OIDC server-side token refresh #2160
Merged
Pull request overview
Fixes a regression introduced by tighter server-side OIDC enforcement (v4.1.8) where clients could appear “logged in” client-side while the server rejected expired/invalid tokens, resulting in a stripped/empty config experience.
Changes:
- Add a server “bootstrap” marker to stripped /conf.yml responses and allow /conf.yml to fall back to bootstrap when Bearer verification fails (to trigger re-auth instead of hard-failing).
- Require authentication for non-root *.yml files (e.g. /sub.yml) and expand server tests accordingly.
- Update Home/Minimal views + English strings to detect bootstrap state and show “session expired” messaging with a re-login action.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| services/auth-oidc.js | Adds _bootstrap marker and introduces a permissive option to let specific routes fall through on token verification failure. |
| services/app.js | Uses permissive OIDC middleware for /*.yml so /conf.yml can bootstrap even with an invalid/expired Bearer, while sub-YAML files are gated. |
| src/utils/auth/OidcAuth.js | Detects bootstrap config and forces re-auth by clearing tokens and redirecting to the IdP. |
| src/views/Home.vue | Shows “session expired” UI (instead of “No Data Configured”) when bootstrap config is detected. |
| src/views/Minimal.vue | Same bootstrap/session-expired UI handling for Minimal view. |
| src/assets/locales/en.json | Adds English i18n strings for the session-expired messaging and button label. |
| tests/server/conf-strip.test.js | Extends coverage for _bootstrap fields and the new auth behavior for sub-YAML + invalid Bearer handling. |
Category
Bugfix
Overview
In #2153 (v4.1.8) we hardened the auth, by adding server-side authorization permission checks, to strip the config of all sensitive data when not fully authenticated.
This broke partly-authenticated users, as the browser was marking them as authenticated, but the token was expired, so the server refused to serve the full config 😵
This PR fixes that. When the token is expired or otherwise invalid, it will initiate the reauthentication flow. This should happen in the background without user noticing anything, unless they've configured their OIDC provider to require explicit re-entry of credentials.
I also added a small frontend change, so that the app notices when it's not properly authenticated, and shows appropriate messaging plus a re-login button.
Issue Number
Fixes #2159
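The route and client logic described in the review overview above and in the PR description, as an added example in JavaScript that is not part of Dashy or of this PR. It models the server behaviour with plain functions instead of Express middleware; the token table, the config contents, and every function name (`verifyBearer`, `bootstrapConfig`, `handleYamlRequest`, `clientState`) are constructed for illustration and do not correspond to identifiers in the project.

```javascript
// Added example, not code from the Dashy project: a pure-function model of the
// server-side behaviour described in the PR (root /conf.yml falls back to a
// stripped "bootstrap" config when the Bearer token fails verification; every
// other *.yml file requires a valid token) plus the client-side decision that
// turns a bootstrap response into a "session expired" re-login.
// Token verification is simulated with a constructed lookup table so the
// example runs offline; a real deployment verifies a JWT against the IdP's keys.

const ROOT_CONF = '/conf.yml';

// Constructed stand-in for a full config. `sections` is the sensitive part
// that must never reach an unauthenticated client.
const FULL_CONFIG = {
  pageInfo: { title: 'Demo dashboard' },
  appConfig: {
    auth: { enableOidc: true, oidc: { clientId: 'dashy', endpoint: 'https://idp.example' } },
  },
  sections: [{ name: 'Internal', items: [{ title: 'Admin', url: 'https://admin.internal' }] }],
};

// Hypothetical opaque tokens with their claims; exp is a Unix timestamp.
const TOKENS = {
  'good-token': { sub: 'alice', exp: 4102444800 },   // valid until 2100-01-01
  'expired-token': { sub: 'alice', exp: 946684800 }, // expired on 2000-01-01
};

// Returns the claims for a valid, unexpired Bearer token, otherwise null.
function verifyBearer(authHeader, nowSeconds) {
  if (typeof authHeader !== 'string' || !authHeader.startsWith('Bearer ')) return null;
  const claims = TOKENS[authHeader.slice('Bearer '.length)];
  if (!claims || claims.exp <= nowSeconds) return null;
  return claims;
}

// Stripped config: only the auth settings needed to start the OIDC flow,
// tagged with the `_bootstrap` marker the frontend keys off.
function bootstrapConfig(config) {
  return { appConfig: { auth: config.appConfig.auth }, _bootstrap: true };
}

// Route decision for GET /<name>.yml.
function handleYamlRequest(path, authHeader, nowSeconds, config = FULL_CONFIG) {
  const claims = verifyBearer(authHeader, nowSeconds);
  if (claims) return { status: 200, body: config };
  if (path === ROOT_CONF) {
    // Permissive route: an invalid or expired token is treated like no token,
    // and the client is handed the bootstrap config instead of an error.
    return { status: 200, body: bootstrapConfig(config) };
  }
  // Sub-YAML files are gated: no fallback, no partial content.
  return { status: 401, body: { error: 'authentication required' } };
}

// Client side. `hadToken` is whether the browser believed it was logged in.
// 'session-expired' is the case the PR fixes: a local token exists but the
// server answered with the bootstrap config, so the client must clear its
// tokens and restart the IdP redirect rather than show "No Data Configured".
function clientState(hadToken, body) {
  if (body && body._bootstrap === true) return hadToken ? 'session-expired' : 'login';
  return 'authenticated';
}
```

Two properties are worth checking against a real implementation of this pattern: the bootstrap body never carries `sections` (or anything else stripped for unauthenticated users), and the fallback applies only to the root path, so a stale token cannot be used to pull a stripped-but-partial sub-YAML file.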