V16.1: Never reject a token response (#19651)

iOvergaard · web-flow · commit c9bef96c32d0 · 2025-07-02T16:10:30.000+01:00
* fix: never reject a token response

If a token response is rejected, then the pipeline will also fail because it does not understand that error. Let the API interceptors do their job instead and simply return the old, now-invalid token which will prompt the API interceptors to store the request states and retry them afterwards.

* chore: removes unused timeoutsignal

* chore: captures the stale token before potentially clearing it
diff --git a/src/Umbraco.Web.UI.Client/src/packages/core/auth/auth-flow.ts b/src/Umbraco.Web.UI.Client/src/packages/core/auth/auth-flow.ts
@@ -93,7 +93,6 @@ export class UmbAuthFlow {
 	readonly #postLogoutRedirectUri: string;
 	readonly #clientId: string;
 	readonly #scope: string;
-	readonly #timeoutSignal;
 
 	// tokens
 	#tokenResponse?: TokenResponse;
@@ -113,13 +112,11 @@ export class UmbAuthFlow {
 		openIdConnectUrl: string,
 		redirectUri: string,
 		postLogoutRedirectUri: string,
-		timeoutSignal: Subject<void>,
 		clientId = 'umbraco-back-office',
 		scope = 'offline_access',
 	) {
 		this.#redirectUri = redirectUri;
 		this.#postLogoutRedirectUri = postLogoutRedirectUri;
-		this.#timeoutSignal = timeoutSignal;
 		this.#clientId = clientId;
 		this.#scope = scope;
 
@@ -305,25 +302,25 @@ export class UmbAuthFlow {
 	/**
 	 * This method will check if the token needs to be refreshed and if so, it will refresh it and return the new access token.
 	 * If the token does not need to be refreshed, it will return the current access token.
-	 * @returns The access token for the user.
+	 * @returns {Promise<string>} The access token for the user.
 	 */
 	async performWithFreshTokens(): Promise<string> {
 		// if the access token is valid, return it
 		if (this.#tokenResponse?.isValid()) {
 			return Promise.resolve(this.#tokenResponse.accessToken);
 		}
 
+		// if the access token is not valid, try to refresh it
 		const success = await this.makeRefreshTokenRequest();
+		const newToken = this.#tokenResponse?.accessToken ?? '';
 
 		if (!success) {
+			// if the refresh token request failed, we need to clear the token state
 			this.clearTokenStorage();
-			this.#timeoutSignal.next();
-			return Promise.reject('Missing tokenResponse.');
 		}
 
-		return this.#tokenResponse
-			? Promise.resolve(this.#tokenResponse.accessToken)
-			: Promise.reject('Missing tokenResponse.');
+		// if the refresh token request was successful, return the new access token
+		return Promise.resolve(newToken);
 	}
 
 	/**
diff --git a/src/Umbraco.Web.UI.Client/src/packages/core/auth/auth.context.ts b/src/Umbraco.Web.UI.Client/src/packages/core/auth/auth.context.ts
@@ -73,12 +73,7 @@ export class UmbAuthContext extends UmbContextBase {
 		this.#serverUrl = serverUrl;
 		this.#backofficePath = backofficePath;
 
-		this.#authFlow = new UmbAuthFlow(
-			serverUrl,
-			this.getRedirectUrl(),
-			this.getPostLogoutRedirectUrl(),
-			this.#isTimeout,
-		);
+		this.#authFlow = new UmbAuthFlow(serverUrl, this.getRedirectUrl(), this.getPostLogoutRedirectUrl());
 
 		// Observe the authorization signal and close the auth window
 		this.observe(
