fix: #exui-112: rediect to link expired login link page of state or nonce is stale

src/auth/auth.constants.ts

@@ -12,5 +12,6 @@ export const AUTH = {
         KEEPALIVE_ROUTE: '/auth/keepalive',
         OAUTH_CALLBACK: '/oauth2/callback',
         LOGOUT: '/auth/logout',
+        EXPIRED_LOGIN_LINK: '/expired-login-link',
     },
 }

src/auth/models/strategy.class.ts

@@ -280,6 +280,12 @@ export abstract class Strategy extends events.EventEmitter {
             this.emit(AUTH.EVENT.AUTHENTICATE_FAILURE, req, res, next)
         }
 
+        const redirectWithFailure = (errorMessages: string[], INVALID_STATE_ERROR: string, uri: string) => {
+            errorMessages.push(INVALID_STATE_ERROR)
+            emitAuthenticationFailure(errorMessages)
+            return res.redirect(uri)
+        }
+
         passport.authenticate(
             this.strategyName,
             {
@@ -303,19 +309,21 @@ export abstract class Strategy extends events.EventEmitter {
                 }
 
                 if (info) {
-                    if (info.message === INVALID_STATE_ERROR) {
-                        errorMessages.push(INVALID_STATE_ERROR)
-                    }
                     this.logger.info('Authenticate callback info', info)
                 }
 
                 if (!user) {
-                    const message = 'No user details returned by the authentication service, redirecting to login'
-                    errorMessages.push(message)
-                    this.logger.log(message)
-
-                    emitAuthenticationFailure(errorMessages)
-                    return res.redirect(AUTH.ROUTE.LOGIN)
+                    const MISMATCH_NONCE = 'nonce mismatch'
+                    const MISMATCH_STATE = 'state mismatch'
+                    if (info?.message === INVALID_STATE_ERROR) {
+                        return redirectWithFailure(errorMessages, INVALID_STATE_ERROR, AUTH.ROUTE.EXPIRED_LOGIN_LINK)
+                    } else if (info?.message.includes(MISMATCH_NONCE) || info?.message.includes(MISMATCH_STATE)) {
+                        return redirectWithFailure(errorMessages, info.message, AUTH.ROUTE.EXPIRED_LOGIN_LINK)
+                    } else {
+                        const message = 'No user details returned by the authentication service, redirecting to login'
+                        this.logger.log(message)
+                        return redirectWithFailure(errorMessages, message, AUTH.ROUTE.LOGIN)
+                    }
                 }
                 emitAuthenticationFailure(errorMessages)
                 this.verifyLogin(req, user, next, res)

src/auth/oauth2/models/oauth2.class.spec.ts

@@ -4,6 +4,7 @@ import { createMock } from 'ts-auto-mock'
 import { Request, Response, Router } from 'express'
 import { AuthOptions } from '../../models'
 import { XuiLogger } from '../../../common'
+import { AUTH } from '../../auth.constants'
 
 describe('OAUTH2 Auth', () => {
     const mockRequestRequired = {
@@ -207,4 +208,82 @@ describe('OAUTH2 Auth', () => {
         expect(mockRequest.headers.Authorization).toEqual(authToken)
         expect(next).toHaveBeenCalled()
     })
+
+    test('should handle INVALID_STATE_ERROR in info', () => {
+        const info = { message: 'Invalid authorization request state.' }
+        jest.spyOn(passport, 'authenticate').mockImplementation((strategy, options, callback) => {
+            if (callback) {
+                callback(null, null, info)
+            }
+            return jest.fn()
+        })
+
+        const mockRouter = createMock<Router>()
+        const logger = {
+            log: jest.fn(),
+            error: jest.fn(),
+            info: jest.fn(),
+        } as unknown as XuiLogger
+        const oAuth2 = new OAuth2(mockRouter, logger)
+        const mockRequest = createMock<Request>()
+        const mockResponse = createMock<Response>()
+        const next = jest.fn()
+
+        oAuth2.callbackHandler(mockRequest, mockResponse, next)
+
+        expect(mockResponse.redirect).toHaveBeenCalledWith(AUTH.ROUTE.EXPIRED_LOGIN_LINK)
+    })
+
+    test('should handle MISMATCH_NONCE or MISMATCH_STATE in info', () => {
+        const info = { message: 'nonce mismatch' }
+        jest.spyOn(passport, 'authenticate').mockImplementation((strategy, options, callback) => {
+            if (callback) {
+                callback(null, null, info)
+            }
+            return jest.fn()
+        })
+
+        const mockRouter = createMock<Router>()
+        const logger = {
+            log: jest.fn(),
+            error: jest.fn(),
+            info: jest.fn(),
+        } as unknown as XuiLogger
+        const oAuth2 = new OAuth2(mockRouter, logger)
+        const mockRequest = createMock<Request>()
+        const mockResponse = createMock<Response>()
+        const next = jest.fn()
+
+        oAuth2.callbackHandler(mockRequest, mockResponse, next)
+
+        expect(mockResponse.redirect).toHaveBeenCalledWith(AUTH.ROUTE.EXPIRED_LOGIN_LINK)
+    })
+
+    test('should handle no user returned', () => {
+        const info = { message: 'Some other error' }
+        jest.spyOn(passport, 'authenticate').mockImplementation((strategy, options, callback) => {
+            if (callback) {
+                callback(null, null, info)
+            }
+            return jest.fn()
+        })
+
+        const mockRouter = createMock<Router>()
+        const logger = {
+            log: jest.fn(),
+            error: jest.fn(),
+            info: jest.fn(),
+        } as unknown as XuiLogger
+        const oAuth2 = new OAuth2(mockRouter, logger)
+        const mockRequest = createMock<Request>()
+        const mockResponse = createMock<Response>()
+        const next = jest.fn()
+
+        oAuth2.callbackHandler(mockRequest, mockResponse, next)
+
+        expect(logger.log).toHaveBeenCalledWith(
+            'No user details returned by the authentication service, redirecting to login',
+        )
+        expect(mockResponse.redirect).toHaveBeenCalledWith(AUTH.ROUTE.LOGIN)
+    })
 })