matt/port-nimara-client-portal
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

FEAT: Enhance authentication session management with configurable cookie domain and improved token refresh logic

Browse Source
This commit is contained in:
Matt
2025-06-16 17:53:43 +02:00
parent 3a83831a20
commit d436367ee6
11 changed files with 594 additions and 149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

159
docs/authentication-session-fixes.md Normal file
View File

@@ -0,0 +1,159 @@
# Authentication Session Fixes Summary
## Problem Description
Users were experiencing frequent logouts (every 5 minutes) and 502 errors when trying to re-login through Keycloak SSO. The authentication system was not properly managing session lifetimes and token refresh.
## Root Causes Identified
1. **Short Session Duration**: Cookie lifetime was tied to access token expiry (5 minutes) instead of SSO session duration
2. **No Automatic Token Refresh**: Tokens expired without automatic refresh, forcing manual re-login
3. **Cookie Domain Issues**: Hardcoded cookie domain causing potential CORS issues
4. **Poor Error Handling**: 502 errors weren't handled gracefully with retry logic
## Solutions Implemented
### 1. Fixed Session Cookie Duration
**Files Modified:**
- `server/api/auth/keycloak/callback.ts`
- `server/api/auth/refresh.ts`
- `server/api/auth/session.ts`
**Changes:**
- Changed cookie `maxAge` from access token lifetime (5 minutes) to SSO session duration (8 hours)
- Made cookie domain configurable via `COOKIE_DOMAIN` environment variable
- Separated access token lifetime from session cookie lifetime
```typescript
// Before
maxAge: tokenResponse.expires_in, // 5 minutes
// After
const sessionDuration = 8 * 60 * 60; // 8 hours in seconds
const cookieDomain = process.env.COOKIE_DOMAIN || '.portnimara.dev';
maxAge: sessionDuration,
domain: cookieDomain,
```
### 2. Implemented Auto-Refresh System
**New File:**
- `plugins/01.auth-refresh.client.ts`
**Features:**
- Automatically refreshes tokens 2 minutes before expiry
- Monitors session expiration client-side
- Handles tab visibility changes to refresh when user returns
- Graceful fallback to login page on refresh failure
**Key Functions:**
- `scheduleTokenRefresh()`: Schedules automatic token refresh
- `checkAndScheduleRefresh()`: Checks current session and schedules refresh
- Event listeners for route changes and tab visibility
### 3. Enhanced Error Handling
**Files Modified:**
- `composables/useCustomAuth.ts`
**Improvements:**
- Added retry logic for network errors (502, 503, etc.)
- Better distinction between auth failures (401) and network issues (5xx)
- Exponential backoff for retries
- Maintains auth state during network issues vs clearing on auth failures
### 4. Environment Configuration
**Files Modified:**
- `.env.example`
**New Variables:**
```env
# Cookie Configuration
COOKIE_DOMAIN=.portnimara.dev
# Keycloak Configuration (used by custom auth)
KEYCLOAK_CLIENT_SECRET=your-keycloak-client-secret
```
## Keycloak Admin Console Settings
These settings were configured in Keycloak to support longer sessions:
### Realm Settings → Tokens
- **SSO Session Idle**: 8 hours
- **SSO Session Max**: 12 hours
- **Access Token Lifespan**: 5 minutes (kept short for security)
- **Client Session Idle**: 8 hours
- **Client Session Max**: 12 hours
### Client Settings
- **Use Refresh Tokens**: ON
- **Refresh Token Max Reuse**: 0 (unlimited)
## How It Works Now
1. **Initial Login**: User authenticates via Keycloak, gets 8-hour session cookie
2. **Token Refresh**: Access tokens refreshed automatically every ~3 minutes
3. **Session Management**: Session lasts 8 hours or until user explicitly logs out
4. **Error Recovery**: Network errors trigger retries; auth errors trigger re-login
5. **Tab Management**: Returning to tab triggers session check and refresh if needed
## Expected Behavior
- **Users stay logged in**: For up to 8 hours of activity
- **No manual re-login**: Unless session truly expires or refresh tokens become invalid
- **Graceful error handling**: 502 errors are retried; true auth failures redirect to login
- **Background refresh**: Tokens refresh automatically without user interaction
## Testing
### Manual Testing
1. Login and monitor console logs for refresh scheduling
2. Leave tab open for >5 minutes, verify no logout
3. Close/reopen tab, verify automatic session restoration
4. Test with network disconnection/reconnection
### Console Logs to Monitor
```
[AUTH_REFRESH] Scheduling token refresh in: X ms
[AUTH_REFRESH] Attempting automatic token refresh...
[AUTH_REFRESH] Token refresh successful, scheduling next refresh
[CUSTOM_AUTH] Session check result: { authenticated: true, userId: 'xxx' }
```
## Troubleshooting
### Users Still Getting Logged Out
1. Check Keycloak realm token settings
2. Verify `COOKIE_DOMAIN` environment variable
3. Check browser console for refresh errors
4. Verify Keycloak client refresh token settings
### 502 Errors Persist
1. Check nginx configuration and upstream health
2. Verify network connectivity between services
3. Monitor nginx error logs for backend issues
4. Check if retry logic is working in browser console
### Refresh Not Working
1. Verify refresh tokens are being issued by Keycloak
2. Check client secret configuration
3. Monitor network tab for refresh API calls
4. Ensure auto-refresh plugin is loading (check console)
## Security Considerations
- Access tokens remain short-lived (5 minutes) for security
- Refresh tokens enable long sessions without storing access tokens long-term
- Session cookies are httpOnly, secure, and sameSite protected
- Domain restrictions prevent cross-site cookie access
## Future Enhancements
- [ ] Add user notification before session expiry
- [ ] Implement sliding session extension on user activity
- [ ] Add session management UI for users
- [ ] Monitor and alert on high refresh failure rates
- [ ] Add metrics for session duration and refresh success rates

