STCOR-796 replace x-okapi-token credentials with RTR and cookies (#1410)

Move auth tokens into HTTP-only cookies and implement refresh token rotation (STCOR-671) by overriding global.fetch and global.XMLHttpRequest, disabling login when cookies are disabled (STCOR-762). This functionality is implemented behind an opt-in feature-flag (STCOR-763). Okapi and Keycloak do not handle the same situations in the same ways. Changes from the original implementation in PR #1376: * When a token is missing: * Okapi sends a 400 `text/plain` response * Keycloak sends a 401 `application/json` response * Keycloak authentication includes the extra step of exchanging the OTP for the AT/RT and that request needs the `credentials` and `mode` options * Some `loginServices` functions now retrieve the host the access from the `stripes-config` import instead of a function argument * always permit `/authn/token` requests to go through Refs STCOR-796, STCOR-671 (cherry picked from commit 0361353)
folio-org · Mar 28, 2024 · 5a42507 · 5a42507
1 parent 72d89d4
commit 5a42507
Show file tree

Hide file tree

Showing 14 changed files with 162 additions and 96 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -31,6 +31,7 @@
 * Add `idName` and `limit` as passable props to `useChunkedCQLFetch`. Refs STCOR-821.
 * Check for valid token before rotating during XHR send. Refs STCOR-817.
 * Remove `autoComplete` from `<ForgotPassword>`, `<ForgotUsername>` fields. Refs STCOR-742.
+* Use keycloak URLs in place of users-bl for tenant-switch. Refs US1153537.
 
 ## [10.0.3](https://github.com/folio-org/stripes-core/tree/v10.0.3) (2023-11-10)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.0.2...v10.0.3)
@@ -47,6 +48,8 @@
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.0.0...v10.0.1)
 
 * Export `validateUser`. Refs STCOR-749.
+* Opt-in: handle access-control via cookies. Refs STCOR-671.
+* Opt-in: disable login when cookies are disabled. Refs STCOR-762.
 
 ## [10.0.0](https://github.com/folio-org/stripes-core/tree/v10.0.0) (2023-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v9.0.0...v10.0.0)

diff --git a/src/components/Login/Login.js b/src/components/Login/Login.js
@@ -1,72 +1,45 @@
 import React, { Component } from 'react';
 import PropTypes from 'prop-types';
-import { connect as reduxConnect } from 'react-redux';
-import {
-  withRouter,
-  matchPath,
-} from 'react-router-dom';
-
-import { ConnectContext } from '@folio/stripes-connect';
-import {
-  requestLogin,
-  requestSSOLogin,
-} from '../../loginServices';
-import { setAuthError } from '../../okapiActions';
-
-class LoginCtrl extends Component {
-  static propTypes = {
-    authFailure: PropTypes.arrayOf(PropTypes.object),
-    ssoEnabled: PropTypes.bool,
-    autoLogin: PropTypes.shape({
-      username: PropTypes.string.isRequired,
-      password: PropTypes.string.isRequired,
-    }),
-    clearAuthErrors: PropTypes.func.isRequired,
-    history: PropTypes.shape({
-      push: PropTypes.func.isRequired,
-    }).isRequired,
-    location: PropTypes.shape({
-      pathname: PropTypes.string.isRequired,
-    }).isRequired,
-  };
+import { FormattedMessage } from 'react-intl';
+import { Field, Form } from 'react-final-form';
 
-  static contextType = ConnectContext;
+import { branding } from 'stripes-config';
 
-  constructor(props) {
-    super(props);
-    this.sys = require('stripes-config'); // eslint-disable-line global-require
-    this.authnUrl = this.sys.okapi.authnUrl;
-    this.okapiUrl = this.sys.okapi.url;
-    this.tenant = this.sys.okapi.tenant;
-    if (props.autoLogin && props.autoLogin.username) {
-      this.handleSubmit(props.autoLogin);
-    }
-  }
+import {
+  TextField,
+  Button,
+  Row,
+  Col,
+  Headline,
+} from '@folio/stripes-components';
 
-  componentWillUnmount() {
-    this.props.clearAuthErrors();
-  }
+import SSOLogin from '../SSOLogin';
+import OrganizationLogo from '../OrganizationLogo';
+import AuthErrorsContainer from '../AuthErrorsContainer';
+import FieldLabel from '../CreateResetPassword/components/FieldLabel';
 
