Fixes for token refresh logic. (#1252)

Author: azaslonov

src/authentication/IAuthenticator.ts

@@ -1,10 +1,15 @@
 import { AccessToken } from "./accessToken";
 
 export interface IAuthenticator {
+    /**
+     * Returns access token as a string.
+     */
+    getAccessTokenAsString(): Promise<string>;
+
     /**
      * Returns access token for current session.
      */
-    getAccessToken(): Promise<string>;
+    getAccessToken(): Promise<AccessToken>;
 
     /**
      * Sets new token for the session.

src/authentication/accessTokenRefresher.ts

@@ -1,6 +1,5 @@
 import * as Constants from "./../constants";
 import { ISettingsProvider } from "@paperbits/common/configuration";
-import { EventManager } from "@paperbits/common/events";
 import { HttpClient } from "@paperbits/common/http";
 import { Logger } from "@paperbits/common/logging";
 import { KnownHttpHeaders } from "../models/knownHttpHeaders";
@@ -10,13 +9,13 @@ import { AccessToken, IAuthenticator } from "./../authentication";
 
 export class AccessTokenRefrsher {
     constructor(
-        eventManager: EventManager,
         private readonly settingsProvider: ISettingsProvider,
         private readonly authenticator: IAuthenticator,
         private readonly httpClient: HttpClient,
         private readonly logger: Logger
     ) {
-        eventManager.addEventListener("authenticated", this.refreshToken.bind(this));
+        this.refreshToken = this.refreshToken.bind(this);
+        setInterval(() => this.refreshToken(), 60 * 1000);
     }
 
     private async refreshToken(): Promise<void> {
@@ -37,10 +36,17 @@ export class AccessTokenRefrsher {
                 return;
             }
 
+            const expiresInMs = accessToken.expiresInMs();
+            const refreshBufferMs = 5 * 60 * 1000; // 5 min
+
+            if (expiresInMs > refreshBufferMs) {
+                return;
+            }
+
             const response = await this.httpClient.send({
                 method: "GET",
                 url: `${managementApiUrl}${Utils.ensureLeadingSlash("/identity")}?api-version=${Constants.managementApiVersion}`,
-                headers: [{ name: "Authorization", value: accessToken }]
+                headers: [{ name: "Authorization", value: accessToken.toString() }]
             });
 
             const accessTokenHeader = response.headers.find(x => x.name.toLowerCase() === KnownHttpHeaders.OcpApimSasToken.toLowerCase());

src/components/app/app.ts

@@ -31,7 +31,7 @@ export class App {
         }
 
         try {
-            const token = await this.authenticator.getAccessToken();
+            const token = await this.authenticator.getAccessTokenAsString();
 
             if (!token) {
                 const managementApiAccessToken = settings["managementApiAccessToken"];

src/components/content/content.ts

@@ -30,7 +30,7 @@ export class ContentWorkshop {
         }
 
         try {
-            const accessToken = await this.authenticator.getAccessToken();
+            const accessToken = await this.authenticator.getAccessTokenAsString();
 
             const publishRootUrl = await this.settingsProvider.getSetting<string>("backendUrl") || "";
 

src/components/defaultAuthenticator.ts

@@ -4,20 +4,44 @@ import { IAuthenticator, AccessToken } from "./../authentication";
 export class DefaultAuthenticator implements IAuthenticator {
     constructor(private readonly eventManager: EventManager) { }
 
-    public async getAccessToken(): Promise<string> {
-        const accessToken = sessionStorage.getItem("accessToken");
-
-        if (!accessToken && window.location.pathname.startsWith("/signin-sso")) {
+    private runSsoFlow(): Promise<void> {
+        return new Promise<void>(async () => {
             const url = new URL(location.href);
             const queryParams = new URLSearchParams(url.search);
             const tokenValue = queryParams.get("token");
-            const token = AccessToken.parse(`SharedAccessSignature ${tokenValue}`);
+            const tokenString = `SharedAccessSignature ${tokenValue}`;
+            const token = AccessToken.parse(tokenString);
+
             await this.setAccessToken(token);
 
             const returnUrl = queryParams.get("returnUrl") || "/";
+
+            // wait for redirect to happen, deliberatly not resolving the promise
             window.location.assign(returnUrl);
+        });
+    }
+
+    public async getAccessToken(): Promise<AccessToken> {
+        if (location.pathname.startsWith("/signin-sso")) {
+            await this.runSsoFlow();
+        }
+
+        const storedToken = sessionStorage.getItem("accessToken");
+
+        if (storedToken) {
+            const accessToken = AccessToken.parse(storedToken);
+
+            if (!accessToken.isExpired()) {
+                return accessToken;
+            }
         }
-        return accessToken;
+
+        return null;
+    }
+
+    public async getAccessTokenAsString(): Promise<string> {
+        const accessToken = await this.getAccessToken();
+        return accessToken?.toString();
     }
 
