Fixed stored credentials reset issues. Added check for stored token expiration. (#943)

Author: azaslonov

src/apim.runtime.module.ts

@@ -68,7 +68,7 @@ import { BalloonBindingHandler, ResizableBindingHandler } from "@paperbits/core/
 import { TagInput } from "./components/tag-input/tag-input";
 import { ViewStack } from "@paperbits/core/ko/ui/viewStack";
 import { OAuthService } from "./services/oauthService";
-import { DefaultSessionManager } from "./authentication/sessionManager";
+import { DefaultSessionManager } from "./authentication/defaultSessionManager";
 
 export class ApimRuntimeModule implements IInjectorModule {
     public register(injector: IInjector): void {

src/authentication/accessToken.ts

@@ -54,9 +54,7 @@ export class AccessToken {
 
     private static parseBearerToken(value: string): AccessToken {
         const decodedToken = Utils.parseJwt(value);
-        const exp = moment(decodedToken.exp).toDate();
-
-        return new AccessToken("Bearer", value, exp);
+        return new AccessToken("Bearer", value, decodedToken.exp);
     }
 
     public static parse(token: string): AccessToken {

src/authentication/defaultSessionManager.ts

@@ -1,14 +1,21 @@
-export interface SessionManager {
-    /**
-     * Returns stored value.
-     * @param key 
-     */
-    getItem<T>(key: string): Promise<T>;
-
-    /**
-     * Stores value with specified key.
-     * @param key {string} Stored value key.
-     * @param value {T} Stored value.
-     */
-    setItem<T>(key: string, value: T): Promise<void>;
+import { SessionManager } from "./sessionManager";
+
+export class DefaultSessionManager implements SessionManager {
+    public async getItem<T>(key: string): Promise<T> {
+        const value = sessionStorage.getItem(key);
+
+        if (!value) {
+            return null;
+        }
+
+        return JSON.parse(value);
+    }
+
+    public async setItem<T>(key: string, value: T): Promise<void> {
+        sessionStorage.setItem(key, JSON.stringify(value));
+    }
+
+    public async removeItem(key: string): Promise<void> {
+        sessionStorage.removeItem(key);
+    }
 }

src/authentication/sessionManager.ts

@@ -1,10 +1,20 @@
-export class DefaultSessionManager {
-    public async getItem<T>(key: string): Promise<T> {
-        const value = sessionStorage.getItem(key);
-        return JSON.parse(value);
-    }
+export interface SessionManager {
+    /**
+     * Returns stored value.
+     * @param key 
+     */
+    getItem<T>(key: string): Promise<T>;
 
-    public async setItem<T>(key: string, value: T): Promise<void> {
-        sessionStorage.setItem(key, JSON.stringify(value));
-    }
+    /**
+     * Stores value with specified key.
+     * @param key {string} Stored value key.
+     * @param value {T} Stored value.
+     */
+    setItem<T>(key: string, value: T): Promise<void>;
+
+    /**
+     * Removes value with specified key.
+     * @param key {string} Stored value key.
+     */
+    removeItem(key: string): Promise<void>;
 }

src/components/operations/operation-details/ko/runtime/oauthSession.ts

@@ -1,6 +1,8 @@
+export interface StoredCredentials {
+    grantType: string;
+    accessToken: string;
+}
+
 export interface OAuthSession {
-    [apiName: string]: {
-        grantType: string;
-        accessToken: string;
-    };
+    [apiName: string]: StoredCredentials;
 }

src/components/operations/operation-details/ko/runtime/operation-console.ts

@@ -25,8 +25,8 @@ import { RouteHelper } from "../../../../../routing/routeHelper";
 import { TemplatingService } from "../../../../../services/templatingService";
 import { OAuthService } from "../../../../../services/oauthService";
 import { AuthorizationServer } from "../../../../../models/authorizationServer";
-import { SessionManager } from "./../../../../../authentication/defaultSessionManager";
-import { OAuthSession } from "./oauthSession";
+import { SessionManager } from "../../../../../authentication/sessionManager";
+import { OAuthSession, StoredCredentials } from "./oauthSession";
 
 const oauthSessionKey = "oauthSession";
 
@@ -527,23 +527,34 @@ export class OperationConsole {
 
         const api = this.api();
         const scopeOverride = api.authenticationSettings?.oAuth2?.scope;
-        const recordKey = this.getSessionRecordKey(authorizationServer.name, scopeOverride);
-        const oauthSession = await this.sessionManager.getItem<OAuthSession>(oauthSessionKey);
-        const record = oauthSession?.[recordKey];
+        const storedCredentials = await this.getStoredCredentials(authorizationServer.name, scopeOverride);
 
-        if (record) {
-            this.selectedGrantType(record.grantType);
-            this.setAuthorizationHeader(record.accessToken);
+        if (storedCredentials) {
+            this.selectedGrantType(storedCredentials.grantType);
+            this.setAuthorizationHeader(storedCredentials.accessToken);
         }
     }
 
-    private async getStoredCredentials(serverName: string, scopeOverride: string): Promise<string> {
+    private async getStoredCredentials(serverName: string, scopeOverride: string): Promise<StoredCredentials> {
         const oauthSession = await this.sessionManager.getItem<OAuthSession>(oauthSessionKey);
         const recordKey = this.getSessionRecordKey(serverName, scopeOverride);
-        const record = oauthSession?.[recordKey];
-        const accessToken = record?.accessToken;
+        const storedCredentials = oauthSession?.[recordKey];
+
+        try {
+            /* Trying to check if it's a JWT token and, if yes, whether it got expired. */
+            const jwtToken = Utils.parseJwt(storedCredentials.accessToken.replace(/^bearer /i, ""));
+            const now = Utils.getUtcDateTime();
+
+            if (now > jwtToken.exp) {
+                await this.clearStoredCredentials();
+                return null;
+            }
+        }
+        catch (error) {
+            // do nothing
+        }
 
