Fix sse expiration token (#799)

* feat: enhance SSEManager to support token management and expiry handling

* test: add sse test

* fix conflicts

* refactor: add error handling for sse token refresh

Author: SalmaElsoly

backend/go.mod

@@ -5,6 +5,7 @@ go 1.25
 require (
 	github.com/cosmos/go-bip39 v1.0.0
 	github.com/gin-gonic/gin v1.11.0
+	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-retryablehttp v0.7.8

backend/go.sum

@@ -398,6 +398,7 @@ github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3i
 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
@@ -448,6 +449,7 @@ golang.org/x/exp v0.0.0-20250911091902-df9299821621 h1:2id6c1/gto0kaHYyrixvknJ8t
 golang.org/x/exp v0.0.0-20250911091902-df9299821621/go.mod h1:TwQYMMnGpvZyc+JpB/UAuTNIsVJifOlSkrZkhcvpVUk=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
 golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
@@ -456,6 +458,7 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
@@ -474,6 +477,8 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -502,6 +507,7 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
 golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=

backend/internal/api/app/app_dependencies.go

@@ -108,7 +108,7 @@ func createAppDependencies(ctx context.Context, config cfg.Configuration) (appDe
 		return appDependencies{}, err
 	}
 
-	appCommunication, err := createAppCommunication(config, appCore.db, appCore.ewfEngine, appCore.metrics)
+	appCommunication, err := createAppCommunication(config, appCore.db, appCore.ewfEngine, appCore.metrics, appSecurity.tokenManager)
 	if err != nil {
 		return appDependencies{}, err
 	}
@@ -228,7 +228,7 @@ func createAppSecurity(ctx context.Context, config cfg.Configuration) (appSecuri
 	}, nil
 }
 
-func createAppCommunication(config cfg.Configuration, db models.DB, ewfEngine *ewf.Engine, metrics *metrics.Metrics) (appCommunication, error) {
+func createAppCommunication(config cfg.Configuration, db models.DB, ewfEngine *ewf.Engine, metrics *metrics.Metrics, tokenManager auth.TokenManager) (appCommunication, error) {
 	var mailSender mailsender.MailSender
 	var mailContentFormatter mailcontentformatter.MailContentFormatter
 
@@ -242,7 +242,7 @@ func createAppCommunication(config cfg.Configuration, db models.DB, ewfEngine *e
 		mailContentFormatter = mailcontentformatter.NewMailHTMLFormatter()
 	}
 	mailService := mailservice.NewMailService(mailSender, mailContentFormatter, config)
-	sseManager := realtime.NewSSEManager()
+	sseManager := realtime.NewSSEManager(tokenManager)
 
 	notificationRepo := corepersistence.NewGormNotificationRepository(db)
 	userRepo := corepersistence.NewGormUserRepository(db)

backend/internal/infrastructure/realtime/sse.go

@@ -4,13 +4,14 @@ import (
 	"context"
 	"encoding/json"
 	"io"
+	"kubecloud/internal/auth"
 	"kubecloud/internal/core/models"
+	"kubecloud/internal/infrastructure/logger"
 	"net/http"
+	"strings"
 	"sync"
 	"time"
 
-	"kubecloud/internal/infrastructure/logger"
-
 	"github.com/gin-gonic/gin"
 )
 
@@ -23,10 +24,11 @@ const (
 
 // SSEManager handles Server-Sent Events for real-time notifications
 type SSEManager struct {
-	clients map[int][]chan SSEMessage // userID -> client channels
-	mu      sync.RWMutex
-	ctx     context.Context
-	cancel  context.CancelFunc
+	clients      map[int][]chan SSEMessage // userID -> client channels
+	mu           sync.RWMutex
+	ctx          context.Context
+	cancel       context.CancelFunc
+	tokenManager auth.TokenManager
 }
 
 // SSEMessage represents a server-sent event message
@@ -40,12 +42,13 @@ type SSEMessage struct {
 }
 
