✨(global) support silent login

Allow to enable silent login through envvar
`FRONTEND_SILENT_LOGIN_ENABLED`

Author: NielsCodes

docs/env.md

@@ -320,6 +320,13 @@ it can lead to memory exhaustion, increase at your own risk.
 | `IMAGE_PROXY_MAX_SIZE` | `5242880` (5MB) | Maximum size in bytes for external images | Optional |
 | `IMAGE_PROXY_CACHE_TTL` | `2592000` (30 days) | Cache TTL in seconds for external images | Optional |
 
+### Frontend
+
+| Variable | Default | Description | Required |
+|----------|---------|-------------|----------|
+| `FRONTEND_THEME` | `white-label` | Theme for the frontend | Optional |
+| `FRONTEND_SILENT_LOGIN_ENABLED` | `False` | Whether silent login is enabled | Optional |
+
 ### Third-party Services
 
 #### Drive

env.d/development/backend.defaults

@@ -56,6 +56,7 @@ OIDC_OP_JWKS_ENDPOINT=http://keycloak:8802/realms/messages/protocol/openid-conne
 OIDC_OP_AUTHORIZATION_ENDPOINT=http://localhost:8902/realms/messages/protocol/openid-connect/auth
 OIDC_OP_TOKEN_ENDPOINT=http://keycloak:8802/realms/messages/protocol/openid-connect/token
 OIDC_OP_USER_ENDPOINT=http://keycloak:8802/realms/messages/protocol/openid-connect/userinfo
+OIDC_OP_LOGOUT_ENDPOINT=http://localhost:8902/realms/messages/protocol/openid-connect/logout
 
 OIDC_RP_CLIENT_ID=messages
 OIDC_RP_CLIENT_SECRET=ThisIsAnExampleKeyForDevPurposeOnly

src/backend/core/api/openapi.json

@@ -257,6 +257,11 @@
                                             "type": "integer",
                                             "description": "Maximum age in seconds for a message to be eligible for manual retry of failed deliveries",
                                             "readOnly": true
+                                        },
+                                        "FRONTEND_SILENT_LOGIN_ENABLED": {
+                                            "type": "boolean",
+                                            "description": "Whether silent OIDC login is enabled",
+                                            "readOnly": true
                                         }
                                     },
                                     "required": [
@@ -277,7 +282,8 @@
                                         "IMAGE_PROXY_ENABLED",
                                         "FEATURE_MAILDOMAIN_CREATE",
                                         "FEATURE_MAILDOMAIN_MANAGE_ACCESSES",
-                                        "MESSAGES_MANUAL_RETRY_MAX_AGE"
+                                        "MESSAGES_MANUAL_RETRY_MAX_AGE",
+                                        "FRONTEND_SILENT_LOGIN_ENABLED"
                                     ]
                                 }
                             }
@@ -5661,6 +5667,9 @@
                             }
                         },
                         "description": ""
+                    },
+                    "401": {
+                        "description": "Authentication credentials were not provided or are invalid."
                     }
                 }
             }

src/backend/core/api/viewsets/config.py

@@ -127,6 +127,11 @@ class ConfigView(drf.views.APIView):
                             ),
                             "readOnly": True,
                         },
+                        "FRONTEND_SILENT_LOGIN_ENABLED": {
+                            "type": "boolean",
+                            "description": "Whether silent OIDC login is enabled",
+                            "readOnly": True,
+                        },
                     },
                     "required": [
                         "ENVIRONMENT",
@@ -147,6 +152,7 @@ class ConfigView(drf.views.APIView):
                         "FEATURE_MAILDOMAIN_CREATE",
                         "FEATURE_MAILDOMAIN_MANAGE_ACCESSES",
                         "MESSAGES_MANUAL_RETRY_MAX_AGE",
+                        "FRONTEND_SILENT_LOGIN_ENABLED",
                     ],
                 },
             )
@@ -174,6 +180,7 @@ def get(self, request):
             "MAX_OUTGOING_BODY_SIZE",
             "MAX_INCOMING_EMAIL_SIZE",
             "MAX_RECIPIENTS_PER_MESSAGE",
+            "FRONTEND_SILENT_LOGIN_ENABLED",
         ]
         dict_settings = {}
         for setting in array_settings:

src/backend/core/api/viewsets/user.py

@@ -5,6 +5,7 @@
 import rest_framework as drf
 from drf_spectacular.utils import (
     OpenApiParameter,
+    OpenApiResponse,
     OpenApiTypes,
     extend_schema,
 )
@@ -115,6 +116,15 @@ def list(self, request, *args, **kwargs):
         )
         return drf.response.Response(serializer.data)
 
