kerkmann/leptos_oidc
1
0
Fork 0
Code Issues 8 Pull requests 1 Projects Releases Packages Wiki Activity

Auth state wrong after tokens expired during notebook suspense #12

New issue
Open
opened 2024-06-16 09:21:01 +00:00 by michael-fuchs · 2 comments
michael-fuchs commented 2024-06-16 09:21:01 +00:00 (Migrated from gitlab.com)
Copy link

I have a leptos SSR/Hydrated app like from the leptos examples. I have integrated leptos_oidc following the example there using rauthy as auth server. Most of the stuff is working well now. I can log in and out via rauthy, can extract information from the tokens, display components just when authenticated etc. However there are issues in case of expired tokens:

I use the app on my notebook as client, without signing out usually. Instead I send the notebook into suspend over the night. After waking up and visiting the app it shows me that I'm still signed in. Using oidc just on the client side I can still use the app like signed in.

If I push the logout link rauthy shows it's home page. If I login in in rauthy I can go to my profile in rauthy or the admin panel, but it doesn't redirect me back to my app.

Since everything works when the computer was not suspended, my best guess it that the refresh mechanism obviously can't work during suspense and on coming back the refresh token has already expired. Since rauthy requires a valid token to log out it can't.

So somehow leptos_oidc would require some mechanism to detect token expiration and update the UI automatically (to logged out state). Some simpler thing would be to create an logout component around the logout link that checks the tokens before actually forwarding to rauthy log out. However, that would still not solve the problem that the application works in "logged in" mode even after the tokens have expired.

I have a leptos SSR/Hydrated app like from the leptos examples. I have integrated leptos_oidc following the example there using rauthy as auth server. Most of the stuff is working well now. I can log in and out via rauthy, can extract information from the tokens, display components just when authenticated etc. However there are issues in case of expired tokens: I use the app on my notebook as client, without signing out usually. Instead I send the notebook into suspend over the night. After waking up and visiting the app it shows me that I'm still signed in. Using oidc just on the client side I can still use the app like signed in. If I push the logout link rauthy shows it's home page. If I login in in rauthy I can go to my profile in rauthy or the admin panel, but it doesn't redirect me back to my app. Since everything works when the computer was not suspended, my best guess it that the refresh mechanism obviously can't work during suspense and on coming back the refresh token has already expired. Since rauthy requires a valid token to log out it can't. So somehow leptos_oidc would require some mechanism to detect token expiration and update the UI automatically (to logged out state). Some simpler thing would be to create an logout component around the logout link that checks the tokens before actually forwarding to rauthy log out. However, that would still not solve the problem that the application works in "logged in" mode even after the tokens have expired.
mh84 commented 2024-07-28 11:55:19 +00:00 (Migrated from gitlab.com)
Copy link

The responsible code should be this: https://gitlab.com/kerkmann/leptos_oidc/-/blob/main/src/lib.rs?ref_type=heads#L232

There is just a check for existence, not for validity of the access token.

Atleast there should be a check if the access token is expired, if so, do a refresh if the refresh_token is still valid, or remove the stored token if not and return not authenticated.

But this also doesn't cover if your tokens have been revoked in mean time, so it might be overall better to aquire a fresh one each time the Auth-Context is initialized.

Also storing the token in local storage should might be reconsidered, because it may make it vulnerable to XSS attacks, so it might be better to just store it in memory during lifetime of your application/auth context and aquire a new one (or atleast do a refresh) each time you're re-entering protected context.

The responsible code should be this: https://gitlab.com/kerkmann/leptos_oidc/-/blob/main/src/lib.rs?ref_type=heads#L232 There is just a check for existence, not for validity of the access token. Atleast there should be a check if the access token is expired, if so, do a refresh if the refresh_token is still valid, or remove the stored token if not and return not authenticated. But this also doesn't cover if your tokens have been revoked in mean time, so it might be overall better to aquire a fresh one each time the Auth-Context is initialized. Also storing the token in local storage should might be reconsidered, because it may make it vulnerable to XSS attacks, so it might be better to just store it in memory during lifetime of your application/auth context and aquire a new one (or atleast do a refresh) each time you're re-entering protected context.
erefes commented 2025-01-08 14:45:08 +00:00 (Migrated from gitlab.com)
Copy link

This could be as simple as the following:

    // leptos_oidc/src/lib.rs
    /// Checks if the user is authenticated.
    #[must_use]
    pub fn authenticated(&self) -> bool {
        let auth = self.resource.get().and_then(Result::ok).flatten();
        if let Some(token_storage) = auth {
            let now = chrono::Utc::now().naive_utc();
            now.lt(&token_storage.expires_in)
        } else {
            false
        }
    }

The same applies for retrieving the access token. Apart from that, the access token should be valid long enough to make a request to the backend. Therefore it may be useful to add some grace time.

This could be as simple as the following: ```rust // leptos_oidc/src/lib.rs /// Checks if the user is authenticated. #[must_use] pub fn authenticated(&self) -> bool { let auth = self.resource.get().and_then(Result::ok).flatten(); if let Some(token_storage) = auth { let now = chrono::Utc::now().naive_utc(); now.lt(&token_storage.expires_in) } else { false } } ``` The same applies for retrieving the access token. Apart from that, the access token should be valid long enough to make a request to the backend. Therefore it may be useful to add some grace time.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
v0.7.0
v0.6.1
v0.6.0
v0.5.0
v0.4.1
v0.4.0
v0.3.0
v0.2.2
v0.2.1
v0.2.0
v0.1.1
v0.1.0
Labels
Clear labels   
WIP
No labels
WIP
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
kerkmann/leptos_oidc#12
No description provided.