-  handleSuccessfulLogin = () => {
-    if (matchPath(this.props.location.pathname, '/login')) {
-      this.props.history.push('/');
-    }
-  }
+import styles from './Login.css';
 
-  handleSubmit = (data) => {
-    return requestLogin({ okapi: this.sys.okapi }, this.context.store, this.tenant, data)
-      .then(this.handleSuccessfulLogin)
-      .catch(e => {
-        console.error(e); // eslint-disable-line no-console
-      });
-  }
+class Login extends Component {
+  static propTypes = {
+    ssoActive: PropTypes.bool,
+    authErrors: PropTypes.arrayOf(PropTypes.object),
+    onSubmit: PropTypes.func.isRequired,
+    handleSSOLogin: PropTypes.func.isRequired,
+  };
 
-  handleSSOLogin = () => {
-    requestSSOLogin(this.okapiUrl, this.tenant);
-  }
+  static defaultProps = {
+    authErrors: [],
+    ssoActive: false,
+  };
 
   render() {
-    const { authFailure, ssoEnabled } = this.props;
+    const {
+      authErrors,
+      handleSSOLogin,
+      ssoActive,
+      onSubmit,
+    } = this.props;
 
     const cookieMessage = navigator.cookieEnabled ?
       '' :
@@ -83,7 +56,6 @@ class LoginCtrl extends Component {
         </Row>);
 
     return (
-<<<<<<< HEAD
       <Form
         onSubmit={onSubmit}
         subscription={{ values: true }}
@@ -268,12 +240,4 @@ class LoginCtrl extends Component {
   }
 }
 
-const mapStateToProps = state => ({
-  authFailure: state.okapi.authFailure,
-  ssoEnabled: state.okapi.ssoEnabled,
-});
-const mapDispatchToProps = dispatch => ({
-  clearAuthErrors: () => dispatch(setAuthError([])),
-});
-
-export default reduxConnect(mapStateToProps, mapDispatchToProps)(withRouter(LoginCtrl));
+export default Login;
diff --git a/src/components/Login/index.js b/src/components/Login/index.js
@@ -1 +1 @@
-export { default } from './Login';
+export { default } from './LoginCtrl';
diff --git a/src/components/MainNav/MainNav.js b/src/components/MainNav/MainNav.js
@@ -120,13 +120,8 @@ class MainNav extends Component {
   returnToLogin() {
     const { okapi } = this.store.getState();
 
-    return getLocale(okapi.url, this.store, okapi.tenant).then(() => {
-      this.store.dispatch(clearOkapiToken());
-      this.store.dispatch(clearCurrentUser());
-      this.store.dispatch(resetStore());
-    })
-      .then(localforage.removeItem('okapiSess'))
-      .then(localforage.removeItem('loginResponse'));
+    return getLocale(okapi.url, this.store, okapi.tenant)
+      .then(sessionLogout(okapi.url, this.store));
   }
 
   // return the user to the login screen, but after logging in they will be brought to the default screen.

diff --git a/src/components/OIDCLanding.js b/src/components/OIDCLanding.js
@@ -47,8 +47,7 @@ const OIDCLanding = () => {
   const otp = getOtp();
 
   /**
-   * Exchange the otp for an access token, then use it to retrieve
-   * the user
+   * Exchange the otp for AT/RT cookies, then retrieve the user.
    *
    * See https://ebscoinddev.atlassian.net/wiki/spaces/TEUR/pages/12419306/mod-login-keycloak#mod-login-keycloak-APIs
    * for additional details. May not be necessary for SAML-specific pages
@@ -58,12 +57,14 @@ const OIDCLanding = () => {
   useEffect(() => {
     if (otp) {
       fetch(`${okapi.url}/authn/token?code=${otp}&redirect-uri=${window.location.protocol}//${window.location.host}/oidc-landing`, {
+        credentials: 'include',
         headers: { 'X-Okapi-tenant': okapi.tenant, 'Content-Type': 'application/json' },
+        mode: 'cors',
       })
         .then((resp) => {
           if (resp.ok) {
             return resp.json().then((json) => {
-              return requestUserWithPermsDeb(okapi.url, store, okapi.tenant, json.okapiToken);
+              return requestUserWithPermsDeb(okapi.url, store, okapi.tenant);
             });
           } else {
             return resp.json().then((error) => {