89
docs/date-formatting-fix-summary.md Normal file
View File

@@ -0,0 +1,89 @@
# Date Formatting Consistency Fix
## Problem Identified
Two different creation dates were being displayed for the same interest record:
1. **Card description (mobile view)**: Showed "Created: 15/05/2025 02:06" ✅ (correct)
2. **Interests table summary**: Showed "Created: Dec 15, 1920 (104 years ago)" ❌ (incorrect)
## Root Cause Analysis
The issue was caused by **inconsistent date formatting functions** across different components:
- **InterestDetailsModal.vue**: Had a robust `formatDate` function that correctly handled multiple date formats (ISO, DD-MM-YYYY, YYYY-MM-DD)
- **interest-list.vue**: Had a simpler `formatDate` function that incorrectly parsed dates, causing the 1920 vs 2025 issue
## Solution Implemented
### 1. Created Unified Date Utilities (`utils/dateUtils.ts`)
```typescript
/**
* Unified date formatting utilities for consistent date display across the application
*/
export const formatDate = (dateString: string | null | undefined): string => {
// Handles multiple input formats: ISO, DD-MM-YYYY, YYYY-MM-DD, DD/MM/YYYY
// Returns format: DD/MM/YYYY HH:mm or DD/MM/YYYY
}
export const getRelativeTime = (dateString: string | null | undefined): string => {
// Returns: "Today", "Yesterday", "2 days ago", "3 weeks ago", etc.
}
export const formatDateUS = (dateString: string | null | undefined): string => {
// Returns US format: "Month DD, YYYY" (e.g., "Dec 15, 2025")
}
```
### 2. Updated Components to Use Unified Utilities
**interest-list.vue changes:**
- ✅ Added import: `import { formatDate, formatDateUS, getRelativeTime } from "@/utils/dateUtils"`
- ✅ Removed duplicate `formatDate` function (39 lines removed)
- ✅ Removed duplicate `getRelativeTime` function (32 lines removed)
- ✅ Now uses unified utilities for consistent date formatting
**InterestDetailsModal.vue changes:**
- ✅ Added import: `import { formatDate } from "@/utils/dateUtils"`
- ✅ Removed duplicate `formatDate` function (45 lines removed)
- ✅ Now uses unified utility for consistent date formatting
### 3. Robust Date Parsing Logic
The unified `formatDate` function handles multiple input formats:
- ✅ ISO dates: `"2025-06-09T22:58:47.731Z"`
- ✅ DD-MM-YYYY: `"15-05-2025"`
- ✅ DD/MM/YYYY: `"15/05/2025"`
- ✅ YYYY-MM-DD: `"2025-05-15"`
- ✅ Includes time when not midnight: `"15/05/2025 02:06"`
- ✅ Graceful error handling and fallbacks
## Result
**Both views now show consistent, correctly formatted dates**
**No more 1920 date errors**
**Unified date formatting across the entire application**
**Reduced code duplication (116 lines of duplicate code removed)**
**More maintainable and reliable date handling**
## Files Modified
1. `utils/dateUtils.ts` - **NEW** unified date utilities
2. `pages/dashboard/interest-list.vue` - Updated to use unified utilities
3. `components/InterestDetailsModal.vue` - Updated to use unified utilities
## Testing
- ✅ Development server runs without compilation errors
- ✅ Components load successfully with unified date formatting
- ✅ Ready for user testing to verify date consistency
## Benefits
1. **Consistency**: All date displays use the same formatting logic
2. **Maintainability**: Single source of truth for date formatting
3. **Reliability**: Robust parsing handles multiple date formats
4. **Extensibility**: Easy to add new date formatting functions as needed
5. **Performance**: Removed duplicate code and processing