Linting, fixes, and small cleanup

AaronPlave · AaronPlave · commit 7e56f90d623e · 2026-02-17T14:15:46.000-08:00
diff --git a/src/lib/server/oidc.ts b/src/lib/server/oidc.ts
@@ -1,4 +1,4 @@
-import { browser, dev } from '$app/environment';
+import { dev } from '$app/environment';
 import { env } from '$env/dynamic/private';
 import type { MaybeToken, Rule } from '$lib/types/oidc';
 import { type Cookies, type RequestEvent } from '@sveltejs/kit';
@@ -51,10 +51,18 @@ function getSupportedAlgorithms(): jwt.Algorithm[] {
  *   - Your IdP's token mapper configuration
  */
 export const CLAIMS_CONFIG = {
-  get namespace() { return env.OIDC_CLAIMS_NAMESPACE || 'https://hasura.io/jwt/claims'; },
-  get userId() { return env.OIDC_CLAIMS_USER_ID || 'x-hasura-user-id'; },
-  get allowedRoles() { return env.OIDC_CLAIMS_ALLOWED_ROLES || 'x-hasura-allowed-roles'; },
-  get defaultRole() { return env.OIDC_CLAIMS_DEFAULT_ROLE || 'x-hasura-default-role'; },
+  get allowedRoles() {
+    return env.OIDC_CLAIMS_ALLOWED_ROLES || 'x-hasura-allowed-roles';
+  },
+  get defaultRole() {
+    return env.OIDC_CLAIMS_DEFAULT_ROLE || 'x-hasura-default-role';
+  },
+  get namespace() {
+    return env.OIDC_CLAIMS_NAMESPACE || 'https://hasura.io/jwt/claims';
+  },
+  get userId() {
+    return env.OIDC_CLAIMS_USER_ID || 'x-hasura-user-id';
+  },
 };
 
 /**
@@ -66,9 +74,9 @@ export const CLAIMS_CONFIG = {
  * @throws Error if required claims are missing
  */
 export function extractClaims(token: jwt.JwtPayload): {
-  userId: string;
   allowedRoles: string[];
   defaultRole: string;
+  userId: string;
 } {
   const namespace = token[CLAIMS_CONFIG.namespace];
   if (!namespace || typeof namespace !== 'object') {
@@ -88,10 +96,12 @@ export function extractClaims(token: jwt.JwtPayload): {
     );
   }
   if (!defaultRole || typeof defaultRole !== 'string') {
-    throw new Error(`JWT missing or invalid default role claim: ${CLAIMS_CONFIG.namespace}.${CLAIMS_CONFIG.defaultRole}`);
+    throw new Error(
+      `JWT missing or invalid default role claim: ${CLAIMS_CONFIG.namespace}.${CLAIMS_CONFIG.defaultRole}`,
+    );
   }
 
-  return { userId, allowedRoles, defaultRole };
+  return { allowedRoles, defaultRole, userId };
 }
 
 /**
@@ -240,8 +250,8 @@ export function verifyNonce(idToken: string, expectedNonce: string): void {
  *
  */
 export class Client {
-  private static _instance: Client;
   private static _initPromise: Promise<Client>;
+  private static _instance: Client;
 
   private authorizationEndpoint!: string;
   private client!: arctic.OAuth2Client;
diff --git a/src/lib/stores/auth.ts b/src/lib/stores/auth.ts
diff --git a/src/routes/+layout.ts b/src/routes/+layout.ts
@@ -1,17 +1,6 @@
 import '../css/app.css';
 import type { LayoutLoad } from './$types';
 
-import { browser } from '$app/environment';
-import { createClient } from 'graphql-ws';
-import { gqlWsClient, userStore } from '../lib/stores/auth';
-import { getClientOptions } from '../stores/subscribable';
-
 export const load: LayoutLoad = async ({ data }) => {
-  if (browser) {
-    userStore.set(data.user);
-    gqlWsClient.set(createClient(getClientOptions()));
-  }
-
-  // no PageData should be used client-side. but if it is accessed in other +page.ts or +layout.ts files, that should be okay, for SSR purposes. but anywhere on client, userStore should be used.
   return { ...data };
 };
diff --git a/src/routes/auth/changeRole/+server.ts b/src/routes/auth/changeRole/+server.ts
@@ -1,9 +1,9 @@
-import { dev } from '$app/environment';
+import { base } from '$app/paths';
 import type { RequestHandler } from '@sveltejs/kit';
 import { json } from '@sveltejs/kit';
 import type { CookieSerializeOptions } from 'cookie';
-import { computeRolesFromJWT } from '../../../hooks.server';
 import type { ChangeUserRoleRequestBody } from '../../../types/auth';
+import { computeRolesFromJWT } from '../../../utilities/auth';
 