     public async setAccessToken(accessToken: AccessToken): Promise<void> {
@@ -27,27 +51,14 @@ export class DefaultAuthenticator implements IAuthenticator {
         }
 
         sessionStorage.setItem("accessToken", accessToken.toString());
-
-        const expiresInMs = accessToken.expiresInMs();
-        const refreshBufferMs = 5 * 60 * 1000; // 5 min
-        const nextRefreshInMs = expiresInMs - refreshBufferMs;
-
-        if (expiresInMs < refreshBufferMs) {
-            // Refresh immediately
-            this.eventManager.dispatchEvent("authenticated"); 
-        }
-        else {
-            // Schedule refresh 5 min before expiration.
-            setTimeout(() => this.eventManager.dispatchEvent("authenticated"), nextRefreshInMs);
-        }
     }
 
     public clearAccessToken(): void {
         sessionStorage.removeItem("accessToken");
     }
 
     public async isAuthenticated(): Promise<boolean> {
-        const accessToken = await this.getAccessToken();
+        const accessToken = await this.getAccessTokenAsString();
 
         if (!accessToken) {
             return false;

src/components/staticAuthenticator.ts

@@ -1,22 +1,26 @@
 import { IAuthenticator, AccessToken } from "../authentication";
 
 export class StaticAuthenticator implements IAuthenticator {
-    private accessToken: string;
+    private accessToken: AccessToken;
 
-    public async getAccessToken(): Promise<string> {
+    public async getAccessToken(): Promise<AccessToken> {
         return this.accessToken;
     }
 
+    public async getAccessTokenAsString(): Promise<string> {
+        return this.accessToken.toString();
+    }
+
     public async setAccessToken(accessToken: AccessToken): Promise<void> {
-        this.accessToken = accessToken.toString();
+        this.accessToken = accessToken;
     }
 
     public clearAccessToken(): void {
         this.accessToken = undefined;
     }
 
     public async isAuthenticated(): Promise<boolean> {
-        const accessToken = await this.getAccessToken();
+        const accessToken = await this.getAccessTokenAsString();
         return !!accessToken;
     }
 }

src/routing/signOutRouteGuard.ts

@@ -23,7 +23,7 @@ export class SignOutRouteGuard implements RouteGuard {
         const isDelegationEnabled = await this.tenantService.isDelegationEnabled();
 
         if (isDelegationEnabled) {
-            const token = await this.authenticator.getAccessToken();
+            const token = await this.authenticator.getAccessTokenAsString();
 
             if (token) {
                 try {

src/services/backendService.ts

@@ -70,7 +70,7 @@ export class BackendService {
     }
 
     public async sendChangePassword(changePasswordRequest: ChangePasswordRequest): Promise<void> {
-        const authToken = await this.authenticator.getAccessToken();
+        const authToken = await this.authenticator.getAccessTokenAsString();
 
         if (!authToken) {
             throw Error("Auth token not found");
@@ -94,7 +94,7 @@ export class BackendService {
     }
 
     public async getDelegationUrl(action: DelegationAction, delegationParameters: {}): Promise<string> {
-        const authToken = await this.authenticator.getAccessToken();
+        const authToken = await this.authenticator.getAccessTokenAsString();
 
         if (!authToken) {
             throw Error("Auth token not found");

src/services/mapiClient.ts

@@ -116,7 +116,7 @@ export class MapiClient {
         const portalHeader = httpRequest.headers.find(header => header.name === Constants.portalHeaderName);
 
         if (!authHeader?.value) {
-            const accessToken = await this.authenticator.getAccessToken();
+            const accessToken = await this.authenticator.getAccessTokenAsString();
 
             if (accessToken) {
                 httpRequest.headers.push({ name: KnownHttpHeaders.Authorization, value: `${accessToken}` });

src/services/provisioningService.ts

@@ -40,7 +40,7 @@ export class ProvisionService {
         try {
             const dataObj = await this.fetchData(dataUrl);
             const keys = Object.keys(dataObj);
-            const accessToken = await this.authenticator.getAccessToken();
+            const accessToken = await this.authenticator.getAccessTokenAsString();
 
             if (!accessToken) {
                 this.viewManager.notifyError(`Unable to setup website`, `Management API access token is empty or invald.`);
@@ -79,7 +79,7 @@ export class ProvisionService {
 
     private async cleanupContent(): Promise<void> {
         const managementApiUrl = await this.getManagementUrl();
-        const accessToken = await this.authenticator.getAccessToken();
+        const accessToken = await this.authenticator.getAccessTokenAsString();
 
         try {
             const request: HttpRequest = {