+    @extend_schema(
+        tags=["users"],
+        responses={
+            200: serializers.UserWithAbilitiesSerializer,
+            401: OpenApiResponse(
+                description="Authentication credentials were not provided or are invalid.",
+            ),
+        },
+    )
     @drf.decorators.action(
         detail=False,
         methods=["get"],

src/backend/core/tests/api/test_config.py

@@ -34,6 +34,7 @@
     MAX_TEMPLATE_IMAGE_SIZE=2097152,  # 2MB
     IMAGE_PROXY_ENABLED=False,
     MESSAGES_MANUAL_RETRY_MAX_AGE=86400,  # 1 day in seconds
+    FRONTEND_SILENT_LOGIN_ENABLED=True,
 )
 @pytest.mark.parametrize("is_authenticated", [False, True])
 def test_api_config(is_authenticated):
@@ -65,6 +66,7 @@ def test_api_config(is_authenticated):
         "MAX_TEMPLATE_IMAGE_SIZE": 2097152,
         "IMAGE_PROXY_ENABLED": False,
         "MESSAGES_MANUAL_RETRY_MAX_AGE": 86400,
+        "FRONTEND_SILENT_LOGIN_ENABLED": True,
     }
 
 

src/backend/messages/settings.py

@@ -614,6 +614,9 @@ class Base(Configuration):
     FRONTEND_THEME = values.Value(
         None, environ_name="FRONTEND_THEME", environ_prefix=None
     )
+    FRONTEND_SILENT_LOGIN_ENABLED = values.BooleanValue(
+        default=False, environ_name="FRONTEND_SILENT_LOGIN_ENABLED", environ_prefix=None
+    )
 
     # Celery
     CELERY_BROKER_URL = values.Value(
@@ -698,6 +701,8 @@ class Base(Configuration):
     OIDC_RP_SCOPES = values.Value(
         "openid email", environ_name="OIDC_RP_SCOPES", environ_prefix=None
     )
+    OIDC_AUTHENTICATE_CLASS = "lasuite.oidc_login.views.OIDCAuthenticationRequestView"
+    OIDC_CALLBACK_CLASS = "lasuite.oidc_login.views.OIDCAuthenticationCallbackView"
     LOGIN_REDIRECT_URL = values.Value(
         None, environ_name="LOGIN_REDIRECT_URL", environ_prefix=None
     )

src/e2e/src/__tests__/login.spec.ts

@@ -1,6 +1,5 @@
-import { test, expect } from '@playwright/test';
+import { test, expect, Page, Route } from '@playwright/test';
 import { signInKeycloakIfNeeded } from '../utils-test';
-import { getStorageStatePath } from '../utils';
 
 test.describe('Authentication with empty storage state', () => {
   test.use({ storageState: { cookies: [], origins: [] } });
@@ -17,3 +16,155 @@ test.describe('Authentication with existing storage state', () => {
   });
 });
 
