
fix(session): Centralize signout and tokens#1774

Open
GMishx wants to merge 3 commits into eclipse-sw360:main from siemens:fix/session/signout

Conversation

@GMishx
Member

@GMishx GMishx commented Jun 5, 2026

Summary

This PR contains 2 focused commits to stabilize auth/session behavior and reduce auth-related code duplication.

1) Centralized signout/session-expiry handling

  • Added SessionStatusHandler at app provider level (src/app/provider.tsx).
  • Introduced dispatchSessionExpiredEvent flow (src/utils/sessionExpiry.utils.ts) and routed session-expiry handling through one place.
  • Result: signout/redirect behavior is centralized and consistent across pages/components.
  • The SessionProvider can now be configured to have a session refresh interval with SW360_SESSION_REFETCH_INTERVAL_SECONDS with a fallback of 5 minutes.

2) API client split for authenticated vs unauthenticated calls

  • Added:
    • AuthenticatedApiUtils (src/utils/api/authenticatedApi.util.ts)
    • UnauthenticatedApiUtils (core transport in src/utils/api/api.util.ts)
  • Kept compatibility alias:
    • ApiUtils in src/utils/index.ts to minimize broad import churn in this PR.
  • Added docs in src/utils/index.ts clarifying intended usage.

Why this change

  • Avoid scattered, duplicated session-expiry/signout logic in many components.
  • Make API call intent explicit:
    • authenticated endpoints should trigger session-expiry flow on 401,
    • unauthenticated endpoints (e.g. version/footer-style) should not force signout behavior.
  • Keep this PR low-risk by avoiding mass import migration.

Important note on ApiUtils alias

ApiUtils alias was intentionally retained to keep this PR small and minimize broad refactoring risk.
Moving forward, new/modified code should import explicitly:

  • AuthenticatedApiUtils for protected endpoints
  • UnauthenticatedApiUtils for public endpoints

Maintainer question

@amritkv — would you prefer I do the explicit import migration (ApiUtils -> AuthenticatedApiUtils/UnauthenticatedApiUtils) in this PR now, or keep it as a separate follow-up refactor?

Testing done (local)

  • Verified session-expiry event flow and centralized redirect handling via SessionStatusHandler.
  • Verified authenticated API path dispatches session-expiry event on 401.
  • Verified unauthenticated transport path remains available for public endpoints.

GMishx added 3 commits June 5, 2026 17:54

Use `dispatchSessionExpiredEvent` to handle the session expiry events
centrally. This prevents each page from having to check the session
individually for expiry.

Signed-off-by: Gaurav Mishra <mishra.gaurav@siemens.com>

No more need to fetch the raw session before making API calls. This
leaves lots of room for mistakes like not checking for an unauthenticated
user, API error 401, etc. Thus, the API calls are now divided into
`AuthenticatedApiUtils`, which fetches the session and token for you, and
`UnauthenticatedApiUtils` for APIs where authentication is not required.
Also, refresh the session every 5 minutes to make sure the user does not
get kicked off while working on long tasks.

Signed-off-by: Gaurav Mishra <mishra.gaurav@siemens.com>

Make the session refresh interval configurable as ENV
SW360_SESSION_REFETCH_INTERVAL_SECONDS

Signed-off-by: Gaurav Mishra <mishra.gaurav@siemens.com>
@GMishx GMishx requested review from amritkv and deo002 as code owners June 5, 2026 14:55
@amritkv
Member

amritkv commented Jun 5, 2026

Hey @GMishx! Awesome PR!
Now to your question. This PR itself has huge changes. So, it would be great if we put the AuthenticatedApiUtils and UnauthenticatedApiUtils in a separate PR.
