Also check session as part of /api/auth/v1/status and add a (sub-optimal) async session validation to TS client's constructor when initialized with tokens.

Author: ignatz

examples/blog/web/src/layouts/Base.astro

@@ -39,6 +39,9 @@ const description = "TrailBase Example Blog Application";
     <meta name="title" content={title} />
     <meta name="description" content={description} />
 
+    {/* Disable favicon */}
+    <link rel="icon" href="data:image/png;base64,iVBORw0KGgo=" />
+
     <title>{title}</title>
 
     <ClientRouter />

trailbase-assets/js/client/src/index.ts

@@ -385,9 +385,29 @@ export class Client {
     this._client = new ThinClient(baseUrl ? new URL(baseUrl) : undefined);
     this._authChange = opts?.onAuthChange;
 
+    const tokens = opts?.tokens;
     // Note: this is a double assignment to _tokenState to ensure the linter
     // that it's really initialized in the constructor.
-    this._tokenState = this.setTokenState(buildTokenState(opts?.tokens), true);
+    this._tokenState = this.setTokenState(buildTokenState(tokens), true);
+
+    if (tokens?.refresh_token !== undefined) {
+      // Validate session. This is currently async, which allows to initialize
+      // a Client synchronously from invalid tokens. We may want to consider
+      // offering a safer async initializer to avoid "racy" behavior. Especially,
+      // when the auth token is valid while the session has already been closed.
+      this.checkAuthStatus()
+        .then((tokens) => {
+          if (tokens === undefined) {
+            // In this case, the auth state has changed, so we should invoke the callback.
+            this.setTokenState(buildTokenState(undefined), false);
+          } else {
+            // In this case, the auth state has remained the same, we're merely
+            // updating the reminted auth token.
+            this.setTokenState(buildTokenState(tokens), true);
+          }
+        })
+        .catch(console.error);
+    }
   }
 
   public static init(site?: URL | string, opts?: ClientOptions): Client {
@@ -488,20 +508,31 @@ export class Client {
     });
   }
 
-  public async checkCookies(): Promise<Tokens | undefined> {
-    const response = await this.fetch(`${authApiBasePath}/status`);
-    const status: LoginStatusResponse = await response.json();
-
-    const authToken = status?.auth_token;
-    if (authToken) {
-      const newState = buildTokenState({
-        auth_token: authToken,
-        refresh_token: status.refresh_token,
-        csrf_token: status.csrf_token,
-      });
+  /// This will call the status endpoint, which validates any provided tokens
+  /// but also hoists any tokens provided as cookies into a JSON response.
+  private async checkAuthStatus(): Promise<Tokens | undefined> {
+    const response = await this.fetch(`${authApiBasePath}/status`, {
+      throwOnError: false,
+    });
+    if (response.ok) {
+      const status: LoginStatusResponse = await response.json();
+      const auth_token = status.auth_token;
+      if (auth_token) {
+        return {
+          auth_token,
+          refresh_token: status.refresh_token,
+          csrf_token: status.csrf_token,
+        };
+      }
+    }
+    return undefined;
+  }
 
+  public async checkCookies(): Promise<Tokens | undefined> {
+    const tokens = await this.checkAuthStatus();
+    if (tokens) {
+      const newState = buildTokenState(tokens);
       this.setTokenState(newState);
-
       return newState.state?.tokens;
     }
   }
@@ -579,7 +610,7 @@ export class Client {
       return response;
     } catch (err) {
       if (err instanceof TypeError) {
-        throw Error(`Connection refused ${err}. TrailBase down or CORS?`);
+        console.debug(`Connection refused ${err}. TrailBase down or CORS?`);
       }
       throw err;
     }

trailbase-core/src/auth/api/login.rs

@@ -13,7 +13,7 @@ use utoipa::{IntoParams, ToSchema};
 use crate::app_state::AppState;
 use crate::auth::AuthError;
 use crate::auth::password::check_user_password;
-use crate::auth::tokens::{Tokens, mint_new_tokens};
+use crate::auth::tokens::{Tokens, mint_new_tokens, reauth_with_refresh_token};
 use crate::auth::user::DbUser;
 use crate::auth::util::{
   new_cookie, remove_cookie, user_by_email, validate_and_normalize_email_address,
@@ -206,29 +206,59 @@ pub(crate) async fn login_status_handler(
   State(state): State<AppState>,
   tokens: Option<Tokens>,
 ) -> Result<Json<LoginStatusResponse>, AuthError> {
-  let Some(tokens) = tokens else {
+  let Some(Tokens {
+    auth_token_claims,
+    refresh_token,
+  }) = tokens
+  else {
+    // Return Ok but all Nones.
     return Ok(Json(LoginStatusResponse {
       auth_token: None,
       refresh_token: None,
       csrf_token: None,
     }));
   };
 
-  let Tokens {
-    auth_token_claims,
-    refresh_token,
-  } = tokens;
+  // Decoding the auth token into its claims, already validated the therein contained expiration
+  // time (exp). But rather than just re-encoding it, we refresh it. This ensures that the
+  // session is still alive.
+  if let Some(refresh_token) = refresh_token {
+    let (auth_token_ttl, refresh_token_ttl) = state.access_config(|c| c.auth.token_ttls());
+    let claims = reauth_with_refresh_token(
+      &state,
+      refresh_token.clone(),
+      refresh_token_ttl,
+      auth_token_ttl,
+    )
+    .await?;
 
-  let auth_token = state
-    .jwt()
-    .encode(&auth_token_claims)
-    .map_err(|err| AuthError::Internal(err.into()))?;
+    let auth_token = state
+      .jwt()
+      .encode(&claims)
+      .map_err(|err| AuthError::Internal(err.into()))?;
 
-  return Ok(Json(LoginStatusResponse {
-    auth_token: Some(auth_token),
-    refresh_token,
-    csrf_token: Some(auth_token_claims.csrf_token),
-  }));
+    return Ok(Json(LoginStatusResponse {
+      auth_token: Some(auth_token),
+      refresh_token: Some(refresh_token),
+      csrf_token: Some(claims.csrf_token),
+    }));
+  } else {
+    // Fall back case: we don't have a refresh token so we cannot validate if a session is still
+    // alive. We could look-up sessions by user id, however there can be more than one session
+    // per user. Right now we return an OK with the original, re-encoded token. It may also make
+    // sense to return an error here, i.e. consider this entire API more of a session status rather
+    // than a token status.
+    let auth_token = state
+      .jwt()
+      .encode(&auth_token_claims)
+      .map_err(|err| AuthError::Internal(err.into()))?;
+
+    return Ok(Json(LoginStatusResponse {
+      auth_token: Some(auth_token),
+      refresh_token: None,
+      csrf_token: Some(auth_token_claims.csrf_token),
+    }));
+  }
 }
 
 pub struct NewTokens {