|
| 1 | +# WS auth-expiry handling (bd-3o8zmz46) |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +Diagnosed 2026-06-10: when the Google ID token (1 h `exp`) expires and GIS One |
| 6 | +Tap renewal is unavailable (observed `accounts.google.com/gsi/status` 403 in |
| 7 | +dev), the auth cookie is evicted by the browser and every Automerge WS upgrade |
| 8 | +gets 401 from the hub. The SPA never notices: |
| 9 | + |
| 10 | +- Browsers hide the HTTP status of a failed WS upgrade from JS, and nothing |
| 11 | + probes `/auth/me` out-of-band when sync drops. |
| 12 | +- `useAuth`'s visibilitychange handler resets `cookieSetAt = Date.now()` on |
| 13 | + every refocus where `/auth/me` still returns 200, drifting the assumed |
| 14 | + expiry up to an hour past the real one, so the `cookieExpired()` guards and |
| 15 | + the App's auth-lost effect never fire. |
| 16 | + |
| 17 | +Net effect: UI stays "logged in", shows "Connection lost — working offline", |
| 18 | +and the WS adapter retries forever. |
| 19 | + |
| 20 | +Evidence record (end-to-end): probed `ws://localhost:5173/ws` (Vite proxy) |
| 21 | +and `http://127.0.0.1:3000/ws` directly → both 401; user's DevTools showed |
| 22 | +the failing upgrades carry **no Cookie header** (cookie evicted at expiry); |
| 23 | +`fetch('/auth/me')` → 401 while the editor remained open; page reload landed |
| 24 | +on the login screen. |
| 25 | + |
| 26 | +**Offline-mode invariant (drives all fixes):** only a definitive 401/403 from |
| 27 | +a reachable hub may clear auth. Network errors, timeouts, and 5xx must never |
| 28 | +log the user out — offline editing is a feature. Logout on evidence, not on |
| 29 | +schedule. |
| 30 | + |
| 31 | +Related: bd-ey6jg70f (hub-minted sliding sessions, out of scope here). |
| 32 | + |
| 33 | +## Phase 1 — server: expose token expiry on /auth/me |
| 34 | + |
| 35 | +- [x] Failing test: `/auth/me` response includes `exp` (epoch seconds) equal |
| 36 | + to the token's `exp` claim |
| 37 | +- [x] Surface `exp` in `OidcClaims` (if not already deserialized) and add it |
| 38 | + to `AuthMeResponse` in `crates/quarto-hub/src/server.rs` |
| 39 | +- [x] Targeted tests pass (`cargo nextest run -p quarto-hub`) |
| 40 | + |
| 41 | +## Phase 2 — client: schedule from real expiry; offline-safe catches |
| 42 | + |
| 43 | +- [x] Failing tests (vitest, fake timers) for `useAuth`: |
| 44 | + - schedules silent refresh at `exp − 15 min` and hard re-check at `exp`, |
| 45 | + from the server-reported `exp` (not a local 1 h assumption) |
| 46 | + - refocus `/auth/me` 200 does NOT extend assumed expiry beyond server `exp` |
| 47 | + (the drift bug) |
| 48 | + - refocus `/auth/me` network error keeps auth (today: logs out) |
| 49 | + - expiry-time `/auth/me` network error keeps auth and reschedules a |
| 50 | + re-check (today: logs out) |
| 51 | + - expiry-time `/auth/me` 401 with failed renewal → auth cleared with |
| 52 | + `sessionExpired` flag |
| 53 | +- [x] Implement: `AuthState.expiresAt` (from `exp`, fallback +1 h if absent), |
| 54 | + remove `cookieSetAt` drift resets, offline-safe catch branches, |
| 55 | + `sessionExpired` state exposed from the hook |
| 56 | +- [x] Targeted vitest run green |
| 57 | + |
| 58 | +## Phase 3 — client: WS-failure auth probe + session-expired UX |
| 59 | + |
| 60 | +- [x] Failing tests for new `useAuthProbe` hook: |
| 61 | + - while sync is disconnected (and authed, project open): probes |
| 62 | + `/auth/me` immediately and then on an interval |
| 63 | + - probe 200 → no action; probe network error → no action (offline mode) |
| 64 | + - first 401/403 → `triggerRefresh()` only (renewal gets a chance) |
| 65 | + - second consecutive 401/403 → `onAuthRejected()` (clears auth) |
| 66 | + - reconnect / 200 resets the strike counter; probing stops when online |
| 67 | +- [x] Implement `useAuthProbe`, wire in `App.tsx` off `isOnline` |
| 68 | +- [x] LoginScreen shows "Session expired — please sign in again" when auth |
| 69 | + was cleared by evidence (distinct from the generic offline banner and |
| 70 | + from ordinary logout) |
| 71 | +- [x] Targeted vitest run green |
| 72 | + |
| 73 | +## Phase 4 — verification & bookkeeping |
| 74 | + |
| 75 | +- [x] `npm run build:all` from hub-client (production build is stricter) |
| 76 | +- [x] `npm run test:ci` from hub-client |
| 77 | +- [x] `cargo xtask verify` (full: quarto-hub Rust change + hub-client change) |
| 78 | +- [x] Commits (hub-client two-commit changelog dance), strand comment + close |
| 79 | +- [x] Honest E2E note: real-expiry flow needs a browser with a live Google |
| 80 | + session; record what was and wasn't exercised end-to-end |
| 81 | + |
| 82 | +## Design details |
| 83 | + |
| 84 | +- Probe three-way split maps directly onto `fetchAuthMe()`'s contract: |
| 85 | + `AuthState` = valid, `null` = definitive 401/403, throw = network/5xx. |
| 86 | +- Strike-2 semantics: first 401 triggers renewal; only a second 401 on the |
| 87 | + next probe cycle (~30 s later) clears auth. Avoids racing One Tap and |
| 88 | + avoids relying on One Tap callbacks ever firing (they may not when GIS is |
| 89 | + blocked — the coalesced `isRefreshing` flag would otherwise wedge). |
| 90 | +- Cold-starting the app while fully offline still lands on login (mount-time |
| 91 | + probe can't succeed; HttpOnly cookie unreadable client-side). Known |
| 92 | + limitation, unchanged by this strand; belongs to bd-ey6jg70f territory. |
| 93 | + |
| 94 | +## Verification record (2026-06-10) |
| 95 | + |
| 96 | +- `cargo xtask verify` (full): 9648 Rust tests passed; hub-client 574 unit + |
| 97 | + 66 integration + 81 wasm tests passed; WASM + production builds green. |
| 98 | +- New tests: `auth_me_returns_token_exp` (Rust); 5 expiry/offline tests in |
| 99 | + `useAuth.test.tsx`; 6 tests in `useAuthProbe.test.tsx`; 2 LoginScreen tests. |
| 100 | +- Commits: `465de01f` (fix), `329e3702` (changelog). |
| 101 | +- **E2E honesty note**: the real expiry flow (Google token aging past 1 h with |
| 102 | + One Tap blocked) was NOT exercised end-to-end in a browser — it needs a live |
| 103 | + Google session. Manual recipe: sign in, delete the `quarto_hub_token` cookie |
| 104 | + in DevTools → Application, restart the hub (drops the established WS); the |
| 105 | + client should attempt renewal within ~30 s and land on the login screen with |
| 106 | + the "session expired" message within ~60 s, instead of retrying forever. |
0 commit comments