+const SILENT_LOGIN_RETRY_KEY = 'messages_silent-login-retry';
+
+const mockConfigApi = async (page: Page, silentLoginEnabled: boolean) => {
+  await page.route('**/api/v1.0/config/', async (route: Route) => {
+    const response = await route.fetch();
+    const json = await response.json();
+    json.FRONTEND_SILENT_LOGIN_ENABLED = silentLoginEnabled;
+    await route.fulfill({ response, json });
+  });
+};
+
+const getSilentLoginRetryKey = async (page: Page): Promise<string | null> => {
+  return page.evaluate(
+    (key) => localStorage.getItem(key),
+    SILENT_LOGIN_RETRY_KEY,
+  );
+};
+
+const clearSilentLoginRetryKey = async (page: Page) => {
+  await page.evaluate(
+    (key) => localStorage.removeItem(key),
+    SILENT_LOGIN_RETRY_KEY,
+  );
+};
+
+// NOTE: Keycloak does not support silent login (prompt=none) when not running
+// behind HTTPS, so we cannot fully test the silent re-authentication flow in
+// this e2e environment. Instead, we verify that the correct requests are made
+// (redirect to /authenticate/?silent=true) and that the app handles the
+// outcome gracefully (showing the login page after a failed silent attempt).
+test.describe('Silent Login', () => {
+  test.use({ storageState: { cookies: [], origins: [] } });
+
+  test('should attempt silent login with active Keycloak session', async ({
+    page,
+    browserName,
+  }) => {
+    const username = `user.e2e.${browserName}`;
+
+    // Sign in normally to establish a Keycloak session
+    await signInKeycloakIfNeeded({ page, username });
+
+    // Clear app cookies but preserve Keycloak session cookies
+    const cookies = await page.context().cookies();
+    const keycloakCookies = cookies.filter((c) =>
+      c.domain.includes('keycloak'),
+    );
+    await page.context().clearCookies();
+    if (keycloakCookies.length > 0) {
+      await page.context().addCookies(keycloakCookies);
+    }
+
+    // Clear localStorage retry key to allow silent login
+    await clearSilentLoginRetryKey(page);
+
+    // Enable silent login by intercepting the config endpoint
+    await mockConfigApi(page, true);
+
+    // Track the silent login redirect
+    let silentLoginRequestMade = false;
+    page.on('request', (request) => {
+      const url = request.url();
+      if (url.includes('/authenticate/') && url.includes('silent=true')) {
+        silentLoginRequestMade = true;
+      }
+    });
+
+    // Navigate to the app - the silent login redirect should occur
+    await page.goto('/');
+
+    // The login page is eventually shown because Keycloak returns a
+    // "login_failed" error when not running behind HTTPS
+    await expect(page.locator('button.pro-connect-button')).toBeVisible({
+      timeout: 30000,
+    });
+
+    // Verify the silent login redirect occurred with the expected parameters
+    expect(silentLoginRequestMade).toBe(true);
+  });
+
+  test('should fail gracefully without Keycloak session', async ({
+    page,
+    context,
+  }) => {
+    // Ensure no session exists
+    await context.clearCookies();
+
+    // Enable silent login
+    await mockConfigApi(page, true);
+
+    // Track the silent login redirect
+    let silentLoginRequestMade = false;
+    page.on('request', (request) => {
+      const url = request.url();
+      if (url.includes('/authenticate/') && url.includes('silent=true')) {
+        silentLoginRequestMade = true;
+      }
+    });
+
+    // Navigate to the app
+    await page.goto('/');
+
+    // Verify the ProConnect login button is shown (silent login failed,
+    // retry key prevents re-attempt, login page displayed)
+    await expect(page.locator('button.pro-connect-button')).toBeVisible({
+      timeout: 30000,
+    });
+
+    // Verify the silent login redirect occurred
+    expect(silentLoginRequestMade).toBe(true);
+
+    // Verify localStorage has the retry key set (preventing immediate retry)
+    const retryKeyValue = await getSilentLoginRetryKey(page);
+    expect(retryKeyValue).not.toBeNull();
+  });
+
+  test('should show login page directly when silent login is disabled', async ({
+    page,
+    context,
+  }) => {
+    // Ensure no session exists
+    await context.clearCookies();
+
+    // Disable silent login
+    await mockConfigApi(page, false);
+
+    // Track to verify NO silent login redirect
+    let silentLoginRequestMade = false;
+    page.on('request', (request) => {
+      const url = request.url();
+      if (url.includes('/authenticate/') && url.includes('silent=true')) {
+        silentLoginRequestMade = true;
+      }
+    });
+
+    // Navigate to the app
+    await page.goto('/');
+
+    // Verify the ProConnect login button is shown directly (no silent login attempt)
+    await expect(page.locator('button.pro-connect-button')).toBeVisible({
+      timeout: 10000,
+    });
+
+    // Verify no silent login redirect was attempted
+    expect(silentLoginRequestMade).toBe(false);
+
+    // Verify no retry key in localStorage (silent login was never triggered)
+    const retryKeyValue = await getSilentLoginRetryKey(page);
+    expect(retryKeyValue).toBeNull();
+  });
+});
+

src/frontend/src/features/api/fetch-api.ts

@@ -15,7 +15,7 @@ export interface fetchAPIOptions {
 
 export const fetchAPI= async <T>(
   pathname: string,
-  { params, logoutOn401, ...requestInit }: RequestInit & fetchAPIOptions & { params?: Record<string, string> } = {},
+  { params, logoutOn401 = true, ...requestInit }: RequestInit & fetchAPIOptions & { params?: Record<string, string> } = {},
 ): Promise<T> => {
   const requestUrl = getRequestUrl(pathname, params);
   const isMultipartFormData = requestInit.body instanceof FormData;
@@ -26,7 +26,7 @@ export const fetchAPI= async <T>(
     headers: getHeaders(requestInit.headers, isMultipartFormData),
   });
 
-  if ((logoutOn401 ?? true) && response.status === 401) {
+  if (response.status === 401 && logoutOn401) {
     sessionStorage.setItem(SESSION_EXPIRED_KEY, 'true');
     logout();
   }

src/frontend/src/features/api/gen/models/config_retrieve200.ts

@@ -37,4 +37,6 @@ export type ConfigRetrieve200 = {
   readonly FEATURE_MAILDOMAIN_MANAGE_ACCESSES: boolean;
   /** Maximum age in seconds for a message to be eligible for manual retry of failed deliveries */
   readonly MESSAGES_MANUAL_RETRY_MAX_AGE: number;
+  /** Whether silent OIDC login is enabled */
+  readonly FRONTEND_SILENT_LOGIN_ENABLED: boolean;
 };