auth-react: handle missing cookie auth endpoint

Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
2024-04-23 14:29:56 +02:00
parent 1d02904ffd
commit c297afd968
3 changed files with 47 additions and 0 deletions
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-react': patch
+---
+
+When using `CookieAuthRefreshProvider` or `useCookieAuthRefresh`, a 404 response from the cookie endpoint will now be treated as if cookie auth is disabled and is not needed.
@@ -217,6 +217,39 @@ describe('useCookieAuthRefresh', () => {
    );
  });

+  it('should handle 404 as disabled cookie auth', async () => {
+    const { result } = renderHook(
+      () => useCookieAuthRefresh({ pluginId: 'techdocs' }),
+      {
+        wrapper: ({ children }) => (
+          <TestApiProvider
+            apis={[
+              [
+                fetchApiRef,
+                {
+                  fetch: jest.fn().mockResolvedValue({
+                    ok: false,
+                    status: 404,
+                  }),
+                },
+              ],
+              [discoveryApiRef, discoveryApiMock],
+            ]}
+          >
+            {children}
+          </TestApiProvider>
+        ),
+      },
+    );
+
+    await waitFor(() =>
+      expect(result.current).toEqual({
+        status: 'success',
+        data: { expiresAt: expect.any(Date) },
+      }),
+    );
+  });
+
  it('should call the api to get the cookie and use it', async () => {
    const { result } = renderHook(
      () => useCookieAuthRefresh({ pluginId: 'techdocs' }),
@@ -24,6 +24,7 @@ import { useAsync, useMountEffect } from '@react-hookz/web';
 import { ResponseError } from '@backstage/errors';

 const COOKIE_PATH = '/.backstage/auth/v1/cookie';
+const ONE_YEAR_MS = 365 * 24 * 3600_000;

 /**
 * @public
@@ -54,6 +55,14 @@ export function useCookieAuthRefresh(options: {
      credentials: 'include',
    });
    if (!response.ok) {
+      // If we get a 404 from the cookie endpoint we assume that it does not
+      // exist and cookie auth is not needed. For all active tabs we don't
+      // schedule another refresh for the forseeable future, but new tabs will
+      // still check if cookie auth has been added to the deployment.
+      // TODO(Rugvip): Once the legacy backend system is no longer supported we should remove this check
+      if (response.status === 404) {
+        return { expiresAt: new Date(Date.now() + ONE_YEAR_MS) };
+      }
      throw await ResponseError.fromResponse(response);
    }
    const data = await response.json();