UNPKG

@wristband/react-client-auth

Version:

A lightweight React SDK that pairs with your backend server auth to initialize and sync frontend sessions via secure session cookies.

wristband.dev

wristband-dev/react-client-auth

275 lines (272 loc) 11.7 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
import { jsx } from 'react/jsx-runtime'; import { useState, useRef, useMemo, useCallback, useEffect } from 'react'; import { WristbandAuthContext } from './wristband-auth-context.js'; import { AuthStatus } from '../types/auth-provider-types.js'; import apiClient from '../api/api-client.js'; import { validateAuthProviderLogoutUrl, validateAuthProviderSessionUrl, validateAuthProviderTokenUrl, resolveAuthProviderLoginUrl, isUnauthorizedError, is4xxError, delay } from '../utils/auth-provider-utils.js'; import { WristbandTokenError } from '../error/index.js'; const TOKEN_EXPIRATION_BUFFER_TIME_MS = 30000; const MAX_API_ATTEMPTS = 3; const API_RETRY_DELAY_MS = 100; /** * WristbandAuthProvider establishes an authenticated session with your backend server * by making a request to your session endpoint. It manages authentication state and * provides session data to all child components through React Context. * * This component should be placed near the root of your application to make authentication * state and session data available throughout your component tree. * * @example Basic usage * ```jsx * function App() { * return ( * <WristbandAuthProvider * loginUrl="/api/auth/login" * logoutUrl="/api/auth/logout" * sessionUrl="/api/auth/session" * > * <YourAppComponents /> * </WristbandAuthProvider> * ); * } * ``` * * * @example Using access tokens directly in React * ```jsx * function App() { * return ( * <WristbandAuthProvider * loginUrl="/api/auth/login" * logoutUrl="/api/auth/logout" * sessionUrl="/api/auth/session" * tokenUrl="/api/auth/token" * > * <YourAppComponents /> * </WristbandAuthProvider> * ); * } * ``` * * @example With custom session metadata handling * ```jsx * function App() { * const queryClient = useQueryClient(); * * return ( * <WristbandAuthProvider * loginUrl="/api/auth/login" * logoutUrl="/api/auth/logout" * sessionUrl="/api/auth/session" * transformSessionMetadata={(rawMetadata) => ({ * name: rawMetadata.displayName, * email: rawMetadata.email, * role: rawMetadata.userRole * })} * onSessionSuccess={(sessionData) => { * // Cache additional data in React Query * queryClient.setQueryData(['user-permissions'], sessionData.permissions); * }} * > * <YourAppComponents /> * </WristbandAuthProvider> * ); * } * ``` * * Once rendered, child components can access authentication state using the hooks: * - useWristbandAuth() - For authentication status (isAuthenticated, isLoading, authStatus, clearAuthData) * - useWristbandSession() - For session data (userId, tenantId, metadata) * - useWristbandToken() - For client-side token management, if applicable (getToken, clearToken) * * @template TSessionMetaData - Type for the transformed session metadata, if applicable. */ function WristbandAuthProvider({ children, csrfCookieName = 'CSRF-TOKEN', csrfHeaderName = 'X-CSRF-TOKEN', disableRedirectOnUnauthenticated = false, loginUrl, logoutUrl, onSessionSuccess, sessionUrl, tokenUrl = '', transformSessionMetadata, }) { // Internal State const [isAuthenticated, setIsAuthenticated] = useState(false); const [isLoading, setIsLoading] = useState(true); const [userId, setUserId] = useState(''); const [tenantId, setTenantId] = useState(''); const [metadata, setMetadata] = useState({}); const [accessToken, setAccessToken] = useState(''); const [accessTokenExpiresAt, setAccessTokenExpiresAt] = useState(0); // Tracks in-flight token requests to prevent duplicate API calls. const tokenRequestRef = useRef(null); // Convenience enum for users who don't want to check both isAuthenticated and isLoading const authStatus = isLoading ? AuthStatus.LOADING : isAuthenticated ? AuthStatus.AUTHENTICATED : AuthStatus.UNAUTHENTICATED; const { resolvedLoginUrl, validatedLogoutUrl, validatedSessionUrl, validatedTokenUrl } = useMemo(() => { // All validations happen first before any useEffect validateAuthProviderLogoutUrl(logoutUrl); validateAuthProviderSessionUrl(sessionUrl); if (tokenUrl) { validateAuthProviderTokenUrl(tokenUrl); } return { resolvedLoginUrl: resolveAuthProviderLoginUrl(loginUrl), validatedLogoutUrl: logoutUrl, validatedSessionUrl: sessionUrl, validatedTokenUrl: tokenUrl, }; }, [loginUrl, logoutUrl, sessionUrl, tokenUrl]); /** * Destroys all auth, session, and token data. */ const clearAuthData = useCallback(() => { clearToken(); setIsAuthenticated(false); setIsLoading(false); setTenantId(''); setUserId(''); setMetadata({}); }, []); /** * Allows