-        return accessToken;
+        return storedCredentials;
     }
 
     private async setStoredCredentials(serverName: string, scopeOverride: string, grantType: string, accessToken: string): Promise<void> {
@@ -558,12 +569,17 @@ export class OperationConsole {
         await this.sessionManager.setItem<object>(oauthSessionKey, oauthSession);
     }
 
+    private async clearStoredCredentials(): Promise<void> {
+        await this.sessionManager.removeItem(oauthSessionKey);
+        this.removeAuthorizationHeader();
+    }
+
     /**
      * Initiates specified authentication flow.
      * @param grantType OAuth grant type, e.g. "implicit" or "authorizationCode".
      */
     public async authenticateOAuth(grantType: string): Promise<void> {
-        this.removeAuthorizationHeader();
+        await this.clearStoredCredentials();
 
         if (!grantType) {
             return;
@@ -573,10 +589,10 @@ export class OperationConsole {
         const authorizationServer = this.authorizationServer();
         const scopeOverride = api.authenticationSettings?.oAuth2?.scope;
         const serverName = authorizationServer.name;
-        const storedAccessToken = await this.getStoredCredentials(serverName, scopeOverride);
+        const storedCredentials = await this.getStoredCredentials(serverName, scopeOverride);
 
-        if (storedAccessToken) {
-            this.setAuthorizationHeader(storedAccessToken);
+        if (storedCredentials) {
+            this.setAuthorizationHeader(storedCredentials.accessToken);
             return;
         }
 

src/contracts/jwtToken.ts

@@ -4,8 +4,6 @@ export interface JwtToken {
      */
     acr: string;
 
-    aio: string;
-
     /**
      * Authentication methods array
      */
@@ -16,19 +14,15 @@ export interface JwtToken {
      */
     appid: string;
 
-    appidacr: string;
-
     /**
      * Audience (who or what the token is intended for)
      */
     aud: string;
 
-    deviceid: string;
-
     /**
-     * Expiration time (seconds since Unix epoch)
+     * Expiration time (UTC)
      */
-    exp: number;
+    exp: Date;
 
     /**
      * Family name of the user
@@ -40,12 +34,10 @@ export interface JwtToken {
      */
     given_name: string;
 
-    hasgroups: string;
-
     /**
-     * Issued at (seconds since Unix epoch)
+     * Issued at (UTC)
      */
-    iat: number;
+    iat: Date;
 
     /**
      * IP address
@@ -56,30 +48,21 @@ export interface JwtToken {
      * Issuer (who created and signed this token)
      */
     iss: string;
-    name: string;
 
     /**
-     * Not valid before (seconds since Unix epoch)
+     * Not valid before (UTC).
      */
-    nbf: number;
+    nbf: Date;
 
     /**
      * Object ID.
      */
     oid: string;
-    onprem_sid: string;
-    puid: string;
-    scp: string;
 
     /**
      * Subject (whom the token refers to)
      */
     sub: string;
-    tid: string;
-    unique_name: string;
-    upn: string;
-    uti: string;
-    ver: string;
 
     /**
      * Email address.

src/services/oauthService.ts

@@ -9,7 +9,7 @@ import { PageContract } from "../contracts/page";
 import { OpenIdConnectProviderContract } from "../contracts/openIdConnectProvider";
 import { OpenIdConnectProvider } from "./../models/openIdConnectProvider";
 import { OpenIdConnectMetadata } from "./../contracts/openIdConnectMetadata";
-import { AppError } from "../errors";
+
 
 export class OAuthService {
     constructor(

src/utils.ts

@@ -2,6 +2,7 @@ import { ArmResource } from "./contracts/armResource";
 import { NameValuePair } from "request";
 import { JwtToken } from "./contracts/jwtToken";
 import { js } from "js-beautify";
+import { off } from "process";
 
 export class Utils {
     public static getResourceName(resource: string, fullId: string, resultType: string = "name"): string {
@@ -270,8 +271,24 @@ export class Utils {
     public static parseJwt(jwtToken: string): JwtToken {
         const base64Url = jwtToken.split(".")[1];
         const base64 = base64Url.replace("-", "+").replace("_", "/");
+        const decodedToken = JSON.parse(window.atob(base64));
 
-        return JSON.parse(window.atob(base64));
+        const now = new Date();
+        const offset = now.getTimezoneOffset() * 60000 * 1000;
+
+        if (decodedToken.exp) {
+            decodedToken.exp = new Date(decodedToken.exp + offset);
+        }
+
+        if (decodedToken.nfb) {
+            decodedToken.nfb = new Date(decodedToken.nfb + offset);
+        }
+
+        if (decodedToken.iat) {
+            decodedToken.iat = new Date(decodedToken.iat + offset);
+        }
+
+        return decodedToken;
     }
 
     public static scrollTo(id: string): void {
@@ -338,7 +355,7 @@ export class Utils {
 
         return utc;
     }
-    
+
     public static readFileAsByteArray(file: File): Promise<Uint8Array> {
         return new Promise<Uint8Array>(resolve => {
             const reader = new FileReader();