feat: Monadical SSO as replacement of Fief (#393)

* sso: first pass for integrating SSO still have issue on refreshing maybe customize the login page, or completely avoid it make 100% to understand how session server/client are working need to test with different configuration option (features flags and requireLogin) * sso: correctly handle refresh token, with pro-active refresh Going on interceptors make extra calls to reflector when 401. We need then to circle back with NextJS backend to update the jwt, session, then retry the failed request. I prefered to go pro-active, and ensure the session AND jwt are always up to date. A minute before the expiration, we'll try to refresh it. useEffect() of NextJS cannot be asynchronous, so we cannot wait for the token to be refreshed. Every 20s, a minute before the expiration (so 3x in total max) we'll try to renew. When the accessToken is renewed, the session is updated, and dispatching up to the client, which updates the useApi(). Therefore, no component will left without a incorrect token. * fixes: issue with missing key on react-select-search because the default value is undefined * sso: fixes login/logout button, and avoid seeing the login with authentik page when clicking * sso: ensure /transcripts/new is not behind protected page, and feature flags page are honored * sso: fixes user sub->id * fixes: remove old layout not used * fixes: set default NEXT_PUBLIC_SITE_URL as localhost * fixes: removing fief again due to merge with main * sso: ensure session is always ready before doing any action * sso: add migration from fief to jwt in server, only from transcripts list * fixes: user tests * fixes: compilation issues
2025-12-20 20:29:06 +00:00 · 2024-09-03 19:27:15 +02:00
parent 28fe6c11f7
commit 03561453c5
30 changed files with 707 additions and 280 deletions
--- a/www/app/lib/auth.ts
+++ b/www/app/lib/auth.ts
@@ -0,0 +1,101 @@
+import { AuthOptions } from "next-auth";
+import AuthentikProvider from "next-auth/providers/authentik";
+import { JWT } from "next-auth/jwt";
+import { JWTWithAccessToken, CustomSession } from "./types";
+
+const PRETIMEOUT = 60; // seconds before token expires to refresh it
+
+export const authOptions: AuthOptions = {
+  providers: [
+    AuthentikProvider({
+      clientId: process.env.AUTHENTIK_CLIENT_ID as string,
+      clientSecret: process.env.AUTHENTIK_CLIENT_SECRET as string,
+      issuer: process.env.AUTHENTIK_ISSUER,
+      authorization: {
+        params: {
+          scope: "openid email profile offline_access",
+        },
+      },
+    }),
+  ],
+  session: {
+    strategy: "jwt",
+  },
+  callbacks: {
+    async jwt({ token, account, user }) {
+      const extendedToken = token as JWTWithAccessToken;
+      if (account && user) {
+        // called only on first login
+        // XXX account.expires_in used in example is not defined for authentik backend, but expires_at is
+        const expiresAt = (account.expires_at as number) - PRETIMEOUT;
+
+        return {
+          ...extendedToken,
+          accessToken: account.access_token,
+          accessTokenExpires: expiresAt * 1000,
+          refreshToken: account.refresh_token,
+        };
+      }
+
+      if (Date.now() < extendedToken.accessTokenExpires) {
+        return token;
+      }
+
+      // access token has expired, try to update it
+      return await refreshAccessToken(token);
+    },
+    async session({ session, token }) {
+      const extendedToken = token as JWTWithAccessToken;
+      const customSession = session as CustomSession;
+      customSession.accessToken = extendedToken.accessToken;
+      customSession.accessTokenExpires = extendedToken.accessTokenExpires;
+      customSession.error = extendedToken.error;
+      customSession.user = {
+        id: extendedToken.sub,
+        name: extendedToken.name,
+        email: extendedToken.email,
+      };
+      return customSession;
+    },
+  },
+};
+
+async function refreshAccessToken(token: JWT) {
+  try {
+    const url = `${process.env.AUTHENTIK_REFRESH_TOKEN_URL}`;
+
+    const options = {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: new URLSearchParams({
+        client_id: process.env.AUTHENTIK_CLIENT_ID as string,
+        client_secret: process.env.AUTHENTIK_CLIENT_SECRET as string,
+        grant_type: "refresh_token",
+        refresh_token: token.refreshToken as string,
+      }).toString(),
+      method: "POST",
+    };
+
+    const response = await fetch(url, options);
+    if (!response.ok) {
+      throw new Error(`Failed to refresh access token: ${response.statusText}`);
+    }
+
+    const refreshedTokens = await response.json();
+    return {
+      ...token,
+      accessToken: refreshedTokens.access_token,
+      accessTokenExpires:
+        Date.now() + (refreshedTokens.expires_in - PRETIMEOUT) * 1000,
+      refreshToken: refreshedTokens.refresh_token,
+    };
+  } catch (error) {
+    console.error("Error refreshing access token", error);
+
+    return {
+      ...token,
+      error: "RefreshAccessTokenError",
+    };
+  }
+}