Handle token refresh and prevent duplicate extends #150
Open
amadulhaxxani wants to merge 2 commits into
Conversation
Wait for token refresh when extending session and guard against rapid duplicate requests. Added an `extending` flag and changed extendSessionAndCloseModal to call authService.refreshAuthenticationToken(this.authService.getToken()) and subscribe with take(1) and finalize to reset the flag. On success the token is replaced before closing the modal; on error a LogOutAction is dispatched and the modal is closed. Updated unit tests to mock getToken/refresh/replaceToken, verify refresh is called with current token, ensure replaceToken happens before modal close, handle refresh failures, prevent duplicate refresh calls, and ensure the modal only closes after the refresh completes. Also added required RxJS/operator imports.
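The guarded extend flow the description above outlines, as an added example that is not the PR's or the project's code: it assumes a minimal subscribe()-based stand-in for the project's RxJS observable (take(1) plus finalize) and a constructed fake AuthService, so that the duplicate-click guard and the "replaceToken before close" ordering can be checked without a backend.

```typescript
// Added example, not the project's code: models the guarded "Extend Session" flow from the PR.
// A minimal subscribe() stand-in replaces the project's RxJS observable (take(1)/finalize).
type Token = string;
interface Observer { next(fresh: Token): void; error(err: Error): void; }
interface Refresh { subscribe(observer: Observer): void; }
interface AuthService {
  getToken(): Token;
  refreshAuthenticationToken(current: Token): Refresh;
  replaceToken(fresh: Token): void;
}

export class IdleModal {
  private extending = false;          // guards against rapid duplicate requests
  closedCount = 0;                    // how many times the modal was closed
  logOutDispatched = 0;               // stands in for dispatching LogOutAction
  tokenAtClose: Token | null = null;  // token visible at the moment the modal closed
  private readonly auth: AuthService;
  constructor(auth: AuthService) { this.auth = auth; }
  // Returns true when a refresh was started, false when the click was ignored.
  extendSessionAndCloseModal(): boolean {
    if (this.extending) { return false; }
    this.extending = true;
    const done = () => { this.extending = false; };  // plays the role of finalize()
    this.auth.refreshAuthenticationToken(this.auth.getToken()).subscribe({
      // success: store the fresh token before the modal closes
      next: (fresh) => { this.auth.replaceToken(fresh); this.closeModal(); done(); },
      // failure: log out and close, so the user is never left "active" on a dead token
      error: () => { this.logOutDispatched++; this.closeModal(); done(); },
    });
    return true;
  }
  private closeModal(): void { this.closedCount++; this.tokenAtClose = this.auth.getToken(); }
}

// Constructed fake (hypothetical, not the project's AuthService): it holds the observer
// until the test settles the refresh, like an HTTP call that has not yet answered.
export class FakeAuthService implements AuthService {
  token: Token = 'old-token';       // constructed sample value
  refreshCalls: Token[] = [];       // tokens passed to refreshAuthenticationToken
  private pending: Observer | null = null;
  getToken(): Token { return this.token; }
  refreshAuthenticationToken(current: Token): Refresh {
    this.refreshCalls.push(current);
    return { subscribe: (observer) => { this.pending = observer; } };
  }
  replaceToken(fresh: Token): void { this.token = fresh; }
  completeRefresh(fresh: Token): void { const o = this.pending!; this.pending = null; o.next(fresh); }
  failRefresh(): void { const o = this.pending!; this.pending = null; o.error(new Error('refresh failed')); }
}
```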
Pull request overview
This PR updates the idle-session modal to ensure “Extend Session” actually refreshes the authentication token (instead of only clearing the idle flag), and adds a guard to prevent multiple rapid extension attempts. This aligns the UI session-extension flow with the app’s token refresh expectations, which is especially important for permission/role checks that depend on up-to-date token claims.
Changes:
- Add an `extending` guard to prevent duplicate “Extend Session” requests.
- Trigger `AuthService.refreshAuthenticationToken(...)` when extending the session and handle refresh failure by logging out.
- Extend unit tests around refresh, failure handling, and double-click hardening.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/app/shared/idle-modal/idle-modal.component.ts | Adds explicit token refresh on session extension and introduces duplicate-click prevention logic. |
| src/app/shared/idle-modal/idle-modal.component.spec.ts | Adds tests validating refresh behavior, failure handling, and rapid double-click prevention. |
…tion cleanup and use RefreshTokenSuccessAction
Problem description
When a user clicks “Extend Session” in the idle modal, the frontend only cleared an idle flag – it did not refresh the authentication token. As a result, the token could expire while the user was still considered “active” by the frontend. A hard refresh after extending would then load a stale or expired token, causing role/permission checks (e.g., `canSubmit`) to fail. The “New” submission button would disappear, and the collection modal would show empty data.

Analysis
The root cause is in `IdleModalComponent.extendSessionAndCloseModal()`. The method only called `setIdle(false)` and closed the modal. No network call was made to refresh the token.

Why this matters for Shibboleth users:
Shibboleth‑issued tokens rely on special groups (`sg` claim) derived from IdP headers. Without a fresh token after session extension, the user loses submit permissions when the token expires. This fix ensures the token is renewed on demand.

(Note: An additional backend issue was discovered – the backend strips the `sg` claim when refreshing a Shibboleth‑issued token. That issue must be fixed separately in the backend. This PR ensures the frontend performs the refresh correctly.)

Problems
No unexpected problems. The change is isolated to `idle-modal.component.ts` and its spec file. The implementation follows existing patterns (same refresh logic used by the automatic token timer).

Copilot review