Commit Graph

10 Commits

Author SHA1 Message Date
Igor Loskutov
1b22eabb3f session auto refresh blink 2025-09-03 08:33:13 -04:00
Igor Loskutov
08b82c76ce normalize auth provider 2025-09-03 07:10:20 -04:00
Igor Loskutov
5e4f519c83 compile fix 2025-09-02 19:12:04 -04:00
Igor Loskutov
31c44ac0bb fix auth 2025-09-02 14:44:10 -04:00
Igor Loskutov
5ffc312d4a authReady callback simplify 2025-09-02 14:00:13 -04:00
Igor Loskutov
11ed585cea self-review-fix 2025-09-02 13:04:43 -04:00
0df1b224f2 fix: handle undefined access tokens in auth.ts
Added fallback to empty string for potentially undefined access_token
and refresh_token from NextAuth account object to satisfy
JWTWithAccessToken type requirements.
2025-08-29 18:56:08 -06:00
485a263c0d refactor: remove Redis dependencies from frontend authentication
- Replace Redis/Redlock with in-memory cache for token management
- Remove @vercel/kv, ioredis, and redlock dependencies from package.json
- Implement simple lock mechanism for concurrent token refresh prevention
- Use Map-based cache with TTL for token storage
- Maintain same authentication flow without external dependencies

This simplifies the infrastructure requirements and removes the need for
Redis while maintaining the same functionality through in-memory caching.
2025-08-29 17:10:49 -06:00
833a5d1191 fix: sso refresh token race condition (#405)
With NextAuth, there is a race condition in the current implementation
of refreshToken when using multiple tabs. Because getSession() is broadcast
(or triggered by another component, window focus or such), we may ask
for the jwt() to be refreshed at the same time.

The problem is the first call will go correctly, while all other calls
will be rejected as they are using a revoked token.

This Redis lock is per-user, and will use the Redis lock as a source of
truth.
2024-09-05 00:47:02 +02:00
03561453c5 feat: Monadical SSO as replacement of Fief (#393)
* sso: first pass for integrating SSO

still have an issue on refreshing
maybe customize the login page, or completely avoid it
make 100% sure to understand how session server/client are working
need to test with different configuration options (feature flags and
requireLogin)

* sso: correctly handle refresh token, with pro-active refresh

Going with interceptors makes extra calls to the reflector on 401.
We then need to circle back with the NextJS backend to update the jwt,
session, then retry the failed request.

I preferred to go pro-active, and ensure the session AND jwt are always
up to date.

A minute before the expiration, we'll try to refresh it. useEffect() of
NextJS cannot be asynchronous, so we cannot wait for the token to be
refreshed.

Every 20s, a minute before the expiration (so 3x in total max), we'll try
to renew. When the accessToken is renewed, the session is updated and
dispatched up to the client, which updates the useApi().

Therefore, no component will be left with an incorrect token.

* fixes: issue with missing key on react-select-search because the default value is undefined

* sso: fixes login/logout button, and avoid seeing the login with authentik page when clicking

* sso: ensure /transcripts/new is not behind protected page, and feature flags page are honored

* sso: fixes user sub->id

* fixes: remove old layout not used

* fixes: set default NEXT_PUBLIC_SITE_URL as localhost

* fixes: removing fief again due to merge with main

* sso: ensure session is always ready before doing any action

* sso: add migration from fief to jwt in server, only from transcripts list

* fixes: user tests

* fixes: compilation issues
2024-09-03 19:27:15 +02:00