Refresh authToken when it expires

Access tokens have lifetimes that might end before the user wants to end
their authenticated session. Hence, we need to refresh the user access token
after an expiry detection.

Resolves: #175

Signed-off-by: fenn-cs <[email protected]>

Author: nfebe

.env.example

@@ -40,3 +40,4 @@ PERMANENT_API_BASE_PATH=${LOCAL_TEMPORARY_AUTH_TOKEN}
 # See https://fusionauth.io/docs/v1/tech/apis/api-keys
 FUSION_AUTH_HOST=${FUSION_AUTH_HOST}
 FUSION_AUTH_KEY=${FUSION_AUTH_KEY}
+FUSION_AUTH_APP_ID=${FUSION_AUTH_APP_ID}

src/classes/AuthenticationSession.ts

@@ -15,10 +15,16 @@ enum FusionAuthStatusCode {
 export class AuthenticationSession {
   public authToken = '';
 
+  public refreshToken = '';
+
   public readonly authContext;
 
+  private authTokenExpiresAt = 0;
+
   private readonly fusionAuthClient;
 
+  private readonly fusionAuthAppId = process.env.FUSION_AUTH_APP_ID ?? '';
+
   private twoFactorId = '';
 
   private twoFactorMethods: TwoFactorMethod[] = [];
@@ -32,6 +38,32 @@ export class AuthenticationSession {
     this.promptForPassword();
   }
 
+  public obtainNewAuthTokenUsingRefreshToken(): void {
+    this.fusionAuthClient.exchangeRefreshTokenForAccessToken(this.refreshToken, '', '', '', '')
+      .then((clientResponse) => {
+        this.authToken = clientResponse.response.access_token ?? '';
+      })
+      .catch((clientResponse: unknown) => {
+        const message = isPartialClientResponse(clientResponse)
+          ? clientResponse.exception.message
+          : '';
+        logger.warn(`Error obtaining refresh token : ${message}`);
+        this.authContext.reject();
+      });
+  }
+
+  public tokenExpired(): boolean {
+    const expirationDate = new Date(this.authTokenExpiresAt);
+    return expirationDate <= new Date();
+  }
+
+  public tokenWouldExpireSoon(minutes = 5): boolean {
+    const expirationDate = new Date(this.authTokenExpiresAt);
+    const currentTime = new Date();
+    const timeDifferenceMinutes = (expirationDate.getTime() - currentTime.getTime()) / (1000 * 60);
+    return timeDifferenceMinutes <= minutes;
+  }
+
   private promptForPassword(): void {
     this.authContext.prompt(
       {
@@ -46,6 +78,7 @@ export class AuthenticationSession {
 
   private processPasswordResponse([password]: string[]): void {
     this.fusionAuthClient.login({
+      applicationId: this.fusionAuthAppId,
       loginId: this.authContext.username,
       password,
     }).then((clientResponse) => {
@@ -57,6 +90,8 @@ export class AuthenticationSession {
               username: this.authContext.username,
             });
             this.authToken = clientResponse.response.token;
+            this.authTokenExpiresAt = clientResponse.response.tokenExpirationInstant ?? 0;
+            this.refreshToken = clientResponse.response.refreshToken ?? '';
             this.authContext.accept();
             return;
           }

src/classes/SftpSessionHandler.ts

@@ -958,6 +958,12 @@ export class SftpSessionHandler {
   }
 
   private getCurrentPermanentFileSystem(): PermanentFileSystem {
+    if (
+      this.authenticationSession.tokenExpired()
+      || this.authenticationSession.tokenWouldExpireSoon()
+    ) {
+      this.authenticationSession.obtainNewAuthTokenUsingRefreshToken();
+    }
     return this.permanentFileSystemManager
       .getCurrentPermanentFileSystemForUser(
         this.authenticationSession.authContext.username,