fix(auth): upgrade cookie flows to upgrade access tokens, refresh tokens #92

Closed
opened 2025-10-14 14:40:45 +00:00 by chartgerink · 1 comment
Owner

Currently, the upgrade to using solely HttpOnly cookies for auth has left elements kaputt. Primarily, the refresh flow no longer works as expected, which needs to be fixed in the middleware.

In short:

  1. We want requests with valid access tokens to be handled, and the access token automatically refreshed if almost expired (TBD what "almost" means)
  2. Requests with expired access tokens but valid refresh tokens are honored, and refresh the access token
  3. Requests with expired access and refresh tokens are automatically cleared, equivalent to being logged out.

This issue tracks the work to upgrade this.

  • [x] Logout - ensure credentials are included
Author
Owner

I tried managing all of this from within the middleware, but it was getting very messy.

My alternative approach is as follows:

  1. Middleware checks for access token
  2. If expired, 307 (tmp) redirect to /auth/refresh?redirect_uri=.... to refresh the access token
  3. Upon refresh it provides another redirect back to the original request, which is now with a fresh access token

This isolates the refresh process and allows optimization (see also researchequals/frontend#12) to be done there.

Tasks:

  • [ ] Implement refresh endpoint
  • [ ] Implement redirect from middleware when access token is expired
  • [ ] Implement redirect from refresh endpoint to redirect uri (if present)
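The three-step flow in the comment above (middleware checks the access token, 307-redirects to `/auth/refresh?redirect_uri=...` when it is expired, and the refresh endpoint redirects back), written out as a framework-agnostic example. This is an added illustration, not code from researchequals/api or researchequals/frontend; the cookie names, the 60-second "almost expired" window, the `handleRefresh` signature and the `mintAccessToken` callback are all assumptions. It also covers the two things a reviewer would check in this design: the middleware must not redirect requests to the refresh endpoint itself (otherwise it loops), and the refresh endpoint must only honour same-origin relative `redirect_uri` values, since a user-supplied redirect target is otherwise an open redirect.

```javascript
// Added example (not the project's code). Cookie names, refresh path and the
// "almost expired" window are assumed placeholders for the TBD values.
const ACCESS_COOKIE = "access_token";
const REFRESH_COOKIE = "refresh_token";
const REFRESH_PATH = "/auth/refresh";
const ALMOST_EXPIRED_SECONDS = 60;

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    jar[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// Read `exp` from a JWT payload. This does NOT verify the signature: the
// middleware only uses exp to choose a route; the API still verifies the token.
function tokenExp(token) {
  if (!token) return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return Number.isFinite(payload.exp) ? payload.exp : null;
  } catch {
    return null;
  }
}

function isExpired(token, now) {
  const exp = tokenExp(token);
  return exp === null || exp <= now;
}

// Middleware decision for one request. `now` is Unix seconds.
function decideRequest(cookieHeader, requestPath, now) {
  // Never redirect the refresh endpoint itself, or the flow loops.
  if (requestPath.startsWith(REFRESH_PATH)) return { action: "pass" };

  const jar = parseCookies(cookieHeader);
  const exp = tokenExp(jar[ACCESS_COOKIE]);

  // 1. Access token valid and not almost expired: handle the request.
  if (exp !== null && exp - now > ALMOST_EXPIRED_SECONDS) return { action: "pass" };

  // 2. Access token expired (or almost) but refresh token still valid:
  //    307 keeps method and body, so the original request replays after refresh.
  if (!isExpired(jar[REFRESH_COOKIE], now)) {
    return {
      action: "redirect",
      status: 307,
      location: `${REFRESH_PATH}?redirect_uri=${encodeURIComponent(requestPath)}`,
    };
  }

  // 3. Both expired: clear the cookies, equivalent to logging out.
  return { action: "logout", clearCookies: [ACCESS_COOKIE, REFRESH_COOKIE] };
}

// Only honour redirect_uri values that are same-origin paths ("/x?y"), never
// "//host", "/\host" or absolute URLs; fall back to "/" otherwise.
function safeRedirectTarget(redirectUri, fallback = "/") {
  if (typeof redirectUri !== "string") return fallback;
  if (!redirectUri.startsWith("/") || redirectUri.startsWith("//") || redirectUri.startsWith("/\\")) {
    return fallback;
  }
  // Belt and braces: re-parse against a dummy origin and insist it stays there.
  const parsed = new URL(redirectUri, "http://localhost");
  return parsed.origin === "http://localhost" ? parsed.pathname + parsed.search : fallback;
}

// Refresh endpoint. `mintAccessToken(refreshToken)` is an assumed callback that
// exchanges a valid refresh token for a new access token.
function handleRefresh(cookieHeader, redirectUri, now, mintAccessToken) {
  const jar = parseCookies(cookieHeader);
  if (isExpired(jar[REFRESH_COOKIE], now)) {
    return { status: 401, action: "logout", clearCookies: [ACCESS_COOKIE, REFRESH_COOKIE] };
  }
  const access = mintAccessToken(jar[REFRESH_COOKIE]);
  return {
    status: 307,
    location: safeRedirectTarget(redirectUri),
    setCookie: `${ACCESS_COOKIE}=${access}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Constructed, unsigned sample token for local experiments only.
function sampleToken(exp) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64({ sub: "demo", exp })}.sig`;
}

module.exports = { parseCookies, tokenExp, decideRequest, safeRedirectTarget, handleRefresh, sampleToken };
```

Because the middleware only reads `exp` and never verifies the signature, a forged token with a far-future `exp` simply passes through to the API, where it is rejected; the redirect logic is a routing optimisation, not the authorization check. The `Secure` and `SameSite` attributes on the re-issued cookie mirror what the HttpOnly-only setup already requires for the access cookie.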
Reference
researchequals/api#92