 export const POST: RequestHandler = async event => {
   const body: ChangeUserRoleRequestBody = await event.request.json();
diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
@@ -8,19 +8,21 @@
   import { Button, Input, Label } from '@nasa-jpl/stellar-svelte';
   import AlertError from '../../components/ui/AlertError.svelte';
   import { SearchParameters } from '../../enums/searchParameters';
-  import { userStore } from '../../lib/stores/auth';
+  import { getUserStore } from '../../stores/user';
   import type { LoginResponseBody } from '../../types/auth';
   import { EXPIRED_JWT, hasNoAuthorization } from '../../utilities/permissions';
   import { removeQueryParam } from '../../utilities/url';
 
+  const user = getUserStore();
+
   let error: string | null = null;
   let fullError: string | null = null;
   let loginButtonText = 'Login';
   let password = '';
   let reason = $page.url.searchParams.get(SearchParameters.REASON);
   let username = '';
 
-  $: if ($userStore?.permissibleQueries && hasNoAuthorization($userStore)) {
+  $: if ($user?.permissibleQueries && hasNoAuthorization($user)) {
     error = 'You are not authorized';
     fullError =
       'You are not authorized to access the page that you attempted to view. Please contact a tool administrator to request access.';
@@ -85,9 +87,7 @@
 
     {#if isOidcEnabled()}
       <fieldset class="pt-4">
-        <div>
-          <Button type="button" on:click={() => goto(`${base}/oidc/login`)}>Login Using OIDC</Button>
-        </div>
+        <Button size="lg" type="button" on:click={() => goto(`${base}/oidc/login`)}>Login Using OIDC</Button>
       </fieldset>
     {:else}
       <fieldset>
diff --git a/src/routes/workspaces/[workspaceId]/actions/+page.svelte b/src/routes/workspaces/[workspaceId]/actions/+page.svelte
@@ -3,14 +3,16 @@
 <script lang="ts">
   import PageTitle from '../../../../components/app/PageTitle.svelte';
   import Actions from '../../../../components/sequencing/actions/Actions.svelte';
-  import { userStore } from '../../../../lib/stores/auth';
+  import { getUserStore } from '../../../../stores/user';
   import type { PageData } from './$types';
 
+  const user = getUserStore();
+
   export let data: PageData;
 
   const { initialWorkspace } = data;
 </script>
 
 <PageTitle title="Workspace: {initialWorkspace?.name} - Actions" />
 
-<Actions user={$userStore} workspace={initialWorkspace} />
+<Actions user={$user} workspace={initialWorkspace} />
diff --git a/src/utilities/requests.ts b/src/utilities/requests.ts
@@ -4,8 +4,8 @@ import type { BaseUser, User } from '../types/app';
 import type { BaseError, LogMessage } from '../types/errors';
 import type { ExtensionPayload, ExtensionResponse } from '../types/extension';
 import type { QueryVariables } from '../types/subscribable';
-import { INVALID_JWT } from '../utilities/permissions';
 import { ErrorTypes } from './errors';
+import { INVALID_JWT } from './permissions';
 
 /**
  * Used to make calls to application external to Aerie.
@@ -239,8 +239,16 @@ export async function reqHasura<T = any>(
           }
         }
       } else if (code === INVALID_JWT) {
-        // awaiting here only works if SSR is disabled
-        logout(error?.message);
+        // This should never be triggered in the OIDC case, because we have refreshes.
+        // In any case, we do the following:
+        //   * Display an error message.
+        //   * Tell the user they need to log in again
+        //   * Provide a way to do so.
+        // Don't automatically initiate logout.
+        console.error('Expired JWT in reqHasura for query:', query);
+        throw new Error(
+          `JWT Expired in reqHasura.\nCited Reason: ${json.errors[0]?.message ?? error?.message}\nFor query: ${query}.`,
+        );
       } else {
         errors.push({
           ...defaultError,
