STCOR-796 replace x-okapi-token credentials with RTR and cookies (#1410)

Move auth tokens into HTTP-only cookies and implement refresh token rotation (STCOR-671) by overriding global.fetch and global.XMLHttpRequest, disabling login when cookies are disabled (STCOR-762). This functionality is implemented behind an opt-in feature-flag (STCOR-763). Okapi and Keycloak do not handle the same situations in the same ways. Changes from the original implementation in PR #1376: * When a token is missing: * Okapi sends a 400 `text/plain` response * Keycloak sends a 401 `application/json` response * Keycloak authentication includes the extra step of exchanging the OTP for the AT/RT and that request needs the `credentials` and `mode` options * Some `loginServices` functions now retrieve the host the access from the `stripes-config` import instead of a function argument * always permit `/authn/token` requests to go through Refs STCOR-796, STCOR-671 (cherry picked from commit 0361353)
folio-org · Jan 31, 2024 · 2d21aa0 · 2d21aa0
1 parent a7fe503
commit 2d21aa0
Show file tree

Hide file tree

Showing 44 changed files with 2,085 additions and 227 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,8 @@
 * Allow console to be preserved on logout. STCOR-761.
 * Export `unregisterServiceWorker` to eliminate zombie service workers. Refs FOLIO-3627.
 * Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
+* Opt-in: handle access-control via cookies. Refs STCOR-671.
+* Opt-in: disable login when cookies are disabled. Refs STCOR-762.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)

diff --git a/index.js b/index.js
@@ -46,4 +46,7 @@ export * from './src/consortiaServices';
 export { default as queryLimit } from './src/queryLimit';
 export { default as init } from './src/init';
 
+/* localforage wrappers hide the session key */
+export { getOkapiSession, getTokenExpiry, setTokenExpiry } from './src/loginServices';
+
 export { registerServiceWorker, unregisterServiceWorker } from './src/serviceWorkerRegistration';
diff --git a/package.json b/package.json
@@ -54,6 +54,7 @@
     "@formatjs/cli": "^6.1.3",
     "chai": "^4.1.2",
     "eslint": "^7.32.0",
+    "jest-fetch-mock": "^3.0.3",
     "miragejs": "^0.1.32",
     "moment": "^2.29.0",
     "react": "^18.2.0",

diff --git a/src/App.js b/src/App.js
@@ -9,7 +9,6 @@ import configureLogger from './configureLogger';
 import configureStore from './configureStore';
 import gatherActions from './gatherActions';
 import { destroyStore } from './mainActions';
-import { unregisterServiceWorker } from './serviceWorkerRegistration';
 
 import Root from './components/Root';
 
@@ -34,10 +33,6 @@ export default class StripesCore extends Component {
     this.epics = configureEpics(connectErrorEpic);
     this.store = configureStore(initialState, this.logger, this.epics);
     this.actionNames = gatherActions();
-
-    // unregister any zombie service workers left over from RTR work
-    // prior to disabling RTR in PR #1371
-    unregisterServiceWorker();
   }
 
   componentWillUnmount() {

diff --git a/src/RootWithIntl.js b/src/RootWithIntl.js
@@ -89,12 +89,14 @@ class RootWithIntl extends React.Component {
       store: PropTypes.object.isRequired
     }).isRequired,
     token: PropTypes.string,
+    isAuthenticated: PropTypes.bool,
     disableAuth: PropTypes.bool.isRequired,
     history: PropTypes.shape({}),
   };
 
   static defaultProps = {
     token: '',
+    isAuthenticated: false,
     history: {},
   };
 
@@ -109,6 +111,7 @@ class RootWithIntl extends React.Component {
   render() {
     const {
       token,
+      isAuthenticated,
       disableAuth,
       history,
     } = this.props;
@@ -127,7 +130,7 @@ class RootWithIntl extends React.Component {
               >
                 <Provider store={stripes.store}>
                   <Router history={history}>
-                    { token || disableAuth ?
+                    { isAuthenticated || token || disableAuth ?
                       <>
                         <MainContainer>
                           <AppCtxMenuProvider>

diff --git a/src/Stripes.js b/src/Stripes.js
@@ -50,13 +50,15 @@ export const stripesShape = PropTypes.shape({
     okapiReady: PropTypes.bool,
     tenant: PropTypes.string.isRequired,
     token: PropTypes.string,
+    isAuthenticated: PropTypes.bool,
     translations: PropTypes.object,
     url: PropTypes.string.isRequired,
     withoutOkapi: PropTypes.bool,
   }).isRequired,
   plugins: PropTypes.object,
   setBindings: PropTypes.func.isRequired,
   setCurrency: PropTypes.func.isRequired,
+  setIsAuthenticated: PropTypes.func.isRequired,
   setLocale: PropTypes.func.isRequired,
   setSinglePlugin: PropTypes.func.isRequired,
   setTimezone: PropTypes.func.isRequired,