setting of session metadata even after initial fetchSession() occurs. */ const updateMetadata = useCallback((newMetadata) => { setMetadata((prevData) => ({ ...prevData, ...newMetadata })); }, []); /** * Clear token cache and any in-flight token request. */ const clearToken = useCallback(() => { setAccessToken(''); setAccessTokenExpiresAt(0); tokenRequestRef.current = null; }, []); /** * Token management with deduplication and caching. Server handles token refresh using session * cookie, so client only needs to cache and deduplicate. */ const getToken = useCallback(async () => { if (!validatedTokenUrl || !validatedTokenUrl.trim()) { throw new WristbandTokenError('TOKEN_URL_NOT_CONFIGURED', 'Token URL not configured'); } if (!isAuthenticated) { throw new WristbandTokenError('UNAUTHENTICATED', 'User is not authenticated'); } // Check if we have a valid cached token (with 30 second buffer) if (accessToken && accessTokenExpiresAt > Date.now() + TOKEN_EXPIRATION_BUFFER_TIME_MS) { return accessToken; } // If there's already a token request in flight, return that promise if (tokenRequestRef.current) { return tokenRequestRef.current; } // Create new token request; server will handle refresh using session cookie const tokenRequest = (async () => { let lastError; try { for (let attempt = 1; attempt <= MAX_API_ATTEMPTS; attempt++) { try { const response = await apiClient.get(validatedTokenUrl, { csrfCookieName, csrfHeaderName }); const { accessToken: newToken, expiresAt } = response.data; setAccessToken(newToken); setAccessTokenExpiresAt(expiresAt); return newToken; } catch (error) { lastError = error; // If token fetch fails due to auth error, clear token state. if (isUnauthorizedError(error)) { setAccessToken(''); setAccessTokenExpiresAt(0); throw new WristbandTokenError('UNAUTHENTICATED', 'Token request unauthorized', error); } // If it's any other 4xx error, bail early (don't retry client errors). if (is4xxError(error)) { throw new WristbandTokenError('TOKEN_FETCH_FAILED', 'Failed to fetch token', error); } // If this is the last attempt, throw the last error if (attempt === MAX_API_ATTEMPTS) { break; } // Wait before retrying (only for 5xx errors and network issues) await delay(API_RETRY_DELAY_MS); } } // All attempts failed, so throw an error throw new WristbandTokenError('TOKEN_FETCH_FAILED', 'Failed to fetch token', lastError); } finally { // Clear the in-flight request tokenRequestRef.current = null; } })(); // Store the promise to prevent duplicate requests tokenRequestRef.current = tokenRequest; return tokenRequest; }, [isAuthenticated, accessToken, accessTokenExpiresAt]); /** * Bootstrap the application with the authenticated user's session data via session cookie. */ useEffect(() => { const fetchSession = async () => { let lastError; for (let attempt = 1; attempt <= MAX_API_ATTEMPTS; attempt++) { try { // The session API will let React know if the user has a previously authenticated session. // If so, it will initialize session data. const response = await apiClient.get(validatedSessionUrl, { csrfCookieName, csrfHeaderName, }); const { userId, tenantId, metadata: rawMetadata } = response.data; // Execute side effects callback before updating state if provided if (onSessionSuccess) { await Promise.resolve(onSessionSuccess(response.data)); } // Apply transformation if provided if (rawMetadata) { setMetadata(transformSessionMetadata ? transformSessionMetadata(rawMetadata) : rawMetadata); } // Update remaining context state last setTenantId(tenantId || ''); setUserId(userId || ''); setIsAuthenticated(true); setIsLoading(false); return; } catch (error) { lastError = error; // If it's a 4xx error, bail early (don't retry client errors) if (is4xxError(error)) { break; // Exit retry loop for client errors } // If this is the last attempt, don't delay if (attempt === MAX_API_ATTEMPTS) { break; } // Wait before retrying (only for 5xx errors and network issues) await delay(API_RETRY_DELAY_MS); } } console.log(lastError); if (disableRedirectOnUnauthenticated) { setIsAuthenticated(false); setIsLoading(false); } else { // Don't call logout on 401 to preserve the current page for when the user returns after re-authentication. window.location.href = isUnauthorizedError(lastError) ? resolvedLoginUrl : validatedLogoutUrl; } }; fetchSession(); // eslint-disable-next-line react-hooks/exhaustive-deps }, []); return (jsx(WristbandAuthContext.Provider, { value: { authStatus, clearAuthData, clearToken, getToken, isAuthenticated, isLoading, metadata, tenantId, updateMetadata, userId, }, children: children })); } export { WristbandAuthProvider };