@peppescg peppescg commented Nov 20, 2025

Authentication Implementation

(Screen recording attached: Kapture.2025-11-20.at.18.32.32.mp4)

Implemented OIDC authentication with Better Auth and custom token management:

  • OIDC Flow: OAuth2 Authorization Code Flow with Okta
  • Custom Token Storage: Encrypted HTTP-only cookies for access & refresh tokens
  • Automatic Token Refresh: Transparent refresh when access token expires
  • Server-Side API Client: Secure token handling via Next.js Server Actions
  • Session Management: 7-day sessions with Better Auth cookie cache
  • Security: AES-256-GCM encryption, SameSite protection, HTTP-only cookies

Key Features:

  • Access tokens automatically refreshed before API calls
  • Tokens saved on both initial login and re-login (signout/signin flow)
  • Dedicated /api/auth/refresh-token endpoint for token refresh
  • Comprehensive test coverage for auth flows

See src/lib/auth/README.md for detailed architecture and flow diagrams.

Refresh token

(Screenshot attached: Screenshot 2025-11-20 at 18 40 44)

Authentication flow

(Screenshot attached: Screenshot 2025-11-20 at 18 41 19)
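The PR description above lists the cookie-protection properties (AES-256-GCM, HTTP-only, SameSite) and the Copilot summary mentions type guards on the decrypted payload. The following is an added example, not code from this PR or from Better Auth, showing what such a seal/open pair looks like with Node's built-in crypto. The TokenPayload shape, the use of the cookie name as additional authenticated data, the sample key and the cookie attribute string are assumptions for this illustration; the PR itself uses a JWE helper for the same job.

```typescript
// Added example (not the project's code): sealing OIDC tokens for an HTTP-only cookie
// with AES-256-GCM. Payload shape, AAD choice and cookie attributes are assumptions.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

export interface TokenPayload {
  accessToken: string;
  refreshToken: string;
  accessTokenExpiresAt: number;  // unix seconds
  refreshTokenExpiresAt: number; // unix seconds
}

export const IV_LENGTH = 12;  // 96-bit nonce, the recommended size for GCM
export const TAG_LENGTH = 16; // 128-bit authentication tag
export const KEY_LENGTH = 32; // AES-256

// Runtime type guard: decrypted JSON is still untrusted input until its shape is checked.
export function isTokenPayload(value: unknown): value is TokenPayload {
  if (typeof value !== "object" || value === null) return false;
  const o = value as Record<string, unknown>;
  return (
    typeof o.accessToken === "string" &&
    typeof o.refreshToken === "string" &&
    typeof o.accessTokenExpiresAt === "number" && Number.isFinite(o.accessTokenExpiresAt) &&
    typeof o.refreshTokenExpiresAt === "number" && Number.isFinite(o.refreshTokenExpiresAt)
  );
}

// Encrypt, then encode as base64url(iv || ciphertext || tag). The cookie name is bound
// in as AAD so a sealed value cannot be replayed under a different cookie name.
export function sealTokens(payload: TokenPayload, key: Buffer, cookieName: string): string {
  if (key.length !== KEY_LENGTH) throw new Error(`AES-256-GCM needs a ${KEY_LENGTH}-byte key`);
  const iv = randomBytes(IV_LENGTH); // fresh per seal: a GCM nonce must never repeat under one key
  const cipher = createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LENGTH });
  cipher.setAAD(Buffer.from(cookieName, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
  return Buffer.concat([iv, ciphertext, cipher.getAuthTag()]).toString("base64url");
}

// Returns null on any failure (wrong key, wrong cookie name, tampering, malformed JSON,
// unexpected shape) so the caller treats the cookie as absent instead of half-trusting it.
export function openTokens(sealed: string, key: Buffer, cookieName: string): TokenPayload | null {
  if (key.length !== KEY_LENGTH) return null;
  const raw = Buffer.from(sealed, "base64url");
  if (raw.length < IV_LENGTH + TAG_LENGTH) return null;
  const iv = raw.subarray(0, IV_LENGTH);
  const tag = raw.subarray(raw.length - TAG_LENGTH);
  const ciphertext = raw.subarray(IV_LENGTH, raw.length - TAG_LENGTH);
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LENGTH });
    decipher.setAAD(Buffer.from(cookieName, "utf8"));
    decipher.setAuthTag(tag);
    const plain = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
    const parsed: unknown = JSON.parse(plain);
    return isTokenPayload(parsed) ? parsed : null;
  } catch {
    return null; // GCM tag check failed or JSON was malformed
  }
}

// Set-Cookie attributes matching the properties the PR lists: HTTP-only, SameSite and a
// 7-day lifetime. Secure is included so the cookie never travels over plain HTTP.
export function tokenCookieHeader(cookieName: string, sealed: string, maxAgeSeconds = 7 * 24 * 3600): string {
  return `${cookieName}=${sealed}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${maxAgeSeconds}`;
}
```

The key must come from a secret store or environment variable as 32 raw bytes (for example a hex- or base64-encoded value decoded with Buffer.from), never from a password used directly; and because GCM fails closed, openTokens returning null is the signal to drop the cookie and send the user back through the login flow rather than to retry.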

@peppescg peppescg changed the title Issues/50 feat(auth): handle refresh token Nov 20, 2025
@peppescg peppescg self-assigned this Nov 20, 2025
@peppescg peppescg marked this pull request as ready for review November 20, 2025 17:43
Copilot AI review requested due to automatic review settings November 20, 2025 17:43
@peppescg peppescg linked an issue Nov 20, 2025 that may be closed by this pull request
Copilot finished reviewing on behalf of peppescg November 20, 2025 17:47

Copilot AI left a comment


Pull Request Overview

This PR implements comprehensive OIDC authentication with automatic token refresh functionality using Better Auth. The implementation adds encrypted token storage in HTTP-only cookies, automatic access token refresh when expired, and a dedicated refresh endpoint.

Key changes:

  • Custom token management with AES-256-GCM encryption for access and refresh tokens
  • Automatic token refresh flow via /api/auth/refresh-token endpoint
  • Server-side authenticated API client with transparent token handling
  • Database hooks to persist tokens on both initial login and re-login flows

Reviewed Changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 14 comments.

Summary per file:

  • src/lib/auth/types.ts: New TypeScript interfaces for OIDC token data and responses
  • src/lib/auth/utils.ts: Encryption/decryption utilities using JWE with type guards
  • src/lib/auth/constants.ts: Centralized auth configuration and environment variables
  • src/lib/auth/auth.ts: Core auth logic including Better Auth config, token refresh, and cookie management
  • src/lib/auth/token.ts: Token retrieval and refresh orchestration server actions
  • src/lib/auth/README.md: Comprehensive architecture documentation with flow diagrams
  • src/app/api/auth/refresh-token/route.ts: API route handler for token refresh requests
  • src/lib/api-client.ts: Authenticated API client factory with automatic token injection
  • src/app/catalog/actions.ts: Updated to use authenticated client
  • src/app/layout.tsx: Removed unnecessary api-client import
  • src/lib/auth/__tests__/auth.test.ts: Updated tests for token management without cookie deletion
  • src/lib/auth/__tests__/token.test.ts: Comprehensive test suite for token refresh flows
  • vitest.config.mts: Added OIDC_PROVIDER_ID environment variable for tests
  • src/mocks/server.ts: Removed biome-ignore comments (now handled by config)
  • src/mocks/mocker.ts: Code formatting improvements for long strings
  • biome.json: Updated schema version and disabled console warnings for mocks
  • dev-auth/README.md: Updated environment variable documentation
  • CLAUDE.md: Added detailed auth environment variable documentation
  • AGENTS.md: Added auth configuration details for AI agents

- Add Better Auth with OIDC (OAuth2 Authorization Code Flow)
- Implement custom token storage in encrypted HTTP-only cookies
- Add automatic access token refresh when expired
- Create dedicated /api/auth/refresh-token endpoint
- Fix race condition by creating new client instance per request
- Add fail-fast validation for API_BASE_URL env var
- Add refresh token expiration check before API call
- Add warning when provider doesn't return new refresh token
- Add account.update.after hook for re-login flow
- Add comprehensive auth documentation in src/lib/auth/README.md
- Add 22 unit tests for auth flows

Security improvements:
- AES-256-GCM encryption for token storage
- Server-side only API client (no token exposure to client)
- HTTP-only cookies (not accessible via JavaScript)
- SameSite protection
- 7-day session management with Better Auth cookie cache

Fixes #50
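The commit message above names three behaviours of the refresh step: refresh the access token before the API call, check the refresh token's own expiry first so the provider is not called with a dead token, and warn when the provider does not return a new refresh token. The block below is an added example, not the PR's token.ts, of the decision logic those bullets describe. The provider call is injected so it runs offline; the payload shape, the 30-second clock skew, the assumed 7-day lifetime of a rotated refresh token and the warn() sink are assumptions for this illustration.

```typescript
// Added example (not the project's code): "refresh before the API call" decision logic.
// Skew, rotated-refresh-token lifetime and the warn() sink are assumptions.
export interface TokenPayload {
  accessToken: string;
  refreshToken: string;
  accessTokenExpiresAt: number;  // unix seconds
  refreshTokenExpiresAt: number; // unix seconds
}

// Subset of an OAuth2 token response that matters here. refresh_token is optional:
// providers may not rotate it, and then the existing one must be kept.
export interface ProviderTokenResponse {
  access_token: string;
  expires_in: number; // seconds
  refresh_token?: string;
}

export type RefreshWithProvider = (refreshToken: string) => Promise<ProviderTokenResponse>;
export type Warn = (message: string) => void;

export const CLOCK_SKEW_SECONDS = 30;                       // assumed: refresh slightly early
export const ASSUMED_ROTATED_REFRESH_LIFETIME = 7 * 24 * 3600; // assumed lifetime of a rotated refresh token

export type RefreshDecision = "use-existing" | "refresh" | "expired";

// Pure decision: treat an access token as expired CLOCK_SKEW_SECONDS before its real
// expiry, and fail fast when the refresh token itself is already expired.
export function decideRefresh(tokens: TokenPayload, nowSeconds: number): RefreshDecision {
  if (tokens.accessTokenExpiresAt - CLOCK_SKEW_SECONDS > nowSeconds) return "use-existing";
  if (tokens.refreshTokenExpiresAt <= nowSeconds) return "expired";
  return "refresh";
}

// Pure merge of the provider's answer into the stored payload. When no new refresh token
// is returned, keep the old one and its expiry, and say so in the log.
export function mergeRefreshedTokens(
  previous: TokenPayload,
  response: ProviderTokenResponse,
  nowSeconds: number,
  warn: Warn,
): TokenPayload {
  const rotated = typeof response.refresh_token === "string" && response.refresh_token.length > 0;
  if (!rotated) warn("provider did not return a new refresh token; keeping the existing one");
  return {
    accessToken: response.access_token,
    accessTokenExpiresAt: nowSeconds + response.expires_in,
    refreshToken: rotated ? (response.refresh_token as string) : previous.refreshToken,
    refreshTokenExpiresAt: rotated ? nowSeconds + ASSUMED_ROTATED_REFRESH_LIFETIME : previous.refreshTokenExpiresAt,
  };
}

export class RefreshTokenExpiredError extends Error {
  constructor() {
    super("refresh token expired; the user must sign in again");
    this.name = "RefreshTokenExpiredError";
  }
}

// Thin async wrapper: the only I/O is the injected provider call.
export async function ensureFreshTokens(
  tokens: TokenPayload,
  refreshWithProvider: RefreshWithProvider,
  nowSeconds: number,
  warn: Warn,
): Promise<TokenPayload> {
  const decision = decideRefresh(tokens, nowSeconds);
  if (decision === "use-existing") return tokens;
  if (decision === "expired") throw new RefreshTokenExpiredError();
  const response = await refreshWithProvider(tokens.refreshToken);
  return mergeRefreshedTokens(tokens, response, nowSeconds, warn);
}
```

The caller passes the payload returned by ensureFreshTokens to a client built for that single request, which is the per-request construction the commit message uses to avoid the race between concurrent refreshes; on RefreshTokenExpiredError it clears the token cookie and redirects to sign-in instead of retrying.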
@stacklok stacklok deleted a comment from claude bot Nov 20, 2025
@peppescg peppescg merged commit 9442bec into main Nov 21, 2025
14 of 15 checks passed


Development

Successfully merging this pull request may close these issues.

[Task] support refreshToken