-                            JSON.stringify(storedState)
-                        );
-                        if (authority !== undefined) {
-                            sessionStorage.setItem(hackAuthorityKey, authority);
-                        }
-                        const matched_expires =
-                            window.location.hash.match(regexexpires);
-                        if (matched_expires != null) {
-                            const expires_in = parseInt(
-                                matched_expires[0].split('=')[1]
-                            );
-                            window.location.hash = window.location.hash.replace(
-                                matched_expires[0],
-                                'expires_in=' +
-                                    computeMinExpiresIn(
-                                        expires_in,
-                                        id_token,
-                                        idpSettings.maxExpiresIn
-                                    )
-                            );
-                        }
-                    }
-                }
-            }
-            authority =
-                authority ||
+    const idpSettings = await idpSettingsGetter();
+    try {
+        const settings = {
+            authority:
                 sessionStorage.getItem(hackAuthorityKey) ||
-                idpSettings.authority;
-
-            const responseSettings = authorizationCodeFlowEnabled
-                ? { response_type: 'code' }
-                : {
-                      response_type: 'id_token token',
-                      response_mode: 'fragment',
-                  };
-            const settings = {
-                authority,
-                client_id: idpSettings.client_id,
-                redirect_uri: idpSettings.redirect_uri,
-                post_logout_redirect_uri: idpSettings.post_logout_redirect_uri,
-                silent_redirect_uri: idpSettings.silent_redirect_uri,
-                scope: idpSettings.scope,
-                automaticSilentRenew: !isSilentRenew,
-                accessTokenExpiringNotificationTime:
-                    accessTokenExpiringNotificationTime,
-                ...responseSettings,
-            };
-            let userManager: CustomUserManager = new UserManager(settings);
-            // Hack to enrich UserManager object
-            userManager.idpSettings = idpSettings; //store our settings in there as well to use it later
-            // Hack to enrich UserManager object
-            userManager.authorizationCodeFlowEnabled =
-                authorizationCodeFlowEnabled;
-            if (!isSilentRenew) {
-                handleUser(dispatch, userManager, validateUser);
-                if (!isSigninCallback) {
-                    handleSigninSilent(dispatch, userManager);
-                }
+                idpSettings.authority,
+            client_id: idpSettings.client_id,
+            redirect_uri: idpSettings.redirect_uri,
+            post_logout_redirect_uri: idpSettings.post_logout_redirect_uri,
+            silent_redirect_uri: idpSettings.silent_redirect_uri,
+            scope: idpSettings.scope,
+            automaticSilentRenew: !isSilentRenew,
+            accessTokenExpiringNotificationTime:
+                accessTokenExpiringNotificationTime,
+            response_type: 'code',
+        };
+        let userManager: CustomUserManager = new UserManager(settings);
+        // Hack to enrich UserManager object
+        userManager.idpSettings = idpSettings; //store our settings in there as well to use it later
+        if (!isSilentRenew) {
+            handleUser(dispatch, userManager, validateUser);
+            if (!isSigninCallback) {
+                handleSigninSilent(dispatch, userManager);
             }
-            return userManager;
-        })
-        .catch((error) => {
-            console.debug('error when importing the idp settings', error);
-            dispatch(setShowAuthenticationRouterLogin(true));
-            throw error;
-        });
+        }
+        return userManager;
+    } catch (error: unknown) {
+        console.debug('error when importing the idp settings', error);
+        dispatch(setShowAuthenticationRouterLogin(true));
+        throw error;
+    }
 }
 
 function computeMinExpiresIn(
@@ -257,14 +194,17 @@ function computeMinExpiresIn(
     return newExpiresIn;
 }
 
-function login(location: Location, userManagerInstance: UserManager) {
+export function login(location: Location, userManagerInstance: UserManager) {
     sessionStorage.setItem(pathKey, location.pathname + location.search);
     return userManagerInstance
         .signinRedirect()
         .then(() => console.debug('login'));
 }
 
-function logout(dispatch: Dispatch<unknown>, userManagerInstance: UserManager) {
+export function logout(
+    dispatch: Dispatch<unknown>,
+    userManagerInstance: UserManager
+) {
     sessionStorage.removeItem(hackAuthorityKey); //To remove when hack is removed
     return userManagerInstance.getUser().then((user) => {
         if (user) {
@@ -301,7 +241,7 @@ function getIdTokenExpiresIn(user: User) {
     return exp - now;
 }
 
-function dispatchUser(
+export function dispatchUser(
     dispatch: Dispatch<unknown>,
     userManagerInstance: CustomUserManager,
     validateUser: UserValidationFunc
@@ -333,20 +273,17 @@ function dispatchUser(
                     console.debug(
                         'User has been successfully loaded from store.'
                     );
-
                     // In authorization code flow we have to make the oidc-client lib re-evaluate the date of the token renewal timers
                     // because it is not hacked at page loading on the fragment before oidc-client lib initialization
-                    if (userManagerInstance.authorizationCodeFlowEnabled) {
-                        reloadTimerOnExpiresIn(
-                            user,
-                            userManagerInstance,
-                            computeMinExpiresIn(
-                                user.expires_in,
-                                user.id_token,
-                                userManagerInstance.idpSettings?.maxExpiresIn
-                            )
-                        );
-                    }
+                    reloadTimerOnExpiresIn(
+                        user,
+                        userManagerInstance,
+                        computeMinExpiresIn(
+                            user.expires_in,
+                            user.id_token,
+                            userManagerInstance.idpSettings?.maxExpiresIn
+                        )
+                    );
                     return dispatch(setLoggedUser(user));
                 })
                 .catch((e) => {
@@ -363,7 +300,7 @@ function dispatchUser(
     });
 }
 
-function getPreLoginPath() {
+export function getPreLoginPath() {
     return sessionStorage.getItem(pathKey);
 }
 
@@ -374,7 +311,7 @@ function navigateToPreLoginPath(navigate: NavigateFunction) {
     }
 }
 
-function handleSigninCallback(
+export function handleSigninCallback(
     dispatch: Dispatch<unknown>,
     navigate: NavigateFunction,
     userManagerInstance: UserManager
@@ -383,9 +320,7 @@ function handleSigninCallback(
     userManagerInstance
         .signinRedirectCallback()
         .catch(function (e) {
-            if (isIssuerErrorForCodeFlow(e)) {
-                // Replacing authority for code flow only because it's done in the hash for implicit flow
-                // TODO: Can we also do it here for the implicit flow ? To make it common here for both flows
+            if (isIssuerError(e)) {
                 extractIssuerToSessionStorage(e);
                 // After navigate, location will be out of a redirection route (sign-in-silent or sign-in-callback) so reloading the page will attempt a silent signin
                 // It will reload the user manager based on hacked authority at initialization with the new authority
@@ -409,7 +344,7 @@ function handleSigninCallback(
         });
 }
 
-function handleSilentRenewCallback(userManagerInstance: UserManager) {
+export function handleSilentRenewCallback(userManagerInstance: UserManager) {
     userManagerInstance.signinSilentCallback();
 }
 
@@ -507,14 +442,3 @@ function handleUser(
     console.debug('dispatch user');
     dispatchUser(dispatch, userManager, validateUser);
 }
-
-export {
-    initializeAuthenticationDev,
-    initializeAuthenticationProd,
-    handleSilentRenewCallback,
-    login,
-    logout,
-    dispatchUser,
-    handleSigninCallback,
-    getPreLoginPath,
-};