 // NewSSEManager creates a new SSE manager
-func NewSSEManager() *SSEManager {
+func NewSSEManager(tokenManager auth.TokenManager) *SSEManager {
 	ctx, cancel := context.WithCancel(context.Background())
 	manager := &SSEManager{
-		clients: make(map[int][]chan SSEMessage),
-		ctx:     ctx,
-		cancel:  cancel,
+		clients:      make(map[int][]chan SSEMessage),
+		ctx:          ctx,
+		cancel:       cancel,
+		tokenManager: tokenManager,
 	}
 
 	return manager
@@ -69,7 +72,7 @@ func (s *SSEManager) Stop() {
 }
 
 // AddClient adds a new client channel for a user
-func (s *SSEManager) AddClient(userID int) chan SSEMessage {
+func (s *SSEManager) addClient(userID int) chan SSEMessage {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
@@ -80,7 +83,7 @@ func (s *SSEManager) AddClient(userID int) chan SSEMessage {
 }
 
 // RemoveClient removes a client channel for a user
-func (s *SSEManager) RemoveClient(userID int, clientChan chan SSEMessage) {
+func (s *SSEManager) removeClient(userID int, clientChan chan SSEMessage) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
@@ -124,14 +127,23 @@ func (s *SSEManager) Notify(userID int, msgType string, severity models.Notifica
 			// Message sent successfully
 		case <-time.After(2 * time.Second):
 			// Client not responding, remove it
-			go s.RemoveClient(userID, ch)
+			go s.removeClient(userID, ch)
 		case <-s.ctx.Done():
 			return
 		}
 	}
 
 }
 
+// setupExpiryTimer creates a timer that fires when the token expires
+func (s *SSEManager) setupExpiryTimer(claims *auth.TokenClaims) *time.Timer {
+	if claims == nil || claims.ExpiresAt == nil {
+		return nil
+	}
+
+	return time.NewTimer(time.Until(claims.ExpiresAt.Time))
+}
+
 // HandleSSE handles SSE HTTP connections
 func (s *SSEManager) HandleSSE(c *gin.Context) {
 	userID := c.GetInt("user_id")
@@ -140,20 +152,48 @@ func (s *SSEManager) HandleSSE(c *gin.Context) {
 		return
 	}
 
+	// Extract token from query or Authorization header
+	tokenStr := c.Query("token")
+	if tokenStr == "" {
+		authHeader := c.GetHeader("Authorization")
+		if authHeader == "" || !strings.HasPrefix(authHeader, "Bearer ") {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
+			return
+		}
+		tokenStr = strings.TrimPrefix(authHeader, "Bearer ")
+	}
+
+	claims, err := s.tokenManager.VerifyToken(tokenStr)
+	if err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid token"})
+		return
+	}
+
+	// Setup token expiry enforcement timer using claims
+	expiryTimer := s.setupExpiryTimer(claims)
+	if expiryTimer != nil {
+		defer expiryTimer.Stop()
+	}
+
 	// Set SSE headers
 	c.Header("Content-Type", "text/event-stream")
 	c.Header("Cache-Control", "no-cache")
 	c.Header("Connection", "keep-alive")
 
 	// Add client and get channel
-	clientChan := s.AddClient(userID)
-	defer s.RemoveClient(userID, clientChan)
+	clientChan := s.addClient(userID)
+	defer s.removeClient(userID, clientChan)
 
 	log := logger.ForOperation("sse", "handle_connection").With().Int("user_id", userID).Logger()
 
 	// Send initial connection message
 	s.Notify(userID, "connected", models.NotificationSeverityInfo, map[string]string{"status": "connected"}, "")
 
+	var expiryC <-chan time.Time
+	if expiryTimer != nil {
+		expiryC = expiryTimer.C
+	}
+
 	// Stream messages to client
 	c.Stream(func(w io.Writer) bool {
 		select {
@@ -171,6 +211,10 @@ func (s *SSEManager) HandleSSE(c *gin.Context) {
 			c.SSEvent("message", string(data))
 			return true
 
