From 05576ebb80214891257790bfa794369f280dbe14 Mon Sep 17 00:00:00 2001
From: Casey Dyer
Date: Tue, 21 May 2024 11:04:26 -0700
Subject: [PATCH 1/2] fix: add check for new access_denied error
---
 server/auth-router.js | 4 ++--
 src/util/KvAuth0.js | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/server/auth-router.js b/server/auth-router.js
index 28a9384885..e49b9b5737 100644
--- server/auth-router.js
+++ b/server/auth-router.js
@@ -165,8 +165,8 @@ module.exports = function authRouter(config = {}) {
 // Handle errors
 if (req.query.error && !silentAuth) {
- // Re-attempt login with the login form forced to display if unauthorized error happened
- if (req.query.error === 'unauthorized') {
+ // Re-attempt login with the login form forced to display if unauthorized/access_denied error happened
+ if (req.query.error === 'unauthorized' || req.query.error === 'access_denied') {
 req.query = {}; // Remove query params from previous auth attempt
 return passport.authenticate('auth0', {
 audience: config.auth0.apiAudience,
diff --git a/src/util/KvAuth0.js b/src/util/KvAuth0.js
index 7c010d9875..7b1bede14a 100644
--- src/util/KvAuth0.js
+++ b/src/util/KvAuth0.js
@@ -288,7 +288,10 @@ export default class KvAuth0 {
 this.webAuth.checkSession({}, (err, result) => {
 if (err) {
 this[setAuthData]();
- if (err.error === 'login_required' || err.error === 'unauthorized') {
+ if (err.error === 'login_required'
+ || err.error === 'unauthorized'
+ || err.error === 'access_denied'
+ ) {
 // User is not logged in, so continue without authentication
 this[noteLoggedOut]();
 resolve();
@@ -364,5 +367,5 @@ export const MockKvAuth0 = {
 checkSession: () => Promise.resolve({}),
 popupLogin: () => Promise.resolve({}),
 popupCallback: () => Promise.resolve({}),
- onError: () => {},
+ onError: () => { },
 };
From 5573ca64e2151665abacf2b1421e4b174ae1411e Mon Sep 17 00:00:00 2001
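Review bot: In the `checkSession` error handler of src/util/KvAuth0.js, the new `|| err.error === 'access_denied'` arm sends every denial down the silent logged-out path, while the comment under it still reads `// User is not logged in, so continue without authentication`. `access_denied` is a general OAuth error code, so it presumably also arrives when the provider refuses an account for reasons other than an expired session, and that case is now hidden from both the user and the logs. The follow-up patch in this series narrows the server-side check in server/auth-router.js to one specific description, which leaves the client matching more broadly than the server. I would either apply the same narrowing here or record the denial before `this[noteLoggedOut]()`, and update the comment to `// No usable session (login_required, unauthorized or access_denied): continue without authentication`. The handler body starts and ends outside the hunk.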
From: Casey Dyer
Date: Tue, 21 May 2024 12:57:34 -0700
Subject: [PATCH 2/2] fix: use desc instead
---
 server/auth-router.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/server/auth-router.js b/server/auth-router.js
index e49b9b5737..822080a6bc 100644
--- server/auth-router.js
+++ b/server/auth-router.js
@@ -165,8 +165,10 @@ module.exports = function authRouter(config = {}) {
 // Handle errors
 if (req.query.error && !silentAuth) {
- // Re-attempt login with the login form forced to display if unauthorized/access_denied error happened
- if (req.query.error === 'unauthorized' || req.query.error === 'access_denied') {
+ // Re-attempt login with the login form forced to display if unauthorized error happened
+ if (req.query.error === 'unauthorized'
+ || req.query.error_description?.toLowerCase() === 'session too old, login required'
+ ) {
 req.query = {}; // Remove query params from previous auth attempt
 return passport.authenticate('auth0', {
 audience: config.auth0.apiAudience,
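Review bot: `req.query.error_description?.toLowerCase()` in the new condition only guards against a missing parameter; if this is an Express router, a repeated `error_description` key is parsed into an array, and `.toLowerCase` then throws inside the callback handler instead of reaching the normal error path. Check the type first and tie the description to its error code, assuming the provider sends it with `access_denied` as the first patch suggests: `const desc = typeof req.query.error_description === 'string' ? req.query.error_description.toLowerCase() : '';` followed by `if (req.query.error === 'unauthorized' || (req.query.error === 'access_denied' && desc === 'session too old, login required')) {`. The literal looks like a message defined in the identity provider's configuration (not confirmable from the hunk), so a named constant with a comment saying where the text is defined would keep a wording change on that side from silently disabling this branch. The comment above the condition still mentions only the unauthorized error and should name the session-too-old case as well. The enclosing handler in `authRouter` starts and ends outside the hunk.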