Skip to content

Re-authenticate instead of going blank when the session is lost#3042

Merged
dvdstelt merged 6 commits into
masterfrom
fix-auth-blank-on-token-expiry
Jun 29, 2026
Merged

Re-authenticate instead of going blank when the session is lost#3042
dvdstelt merged 6 commits into
masterfrom
fix-auth-blank-on-token-expiry

Conversation

@dvdstelt

@dvdstelt dvdstelt commented Jun 24, 2026
edited
Loading

Copy link
Copy Markdown
Member

Problem

When OIDC auth is enabled and the access token expires (and silent renewal does
not succeed), App.vue renders nothing and the user has to manually refresh the
browser to recover.

App.vue gates the entire app behind shouldShowApp (authEnabled,
isAuthenticated, isAnonymousRoute). On token expiry, oidc-client-ts clears
the token, isAuthenticated flips to false, and that v-if renders nothing.
Nothing re-triggers authentication, so the page stays blank until a refresh
re-runs the auth flow on mount.

Fix

Watch for the session being lost while the app is running and re-trigger
authentication via the existing useAuth().authenticate() flow:

  • With a live identity-provider session this is a silent redirect round-trip and
    the user keeps working.
  • Otherwise the user lands on the provider's login page.
  • Skipped on anonymous routes (e.g. the logged-out page) and while a sign-in is
    already in progress, to avoid loops.

Tests

  • App.spec.ts: re-authenticates on token loss; does not while already
    authenticating; does not on an anonymous route.
  • Existing authentication integration specs still pass; typecheck and lint clean.

Notes

  • this is a pre-existing auth/session bug, so it targets master directly.
  • Renewal reliability itself (so the token rarely lapses in the first place) is an
    identity-provider configuration concern (the provider must grant offline_access
    so a refresh token is issued); ServicePulse already requests it.

@dvdstelt dvdstelt requested a review from ramonsmits June 24, 2026 23:21
@dvdstelt dvdstelt changed the base branch from authorization to master June 25, 2026 00:15
@dvdstelt
🐛 Re-authenticate instead of going blank when the session is lost
a9b62fe 
App.vue renders the whole app behind shouldShowApp (authEnabled, isAuthenticated,
isAnonymousRoute). When the access token expired and silent renewal failed,
isAuthenticated flipped to false and the app rendered nothing, requiring a manual
browser refresh to recover.

Watch for the session being lost while running and re-trigger authentication: with
a live identity-provider session this is a silent redirect round-trip; otherwise the
user lands on the provider's login page. Skipped on anonymous routes and while a
sign-in is already in progress.
@dvdstelt dvdstelt force-pushed the fix-auth-blank-on-token-expiry branch from 5bdb083 to a9b62fe Compare June 25, 2026 00:21
@ramonsmits ramonsmits requested a review from PhilBastian June 25, 2026 08:56
@PhilBastian PhilBastian requested a review from johnsimons June 25, 2026 09:05
PhilBastian
PhilBastian reviewed Jun 26, 2026
View reviewed changes
Comment thread src/Frontend/src/App.vue Outdated
@dvdstelt
♻️ Recover lost sessions from OIDC events in useAuth, not an App.vue …
ee3d788 
…watch

Addresses review feedback on #3042: the re-authentication logic doesn't belong in
App.vue, and watching the isAuthenticated proxy state is indirect. Move recovery into
the auth domain: useAuth now reacts to the addAccessTokenExpired and addSilentRenewError
OIDC events directly and re-authenticates via signinRedirect, guarded against re-entrancy
and the logged-out route. This also distinguishes session loss from an intentional logout
(addUserUnloaded), which must not re-trigger authentication, and recovers proactively on a
silent-renewal error instead of waiting for the token to fully expire.

App.vue is now display-only. Its spec covers the layout gating; useAuth.spec covers the
event-driven recovery.
johnsimons
johnsimons reviewed Jun 26, 2026
View reviewed changes
Comment thread src/Frontend/src/App.spec.ts Outdated
Comment thread src/Frontend/src/App.vue
Comment thread src/Frontend/src/composables/useAuth.ts Outdated
Comment thread src/Frontend/src/composables/useAuth.ts Outdated
Comment thread src/Frontend/src/composables/useAuth.ts Outdated
PhilBastian
PhilBastian approved these changes Jun 28, 2026
View reviewed changes

@PhilBastian PhilBastian left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good with John's suggested changes

ramonsmits and others added 4 commits June 29, 2026 09:06
@ramonsmits @johnsimons
Apply suggestions from code review
d374411 
Co-authored-by: John Simons <john@thesimonshouse.com>
@ramonsmits
revert comment
6809363
@ramonsmits
♻️ Remove App.spec.ts — App.vue is untouched by this PR
23f5a90 
The recovery fix lives in useAuth.ts and is covered by useAuth.spec.ts.
App.spec.ts only exercised pre-existing App.vue layout gating that this
PR does not change, so it is out of scope.
@ramonsmits
🎨 Fix indentation of OIDC session-recovery event handlers
995c69d 
The addAccessTokenExpired/addSilentRenewError handlers were flush at
column 0 with mixed tabs/spaces. Indent them to match the surrounding
block (Prettier clean).
@dvdstelt dvdstelt merged commit faabd58 into master Jun 29, 2026
5 checks passed
@dvdstelt dvdstelt deleted the fix-auth-blank-on-token-expiry branch June 29, 2026 07:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@johnsimons johnsimons johnsimons left review comments
@warwickschroeder warwickschroeder warwickschroeder approved these changes
@PhilBastian PhilBastian PhilBastian approved these changes
@ramonsmits ramonsmits Awaiting requested review from ramonsmits

Assignees

@dvdstelt dvdstelt

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@dvdstelt @johnsimons @warwickschroeder @PhilBastian @ramonsmits