+		case <-expiryC:
+			// Token expired (nil channel never fires)
+			return false
+
 		case <-c.Request.Context().Done():
 			log.Debug().Msg("Client disconnected")
 			return false

backend/internal/infrastructure/realtime/sse_test.go

@@ -10,7 +10,7 @@ import (
 )
 
 func TestNewSSEManager(t *testing.T) {
-	manager := NewSSEManager()
+	manager := NewSSEManager(nil)
 	if manager.clients == nil {
 		t.Error("clients map not initialized")
 	}
@@ -23,11 +23,11 @@ func TestNewSSEManager(t *testing.T) {
 }
 
 func TestSSEManager_AddClient(t *testing.T) {
-	manager := NewSSEManager()
+	manager := NewSSEManager(nil)
 	defer manager.Stop()
 
 	userID := 1
-	clientChan := manager.AddClient(userID)
+	clientChan := manager.addClient(userID)
 
 	if clientChan == nil {
 		t.Error("AddClient returned nil channel")
@@ -50,11 +50,11 @@ func TestSSEManager_AddClient(t *testing.T) {
 }
 
 func TestSSEManager_RemoveClient(t *testing.T) {
-	manager := NewSSEManager()
+	manager := NewSSEManager(nil)
 	defer manager.Stop()
 
 	userID := 1
-	clientChan := manager.AddClient(userID)
+	clientChan := manager.addClient(userID)
 
 	// Verify client exists
 	manager.mu.RLock()
@@ -66,7 +66,7 @@ func TestSSEManager_RemoveClient(t *testing.T) {
 	}
 
 	// Remove client
-	manager.RemoveClient(userID, clientChan)
+	manager.removeClient(userID, clientChan)
 
 	// Verify client was removed
 	manager.mu.RLock()
@@ -79,12 +79,12 @@ func TestSSEManager_RemoveClient(t *testing.T) {
 }
 
 func TestSSEManager_RemoveClient_MultipleClients(t *testing.T) {
-	manager := NewSSEManager()
+	manager := NewSSEManager(nil)
 	defer manager.Stop()
 
 	userID := 1
-	clientChan1 := manager.AddClient(userID)
-	clientChan2 := manager.AddClient(userID)
+	clientChan1 := manager.addClient(userID)
+	clientChan2 := manager.addClient(userID)
 
 	// Verify both clients exist
 	manager.mu.RLock()
@@ -96,7 +96,7 @@ func TestSSEManager_RemoveClient_MultipleClients(t *testing.T) {
 	}
 
 	// Remove first client
-	manager.RemoveClient(userID, clientChan1)
+	manager.removeClient(userID, clientChan1)
 
 	// Verify only second client remains
 	manager.mu.RLock()
@@ -112,11 +112,11 @@ func TestSSEManager_RemoveClient_MultipleClients(t *testing.T) {
 }
 
 func TestSSEManager_Notify(t *testing.T) {
-	manager := NewSSEManager()
+	manager := NewSSEManager(nil)
 	defer manager.Stop()
 
 	userID := 1
-	clientChan := manager.AddClient(userID)
+	clientChan := manager.addClient(userID)
 
 	data := map[string]string{"message": "test message", "status": "success"}
 
@@ -147,12 +147,12 @@ func TestSSEManager_Notify(t *testing.T) {
 }
 
 func TestSSEManager_Notify_MultipleClients(t *testing.T) {
-	manager := NewSSEManager()
+	manager := NewSSEManager(nil)
 	defer manager.Stop()
 
 	userID := 1
-	clientChan1 := manager.AddClient(userID)
-	clientChan2 := manager.AddClient(userID)
+	clientChan1 := manager.addClient(userID)
+	clientChan2 := manager.addClient(userID)
 
 	message := SSEMessage{
 		Type:     "test",
@@ -192,10 +192,10 @@ func TestSSEManager_Notify_MultipleClients(t *testing.T) {
 }
 
 func TestSSEManager_Stop(t *testing.T) {
-	manager := NewSSEManager()
+	manager := NewSSEManager(nil)
 
 	userID := 1
-	manager.AddClient(userID)
+	manager.addClient(userID)
 
 	// Stop the manager
 	manager.Stop()
@@ -250,11 +250,11 @@ func TestSSEMessage_JSONMarshal(t *testing.T) {
 }
 
 func TestSSEManager_Notify_WithTaskID(t *testing.T) {
-	manager := NewSSEManager()
+	manager := NewSSEManager(nil)
 	defer manager.Stop()
 
 	userID := 1
-	clientChan := manager.AddClient(userID)
+	clientChan := manager.addClient(userID)
 
 	taskID := "task-123"