diff --git a/src/components/Root/FFetch.js b/src/components/Root/FFetch.js
@@ -165,9 +165,32 @@ export class FFetch {
   passThroughWithAT = (resource, options) => {
     return this.nativeFetch.apply(global, [resource, options && { ...options, ...OKAPI_FETCH_OPTIONS }])
       .then(response => {
-        // if the request failed due to a missing token, attempt RTR (which
-        // will then replay the original fetch if it succeeds), or die softly
-        // if it fails. return any other response as-is.
+        // certain 4xx responses indicate RTR problems (that need to be
+        // handled here) rather than application-specific problems (that need
+        // to bubble up to the applications themselves). Duplicate logic here
+        // is due to needing to parse different kinds of responses. Maybe it's
+        // JSON, maybe text. Srsly, Okapi??? :|
+        //
+        // 401/UnauthorizedException: from keycloak when the AT is missing
+        // 400/Token missing: from Okapi when the AT is missing
+        if (response.status === 401) {
+          const res = response.clone();
+          return res.json()
+            .then(message => {
+              if (Array.isArray(message.errors) && message.errors.length === 1) {
+                const error = message.errors[0];
+                if (error.type === 'UnauthorizedException' && error.code === 'authorization_error') {
+                  this.logger.log('rtr', '   (whoops, invalid AT; retrying)');
+                  return this.passThroughWithRT(resource, options);
+                }
+              }
+
+              // yes, it was a 401 but not a Keycloak 401:
+              // hand it back to the application to handle
+              return response;
+            });
+        }
+
         if (response.status === 400 && response.headers.get('content-type') === 'text/plain') {
           const res = response.clone();
           return res.text()

diff --git a/src/components/Root/FFetch.test.js b/src/components/Root/FFetch.test.js
@@ -102,6 +102,80 @@ describe('FFetch class', () => {
       expect(mockFetch.mock.calls[1][0]).toEqual('okapiUrl/authn/refresh');
       expect(response).toEqual('success');
     });
+
+    it('400 NOT token missing: bubbles failure up to the application', async () => {
+      mockFetch.mockResolvedValue(
+        new Response(
+          'Tolkien missing, send Frodo?',
+          {
+            status: 400,
+            headers: {
+              'content-type': 'text/plain',
+            },
+          }
+        ));
+      const testFfetch = new FFetch({ logger: { log } });
+      const response = await global.fetch('okapiUrl', { testOption: 'test' });
+      expect(mockFetch.mock.calls).toHaveLength(1);
+      expect(response.status).toEqual(400);
+    });
+
+    it('401 UnauthorizedException: triggers rtr...calls fetch 3 times, failed call, token call, successful call', async () => {
+      mockFetch.mockResolvedValue('success')
+        .mockResolvedValueOnce(new Response(
+          JSON.stringify({
+            'errors': [
+              {
+                'type': 'UnauthorizedException',
+                'code': 'authorization_error',
+                'message': 'Unauthorized'
+              }
+            ],
+            'total_records': 1
+          }),
+          {
+            status: 401,
+            headers: {
+              'content-type': 'application/json',
+            },
+          }
+        ))
+        .mockResolvedValueOnce(new Response(JSON.stringify({
+          accessTokenExpiration: new Date().getTime() + 1000,
+          refreshTokenExpiration: new Date().getTime() + 2000,
+        }), { ok: true }));
+      const testFfetch = new FFetch({ logger: { log } });
+      const response = await global.fetch('okapiUrl', { testOption: 'test' });
+      expect(mockFetch.mock.calls).toHaveLength(3);
+      expect(mockFetch.mock.calls[1][0]).toEqual('okapiUrl/authn/refresh');
+      expect(response).toEqual('success');
+    });
+
+    it('401 NOT UnauthorizedException: bubbles failure up to the application', async () => {
+      mockFetch.mockResolvedValue(
+        new Response(
+          JSON.stringify({
+            'errors': [
+              {
+                'type': 'AuthorizedException',
+                'code': 'chuck_brown',
+                'message': 'Gong!'
+              }
+            ],
+            'total_records': 1
+          }),
+          {
+            status: 401,
+            headers: {
+              'content-type': 'application/json',
+            },
+          }
+        ));
+      const testFfetch = new FFetch({ logger: { log } });
+      const response = (await global.fetch('okapiUrl', { testOption: 'test' }));
+      expect(mockFetch.mock.calls).toHaveLength(1);
+      expect(response.status).toEqual(401);
+    });
   });
 
