fix(ui): harden SSO token validation and re-auth guard (#2045)

Address review feedback on PR #2051:
- jwt: treat a missing `exp` claim as expired instead of valid-forever, so a
  non-compliant/garbled id_token forces re-auth rather than being trusted.
- AuthContext: widen REAUTH_GUARD_WINDOW_MS 10s -> 60s so a slow IdP round-trip
  isn't misread as a failed redirect loop.
- Add jwt unit tests covering decode (valid/malformed) and isTokenExpired
  (future/past/missing exp).

Signed-off-by: Dmytro Rashko <dmitriy.rashko@amdocs.com>

Author: dimetron

ui/src/contexts/AuthContext.tsx

@@ -10,7 +10,9 @@ import { getCurrentUser, type CurrentUser, type AuthStatus } from "@/app/actions
 const SSO_REDIRECT_PATH = process.env.NEXT_PUBLIC_SSO_REDIRECT_PATH || "/oauth2/start";
 // Guards against redirect loops if re-auth keeps returning a stale token.
 const REAUTH_GUARD_KEY = "kagent_reauth_attempt";
-const REAUTH_GUARD_WINDOW_MS = 10_000;
+// Wide enough to cover a slow IdP round-trip so a genuinely in-flight re-auth
+// isn't misread as a failed loop, while still catching a fast redirect loop.
+const REAUTH_GUARD_WINDOW_MS = 60_000;
 
 interface AuthContextValue {
   user: CurrentUser | null;

ui/src/lib/__tests__/jwt.test.ts

@@ -0,0 +1,48 @@
+// `jose` is ESM-only and next/jest doesn't transform it, so mock decodeJwt with
+// a base64url payload parser that mirrors jose's behavior (decode-only, throws
+// on malformed input). isTokenExpired is pure and exercises the real code.
+jest.mock("jose", () => ({
+  decodeJwt: (token: string) => {
+    const parts = token.split(".");
+    if (parts.length < 2 || !parts[1]) {
+      throw new Error("Invalid JWT");
+    }
+    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
+  },
+}));
+
+import { decodeJWT, isTokenExpired } from "@/lib/jwt";
+
+function makeToken(payload: Record<string, unknown>): string {
+  const b64 = (obj: unknown) =>
+    Buffer.from(JSON.stringify(obj)).toString("base64url");
+  return `${b64({ alg: "none", typ: "JWT" })}.${b64(payload)}.`;
+}
+
+describe("decodeJWT", () => {
+  it("decodes a well-formed token's claims", () => {
+    const claims = decodeJWT(makeToken({ sub: "user-1", exp: 9999999999 }));
+    expect(claims).toMatchObject({ sub: "user-1", exp: 9999999999 });
+  });
+
+  it("returns null for a malformed token", () => {
+    expect(decodeJWT("not-a-jwt")).toBeNull();
+    expect(decodeJWT("")).toBeNull();
+  });
+});
+
+describe("isTokenExpired", () => {
+  it("is false for a token expiring in the future", () => {
+    const future = Math.floor(Date.now() / 1000) + 3600;
+    expect(isTokenExpired({ exp: future })).toBe(false);
+  });
+
+  it("is true for a token whose exp is in the past", () => {
+    const past = Math.floor(Date.now() / 1000) - 3600;
+    expect(isTokenExpired({ exp: past })).toBe(true);
+  });
+
+  it("is true when exp is missing (treated as expired, not valid-forever)", () => {
+    expect(isTokenExpired({})).toBe(true);
+  });
+});

ui/src/lib/jwt.ts

@@ -9,6 +9,9 @@ export function decodeJWT(token: string): JWTPayload | null {
 }
 
 export function isTokenExpired(claims: JWTPayload): boolean {
-  if (!claims.exp) return false;
+  // OIDC id_tokens are required to carry `exp`. Treat a missing `exp` as expired
+  // rather than valid-forever, so a non-compliant/garbled token triggers re-auth
+  // instead of being trusted indefinitely.
+  if (!claims.exp) return true;
   return Date.now() >= claims.exp * 1000;
 }