   describe('Calling an okapi fetch with expired AT...', () => {

diff --git a/src/loginServices.js b/src/loginServices.js
@@ -292,8 +292,8 @@ export function getUserLocale(okapiUrl, store, tenant, userId) {
  */
 export function getPlugins(okapiUrl, store, tenant) {
   return fetch(`${okapiUrl}/configurations/entries?query=(module==PLUGINS)`, {
-    headers: getHeaders(tenant, store.getState().okapi.token),
     credentials: 'include',
+    headers: getHeaders(tenant, store.getState().okapi.token),
     mode: 'cors',
   })
     .then((response) => {
@@ -385,7 +385,7 @@ function loadResources(store, tenant, userId) {
 
 /**
  * spreadUserWithPerms
- * return an object { user, perms } based on response from bl-users/self.
+ * return an object { user, perms } based on response from .../_self.
  *
  * @param {object} userWithPerms
  *
@@ -455,9 +455,9 @@ export async function logout(okapiUrl, store) {
  * Dispatch the session object, then return a Promise that fetches
  * and dispatches tenant resources.
  *
- * @param {object} store
- * @param {string} tenant
- * @param {string} token
+ * @param {object} store redux store
+ * @param {string} tenant tenant name
+ * @param {string} token access token [deprecated; prefer folioAccessToken cookie]
  * @param {*} data
  *
  * @returns {Promise}
@@ -476,7 +476,7 @@ export function createOkapiSession(store, tenant, token, data) {
 
   store.dispatch(setCurrentPerms(perms));
 
-  // if we can't parse tokenExpiration data, e.g. because data comes from `/bl-users/_self`
+  // if we can't parse tokenExpiration data, e.g. because data comes from `.../_self`
   // which doesn't provide it, then set an invalid AT value and a near-future (+10 minutes) RT value.
   // the invalid AT will prompt an RTR cycle which will either give us new AT/RT values
   // (if the RT was valid) or throw an RTR_ERROR (if the RT was not valid).
@@ -625,7 +625,7 @@ export function handleLoginError(dispatch, resp) {
 /**
  * processOkapiSession
  * create a new okapi session with the response from either a username/password
- * authentication request or a bl-users/_self request.
+ * authentication request or a .../_self request.
  * response body is shaped like
  * {
     'access_token': 'SOME_STRING',
@@ -665,7 +665,7 @@ export function processOkapiSession(store, tenant, resp, ssoToken) {
 
 /**
  * validateUser
- * return a promise that fetches from bl-users/self.
+ * return a promise that fetches from .../_self.
  * if successful, dispatch the result to create a session
  * if not, clear the session and token.
  *
@@ -678,7 +678,9 @@ export function processOkapiSession(store, tenant, resp, ssoToken) {
  */
 export function validateUser(okapiUrl, store, tenant, session) {
   const { token, user, perms, tenant: sessionTenant = tenant } = session;
-  return fetch(`${okapiUrl}/bl-users/_self`, {
+  const usersPath = okapi.authnUrl ? 'users-keycloak' : 'bl-users';
+
+  return fetch(`${okapiUrl}/${usersPath}/_self`, {
     headers: getHeaders(sessionTenant, token),
     credentials: 'include',
     mode: 'cors',
@@ -707,7 +709,7 @@ export function validateUser(okapiUrl, store, tenant, session) {
           token,
           tokenExpiration,
         }));
-        return loadResources(okapiUrl, store, sessionTenant, user.id);
+        return loadResources(store, sessionTenant, user.id);
       });
     } else {
       return logout(okapiUrl, store);
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		export { default } from './Login';
		export { default } from './LoginCtrl';