feat(admin-ui): change in process of accessing config-api endpoints in Admin UI #2570
📝 Walkthrough
Switches Admin UI from per-request access tokens to HttpOnly session cookies: adds
Changes
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant Browser
    participant AuthSaga as Admin UI Saga
    participant ConfigAPI as Config API (/app/admin-ui/oauth2/session)
    participant Redux as Redux Store
    Browser->>AuthSaga: provide ujwt + apiProtectionToken (after userinfo)
    AuthSaga->>ConfigAPI: POST /app/admin-ui/oauth2/session (withCredentials)
    ConfigAPI-->>AuthSaga: 200 OK (session cookie set)
    AuthSaga->>Redux: dispatch createAdminUiSessionResponse(success=true)
    Redux-->>Browser: hasSession=true (queries/guards enabled)
```
Actionable comments posted: 22
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (14)
admin-ui/plugins/saml/redux/sagas/SamlSaga.ts (1)
204-204: Consider removing debug console.log statements.
There are `console.log('Error: ', e)` statements in several catch blocks (lines 204, 239, 304, 339). While helpful for debugging, these should ideally use structured logging or be removed for production code.
🔧 Suggested fix
```diff
   } catch (e) {
-    console.log('Error: ', e)
     yield put(toggleSavedFormFlag(false))
```
Apply similarly to lines 239, 304, 339.

admin-ui/plugins/auth-server/components/Scopes/hooks/useScopeActions.ts (1)
9-12: Consider removing unused `token` type from `AuthState` interface.
The `token` property is defined in the interface but is no longer used anywhere in this hook. Since the PR removes token-based authentication, this type definition is now dead code and should be cleaned up for consistency.
♻️ Suggested cleanup
```diff
 interface AuthState {
-  token?: {
-    access_token: string
-  }
   config?: {
     clientId: string
   }
   userinfo?: {
     inum: string
     name: string
   }
 }
```

admin-ui/app/redux/sagas/LockSaga.ts (1)
17-22: Unused `audit` variable.
The `audit` variable is initialized via `initAudit()` at line 18 but is never used within the `getLockMau` function. Either the audit logging should be implemented (call `postUserAction(audit)` on success) or the initialization should be removed.
♻️ Option 1: Remove unused audit initialization
```diff
 export function* getLockMau({ payload }) {
-  const audit = yield* initAudit()
   try {
     const lockapi = yield* newFunction()
     const data = yield call(lockapi.getLockMau, payload)
     yield put(getLockStatusResponse({ data }))
   } catch (e) {
```
♻️ Option 2: Implement audit logging (if intended)
```diff
 export function* getLockMau({ payload }) {
   const audit = yield* initAudit()
   try {
     const lockapi = yield* newFunction()
     const data = yield call(lockapi.getLockMau, payload)
     yield put(getLockStatusResponse({ data }))
+    yield call(postUserAction, audit)
   } catch (e) {
```
Note: This would also require importing `postUserAction` from `Redux/api/backend-api`.

admin-ui/plugins/admin/redux/sagas/ApiRoleSaga.js (1)
2-8: Missing import: `getRoleResponse` is used but not imported.
The `getRole` function uses `getRoleResponse` at lines 50 and 53, but this action is not included in the imports from `apiRoleSlice`. This will cause a runtime error.
🐛 Proposed fix
```diff
 import {
   getRoles as getRolesAction,
   getRolesResponse,
+  getRoleResponse,
   addRoleResponse,
   editRoleResponse,
   deleteRoleResponse,
 } from 'Plugins/admin/redux/features/apiRoleSlice'
```

admin-ui/plugins/user-management/helper/userAuditHelpers.ts (1)
9-18: Remove the unused local `AuditLog` interface and `initAudit()` function; they are not used in any log function.
This file defines a local `AuditLog` interface (lines 9-18) and `initAudit()` function (lines 86-101) that are never called. All `log*` functions directly invoke `logAuditUserAction` from `Utils/AuditLogger` using the `LogAuditParams` interface, which is the correct approach. The shared `AuditLog` type from `Plugins/admin/redux/sagas/types/audit.ts` is properly imported and used within `AuditLogger.ts`. Remove the local type definitions to avoid confusion and dead code.

admin-ui/plugins/auth-server/components/AuthN/hooks/useAcrAudit.ts (1)
8-12: Consider removing unused `token` property from the local `AuthState` interface.
The `token` property is defined but no longer used in this hook. Removing it would improve clarity and prevent confusion.
♻️ Proposed cleanup
```diff
 interface AuthState {
-  token?: {
-    access_token: string
-  }
   config?: {
     clientId: string
   }
```

admin-ui/app/redux/sagas/HealthSaga.ts (1)
51-53: Inconsistent 401 handling between health check functions.
`getHealthStatus` redirects to `/logout` on a 401 error, but `getHealthServerStatus` silently ignores 401 errors. If the session expires during a server health check, the user won't be redirected to login, potentially causing confusing behavior. Consider adding consistent 401 handling:
Proposed fix
```diff
 export function* getHealthServerStatus({ payload }) {
   const audit = yield* initAudit()
   try {
     payload = payload || { action: {} }
     addAdditionalData(audit, 'FETCH', 'Health', payload)
     const healthApi = yield* newStatusFunction()
     const data = yield call(healthApi.getHealthServerStatus, payload.action.action_data)
     yield put(getHealthServerStatusResponse({ data }))
     yield call(postUserAction, audit)
   } catch (e) {
     yield put(getHealthServerStatusResponse(null))
+    if (isFourZeroOneError(e)) {
+      // Session expired - redirect to login
+      window.location.href = '/logout'
+    }
   }
 }
```

admin-ui/plugins/auth-server/redux/sagas/JsonConfigSaga.js (1)
10-10: Remove empty import statement.
This empty import serves no purpose and should be removed as a cleanup.
🧹 Proposed fix
```diff
-import {} from '../../common/Constants'
```

admin-ui/app/routes/Dashboards/DashboardPage.tsx (1)
321-331: Fix incomplete logout handler logic.
When `hasSession` is true, the handler only dispatches `auditLogoutLogs` without navigating to the logout route. Add a `useEffect` that monitors `logoutAuditSucceeded` (like in DropdownProfile and GluuSessionTimeout) to navigate to `ROUTES.LOGOUT` after the audit completes. Additionally, when `hasSession` is false, audit logging is skipped entirely; ensure both branches handle the full logout flow consistently.

admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js (1)
132-153: Memory leak: object URL not revoked before reassignment.
The `URL.revokeObjectURL(link.href)` on line 152 attempts to revoke `link.href`, but after `link.click()`, some browsers may have already cleared or modified the href. Store the object URL in a variable before assignment for reliable cleanup.
Proposed fix
```diff
 function createAndDownloadJSONFile(data) {
   const jsonData = JSON.stringify(data, null, 2)
   const blob = new Blob([jsonData], { type: 'application/json' })
+  const objectUrl = URL.createObjectURL(blob)
   const link = document.createElement('a')
-  link.href = URL.createObjectURL(blob)
+  link.href = objectUrl
   link.download = 'file.json'
   document.body.appendChild(link)
   link.click()
   document.body.removeChild(link)
-  URL.revokeObjectURL(link.href)
+  URL.revokeObjectURL(objectUrl)
 }
```

admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaApi.ts (2)
161-167: Redundant null coalescing after explicit null check.
Lines 161-163 throw an error if `!token`, so `token` is guaranteed to be non-null at line 167. The `?? ''` is unnecessary.
Proposed fix
```diff
 mutationFn: (payload: SsaCreatePayload) => {
   if (!token) {
     throw new Error('No authentication token available')
   }
   if (!authServerHost) {
     throw new Error('Auth server host not configured')
   }
-  return createSsa(payload, token ?? '', authServerHost)
+  return createSsa(payload, token, authServerHost)
 },
```
180-187: Same redundant null coalescing pattern.
After the `if (!token)` check on line 181, `token` is non-null, making `?? ''` at line 187 redundant.
Proposed fix
```diff
-  return getSsaJwt(jti, token ?? '', authServerHost)
+  return getSsaJwt(jti, token, authServerHost)
```

admin-ui/app/components/App/PermissionsPolicyInitializer.tsx (1)
48-73: Double JSON.parse for string policy stores.
For string inputs, `isValidPolicyStore` parses JSON (line 59) and then the `policyStoreString` logic parses again (line 93). Consider caching the parsed result to avoid redundant parsing. This is a minor optimization since parsing happens only once per initialization attempt, so the current implementation is acceptable.
Also applies to: 89-103

admin-ui/app/redux/api/base.ts (1)
33-62: `getClientWithToken` duplicates logic from `getClient`.
Both functions share nearly identical logic for setting `enableCookies`, `accessToken`, `basePath`, and headers. Consider extracting shared logic into a helper to reduce duplication. The key differences are:
- `getClient` takes `r_issuer` as parameter; `getClientWithToken` reads `issuer` from state
- Parameter naming differs (`r_token` vs `token`)
A unified helper could accept optional overrides for issuer and token.
🤖 Fix all issues with AI agents
In @admin-ui/app/redux/api/base.ts:
- Around line 15-21: When hasSession is false and r_token is falsy the
authentication state is left ambiguous; update the branch handling around
hasSession / r_token to explicitly set defaultClient.enableCookies = false and
jansauth.accessToken = undefined for that fallback path so defaultClient and
jansauth are always in a deterministic unauthenticated state (look for the block
referencing hasSession, r_token, defaultClient and jansauth).
In @admin-ui/app/redux/features/authSlice.ts:
- Line 33: The getOAuth2Config reducer is currently an empty no-op; mark it
explicitly as an intentional saga-trigger-only action by adding an inline
comment in the reducer definition (e.g., next to getOAuth2Config: (_state,
_action: PayloadAction<any>) => {}) stating that the reducer is intentionally
empty because it only exists to trigger a saga, so future readers know this is
deliberate.
In @admin-ui/app/redux/sagas/AttributesSaga.ts:
- Around line 35-38: The handler in AttributesSaga.ts checks
isFourZeroOneError(e) and sets window.location.href = '/logout' but doesn't
return, so subsequent code may run after initiating redirect; update the error
branch in the AttributesSaga error handling to immediately return after
performing the redirect (i.e., add a return statement right after the
window.location.href = '/logout' line) to prevent further saga logic from
executing.
In @admin-ui/app/redux/sagas/AuthSaga.ts:
- Around line 146-155: The getAPIAccessTokenWorker duplicates the session
creation code that is already handled (with proper success/failure flows) by
createAdminUiSessionWorker; refactor getAPIAccessTokenWorker to dispatch the
createAdminUiSession action (with the same payload shape: { ujwt,
apiProtectionToken }) instead of calling createAdminUiSession directly and
inlining its logic, so createAdminUiSessionWorker performs the actual call and
dispatches createAdminUiSessionResponse on success/failure; update any payload
construction in getAPIAccessTokenWorker to match what createAdminUiSessionWorker
expects and remove the duplicated try/catch/session logic from
getAPIAccessTokenWorker.
- Around line 114-125: When createAdminUiSession throws inside the saga (after
getApiTokenWithDefaultScopes returns a token), you currently rethrow the error
without dispatching a failure action, leaving state inconsistent; update the
try/catch around the call to createAdminUiSession (in the saga that uses
getApiTokenWithDefaultScopes) to dispatch createAdminUiSessionResponse({
success: false }) in the catch block (mirroring createAdminUiSessionWorker error
handling) and then rethrow or return as needed so hasSession/state stays
consistent; ensure you reference the existing functions
getApiTokenWithDefaultScopes, createAdminUiSession, and
createAdminUiSessionResponse when making the change.
- Around line 22-26: The file imports getAPIAccessToken but never uses it; the
saga watcher currently references the action by string literal
'auth/getAPIAccessToken'. Replace the string literal in the watcher (where
takeLatest/takeEvery is used) with the imported getAPIAccessToken action creator
so the import is actually referenced, or if you prefer to keep the string,
remove the unused getAPIAccessToken import; update the watcher to use
getAPIAccessToken to ensure the action creator symbol is used and no unused
imports remain.
In @admin-ui/app/redux/sagas/InitSaga.ts:
- Around line 50-53: The 401 handler currently does a hard redirect via
window.location.href = '/logout' after isFourZeroOneError(e); instead, route the
error through the app's normal logout pipeline: dispatch the existing logout
action (the same action triggered by DropdownProfile) so auditLogoutLogs and
other logout sagas run and then navigate to the LOGOUT route (which will render
ByeBye and perform final cleanup/OIDC redirect); replace or augment the direct
window.location.href assignment in InitSaga.ts with a call to dispatch the
logout action to ensure consistent session cleanup and auditing.
In @admin-ui/app/redux/sagas/MauSaga.ts:
- Around line 29-34: In the catch block where isFourZeroOneError(e) is checked
(in MauSaga.ts), add an explicit return immediately after setting
window.location.href = '/logout' so execution exits the generator before
reaching the later return e; locate the isFourZeroOneError check and replace the
current flow with an early return (e.g., return; or return undefined) right
after the redirect to prevent further code from running.
In @admin-ui/app/redux/sagas/ProfileDetailsSaga.ts:
- Around line 49-54: The catch block in ProfileDetailsSaga uses a direct
window.location.href = '/logout' which duplicates logout redirect logic; extract
this into a shared utility (e.g., export function redirectToLogout()) and
replace the inline redirect with a call to redirectToLogout() in the catch of
the saga that currently calls setUserProfileDetails(null) and checks
isFourZeroOneError(e). Update other sagas with the same pattern to call the new
redirectToLogout() so logout behavior is centralized for future changes.
In @admin-ui/app/redux/sagas/SagaUtils.ts:
- Around line 6-7: The AuditLog object in initAudit() is being initialized as {}
but the AuditLog interface requires a headers field; either initialize auditlog
with a valid headers value or make headers optional in the AuditLog type. Update
the AuditLog definition in types/audit.ts to change headers: AuditLogHeaders to
headers?: AuditLogHeaders (or provide a default AuditLogHeaders when creating
auditlog inside initAudit), and keep in mind postUserAction in backend-api.ts
removes headers before sending so making headers optional is safe.
In @admin-ui/app/redux/sagas/types/audit.ts:
- Around line 36-37: Rename the PascalCase field JwtToken to camelCase jwtToken
across the codebase to match existing AuthState naming conventions; update the
AuthState interface declaration in audit.ts, then update all usages including
the Redux slice (reducers/selectors/actions) and any hooks/components that
access AuthState.jwtToken, adjust type imports/exports and tests accordingly,
and run TypeScript to fix remaining type errors and import paths to ensure no
references to JwtToken remain.
In @admin-ui/app/routes/Pages/ByeBye.tsx:
- Around line 31-36: The logout flow in ByeBye.tsx currently only redirects when
config is present, so if config is falsy/empty the user remains stuck; update
the performLogout (or the code block that builds sessionEndpoint) to handle the
fallback by still dispatching logoutUser() and then redirecting to a safe
default (e.g., home or login) when config is missing or
Object.keys(config).length === 0; use the same dispatch(logoutUser()) call and
set window.location.href to the fallback URL (or perform a timed redirect) so
the user is never left on the goodbye page without navigation.
- Around line 22-29: The dispatch(deleteAdminUiSession()) is likely redundant
because deleteSession() removes the backend session and the page immediately
redirects; verify whether any other components rely on Redux session state
before the redirect completes and if not, remove the dispatch call from the
ByeBye component (leave the await deleteSession() and its try/catch around it
and keep the redirect flow); if other parts need the client-side state cleared
before navigation, keep the dispatch but ensure it runs only after a successful
deleteSession() call and before initiating the redirect.
In @admin-ui/app/utils/AppAuthProvider.tsx:
- Around line 178-181: The current then-block calls
fetchPolicyStore(tokenResponse?.access_token) which treats a -1 error from
fetchApiAccessToken as undefined; update the then callback to explicitly check
tokenResponse for the error sentinel (tokenResponse === -1 or falsy response)
and reject/throw or return a rejected Promise when that occurs (mirroring the if
(response && response !== -1) pattern in AuthSaga.ts) so fetchPolicyStore is
only called with a valid access token; reference tokenResponse,
fetchApiAccessToken, and fetchPolicyStore when making this change.
In @admin-ui/plugins/admin/redux/sagas/AssetSaga.ts:
- Around line 123-127: The call inside AssetSaga.ts is passing an extraneous
null to assetApi.createJansAsset; update the redux-saga yield call so it only
invokes createJansAsset with the payload.action.action_data (i.e., remove the
trailing null) to match the AssetApi.createJansAsset(body: AssetFormData)
signature; keep using the same call effect form ({ context: assetApi, fn:
assetApi.createJansAsset }, payload.action.action_data) and ensure the returned
type Document is preserved.
- Around line 173-177: The call to assetApi.updateJansAsset in AssetSaga.ts
passes an extraneous null token argument causing a signature mismatch; remove
the trailing null so the call uses only payload.action.action_data as
AssetFormData (same fix applied earlier for createJansAsset), i.e., invoke the
call effect with { context: assetApi, fn: assetApi.updateJansAsset } and a
single argument payload.action.action_data.
In @admin-ui/plugins/admin/redux/sagas/CustomScriptSaga.ts:
- Around line 67-70: The repeated 401 handling should be centralized: replace
the duplicated blocks that check isFourZeroOneError(e) and set
window.location.href = '/logout' with a single helper (e.g.,
handleSessionExpiry) or dispatch a Redux action (e.g., yield put(logoutUser()))
from CustomScriptSaga; implement the helper or action to perform the redirect or
logout side-effect and call it from each catch so the logic is maintained in one
place (use the existing isFourZeroOneError check and ensure all existing catch
sites call handleSessionExpiry or yield put(logoutUser())).
In @admin-ui/plugins/admin/redux/sagas/WebhookSaga.ts:
- Around line 79-82: The repeated 401 handling (if (isFourZeroOneError(error)) {
window.location.href = '/logout' }) should be extracted into a single utility
function — e.g., add export function handleSessionExpiry(): void { /* redirect
to logout */ } in TokenController or a shared utils module and replace each
inline block in WebhookSaga (and other sagas) with a call to
handleSessionExpiry(); ensure imports are updated to reference the new function
so all 401 → logout behavior is centralized and consistent.
In @admin-ui/plugins/auth-server/redux/sagas/OIDCSaga.js:
- Around line 51-55: The 401 handling blocks call window.location.href =
'/logout' but lack an explicit early return, so add a return immediately after
each logout redirect to stop further execution; locate each
isFourZeroOneError(e) { window.location.href = '/logout' } block in OIDCSaga.js
(all occurrences around the shown handlers) and change them to set
window.location.href = '/logout' followed by return (e.g., return;), applying
this to every 401 handling site (lines noted in the review).
In @admin-ui/plugins/auth-server/redux/sagas/SessionSaga.js:
- Around line 39-42: The repeated inline 401 logout redirect
(window.location.href = '/logout') should be extracted to a shared helper so
calls are consistent and easy to update; add a new exported function (e.g.,
redirectToLogout) in a utility module (e.g., TokenController or Utils) that
performs window.location.href = '/logout', replace inline occurrences in
SessionSaga.js and other sagas that check isFourZeroOneError(e) to call
redirectToLogout(), and update imports in files that previously used the literal
redirect to import the new utility function.
In @admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js:
- Around line 31-32: Three SsaApi methods (getAllSsa, createSsa, getSsaJwt)
build an Authorization header even when called with token: null, producing
"Authorization: Bearer null"; update those methods to follow the session-aware
pattern used by removeSsaConfig (createSsaApi()/getClient(null)) or, if using
fetch, add credentials: 'include' and skip adding the Authorization header when
token is null so the HttpOnly session cookie is used; locate SsaApi.getAllSsa,
SsaApi.createSsa, and SsaApi.getSsaJwt and either switch them to use
createSsaApi().getClient(null) or conditionally omit the Authorization header
when token === null.
In @admin-ui/plugins/saml/redux/sagas/SamlSaga.ts:
- Line 82: SamlRootState’s authReducer includes an unused token field; remove
the token property from the SamlRootState/authReducer type in types/state.ts and
update any related type imports so code like the selector in SamlSaga (selecting
state.authReducer.issuer) and API calls that pass token: null remain
type-correct; ensure no remaining references to authReducer.token exist and run
type checks to confirm compilation.
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
💤 Files with no reviewable changes (7)
- admin-ui/plugins/schema/hooks/useSchemaAuditLogger.ts
- admin-ui/plugins/smtp-management/components/SmtpManagement/SmtpEditPage.tsx
- admin-ui/plugins/admin/components/Settings/SettingsPage.tsx
- admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaAuditLogger.ts
- admin-ui/plugins/fido/components/Fido.tsx
- admin-ui/app/utils/TokenController.ts
- admin-ui/plugins/scim/components/ScimPage.tsx
🧰 Additional context used
🧠 Learnings (6)
📓 Common learnings
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:43-149
Timestamp: 2025-11-07T12:17:39.857Z
Learning: In the Cedarling configuration UI PR (#2378), the `configApiPolicyStoreUrl` field is intentionally out of scope. It relates to config API configuration and will be covered in a separate PR. The current PR focuses on the Admin UI policy store URL (`auiPolicyStoreUrl`).
📚 Learning: 2026-01-06T13:45:19.278Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2561
File: admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts:4-101
Timestamp: 2026-01-06T13:45:19.278Z
Learning: In admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts, ensure Yup schema marks fields as nullable when the backend DTOs permit nulls and do not mark them as required. Align frontend validation with backend validation to prevent conflicts when editing existing configurations with null values; apply this pattern consistently to other Admin UI validation files where the backend is the source of truth.
Applied to files:
admin-ui/plugins/admin/components/CustomScripts/hooks/useCustomScriptApi.tsadmin-ui/app/redux/sagas/MauSaga.tsadmin-ui/plugins/auth-server/components/Configuration/Defaults/hooks/useLoggingApi.tsadmin-ui/plugins/auth-server/components/Agama/hooks/useAgamaActions.tsadmin-ui/app/routes/Dashboards/hooks/useDashboardLicense.tsadmin-ui/app/utils/AuditLogger.tsadmin-ui/plugins/admin/redux/sagas/CustomScriptSaga.tsadmin-ui/plugins/auth-server/components/AuthN/hooks/useAcrAudit.tsadmin-ui/plugins/auth-server/components/Scopes/hooks/useScopeActions.tsadmin-ui/plugins/admin/components/MAU/hooks/useMauStats.tsadmin-ui/plugins/admin/redux/api/AssetApi.tsadmin-ui/plugins/services/Components/Configuration/hooks/index.tsadmin-ui/plugins/admin/components/CustomScripts/hooks/auditUtils.tsadmin-ui/plugins/saml/redux/sagas/SamlSaga.tsadmin-ui/app/redux/sagas/InitSaga.tsadmin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/utils/useConfigApiActions.tsadmin-ui/app/routes/Dashboards/hooks/useDashboardClients.tsadmin-ui/app/redux/sagas/ProfileDetailsSaga.tsadmin-ui/app/redux/api/base.tsadmin-ui/plugins/admin/redux/sagas/WebhookSaga.tsadmin-ui/app/redux/sagas/AppInitSaga.tsadmin-ui/app/redux/sagas/OidcDiscoverySaga.tsadmin-ui/app/redux/api/backend-api.tsadmin-ui/plugins/user-management/helper/userAuditHelpers.tsadmin-ui/app/redux/features/types/authTypes.tsadmin-ui/plugins/admin/components/Health/hooks/useHealthStatus.tsadmin-ui/app/redux/sagas/AttributesSaga.tsadmin-ui/plugins/admin/redux/sagas/AssetSaga.tsadmin-ui/plugins/admin/components/Webhook/hooks/useWebhookAudit.tsadmin-ui/app/redux/sagas/HealthSaga.tsadmin-ui/app/redux/sagas/types/audit.tsadmin-ui/plugins/saml/redux/api/SamlApi.tsadmin-ui/app/redux/sagas/SagaUtils.tsadmin-ui/api-client.tsadmin-ui/app/routes/Dashboards/hooks/useDashboardLockStats.tsadmin-ui/app/redux/sagas/LicenseDetailsSaga.tsadmin-ui/app/redux/sagas/AuthSaga.tsadmin-ui/app/redux/sagas/LockSaga.tsadmin-ui/plugins/auth-server/components/Ssa/h
ooks/useSsaApi.tsadmin-ui/app/redux/features/authSlice.ts
📚 Learning: 2025-11-07T12:55:26.241Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:93-104
Timestamp: 2025-11-07T12:55:26.241Z
Learning: In the Cedarling configuration feature (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), the sync role to scopes mappings operation depends on the `auiPolicyStoreUrl`. The backend fetches content from this URL and syncs roles based on the response. Therefore, the audit log for the sync operation should include the `auiPolicyStoreUrl` in its payload to provide proper audit context.
Applied to files:
admin-ui/plugins/auth-server/components/AuthN/hooks/useAcrAudit.tsadmin-ui/plugins/auth-server/components/Scopes/hooks/useScopeActions.tsadmin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsxadmin-ui/plugins/auth-server/components/Sessions/SessionListPage.tsxadmin-ui/plugins/services/Components/Configuration/hooks/index.tsadmin-ui/plugins/admin/components/CustomScripts/hooks/auditUtils.tsadmin-ui/app/components/App/PermissionsPolicyInitializer.tsxadmin-ui/plugins/admin/components/Webhook/hooks/useWebhookAudit.tsadmin-ui/app/redux/sagas/SagaUtils.ts
📚 Learning: 2025-11-10T14:18:58.310Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:107-109
Timestamp: 2025-11-10T14:18:58.310Z
Learning: In the Cedarling configuration page (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), console.error calls should be kept in catch blocks when there are multiple operations in the try block, as they help print the whole error object with details for debugging unexpected errors.
Applied to files:
admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx
📚 Learning: 2025-11-07T12:17:39.857Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:43-149
Timestamp: 2025-11-07T12:17:39.857Z
Learning: In the Cedarling configuration UI PR (#2378), the `configApiPolicyStoreUrl` field is intentionally out of scope. It relates to config API configuration and will be covered in a separate PR. The current PR focuses on the Admin UI policy store URL (`auiPolicyStoreUrl`).
Applied to files:
admin-ui/app/components/App/PermissionsPolicyInitializer.tsx
📚 Learning: 2025-11-05T19:57:35.143Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2415
File: admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx:148-153
Timestamp: 2025-11-05T19:57:35.143Z
Learning: In the SSA Add page (admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx), the Back button should fall back to '/auth-server/config/ssa' when browser history is unavailable, not '/home/dashboard', as this keeps users in the SSA management context.
Applied to files:
- admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js
- admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaApi.ts
Actionable comments posted: 7
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (11)
admin-ui/plugins/admin/redux/sagas/WebhookSaga.ts (1)
193-193: Consider removing debug console.log statements.

There are several `console.log('error: ', error)` calls remaining in error handlers (lines 193, 225, 260, 342). While these pre-date this PR's changes, consider removing or replacing them with structured logging to avoid leaking error details to the browser console in production.

admin-ui/app/redux/sagas/types/audit.ts (2)
9-21: Guard all `AuditLog.headers` consumers; avoid `any` in header map.

`headers?: AuditLogHeaders` (Line 15) will break any code that assumes `headers` exists (e.g., `{...audit.headers}`), so ensure call sites default it (`headers ?? {}`) before merging/iterating. Also, `[key: string]: any` (Line 11) defeats header type-safety and can let non-string values through to HTTP clients.

Proposed type tightening

```diff
 export interface AuditLogHeaders {
   Authorization?: string
-  [key: string]: any
+  [key: string]: string | undefined
 }
```
23-38: Add token blacklist to Redux persist config and clear tokens on logout.

Both `jwtToken` and `userinfo_jwt` are currently persisted to localStorage without explicit exclusion (persistConfig lacks blacklist), and neither is cleared when the session is deleted (`deleteAdminUiSessionResponse` only sets `hasSession = false`). This creates a security risk: sensitive OAuth tokens remain accessible in localStorage after logout.

Add `blacklist: ['authReducer']` to the persistConfig in `admin-ui/app/redux/store/index.ts`, or more granularly, explicitly exclude token fields. Additionally, update `deleteAdminUiSessionResponse` to reset `jwtToken` and `userinfo_jwt` to `null`:

```ts
deleteAdminUiSessionResponse: (state) => {
  state.hasSession = false
  state.jwtToken = null
  state.userinfo_jwt = null
}
```

admin-ui/plugins/auth-server/redux/api/SsaApi.js (1)
8-27: Ensure 401s propagate as errors (fetch doesn't throw), otherwise redirectToLogout won't trigger reliably.

Right now `fetch(...).then(r => r.json())` will happily "succeed" on 401/403 and only fail if JSON parsing fails; saga `try/catch` 401 logic may never run.

Proposed fix (reject on non-2xx + safer body parsing)

```diff
 getAllSsa = ({ payload, authServerHost }) => {
   const { token } = payload
   const headers = { 'Content-Type': 'application/json' }
   if (token) {
     headers['Authorization'] = 'Bearer ' + token
   }
   return new Promise((resolve, reject) => {
     fetch(`${authServerHost}/jans-auth/restv1/ssa`, {
       headers,
       method: 'GET',
       credentials: 'include',
     })
-      .then((response) => response.json())
+      .then(async (response) => {
+        const contentType = response.headers.get('content-type') || ''
+        const data = contentType.includes('application/json')
+          ? await response.json()
+          : await response.text()
+        if (!response.ok) {
+          return Promise.reject({ status: response.status, data })
+        }
+        return data
+      })
       .then((data) => {
         handleResponse(null, reject, resolve, data)
       })
       .catch((error) => {
         handleResponse(error, reject, resolve, null)
       })
   })
 }
```

Also applies to: 30-49, 52-70
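Review bot: the rejection shape `{ status: response.status, data }` in the new `.then` only helps if the saga's `isFourZeroOneError` check (`admin-ui/app/utils/TokenController.ts`) reads `status` from exactly that object; if it inspects a different field, the catch block still never takes the `redirectToLogout()` branch, so verify the two agree before applying the same change to the other two methods (30-49, 52-70). Also note that `handleResponse(error, reject, resolve, null)` in the `.catch` now receives this plain object rather than a network `Error`, so any logging there should not assume `error.message` exists.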
admin-ui/app/utils/AppAuthProvider.tsx (2)
161-175: Potential UI bug: `showAdminUI` may stay false when `userinfo` already exists.

In the `else` branch (Line 161+), there's no `setShowAdminUI(true)` on the "happy path", so a refresh with persisted `userinfo` can render the redirect flow instead of Admin UI.

Proposed minimal fix

```diff
 } else {
   if (!userinfo.jansAdminUIRole || userinfo.jansAdminUIRole.length == 0) {
     setShowAdminUI(false)
     alert('The logged-in user do not have valid role. Logging out of Admin UI')
     setRoleNotFound(true)
     const state = uuidv4()
     const sessionEndpoint = `${authConfigs.endSessionEndpoint}?state=${state}&post_logout_redirect_uri=${localStorage.getItem('postLogoutRedirectUri')}`
     window.location.href = sessionEndpoint
     return null
   }
+  setShowAdminUI(true)
   // Re-create session if not present
   if (!hasSession) {
-    dispatch(getAPIAccessToken(userinfo_jwt))
+    dispatch(getAPIAccessToken(ujwt))
   }
 }
```
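Review bot: in the unchanged context line `const sessionEndpoint = ...post_logout_redirect_uri=${localStorage.getItem('postLogoutRedirectUri')}`, the stored value is interpolated without `encodeURIComponent`, and when the key is absent the template literal yields the literal string `null`; since `setShowAdminUI(true)` is being added to this block anyway, encode the value and bail out explicitly when it is missing rather than sending the user to an end-session URL with a bogus redirect target.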
149-183: The code at line 176 still calls the old `/oauth2/api-protection-token` endpoint, contradicting the PR objective to create Admin UI sessions via `/oauth2/session`.

The issue is a dual flow:

- Line 159/173 dispatches `getAPIAccessToken(ujwt)`, which triggers a saga that calls the old endpoint AND then properly dispatches `createAdminUiSession`
- Line 176 synchronously calls `fetchApiAccessToken(ujwt)` directly to the old endpoint, bypassing the new session creation flow

This represents an incomplete migration. The new `/oauth2/session` endpoint is wired into the saga (AuthSaga.ts line 112), but AppAuthProvider bypasses it with a direct call to the deprecated token endpoint. For consistency with PR objectives, the synchronous call at line 176 should be removed or restructured to depend on the session creation flow instead.

admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js (1)
49-64: Add 401 redirect handling to `getSsaJwt` for consistency (currently missing).

Proposed fix

```diff
 } catch (e) {
   yield put(updateToast(true, 'error'))
   yield put(getSsaJwtResponse([]))
+  if (isFourZeroOneError(e)) {
+    yield* redirectToLogout()
+    return
+  }
   return e
 }
```

admin-ui/plugins/auth-server/redux/sagas/SessionSaga.js (1)
30-30: Consider removing debug console.log statement.

This `console.log('SessionSaga: API response data:', data)` appears to be debug output that may clutter production logs.

🔧 Suggested fix

```diff
-console.log('SessionSaga: API response data:', data)
```
161-167: Redundant null coalescing after guard check.The
token ?? ''on line 167 is unnecessary since line 161 already throws iftokenis falsy, guaranteeingtokenis a non-empty string at that point.♻️ Suggested simplification
if (!token) { throw new Error('No authentication token available') } if (!authServerHost) { throw new Error('Auth server host not configured') } - return createSsa(payload, token ?? '', authServerHost) + return createSsa(payload, token, authServerHost)
181-187: Same redundant null coalescing pattern.

The `token ?? ''` on line 187 is redundant after the null guard on line 181.

♻️ Suggested simplification

```diff
 if (!token) {
   throw new Error('No authentication token available')
 }
 if (!authServerHost) {
   throw new Error('Auth server host not configured')
 }
-return getSsaJwt(jti, token ?? '', authServerHost)
+return getSsaJwt(jti, token, authServerHost)
```
57-79: Architectural inconsistency: SSA API authentication strategy diverges between old and new implementations.

The new React Query hooks in `useSsaApi.ts` always require an explicit JWT bearer token (lines 57-79, 81-105, 107-131), but the legacy `SsaApi.js` used by `SsaSaga.js` supports session-based authentication: it conditionally adds the bearer token only if provided and always includes `credentials: 'include'` (lines 18, 40, 61). Since `SsaSaga.js` passes `token: null`, the old implementation falls back to session cookies entirely.

This needs clarification:

- If SSA endpoints require explicit bearer tokens, the saga-based calls are insecure (passing null token while relying on credentials).
- If endpoints support session-based auth, the new hooks should include `credentials: 'include'` for consistency.

Align both implementations on the intended authentication mechanism.
🤖 Fix all issues with AI agents
In @admin-ui/app/redux/api/base.ts:
- Around line 10-13: The fallback hardcoded URL in defaultClient.basePath
('https://admin-ui-test.gluu.org') is unsafe for production; update the
expression that sets defaultClient.basePath to either remove the hardcoded test
URL entirely or replace it with the consistent fallback used elsewhere (e.g.,
'http://localhost:8080'), by changing the fallback after
window['configApiBaseUrl'] and process.env.CONFIG_API_BASE_URL so production
deployments rely on injected window.configApiBaseUrl or env vars rather than the
test host.
In @admin-ui/app/redux/features/authSlice.ts:
- Around line 99-111: deleteAdminUiSessionResponse currently only sets
hasSession = false which relies on the logout redirect to clear other auth
fields; update deleteAdminUiSessionResponse to defensively reset the reducer to
the initial auth state (or explicitly clear sensitive fields like
isAuthenticated, userinfo, permissions, apiProtectionToken, ujwt) so calling
deleteAdminUiSessionResponse alone always wipes auth data; reference the
reducer's initialState and the deleteAdminUiSessionResponse reducer function to
implement the change.
In @admin-ui/app/redux/sagas/AuthSaga.ts:
- Around line 134-153: The deleteAdminUiSessionWorker currently always
dispatches deleteAdminUiSessionResponse with no success flag, making its error
state inconsistent with createAdminUiSessionWorker; update
deleteAdminUiSessionWorker to dispatch deleteAdminUiSessionResponse({ success:
true }) on success and deleteAdminUiSessionResponse({ success: false }) in the
catch block (and ensure any callers/selectors expect the new shape), referencing
the deleteAdminUiSessionWorker and deleteAdminUiSessionResponse symbols so the
response payload includes a success boolean analogous to
createAdminUiSessionWorker.
In @admin-ui/app/routes/Pages/ByeBye.tsx:
- Line 43: In the ByeBye component's useEffect (the effect that currently ends
with "}, [])"), add the comment "// eslint-disable-next-line
react-hooks/exhaustive-deps" immediately above the closing brace so it's clear
the omission of dispatch, hasSession, and config from the dependency array is
intentional; follow the same placement/pattern used in SidebarMenu's useEffect
to silence the rule for this specific effect.
In @admin-ui/app/utils/AppAuthProvider.tsx:
- Around line 178-183: The then-block uses tokenResponse without verifying
tokenResponse.access_token specifically, so if the response shape changes you
may pass undefined into fetchPolicyStore; update the promise handler (the
.then(...) that returns fetchPolicyStore) to explicitly check that tokenResponse
is an object and that tokenResponse.access_token is a non-empty string (throwing
a descriptive Error like "Missing access_token in tokenResponse" when invalid)
before calling fetchPolicyStore(tokenResponse.access_token), so fetchPolicyStore
always receives a valid token.
In @admin-ui/plugins/auth-server/redux/api/SsaApi.js:
- Around line 10-13: The header-building logic is duplicated in multiple places;
add a small helper function buildHeaders(token) that returns { 'Content-Type':
'application/json' } plus an 'Authorization': 'Bearer ' + token entry only when
token is truthy, then replace the three inline header constructions with calls
to buildHeaders(token) (keep the exact header keys and behavior unchanged so
callers using token continue to get the Authorization header).
In @admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js:
- Around line 108-112: The call in SsaSaga.js passes an unused authorization:
null to ssaApi.removeSsa; remove the extraneous property so the call becomes
call(ssaApi.removeSsa, { jti: payload.action.action_data }) — locate the call to
ssaApi.removeSsa in the saga (the line that currently does
call(ssaApi.removeSsa, { jti: ..., authorization: null })) and delete the
authorization field, leaving the rest (and the subsequent yield
put(updateToast(true, 'success'))) unchanged.
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (24)
- admin-ui/app/cedarling/hooks/useCedarling.ts
- admin-ui/app/cedarling/types/index.ts
- admin-ui/app/redux/api/base.ts
- admin-ui/app/redux/features/authSlice.ts
- admin-ui/app/redux/features/types/authTypes.ts
- admin-ui/app/redux/sagas/AppInitSaga.ts
- admin-ui/app/redux/sagas/AttributesSaga.ts
- admin-ui/app/redux/sagas/AuthSaga.ts
- admin-ui/app/redux/sagas/InitSaga.ts
- admin-ui/app/redux/sagas/MauSaga.ts
- admin-ui/app/redux/sagas/ProfileDetailsSaga.ts
- admin-ui/app/redux/sagas/SagaUtils.ts
- admin-ui/app/redux/sagas/types/audit.ts
- admin-ui/app/routes/Pages/ByeBye.tsx
- admin-ui/app/utils/AppAuthProvider.tsx
- admin-ui/plugins/admin/redux/sagas/AssetSaga.ts
- admin-ui/plugins/admin/redux/sagas/CustomScriptSaga.ts
- admin-ui/plugins/admin/redux/sagas/WebhookSaga.ts
- admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaApi.ts
- admin-ui/plugins/auth-server/redux/api/SsaApi.js
- admin-ui/plugins/auth-server/redux/sagas/OIDCSaga.js
- admin-ui/plugins/auth-server/redux/sagas/SessionSaga.js
- admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js
- admin-ui/plugins/saml/types/state.ts
💤 Files with no reviewable changes (1)
- admin-ui/plugins/saml/types/state.ts
🧰 Additional context used
🧠 Learnings (5)
📚 Learning: 2026-01-06T13:45:19.278Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2561
File: admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts:4-101
Timestamp: 2026-01-06T13:45:19.278Z
Learning: In admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts, ensure Yup schema marks fields as nullable when the backend DTOs permit nulls and do not mark them as required. Align frontend validation with backend validation to prevent conflicts when editing existing configurations with null values; apply this pattern consistently to other Admin UI validation files where the backend is the source of truth.
Applied to files:
- admin-ui/plugins/admin/redux/sagas/WebhookSaga.ts
- admin-ui/app/redux/sagas/AttributesSaga.ts
- admin-ui/app/redux/sagas/AppInitSaga.ts
- admin-ui/app/redux/sagas/MauSaga.ts
- admin-ui/plugins/admin/redux/sagas/CustomScriptSaga.ts
- admin-ui/app/redux/api/base.ts
- admin-ui/app/redux/sagas/InitSaga.ts
- admin-ui/app/redux/sagas/SagaUtils.ts
- admin-ui/app/redux/sagas/ProfileDetailsSaga.ts
- admin-ui/app/redux/sagas/AuthSaga.ts
- admin-ui/app/cedarling/types/index.ts
- admin-ui/app/cedarling/hooks/useCedarling.ts
- admin-ui/app/redux/features/types/authTypes.ts
- admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaApi.ts
- admin-ui/plugins/admin/redux/sagas/AssetSaga.ts
- admin-ui/app/redux/features/authSlice.ts
- admin-ui/app/redux/sagas/types/audit.ts
📚 Learning: 2025-11-05T19:57:35.143Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2415
File: admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx:148-153
Timestamp: 2025-11-05T19:57:35.143Z
Learning: In the SSA Add page (admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx), the Back button should fall back to '/auth-server/config/ssa' when browser history is unavailable, not '/home/dashboard', as this keeps users in the SSA management context.
Applied to files:
- admin-ui/app/redux/sagas/AttributesSaga.ts
- admin-ui/plugins/auth-server/redux/sagas/OIDCSaga.js
- admin-ui/app/redux/sagas/InitSaga.ts
- admin-ui/app/routes/Pages/ByeBye.tsx
- admin-ui/app/redux/sagas/ProfileDetailsSaga.ts
- admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js
- admin-ui/app/redux/sagas/AuthSaga.ts
- admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaApi.ts
📚 Learning: 2025-11-06T08:23:20.948Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2418
File: admin-ui/plugins/user-management/components/UserForm.tsx:290-297
Timestamp: 2025-11-06T08:23:20.948Z
Learning: In the UserForm component (admin-ui/plugins/user-management/components/UserForm.tsx), the Back button should fall back to '/user/usersmanagement' when browser history is unavailable, not '/home/dashboard', as this keeps users in the user management context. This aligns with the new requirement that users should be redirected to the respective listing screen of the component rather than the dashboard.
Applied to files:
- admin-ui/app/routes/Pages/ByeBye.tsx
- admin-ui/app/redux/sagas/ProfileDetailsSaga.ts
📚 Learning: 2025-11-07T12:55:26.241Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:93-104
Timestamp: 2025-11-07T12:55:26.241Z
Learning: In the Cedarling configuration feature (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), the sync role to scopes mappings operation depends on the `auiPolicyStoreUrl`. The backend fetches content from this URL and syncs roles based on the response. Therefore, the audit log for the sync operation should include the `auiPolicyStoreUrl` in its payload to provide proper audit context.
Applied to files:
admin-ui/app/redux/sagas/SagaUtils.ts
📚 Learning: 2025-11-10T14:18:58.310Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:107-109
Timestamp: 2025-11-10T14:18:58.310Z
Learning: In the Cedarling configuration page (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), console.error calls should be kept in catch blocks when there are multiple operations in the try block, as they help print the whole error object with details for debugging unexpected errors.
Applied to files:
admin-ui/app/utils/AppAuthProvider.tsx
🔇 Additional comments (36)
admin-ui/plugins/admin/redux/sagas/WebhookSaga.ts (3)
36-36: LGTM! The import of `redirectToLogout` from `SagaUtils` is correct and aligns with the centralized 401 handling approach used across other saga files.
49-53: LGTM! The API client instantiation with `null` token is consistent with the session-based authentication pattern used across the codebase. The `getClient` utility correctly handles this by enabling cookies when `hasSession` is true (per `base.ts` lines 13-17).
79-84: Consistent 401 handling pattern across all saga functions.

The `yield*` delegation syntax correctly propagates the generator effects from `redirectToLogout`, and the early `return` prevents further saga execution. This pattern is applied consistently across all 8 error handlers in this file (`getWebhooks`, `createWebhook`, `deleteWebhook`, `updateWebhook`, `getFeatures`, `getFeaturesByWebhookId`, `getWebhooksByFeatureId`, `triggerWebhook`).

The shift from token refresh to logout on 401 aligns with the session-based authentication model where an invalid session should redirect users to re-authenticate.
admin-ui/app/cedarling/hooks/useCedarling.ts (1)
21-25: Verify jwtToken population in session-cookie flow; existing type safety and checks mitigate immediate risk.

The `jwtToken` field is correctly populated with the OAuth2 `accessToken` from the token response (AppAuthProvider.tsx:155) and is properly typed as `string | null`. The destructuring and aliasing to `access_token` matches the `IToken` interface expected by Cedarling. Additionally, explicit truthiness checks at lines 62 and 127 prevent use of missing or falsy tokens, which would surface the "Required tokens are missing" error before reaching Cedarling.

The main remaining concern is whether `jwtToken` is populated in the session-cookie flow mentioned in the PR. If session-based authentication does not populate this field, authorization will correctly fail at the existing guards (not a silent Cedarling failure). This behavior depends on how the session flow populates authReducer and should be verified during testing, particularly if the PR shifts to session-cookie-only authentication.

The suggested diff (explicit type check and comment) is optional given the existing safeguards, but adding a clarifying comment about the token's origin (OIDC access token, not Config API) could prevent future confusion if Config API removal is still in progress elsewhere.
admin-ui/app/redux/sagas/ProfileDetailsSaga.ts (1)
39-58: Cookie/session-based client + 401 logout flow looks consistent. Line 45 uses `getClient(..., null, issuer)` and Lines 53-55 exit via `redirectToLogout()` on 401.
admin-ui/app/redux/sagas/MauSaga.ts (1)
11-15: Session-based client init + 401 logout redirect is consistent with the new auth model.
Also applies to: 27-34
admin-ui/app/redux/sagas/AttributesSaga.ts (1)
15-19: Cookie/session-based client init + 401 redirect flow looks correct and consistent.
Also applies to: 32-37
admin-ui/app/cedarling/types/index.ts (1)
112-125: Type rename is clean; no remaining `JwtToken` consumers found in the codebase.
admin-ui/app/redux/sagas/InitSaga.ts (2)
16-38: LGTM! API client initialization aligned with session-based authentication. All API initialization functions correctly pass `null` as the token parameter to `getClient`, delegating session/cookie handling to the centralized `getClient` implementation based on `hasSession` state.
50-53: Consistent 401 handling pattern applied across all sagas. The refactored error handling correctly uses `yield* redirectToLogout()` followed by an early `return` to terminate the saga on session expiry. This is consistent with the broader migration to session-based authentication.
Also applies to: 68-71, 85-88, 102-105
admin-ui/app/redux/sagas/AppInitSaga.ts (3)
5-10: Type definition correctly reflects the new session-based auth model. The `AuthReducerShape` now properly includes `hasSession` and `jwtToken` fields, aligning with the migration away from the previous `token.access_token` structure.
25-32: Readiness gating correctly updated for session-based flow. The initialization now waits for `hasSession`, `idToken`, and `userinfoJwt` before proceeding. This ensures the Admin UI session is established before dispatching initialization actions.
64-68: New watcher correctly integrates session creation into app init flow. Adding the `createAdminUiSessionResponse` listener ensures `runAppInitIfReady` is triggered when the Admin UI session is successfully created, completing the authentication flow migration.
admin-ui/plugins/auth-server/redux/sagas/SessionSaga.js (2)
17-21: API client initialization correctly updated. The `newFunction` properly uses `null` for the token parameter, delegating authentication to the session-based cookie flow in `getClient`.
37-40: Consistent 401 handling across all session saga functions. All error handlers properly use `yield* redirectToLogout()` with early return, maintaining consistency with the broader authentication migration.
Also applies to: 56-59, 75-78, 95-98
admin-ui/plugins/auth-server/redux/sagas/OIDCSaga.js (2)
24-34: API client factories correctly updated for session-based auth. Both `newFunction` and `newTokenFunction` properly pass `null` as the token parameter, relying on `getClient` to handle session-based authentication via cookies.
49-52: Comprehensive 401 handling updates across all OIDC operations. All saga functions consistently apply the `yield* redirectToLogout()` pattern with early return on 401 errors, replacing the previous token refresh logic.
Also applies to: 70-73, 94-97, 117-120, 143-146, 159-162
admin-ui/app/routes/Pages/ByeBye.tsx (2)
18-43: Logout flow correctly structured with async session deletion. The `performLogout` function properly sequences the logout operations: dispatch auth state reset, conditionally delete the Admin UI session, dispatch logout action, and finally redirect. Error handling for the session deletion is appropriately lenient (log and continue).
32-39: Fallback redirect logic is robust. The conditional check for `config.endSessionEndpoint` with a fallback to localStorage or root path ensures the user is always redirected, even when the config is incomplete.
admin-ui/plugins/admin/redux/sagas/CustomScriptSaga.ts (2)
39-43: API factory correctly updated for session-based authentication. The `createScriptApi` generator properly passes `null` as the token, relying on the centralized `getClient` implementation to handle session cookies.
66-69: Consistent 401 handling across all custom script operations. All saga functions properly implement the `yield* redirectToLogout()` pattern with early return, maintaining consistency with the authentication migration across the codebase.
Also applies to: 91-94, 121-124, 151-154, 177-180, 209-212
admin-ui/plugins/admin/redux/sagas/AssetSaga.ts (2)
38-42: API factory correctly updated for session-based authentication. The `createAssetApi` generator properly passes `null` as the token parameter, delegating authentication to the session-based cookie flow.
60-63: Consistent 401 handling across all asset operations. All saga functions properly implement the `yield* redirectToLogout()` pattern with early return, maintaining consistency with the broader authentication migration.
Also applies to: 84-87, 108-111, 134-137, 157-160, 184-187
admin-ui/app/redux/features/types/authTypes.ts (1)
25-25: LGTM! The type updates properly reflect the shift to session-based authentication. The `jwtToken` naming follows camelCase convention, and `hasSession: boolean` cleanly represents the session state.
Also applies to: 38-38
admin-ui/app/redux/sagas/SagaUtils.ts (2)
23-26: LGTM with minor observation. The `redirectToLogout` helper centralizes session expiry handling. The hard redirect via `window.location.href` is appropriate here since the saga execution doesn't need to continue after logout. The audit log dispatch before redirect ensures the logout event is captured.
42-44: The change to logout on 401 errors is consistent with the existing application-wide pattern. All 401 error handling across the codebase (in SsaSaga, OAuthScopeSaga, OIDCSaga, CustomScriptSaga, AssetSaga, WebhookSaga, SessionSaga, and others) already triggers logout with `yield* redirectToLogout()` or `window.location.href = '/logout'`. There is no evidence of token refresh recovery logic for 401 errors in the codebase. This is the intended behavior.
Likely an incorrect or invalid review comment.
admin-ui/app/redux/api/base.ts (1)
15-21: LGTM - Session-based authentication toggle. The conditional logic correctly enables cookies and clears the access token when a session exists, falling back to token-based auth otherwise. This aligns with the PR's objective to transition to HttpOnly session cookies.
Also applies to: 46-52
admin-ui/app/redux/sagas/AuthSaga.ts (3)
47-69: LGTM - Conditional token fetching based on session state. The logic correctly skips token fetching when `hasSession` is true, aligning with the session-based authentication model. The fallback to `getApiTokenWithDefaultScopes()` when no token is provided ensures backward compatibility during the transition.
87-90: LGTM - Unified 401 handling with redirectToLogout. Using the centralized `redirectToLogout` helper ensures consistent session expiry behavior across all sagas that handle 401 errors.
109-113: Session creation flow is correct. The implementation properly follows the intended flow. The `jwt.payload` parameter contains the user-info JWT (ujwt) returned from `fetchUserInformation`, not the raw access token. At line 159 in AppAuthProvider.tsx, the action dispatches the ujwt as the payload, which is then extracted in the saga at line 112 and passed as the `ujwt` parameter to `createAdminUiSession`, alongside the API protection token.
admin-ui/app/redux/features/authSlice.ts (6)
33-34: LGTM! Clear saga trigger pattern with appropriate comment. The underscore-prefixed parameters correctly indicate intentionally unused variables.
53-74: LGTM! Consistent camelCase naming (`jwtToken`) applied to payload and state fields. The reducer logic is correct.
76-83: LGTM! Payload correctly simplified to remove `access_token` in alignment with the session-based authentication model. The reducer now sets only `issuer`, `permissions`, and `isAuthenticated` state.
90-92: LGTM! Correctly simplified to only set `issuer`, consistent with the removal of token-based authentication.
130-133: LGTM! New session lifecycle actions are correctly exported for use in sagas and components.
23-26: No action needed. The `AuthState` type definition in `./types/authTypes` already includes all required fields (`jwtToken`, `userInum`, `isUserInfoFetched`, and `hasSession`) with compatible types, confirming proper alignment with the initial state.
Likely an incorrect or invalid review comment.
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js (3)
49-64: Missing 401 handling in `getSsaJwt`. Unlike `getSsa`, `addSsaConfig`, and `removeSsaConfig`, this function does not check for 401 errors and redirect to logout. This inconsistency could result in stale error states when the session expires during a JWT fetch.
🔧 Proposed fix to add 401 handling
} catch (e) { yield put(updateToast(true, 'error')) yield put(getSsaJwtResponse([])) + if (isFourZeroOneError(e)) { + yield* redirectToLogout() + return + } return e }
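Review bot: in the proposed catch block the 401 check sits after `yield put(updateToast(true, 'error'))` and `yield put(getSsaJwtResponse([]))`, so an error toast and a state reset are dispatched a moment before `redirectToLogout()` navigates away from the page. Moving `if (isFourZeroOneError(e)) { yield* redirectToLogout(); return }` to the top of the catch avoids the stray toast and keeps the session-expiry branch free of side effects that the redirect makes moot.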
87-92: Incorrect toast message on success path. On line 90, `updateToast(true, 'success', data?.error)` passes `data?.error` as the message, but this is in the success branch where `data?.error` should be falsy. This likely displays `undefined` or an empty message instead of a meaningful success notification.
🔧 Proposed fix
if (!data?.error) { createAndDownloadJSONFile(data) yield put(toggleSaveConfig(true)) - yield put(updateToast(true, 'success', data?.error)) + yield put(updateToast(true, 'success', 'SSA created successfully')) yield call(postUserAction, audit) }
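Review bot: the replacement message `'SSA created successfully'` is a hardcoded English literal; if the other `updateToast` calls in this saga pass their text through the app's translation layer, this one should use the same mechanism rather than an inline string, otherwise the success toast will be the one untranslated message on the page. The guard `if (!data?.error)` is unchanged, so the download and the audit call still run only when the response carries no error field.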
126-147: Consider a more descriptive filename for downloaded SSA. The hardcoded `'file.json'` filename is generic. A more descriptive name like `'ssa-<timestamp>.json'` or `'ssa-data.json'` would help users identify downloaded files.
♻️ Optional improvement
function createAndDownloadJSONFile(data) { const jsonData = JSON.stringify(data, null, 2) const blob = new Blob([jsonData], { type: 'application/json' }) const link = document.createElement('a') link.href = URL.createObjectURL(blob) - link.download = 'file.json' + link.download = `ssa-${Date.now()}.json` document.body.appendChild(link) link.click() document.body.removeChild(link) URL.revokeObjectURL(link.href) }
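Review bot: `URL.revokeObjectURL(link.href)` is called synchronously right after `link.click()`; browsers may start the download asynchronously, and revoking the object URL before the download has begun can abort it in some of them. Deferring the revoke (for example `setTimeout(() => URL.revokeObjectURL(link.href), 0)`) keeps the proposed `ssa-${Date.now()}.json` naming and removes that race. Also note that `Date.now()` yields a millisecond epoch number, not a human-readable timestamp; an ISO date with the colons replaced would be easier to recognise in a downloads folder.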
🤖 Fix all issues with AI agents
In @admin-ui/app/redux/sagas/AuthSaga.ts:
- Around line 145-152: deleteAdminUiSessionWorker currently only dispatches
deleteAdminUiSessionResponse on success, so failures leave Redux hasSession
stale; update the worker (deleteAdminUiSessionWorker) to always dispatch
deleteAdminUiSessionResponse regardless of whether deleteAdminUiSessionApi
throws (e.g., by moving the yield put(deleteAdminUiSessionResponse()) into a
finally block or dispatching it in the catch), and keep logging the error from
the catch to preserve diagnostics.
- Around line 134-143: The createAdminUiSessionWorker currently dispatches
createAdminUiSessionResponse({ success: false }) on error without details;
modify the catch block in createAdminUiSessionWorker to capture the caught error
(e.g., error) and dispatch createAdminUiSessionResponse({ success: false, error:
stringify or normalize the error message/status }) and optionally include the
error in the console log; then update the reducer's action payload type/shape
that handles createAdminUiSessionResponse to accept and store an optional error
field (and update any selectors/consumers that assume only { success }) so the
UI and logs can surface meaningful debugging info.
In @admin-ui/app/routes/Pages/ByeBye.tsx:
- Around line 19-21: performLogout dispatches setAuthState incorrectly by
passing a boolean; setAuthState expects a payload shaped as { state: boolean }
(see authSlice setAuthState action). Update the dispatch in performLogout to
call dispatch(setAuthState({ state: false })) and adjust any other calls to
setAuthState to provide an object with the state property rather than a raw
boolean.
In @admin-ui/app/utils/AppAuthProvider.tsx:
- Around line 171-183: The code always fetches a bearer token then calls
fetchPolicyStore even when a session exists; update the flow so when hasSession
is true you call fetchPolicyStore using session auth (i.e., omit the access
token and ensure withCredentials: true is used) and skip dispatching
getAPIAccessToken(userinfo_jwt) and the subsequent token fetch; only call
getAPIAccessToken and fetchPolicyStore with the returned token when hasSession
is false (or if backend requires bearer auth after verification), keeping
function names fetchPolicyStore and getAPIAccessToken and the hasSession check
as the decision points.
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (6)
admin-ui/app/redux/features/authSlice.ts
admin-ui/app/redux/sagas/AuthSaga.ts
admin-ui/app/routes/Pages/ByeBye.tsx
admin-ui/app/utils/AppAuthProvider.tsx
admin-ui/plugins/auth-server/redux/api/SsaApi.js
admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js
🧰 Additional context used
🧠 Learnings (5)
📚 Learning: 2025-11-06T08:23:20.948Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2418
File: admin-ui/plugins/user-management/components/UserForm.tsx:290-297
Timestamp: 2025-11-06T08:23:20.948Z
Learning: In the UserForm component (admin-ui/plugins/user-management/components/UserForm.tsx), the Back button should fall back to '/user/usersmanagement' when browser history is unavailable, not '/home/dashboard', as this keeps users in the user management context. This aligns with the new requirement that users should be redirected to the respective listing screen of the component rather than the dashboard.
Applied to files:
admin-ui/app/routes/Pages/ByeBye.tsx
📚 Learning: 2025-11-05T19:57:35.143Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2415
File: admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx:148-153
Timestamp: 2025-11-05T19:57:35.143Z
Learning: In the SSA Add page (admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx), the Back button should fall back to '/auth-server/config/ssa' when browser history is unavailable, not '/home/dashboard', as this keeps users in the SSA management context.
Applied to files:
admin-ui/app/routes/Pages/ByeBye.tsx
admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2025-12-05T18:24:41.713Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2498
File: admin-ui/plugins/saml/components/SamlConfigurationForm.tsx:30-30
Timestamp: 2025-12-05T18:24:41.713Z
Learning: In the GluuFederation/flex admin-ui codebase, `SetTitle` (imported from 'Utils/SetTitle') is a custom React hook that should be called at the component's top level, not inside `useEffect` or other hooks, because it internally manages side effects for setting page titles.
Applied to files:
admin-ui/app/routes/Pages/ByeBye.tsx
📚 Learning: 2026-01-06T13:45:19.278Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2561
File: admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts:4-101
Timestamp: 2026-01-06T13:45:19.278Z
Learning: In admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts, ensure Yup schema marks fields as nullable when the backend DTOs permit nulls and do not mark them as required. Align frontend validation with backend validation to prevent conflicts when editing existing configurations with null values; apply this pattern consistently to other Admin UI validation files where the backend is the source of truth.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
admin-ui/app/redux/features/authSlice.ts
📚 Learning: 2025-11-26T12:25:34.923Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2475
File: admin-ui/plugins/auth-server/components/Clients/ClientDetailPage.js:111-216
Timestamp: 2025-11-26T12:25:34.923Z
Learning: In the admin-ui codebase, avoid suggesting comments for small functionalities or straightforward layout decisions in smaller components. Comments should be reserved for more complex or non-obvious logic.
Applied to files:
admin-ui/app/redux/features/authSlice.ts
🧬 Code graph analysis (4)
admin-ui/app/utils/AppAuthProvider.tsx (1)
admin-ui/app/redux/api/backend-api.ts (1)
fetchApiAccessToken(72-83)
admin-ui/app/routes/Pages/ByeBye.tsx (1)
admin-ui/app/utils/Util.ts (1)
uuidv4(3-15)
admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js (3)
admin-ui/app/redux/api/base.ts (1)
getClient(3-31)
admin-ui/plugins/auth-server/redux/api/SsaApi.js (1)
SsaApi(11-76)
admin-ui/app/redux/sagas/SagaUtils.ts (1)
redirectToLogout(23-26)
admin-ui/app/redux/sagas/AuthSaga.ts (2)
admin-ui/app/redux/api/backend-api.ts (3)
fetchServerConfiguration(4-15)
putServerConfiguration(17-26)
createAdminUiSession(103-112)
admin-ui/app/redux/sagas/SagaUtils.ts (1)
redirectToLogout(23-26)
🔇 Additional comments (13)
admin-ui/plugins/auth-server/redux/api/SsaApi.js (2)
3-9: LGTM! Clean helper function for conditional Authorization header. The `buildHeaders` function properly handles the optional token parameter, supporting both the new cookie-based auth flow (when token is `null`) and legacy token-based auth when needed.
19-23: LGTM! Correct use of `credentials: 'include'` for cookie-based auth. Adding `credentials: 'include'` to all fetch calls ensures HttpOnly session cookies are sent with cross-origin requests, aligning with the new session-based authentication flow.
Also applies to: 36-41, 54-58
admin-ui/plugins/auth-server/redux/sagas/SsaSaga.js (1)
12-12: LGTM! Consistent transition to session-based auth with proper 401 handling. The changes correctly:
- Pass `null` tokens to rely on HttpOnly cookies for authentication
- Use `yield* redirectToLogout()` to properly delegate to the generator on 401 errors
- Maintain consistency with the broader auth flow changes across the Admin UI
Also applies to: 22-22, 30-30, 42-43, 54-54, 84-84, 96-97, 119-120
admin-ui/app/redux/features/authSlice.ts (3)
5-27: LGTM! State shape changes align with session-based authentication. The addition of `hasSession` and renaming `JwtToken` to `jwtToken` properly supports the transition to session-based authentication. The initial state correctly defaults `hasSession` to `false`.
99-109: Session lifecycle reducers look correct. The implementation properly:
- Sets `hasSession = true` only on successful session creation
- Resets to `initialState` on session deletion (complete logout cleanup)
One consideration: `createAdminUiSessionResponse` with `success: false` doesn't update state. Verify this is intentional—the saga logs the error but the UI won't have visibility into failed session creation.
76-83: Verify authentication state timing. `isAuthenticated` is set to `true` in `getAPIAccessTokenResponse` (Line 82), but the Admin UI session is created asynchronously afterward. If session creation fails, the user may appear authenticated without a valid session.
Consider setting `isAuthenticated = true` in `createAdminUiSessionResponse` instead, or ensure the flow handles partial authentication states gracefully.
admin-ui/app/routes/Pages/ByeBye.tsx (2)
22-30: Graceful error handling for session deletion. The try/catch ensures logout proceeds even if the backend session deletion fails. This is the correct approach for logout flows.
32-44: Stale closure risk with async logout. The `performLogout` function captures `config` and `hasSession` at mount time. If these values change during the async operation (unlikely but possible), stale values will be used.
Since logout is a terminal action and the window redirects immediately after, this is low-risk. The empty dependency array with the eslint-disable is acceptable here.
admin-ui/app/redux/sagas/AuthSaga.ts (2)
47-69: Session-aware config fetching looks correct. The logic correctly:
- Skips token fetching when `hasSession` is true (session cookie handles auth)
- Falls back to fetching a new token if `access_token` is not provided and no session exists
97-120: Admin UI session creation flow aligns with requirements. The worker correctly:
- Fetches API access token scopes/issuer
- Obtains a default-scoped API protection token
- Dispatches `createAdminUiSession` with the user JWT and protection token
The session creation is dispatched asynchronously (handled by its own watcher), which is the correct saga pattern.
admin-ui/app/utils/AppAuthProvider.tsx (3)
34-36: LGTM! Auth state destructuring updated correctly. The addition of `hasSession` to the selector aligns with the new session-based authentication flow.
139-158: Token flow correctly propagates OAuth access token. The `oauthAccessToken` is captured from the token response and dispatched via `getUserInfoResponse` as `jwtToken`. This aligns with the state rename from `JwtToken` to `jwtToken`.
178-181: Good defensive error handling for token response. The explicit validation of `tokenResponse` before proceeding prevents cryptic errors from accessing properties on null/undefined. The thrown error is caught by the outer catch block and surfaced via `setError`.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
admin-ui/app/redux/sagas/AuthSaga.ts (1)
97-120: Consider handling the case when `defaultToken` is null after session creation dispatch. The flow dispatches `createAdminUiSession` only when `defaultToken` is truthy, but if `getApiTokenWithDefaultScopes` fails and returns `null`, the session won't be created. This may leave the app in an inconsistent state where authentication succeeded but no session exists.
💡 Suggested improvement
Consider logging or handling the case when `defaultToken` is null to provide visibility into session creation failures:
const defaultToken = yield* getApiTokenWithDefaultScopes() if (defaultToken) { yield put(createAdminUiSession({ ujwt: jwt.payload, apiProtectionToken: defaultToken })) + } else { + console.warn('Unable to create Admin UI session: failed to obtain default token') }
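Review bot: a `console.warn` in the `else` branch leaves the store in exactly the state the comment calls inconsistent: nothing in Redux learns that no session will be created, so any readiness gating on `hasSession` simply waits. Dispatching `createAdminUiSessionResponse({ success: false, error: ... })` there, in the same shape the worker uses for a failed session POST, routes the missing-token case through the one reducer path the rest of the app already watches, and the warning can stay alongside it for the console.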
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (4)
admin-ui/app/redux/features/authSlice.ts
admin-ui/app/redux/sagas/AuthSaga.ts
admin-ui/app/routes/Pages/ByeBye.tsx
admin-ui/app/utils/AppAuthProvider.tsx
🧰 Additional context used
🧠 Learnings (8)
📓 Common learnings
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:43-149
Timestamp: 2025-11-07T12:17:39.857Z
Learning: In the Cedarling configuration UI PR (#2378), the `configApiPolicyStoreUrl` field is intentionally out of scope. It relates to config API configuration and will be covered in a separate PR. The current PR focuses on the Admin UI policy store URL (`auiPolicyStoreUrl`).
📚 Learning: 2025-11-05T19:57:35.143Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2415
File: admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx:148-153
Timestamp: 2025-11-05T19:57:35.143Z
Learning: In the SSA Add page (admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx), the Back button should fall back to '/auth-server/config/ssa' when browser history is unavailable, not '/home/dashboard', as this keeps users in the SSA management context.
Applied to files:
admin-ui/app/routes/Pages/ByeBye.tsx
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2025-11-06T08:23:20.948Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2418
File: admin-ui/plugins/user-management/components/UserForm.tsx:290-297
Timestamp: 2025-11-06T08:23:20.948Z
Learning: In the UserForm component (admin-ui/plugins/user-management/components/UserForm.tsx), the Back button should fall back to '/user/usersmanagement' when browser history is unavailable, not '/home/dashboard', as this keeps users in the user management context. This aligns with the new requirement that users should be redirected to the respective listing screen of the component rather than the dashboard.
Applied to files:
admin-ui/app/routes/Pages/ByeBye.tsx
📚 Learning: 2025-12-05T18:24:41.713Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2498
File: admin-ui/plugins/saml/components/SamlConfigurationForm.tsx:30-30
Timestamp: 2025-12-05T18:24:41.713Z
Learning: In the GluuFederation/flex admin-ui codebase, `SetTitle` (imported from 'Utils/SetTitle') is a custom React hook that should be called at the component's top level, not inside `useEffect` or other hooks, because it internally manages side effects for setting page titles.
Applied to files:
admin-ui/app/routes/Pages/ByeBye.tsx
📚 Learning: 2025-11-07T12:55:26.241Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:93-104
Timestamp: 2025-11-07T12:55:26.241Z
Learning: In the Cedarling configuration feature (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), the sync role to scopes mappings operation depends on the `auiPolicyStoreUrl`. The backend fetches content from this URL and syncs roles based on the response. Therefore, the audit log for the sync operation should include the `auiPolicyStoreUrl` in its payload to provide proper audit context.
Applied to files:
admin-ui/app/utils/AppAuthProvider.tsx
📚 Learning: 2025-11-10T14:18:58.310Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:107-109
Timestamp: 2025-11-10T14:18:58.310Z
Learning: In the Cedarling configuration page (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), console.error calls should be kept in catch blocks when there are multiple operations in the try block, as they help print the whole error object with details for debugging unexpected errors.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2026-01-06T13:45:19.278Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2561
File: admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts:4-101
Timestamp: 2026-01-06T13:45:19.278Z
Learning: In admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts, ensure Yup schema marks fields as nullable when the backend DTOs permit nulls and do not mark them as required. Align frontend validation with backend validation to prevent conflicts when editing existing configurations with null values; apply this pattern consistently to other Admin UI validation files where the backend is the source of truth.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
admin-ui/app/redux/features/authSlice.ts
📚 Learning: 2025-11-26T12:25:34.923Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2475
File: admin-ui/plugins/auth-server/components/Clients/ClientDetailPage.js:111-216
Timestamp: 2025-11-26T12:25:34.923Z
Learning: In the admin-ui codebase, avoid suggesting comments for small functionalities or straightforward layout decisions in smaller components. Comments should be reserved for more complex or non-obvious logic.
Applied to files:
admin-ui/app/redux/features/authSlice.ts
🧬 Code graph analysis (3)
admin-ui/app/routes/Pages/ByeBye.tsx (1)
admin-ui/app/utils/Util.ts (1)
uuidv4(3-15)
admin-ui/app/utils/AppAuthProvider.tsx (1)
admin-ui/app/redux/api/backend-api.ts (2)
fetchPolicyStore(95-100)
fetchApiAccessToken(72-83)
admin-ui/app/redux/sagas/AuthSaga.ts (2)
admin-ui/app/redux/api/backend-api.ts (3)
fetchServerConfiguration(4-15)
putServerConfiguration(17-26)
createAdminUiSession(103-112)
admin-ui/app/redux/sagas/SagaUtils.ts (1)
redirectToLogout(23-26)
🔇 Additional comments (10)
admin-ui/app/routes/Pages/ByeBye.tsx (1)
18-44: LGTM! Well-structured async logout flow. The logout logic correctly:
- Dispatches state changes before async operations to immediately update UI
- Guards session deletion with `hasSession` check
- Provides proper error handling with logging
- Implements fallback URI when `endSessionEndpoint` is unavailable
admin-ui/app/utils/AppAuthProvider.tsx (3)
34-36: LGTM! Selector updated correctly for session-based auth. The `hasSession` addition aligns with the new session-based authentication flow defined in the auth slice.
139-158: Token handling and user info dispatch updated correctly. The rename from `JwtToken` to `oauthAccessToken` and `jwtToken` in the payload aligns with the slice changes and provides clearer naming semantics.
171-184: Session recreation and policy store fetch logic is correct. The branching based on `hasSession` correctly implements:
- Re-creating session when not present (using stored `userinfo_jwt`)
- Direct policy store fetch when session exists (uses credentials via `withCredentials`)
- Token-based policy store fetch as fallback when session needs to be established
Note: `fetchApiAccessToken(ujwt)` is called with a single argument while the function signature expects `(jwt, permissionTag)`. This is intentional—`permissionTag` defaults to `[]` within the function, but being explicit with both parameters would improve clarity.
admin-ui/app/redux/sagas/AuthSaga.ts (3)
134-153: LGTM! Session lifecycle workers are well-implemented. Good patterns observed:
- `createAdminUiSessionWorker` properly dispatches success/failure responses with error details
- `deleteAdminUiSessionWorker` uses `finally` to ensure `deleteAdminUiSessionResponse` is always dispatched, maintaining consistent state even on errors
47-68: LGTM! Session-aware OAuth config fetching. The conditional token acquisition based on `hasSession` correctly implements the new flow:
- When session exists: fetch config without token (uses session cookie via `withCredentials`)
- When no session: obtain token first, then fetch config with bearer auth
85-95: LGTM! 401 handling updated to use centralized logout redirect. Using `redirectToLogout` from SagaUtils provides consistent session expiry handling across sagas.
admin-ui/app/redux/features/authSlice.ts (3)
99-112: Session action reducers implemented correctly. The implementation aligns with the session-based auth flow:
- `createAdminUiSession` is a saga trigger (no-op reducer)
- `createAdminUiSessionResponse` only sets `hasSession = true` on success
- `deleteAdminUiSessionResponse` correctly resets to `initialState` for clean logout
One consideration: if `createAdminUiSessionResponse` receives `success: false`, the state remains unchanged. Verify this is the intended behavior - if the app should handle session creation failure differently (e.g., logout or retry), you may want to add explicit failure handling.
76-83: LGTM! Token storage removed in favor of session-based auth. The reducer no longer stores access tokens, only setting `issuer` and `permissions`. This aligns with the PR objective of using HttpOnly session cookies instead of per-request bearer tokens.
5-27: LGTM! Initial state updated for session-based auth. The changes correctly:
- Rename `JwtToken` to `jwtToken` for consistent naming
- Add `hasSession: false` for tracking server-side session state
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
admin-ui/app/redux/sagas/AuthSaga.ts (1)
1-1: Consider removing `@ts-nocheck` in a follow-up. Disabling TypeScript checking across the entire file masks potential type errors in the new session management code. Consider enabling type checking and addressing type issues incrementally.
🤖 Fix all issues with AI agents
In @admin-ui/app/redux/sagas/AuthSaga.ts:
- Around line 173-175: The watcher createAdminUiSessionWatcher currently uses
takeEvery which can spawn concurrent createAdminUiSessionWorker instances and
cause race conditions; change it to use takeLatest so only the latest
'auth/createAdminUiSession' action runs (i.e., yield
takeLatest('auth/createAdminUiSession', createAdminUiSessionWorker)) and update
the imports to use takeLatest instead of takeEvery.
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (1)
admin-ui/app/redux/sagas/AuthSaga.ts
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-11-05T19:57:35.143Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2415
File: admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx:148-153
Timestamp: 2025-11-05T19:57:35.143Z
Learning: In the SSA Add page (admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx), the Back button should fall back to '/auth-server/config/ssa' when browser history is unavailable, not '/home/dashboard', as this keeps users in the SSA management context.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2025-11-10T14:18:58.310Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:107-109
Timestamp: 2025-11-10T14:18:58.310Z
Learning: In the Cedarling configuration page (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), console.error calls should be kept in catch blocks when there are multiple operations in the try block, as they help print the whole error object with details for debugging unexpected errors.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2026-01-06T13:45:19.278Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2561
File: admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts:4-101
Timestamp: 2026-01-06T13:45:19.278Z
Learning: In admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts, ensure Yup schema marks fields as nullable when the backend DTOs permit nulls and do not mark them as required. Align frontend validation with backend validation to prevent conflicts when editing existing configurations with null values; apply this pattern consistently to other Admin UI validation files where the backend is the source of truth.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
🔇 Additional comments (6)
admin-ui/app/redux/sagas/AuthSaga.ts (6)
47-69: LGTM!
The session-aware token logic correctly skips token acquisition when a session exists, falling back to default scopes when needed. Storing `postLogoutRedirectUri` before dispatching ensures logout redirects work properly.
85-94: LGTM!
The 401 error handling correctly delegates to `redirectToLogout` and returns to prevent further execution. The `finally` block ensures `putConfigWorkerResponse` is dispatched for cleanup regardless of the error path.
109-118: Consider clarifying the error context.
The flow looks correct for the new session-based authentication. However, the error message "Failed to obtain API token" could be more specific since it refers to the default scopes token needed for session creation, not the main API access token.
💡 Optional: Clarify error message
if (defaultToken) { yield put(createAdminUiSession({ ujwt: jwt.payload, apiProtectionToken: defaultToken })) } else { - console.error('Failed to obtain API token for session creation') + console.error('Failed to obtain API protection token for session creation') yield put( - createAdminUiSessionResponse({ success: false, error: 'Failed to obtain API token' }), + createAdminUiSessionResponse({ success: false, error: 'Failed to obtain API protection token' }), ) }
150-158: LGTM!
Using `finally` to always dispatch `deleteAdminUiSessionResponse` is correct for logout flows. The UI should proceed with cleanup regardless of whether the API call succeeds. This ensures a consistent user experience during logout.
180-189: LGTM!
The new session watchers are correctly forked alongside existing watchers in the root saga.
139-148: This concern is not applicable: the API correctly throws on error.
The `createAdminUiSession` API in backend-api.ts explicitly throws errors in its catch block (line 110: `throw error`), so the try-catch pattern in the saga is correct. The suggestion based on comparing this to `fetchApiTokenWithDefaultScopes` does not apply; that function uses a different error-handling pattern (returns the error instead of throwing), but `createAdminUiSession` follows the throw pattern, which the saga correctly handles.
Likely an incorrect or invalid review comment.
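The `takeEvery` versus `takeLatest` point raised in the comment above, as an added example that is not code from the flex repository or from redux-saga. The three dispatch strategies are modelled directly on Promises; the session server stub, its latency and the double dispatch are constructed for the example. It goes one step past the review's suggestion by adding a single-flight variant, because cancelling a saga drops its continuation but does not recall an HTTP request that has already left the browser.

```typescript
// Added example, not code from the flex repository: what takeLatest does and
// does not buy you on 'auth/createAdminUiSession'. redux-saga is not used;
// the strategies below model its semantics on plain Promises.

type Post = (ujwt: string) => Promise<string>
type Runner = (ujwt: string) => Promise<Outcome>
export type Outcome = { status: 'committed'; session: string } | { status: 'dropped' }

// Constructed stand-in for POST /app/admin-ui/oauth2/session. It counts every
// request that reaches it, which is what a server-side session store would see.
export function makeSessionServer(latencyMs: number) {
  let requests = 0
  const post: Post = async (ujwt) => {
    requests += 1
    const id = requests
    await new Promise<void>((resolve) => setTimeout(resolve, latencyMs))
    return `session-for-${ujwt}#${id}`
  }
  return { post, requests: () => requests }
}

// takeEvery: each action spawns a worker and every result is committed.
export function takeEvery(post: Post): Runner {
  return async (ujwt) => ({ status: 'committed', session: await post(ujwt) })
}

// takeLatest: a newer action cancels the older worker, so only the newest
// result is committed. The older request has already left the browser.
export function takeLatest(post: Post): Runner {
  let current: { cancelled: boolean } | null = null
  return async (ujwt) => {
    if (current) current.cancelled = true
    const token = { cancelled: false }
    current = token
    const session = await post(ujwt)
    return token.cancelled ? { status: 'dropped' } : { status: 'committed', session }
  }
}

// Single-flight guard: while a request is pending, later dispatches share its
// promise instead of sending their own. Only this keeps the server at one request.
export function singleFlight(post: Post): Runner {
  let pending: Promise<string> | null = null
  return async (ujwt) => {
    if (!pending) {
      pending = post(ujwt).then(
        (session) => { pending = null; return session },
        (err) => { pending = null; throw err },
      )
    }
    return { status: 'committed', session: await pending }
  }
}

export interface Tally { requests: number; sessions: number }

// Dispatch the same action twice back to back, as a re-render or retry would,
// and report how many requests hit the server and how many distinct sessions
// the store ends up committing.
export async function tally(strategy: (post: Post) => Runner): Promise<Tally> {
  const server = makeSessionServer(5)
  const run = strategy(server.post)
  const outcomes = await Promise.all([run('user-jwt'), run('user-jwt')])
  const sessions = new Set<string>()
  for (const o of outcomes) if (o.status === 'committed') sessions.add(o.session)
  return { requests: server.requests(), sessions: sessions.size }
}
```

`tally(takeEvery)` commits two different sessions from two requests, `tally(takeLatest)` commits one session but the server still sees two requests, and only `tally(singleFlight)` brings both numbers to one. If a duplicate server-side session is the thing to avoid, `takeLatest` alone is not enough; a guard on `hasSession` or an in-flight flag before dispatching is.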
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @admin-ui/app/redux/sagas/AuthSaga.ts:
- Around line 150-158: The catch block in deleteAdminUiSessionWorker currently
uses console.log which is inappropriate for errors; replace
console.log('Problems deleting Admin UI session.', error) with
console.error('Problems deleting Admin UI session.', error) so the full error
object is logged (keep the try/catch/finally structure and still call
deleteAdminUiSessionApi in the try and yield put(deleteAdminUiSessionResponse())
in finally).
- Around line 139-148: In createAdminUiSessionWorker, replace the console.log in
the catch block with console.error and enrich the dispatched error payload by
extracting axios-specific details (e.g. error.response?.data,
error.response?.status) falling back to error.message; keep the existing
createAdminUiSessionApi call and ensure the createAdminUiSessionResponse action
is called with success: false and a detailed error field (e.g. include response
data or status when present) so debugging shows the axios response body as well
as the message.
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (1)
admin-ui/app/redux/sagas/AuthSaga.ts
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-11-05T19:57:35.143Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2415
File: admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx:148-153
Timestamp: 2025-11-05T19:57:35.143Z
Learning: In the SSA Add page (admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx), the Back button should fall back to '/auth-server/config/ssa' when browser history is unavailable, not '/home/dashboard', as this keeps users in the SSA management context.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2025-11-10T14:18:58.310Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:107-109
Timestamp: 2025-11-10T14:18:58.310Z
Learning: In the Cedarling configuration page (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), console.error calls should be kept in catch blocks when there are multiple operations in the try block, as they help print the whole error object with details for debugging unexpected errors.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2026-01-06T13:45:19.278Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2561
File: admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts:4-101
Timestamp: 2026-01-06T13:45:19.278Z
Learning: In admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts, ensure Yup schema marks fields as nullable when the backend DTOs permit nulls and do not mark them as required. Align frontend validation with backend validation to prevent conflicts when editing existing configurations with null values; apply this pattern consistently to other Admin UI validation files where the backend is the source of truth.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
🧬 Code graph analysis (1)
admin-ui/app/redux/sagas/AuthSaga.ts (2)
admin-ui/app/redux/api/backend-api.ts (3)
fetchServerConfiguration (4-15)
putServerConfiguration (17-26)
createAdminUiSession (103-112)
admin-ui/app/redux/sagas/SagaUtils.ts (1)
redirectToLogout (23-26)
🔇 Additional comments (5)
admin-ui/app/redux/sagas/AuthSaga.ts (5)
1-28: LGTM!
Imports are well-organized. Aliasing the API functions (`createAdminUiSessionApi`, `deleteAdminUiSessionApi`) avoids naming conflicts with the Redux actions.
47-69: LGTM!
The conditional token retrieval based on `hasSession` correctly implements the cookie-based auth flow. The `fetchServerConfiguration` API properly switches between bearer token and `withCredentials` based on token presence.
71-95: LGTM!
The 401 error handling with `redirectToLogout` is appropriate for session-based authentication. The `putServerConfiguration` API correctly uses `withCredentials` for cookie-based auth.
97-125: LGTM!
The chained flow (get API access token → get default token → create session) correctly implements the new session creation process per PR objectives. Dispatching `createAdminUiSessionResponse` directly on token failure is an acceptable shortcut.
160-189: LGTM!
Using `takeLatest` for session creation prevents duplicate session creation attempts. The watchers are correctly registered in the root saga.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
admin-ui/app/redux/sagas/AuthSaga.ts (1)
97-125: Handle fallback/failure cases explicitly.
If `jwt` is falsy or the API response is invalid (`null` or `-1`), the worker silently exits without dispatching any response action. This could leave the calling component in an indeterminate loading state.
🐛 Proposed fix
function* getAPIAccessTokenWorker(jwt) { try { if (jwt) { const response = yield call(fetchApiAccessToken, jwt.payload) if (response && response !== -1) { yield put( getAPIAccessTokenResponse({ scopes: response.scopes, issuer: response.issuer, }), ) const defaultToken = yield* getApiTokenWithDefaultScopes() if (defaultToken) { yield put(createAdminUiSession({ ujwt: jwt.payload, apiProtectionToken: defaultToken })) } else { console.error('Failed to obtain API token for session creation') yield put( createAdminUiSessionResponse({ success: false, error: 'Failed to obtain API token' }), ) } return } + // Invalid response from API + console.error('Invalid API access token response:', response) } + // No JWT provided or invalid response - dispatch failure + yield put( + createAdminUiSessionResponse({ success: false, error: 'Failed to get API access token' }), + ) } catch (error) { console.error('Problems getting API Access Token.', error?.response?.data || error) + yield put( + createAdminUiSessionResponse({ success: false, error: error?.message || 'API access error' }), + ) } }
🤖 Fix all issues with AI agents
In @admin-ui/app/redux/sagas/AuthSaga.ts:
- Around line 60-64: The conditional uses the magic number -1 to indicate an
error from fetchServerConfiguration; replace that literal with a clearly named
constant (e.g., FETCH_CONFIG_ERROR or FETCH_SERVER_CONFIGURATION_ERROR) and use
it in the check in AuthSaga where response is evaluated, or update
fetchServerConfiguration to return a well-documented sentinel (null/undefined)
or throw; then update the branch that calls
localStorage.setItem('postLogoutRedirectUri', response.postLogoutRedirectUri)
and yield put(getOAuth2ConfigResponse({ config: response })) to check against
the named constant (or explicit null) instead of using -1 so the intent is clear
and maintainable.
- Around line 139-150: createAdminUiSessionWorker currently treats all errors
the same; add explicit 401 handling to mirror putConfigWorker by detecting
error?.response?.status === 401 in the catch block and invoking the app's
logout/unauthorized flow (the same action or saga used elsewhere to clear
session and redirect on 401), then return/exit; otherwise continue to derive
errorMessage and yield put(createAdminUiSessionResponse({ success: false, error:
errorMessage })). Ensure you still reference createAdminUiSessionApi and
createAdminUiSessionResponse when making the changes.
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (2)
admin-ui/app/redux/sagas/AuthSaga.ts
admin-ui/app/redux/sagas/SessionSaga.ts
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-11-10T14:18:58.310Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:107-109
Timestamp: 2025-11-10T14:18:58.310Z
Learning: In the Cedarling configuration page (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), console.error calls should be kept in catch blocks when there are multiple operations in the try block, as they help print the whole error object with details for debugging unexpected errors.
Applied to files:
admin-ui/app/redux/sagas/SessionSaga.ts
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2026-01-06T13:45:19.278Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2561
File: admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts:4-101
Timestamp: 2026-01-06T13:45:19.278Z
Learning: In admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts, ensure Yup schema marks fields as nullable when the backend DTOs permit nulls and do not mark them as required. Align frontend validation with backend validation to prevent conflicts when editing existing configurations with null values; apply this pattern consistently to other Admin UI validation files where the backend is the source of truth.
Applied to files:
admin-ui/app/redux/sagas/SessionSaga.ts
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2025-11-05T19:57:35.143Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2415
File: admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx:148-153
Timestamp: 2025-11-05T19:57:35.143Z
Learning: In the SSA Add page (admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx), the Back button should fall back to '/auth-server/config/ssa' when browser history is unavailable, not '/home/dashboard', as this keeps users in the SSA management context.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
🔇 Additional comments (5)
admin-ui/app/redux/sagas/SessionSaga.ts (1)
31-37: LGTM!
Using `console.error` for error logging in catch blocks is the correct approach and aligns with debugging best practices. Based on learnings, console.error calls should be kept in catch blocks to print the whole error object with details for debugging unexpected errors.
admin-ui/app/redux/sagas/AuthSaga.ts (4)
18-28: LGTM!
Clean separation of API functions (with `Api` suffix aliases) from action creators, and proper import of the new `redirectToLogout` helper for 401 handling.
87-90: LGTM!
Proper 401 handling pattern: redirect to logout and return early to prevent further processing. This aligns with the session-based authentication flow where 401 indicates session expiry.
152-160: LGTM!
Good use of the `finally` block to ensure `deleteAdminUiSessionResponse` is always dispatched regardless of success or failure. This is appropriate for logout flows where the response must be guaranteed.
175-180: LGTM!
Appropriate use of `takeLatest` for session creation (cancels pending if new request comes in) and `takeEvery` for session deletion (allows each deletion request to complete).
- There are multiple calls to `/admin-ui/oauth2/api-protection-token`, which is not required. A single call should be sufficient. `/admin-ui/oauth2/api-protection-token` should not be called with the UJWT parameter. We will restrict the use of the ujwt parameter from the backend.
- The /policyStore endpoint should not be called with an authorization header carrying the access token.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaApi.ts (2)
165-172: Remove redundant null coalescing operator.
After the explicit `if (!token)` guard on lines 166-168, TypeScript narrows `token` to `string`. The `?? ''` on line 172 is unnecessary and may confuse readers about whether the guard is sufficient.
Suggested fix
mutationFn: (payload: SsaCreatePayload) => { if (!token) { throw new Error('No authentication token available') } if (!authServerHost) { throw new Error('Auth server host not configured') } - return createSsa(payload, token ?? '', authServerHost) + return createSsa(payload, token, authServerHost) },
184-192: Remove redundant null coalescing operator.
Same issue as `useCreateSsa`: after the `if (!token)` guard, the `?? ''` is redundant.
Suggested fix
mutationFn: (jti: string) => { if (!token) { throw new Error('No authentication token available') } if (!authServerHost) { throw new Error('Auth server host not configured') } - return getSsaJwt(jti, token ?? '', authServerHost) + return getSsaJwt(jti, token, authServerHost) },
🤖 Fix all issues with AI agents
In @admin-ui/app/redux/sagas/AuthSaga.ts:
- Line 1: Remove the top-level "@ts-nocheck" and restore TypeScript checking for
this saga; then add appropriate types for the saga exports and generator
functions (e.g., type annotations for AuthSaga generator functions like
loginFlow, logoutFlow, and watchAuthSaga), declare action payload interfaces for
auth actions and use typed redux-saga effects (call, put, takeEvery/takeLatest)
with proper return/result types, and replace any untyped "any" usages with
concrete types so the file compiles under strict TS and preserves runtime
behavior.
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (4)
admin-ui/app/redux/sagas/AuthSaga.ts
admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaApi.ts
admin-ui/plugins/auth-server/plugin-metadata.js
admin-ui/plugins/services/Components/Configuration/hooks/index.ts
🧰 Additional context used
🧠 Learnings (5)
📓 Common learnings
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:43-149
Timestamp: 2025-11-07T12:17:39.857Z
Learning: In the Cedarling configuration UI PR (#2378), the `configApiPolicyStoreUrl` field is intentionally out of scope. It relates to config API configuration and will be covered in a separate PR. The current PR focuses on the Admin UI policy store URL (`auiPolicyStoreUrl`).
📚 Learning: 2025-11-07T12:55:26.241Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:93-104
Timestamp: 2025-11-07T12:55:26.241Z
Learning: In the Cedarling configuration feature (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), the sync role to scopes mappings operation depends on the `auiPolicyStoreUrl`. The backend fetches content from this URL and syncs roles based on the response. Therefore, the audit log for the sync operation should include the `auiPolicyStoreUrl` in its payload to provide proper audit context.
Applied to files:
admin-ui/plugins/services/Components/Configuration/hooks/index.ts
📚 Learning: 2026-01-06T13:45:19.278Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2561
File: admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts:4-101
Timestamp: 2026-01-06T13:45:19.278Z
Learning: In admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts, ensure Yup schema marks fields as nullable when the backend DTOs permit nulls and do not mark them as required. Align frontend validation with backend validation to prevent conflicts when editing existing configurations with null values; apply this pattern consistently to other Admin UI validation files where the backend is the source of truth.
Applied to files:
admin-ui/plugins/services/Components/Configuration/hooks/index.ts
admin-ui/app/redux/sagas/AuthSaga.ts
admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaApi.ts
📚 Learning: 2025-11-05T19:57:35.143Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2415
File: admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx:148-153
Timestamp: 2025-11-05T19:57:35.143Z
Learning: In the SSA Add page (admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx), the Back button should fall back to '/auth-server/config/ssa' when browser history is unavailable, not '/home/dashboard', as this keeps users in the SSA management context.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaApi.ts
📚 Learning: 2025-11-10T14:18:58.310Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:107-109
Timestamp: 2025-11-10T14:18:58.310Z
Learning: In the Cedarling configuration page (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), console.error calls should be kept in catch blocks when there are multiple operations in the try block, as they help print the whole error object with details for debugging unexpected errors.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
🧬 Code graph analysis (3)
admin-ui/plugins/auth-server/plugin-metadata.js (1)
admin-ui/app/redux/sagas/SessionSaga.ts (1)
sessionSaga(44-46)
admin-ui/app/redux/sagas/AuthSaga.ts (3)
admin-ui/app/redux/api/backend-api.ts (1)
createAdminUiSession (103-112)
admin-ui/app/utils/TokenController.ts (1)
isFourZeroOneError (23-25)
admin-ui/app/redux/sagas/SagaUtils.ts (1)
redirectToLogout (23-26)
admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaApi.ts (3)
admin-ui/app/cedarling/types/index.ts (1)
RootState (128-135)
admin-ui/app/redux/sagas/types/audit.ts (1)
RootState (40-43)
admin-ui/plugins/auth-server/components/Ssa/types/ssaTypes.ts (1)
SsaData (14-18)
🔇 Additional comments (17)
admin-ui/plugins/services/Components/Configuration/hooks/index.ts (3)
11-21: LGTM: token removal aligns with session-based auth.
The `useAuditAuth` hook correctly removes the token from both the returned object and the dependency array, consistent with the shift to HttpOnly session cookies. The remaining dependencies (`clientId` and `userinfo`) are appropriate for audit context.
23-94: LGTM: consistent token removal across all LDAP audit callbacks.
The `useLdapAudit` hook correctly removes `token` from destructuring and all three callback dependency arrays (`logLdapCreate`, `logLdapUpdate`, `logLdapDelete`). The `logAuditUserAction` calls are updated accordingly.
96-124: LGTM: cache audit hook follows the same pattern.
The `useCacheAudit` hook is correctly updated to remove `token` from destructuring and the callback dependency array, maintaining consistency with the other audit hooks.
admin-ui/plugins/auth-server/plugin-metadata.js (1)
254-254: LGTM!
The formatting change to the sagas array is purely cosmetic with no functional impact. All necessary sagas, including `sessionSaga()` for handling session management, remain properly registered.
admin-ui/app/redux/sagas/AuthSaga.ts (10)
32-47: LGTM!
The token resolution logic correctly handles both success and AxiosError cases, setting appropriate backend status on failure.
49-75: LGTM!
The session-aware token resolution is well-structured:
- When `hasSession` is true, API calls rely on session cookies (`withCredentials`).
- When no session exists, it falls back to token-based auth.
- 401 errors correctly trigger logout redirect.
77-101: LGTM!
Error handling correctly distinguishes 401 (session expired → logout) from other errors (toast notification). The finally block ensures `putConfigWorkerResponse` is always dispatched.
103-135: Session creation flow aligns with PR objectives.
The worker correctly:
- Fetches API access token with user JWT
- Obtains default scopes token for session creation
- Dispatches `createAdminUiSession` with both `ujwt` and `apiProtectionToken`
The fallback error handling (lines 120-124) appropriately logs and dispatches a failure response when the protection token cannot be obtained.
137-147: LGTM!
Standardized error logging. Location service calls appropriately don't require 401 session handling.
149-164: LGTM!
Session creation worker correctly:
- Calls the API with `ujwt` and `apiProtectionToken` as per PR requirements
- Handles 401 with logout redirect
- Extracts error messages from multiple response formats for user feedback
166-174: LGTM!
Session deletion correctly:
- Always dispatches response in `finally` block for consistent state updates
- Logs errors without blocking logout flow
- Omits 401 handling appropriately since session deletion is part of logout
189-194: LGTM!
Good choice using `takeLatest` for session creation to prevent duplicate concurrent requests during rapid navigation or retries.
196-205: LGTM!
New session watchers properly integrated into the root saga.
30-30: No action needed. The `API_ERROR_RESPONSE` constant correctly aligns with backend-api behavior. Both `fetchServerConfiguration` and `fetchApiAccessToken` explicitly catch errors and return `-1` (not throw exceptions), making the comparisons at lines 62 and 107 valid and necessary.
admin-ui/plugins/auth-server/components/Ssa/hooks/useSsaApi.ts (3)
138-157: LGTM!
The `enabled` guard properly prevents query execution when token is null, and the retry logic appropriately disables retries on authentication/authorization errors (401/403).
16-25: The `jwtToken` field is properly defined in the actual Redux authReducer and this concern is unfounded.
The canonical `AuthState` interface in `admin-ui/app/redux/features/types/authTypes.ts` defines `jwtToken: string | null` (line 25), and the `authSlice.ts` reducer initializes it as `null` in the initial state. The local `AuthState` interface defined in this file is an intentional scoping pattern, used similarly in `useSsaAuditLogger.ts` and other hooks, to declare only the fields needed by this specific hook. This pattern is safe and does not create a runtime risk of accessing undefined properties.
Likely an incorrect or invalid review comment.
62-84: The review comment contains a factual error and should be dismissed.
The core premise, that `jwtToken` is the user-info JWT from the `/jans-auth/restv1/userinfo` endpoint, is incorrect. In the actual codebase, `jwtToken` is the OAuth access token obtained during authentication (AppAuthProvider.tsx, line 155: `jwtToken: oauthAccessToken`), which is separate from `userinfo_jwt`.
The SSA endpoints correctly use the OAuth access token with Bearer authentication, which is standard OAuth/OIDC practice. Using OAuth access tokens to authorize requests to the Auth Server's SSA endpoint (`/jans-auth/restv1/ssa`) is the expected pattern and requires no changes.
Likely an incorrect or invalid review comment.
| @@ -1,6 +1,6 @@ | |||
| // @ts-nocheck | |||
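Review bot: the `// @ts-nocheck` at line 1 of AuthSaga.ts suppresses type errors for the whole file, including the new `createAdminUiSessionWorker` code that reads `error?.response?.status` and the `hasSession` branch in `getOAuth2ConfigWorker`, so none of the session logic added by this PR is type-checked. If the full typing pass is deferred to a follow-up, replace the file-wide directive with line-scoped `// @ts-expect-error` markers on the specific lines that currently fail, so that newly added code is still checked and the remaining suppressions are visible and counted.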
🧹 Nitpick | 🔵 Trivial
Consider enabling TypeScript checking.
The @ts-nocheck directive disables type checking for this file. Given the authentication-critical nature of this saga, type safety could help catch issues early.
🤖 Prompt for AI Agents
In @admin-ui/app/redux/sagas/AuthSaga.ts at line 1, Remove the top-level
"@ts-nocheck" and restore TypeScript checking for this saga; then add
appropriate types for the saga exports and generator functions (e.g., type
annotations for AuthSaga generator functions like loginFlow, logoutFlow, and
watchAuthSaga), declare action payload interfaces for auth actions and use typed
redux-saga effects (call, put, takeEvery/takeLatest) with proper return/result
types, and replace any untyped "any" usages with concrete types so the file
compiles under strict TS and preserves runtime behavior.
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In @admin-ui/app/redux/sagas/AuthSaga.ts:
- Around line 48-74: In getOAuth2ConfigWorker: if hasSession is false and
getApiTokenWithDefaultScopes() returns null, avoid calling
fetchServerConfiguration with a null token; instead handle the missing-token
case by returning early — e.g., log or dispatch getOAuth2ConfigResponse() (no
config) and return (or call redirectToLogout() if appropriate); locate this
logic around getApiTokenWithDefaultScopes(), fetchServerConfiguration, and
getOAuth2ConfigResponse to add the early return when token === null.
- Around line 102-124: getAPIAccessTokenWorker currently assumes jwt.payload
exists when dispatching createAdminUiSession; add a defensive check for
jwt.payload (e.g. const ujwt = jwt?.payload or if (!jwt || !jwt.payload) ...)
before using it and handle the missing payload path by logging and yielding
createAdminUiSessionResponse({ success: false, error: 'Missing JWT payload' })
or similar; update the branch that calls createAdminUiSession so it uses the
validated ujwt and does not access jwt.payload directly.
In @admin-ui/app/utils/AppAuthProvider.tsx:
- Around line 60-74: The useEffect that calls fetchPolicyStore currently only
logs errors and can update state after unmount; update the effect in
AppAuthProvider so that on fetch failure you dispatch an error state or trigger
a user notification (e.g., dispatch a 'cedarPermissions/setPolicyStoreError' or
call your notification API) instead of just console.error, and add cleanup to
avoid setting state after unmount by using a mounted flag or AbortController and
checking it before calling dispatch when handling the Promise returned by
fetchPolicyStore in the useEffect (referencing useEffect, fetchPolicyStore, and
the 'cedarPermissions/setPolicyStoreJson' action).
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (3)
admin-ui/app/redux/sagas/AuthSaga.ts
admin-ui/app/redux/sagas/LicenseSaga.ts
admin-ui/app/utils/AppAuthProvider.tsx
🧰 Additional context used
🧠 Learnings (5)
📓 Common learnings
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:43-149
Timestamp: 2025-11-07T12:17:39.857Z
Learning: In the Cedarling configuration UI PR (#2378), the `configApiPolicyStoreUrl` field is intentionally out of scope. It relates to config API configuration and will be covered in a separate PR. The current PR focuses on the Admin UI policy store URL (`auiPolicyStoreUrl`).
📚 Learning: 2026-01-06T13:45:19.278Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2561
File: admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts:4-101
Timestamp: 2026-01-06T13:45:19.278Z
Learning: In admin-ui/plugins/auth-server/components/Configuration/ConfigApiConfiguration/validations.ts, ensure Yup schema marks fields as nullable when the backend DTOs permit nulls and do not mark them as required. Align frontend validation with backend validation to prevent conflicts when editing existing configurations with null values; apply this pattern consistently to other Admin UI validation files where the backend is the source of truth.
Applied to files:
admin-ui/app/redux/sagas/LicenseSaga.ts
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2025-11-05T19:57:35.143Z
Learnt from: faisalsiddique4400
Repo: GluuFederation/flex PR: 2415
File: admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx:148-153
Timestamp: 2025-11-05T19:57:35.143Z
Learning: In the SSA Add page (admin-ui/plugins/auth-server/components/Ssa/SsaAddPage.tsx), the Back button should fall back to '/auth-server/config/ssa' when browser history is unavailable, not '/home/dashboard', as this keeps users in the SSA management context.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2025-11-10T14:18:58.310Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:107-109
Timestamp: 2025-11-10T14:18:58.310Z
Learning: In the Cedarling configuration page (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), console.error calls should be kept in catch blocks when there are multiple operations in the try block, as they help print the whole error object with details for debugging unexpected errors.
Applied to files:
admin-ui/app/redux/sagas/AuthSaga.ts
📚 Learning: 2025-11-07T12:55:26.241Z
Learnt from: kdhttps
Repo: GluuFederation/flex PR: 2378
File: admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx:93-104
Timestamp: 2025-11-07T12:55:26.241Z
Learning: In the Cedarling configuration feature (admin-ui/plugins/admin/components/Cedarling/CedarlingConfigPage.tsx), the sync role to scopes mappings operation depends on the `auiPolicyStoreUrl`. The backend fetches content from this URL and syncs roles based on the response. Therefore, the audit log for the sync operation should include the `auiPolicyStoreUrl` in its payload to provide proper audit context.
Applied to files:
admin-ui/app/utils/AppAuthProvider.tsx
🧬 Code graph analysis (2)
admin-ui/app/redux/sagas/AuthSaga.ts (3)
- admin-ui/app/redux/api/backend-api.ts (4): fetchServerConfiguration (4-15), putServerConfiguration (17-26), fetchApiTokenWithDefaultScopes (85-93), createAdminUiSession (103-112)
- admin-ui/app/utils/TokenController.ts (1): isFourZeroOneError (23-25)
- admin-ui/app/redux/sagas/SagaUtils.ts (1): redirectToLogout (23-26)
admin-ui/app/utils/AppAuthProvider.tsx (1)
- admin-ui/app/redux/api/backend-api.ts (1): fetchPolicyStore (95-100)
🔇 Additional comments (13)
admin-ui/app/utils/AppAuthProvider.tsx (4)
- 26-26: LGTM! Import change correctly removes `fetchApiAccessToken` in alignment with the shift to session-based authentication.
- 34-36: LGTM! The `hasSession` flag is correctly extracted and used to govern the session-based flow.
- 148-148: LGTM! The rename from `JwtToken` to `oauthAccessToken` improves clarity by distinguishing this as the OAuth access token rather than a generic JWT. Also applies to: 157-157, 171-171
- 187-190: LGTM! The session re-creation logic correctly guards against redundant session creation by checking `hasSession`. This aligns with the PR objective to only create sessions when needed.
admin-ui/app/redux/sagas/AuthSaga.ts (8)
- 1-29: Imports and constants look good. The aliasing of API functions (`createAdminUiSessionApi`, `deleteAdminUiSessionApi`) to avoid naming conflicts with Redux actions is a clean approach.
- 31-46: Helper function logic is correct. The function properly extracts the access token on success and sets backend status on error. Callers appropriately handle the null return case.
- 76-100: LGTM! The error handling with 401 redirect and finally block for cleanup is properly implemented.
- 144-154: LGTM! The location worker handles errors gracefully for this non-critical feature.
- 156-171: LGTM! The session creation worker properly handles success/failure cases with comprehensive error message extraction. The 401 redirect to logout aligns with the PR objectives.
- 173-181: LGTM! The session deletion worker correctly uses a finally block to ensure cleanup regardless of API success. Silently logging errors during logout is appropriate since the user is being logged out anyway.
- 196-201: Good use of `takeLatest` for session creation. Using `takeLatest` for `createAdminUiSessionWatcher` prevents race conditions if multiple session creation requests are dispatched rapidly - only the most recent one will be processed.
- 203-212: LGTM! The new session watchers are correctly integrated into the root saga.
admin-ui/app/redux/sagas/LicenseSaga.ts (1)
- 44-49: LGTM! Consistent refactoring to use centralized token helper. The change aligns `newFunction` with the existing pattern in `getApiTokenWithDefaultScopes` by reusing the `getAccessToken()` helper for token caching. Both `access_token` and `issuer` are present in the token response returned by `fetchApiTokenWithDefaultScopes`, making the destructuring valid.
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In @admin-ui/app/redux/sagas/AuthSaga.ts:
- Around line 70-75: fetchServerConfiguration currently swallows errors and
returns -1, so the catch in AuthSaga (the try/catch around
fetchServerConfiguration) never sees 401s and the isFourZeroOneError check is
unreachable; fix by changing fetchServerConfiguration to re-throw the original
error (instead of returning -1) so the catch in AuthSaga can detect 401 via
isFourZeroOneError and call redirectToLogout, or alternatively add a check
immediately after the fetchServerConfiguration call in the saga to detect the -1
sentinel and invoke redirectToLogout/appropriate handling there. Include
references to fetchServerConfiguration, isFourZeroOneError, and redirectToLogout
when updating the code.
- Around line 96-99: The 401 detection is failing because isFourZeroOneError
only checks error.status and many Axios errors put status on
error.response.status; update isFourZeroOneError to also check
error.response?.status === 401 (in addition to error?.status) and search for API
helpers like putServerConfiguration that wrap Axios errors (they currently
rethrow new Error(...)) and change them to rethrow the original error or
preserve the response property (e.g., throw the caught error or attach the
original error to the new one) so the Axios response structure is retained for
isFourZeroOneError to work.
📒 Files selected for processing (2)
- admin-ui/app/redux/sagas/AuthSaga.ts
- admin-ui/app/utils/AppAuthProvider.tsx
🧰 Additional context used
🧬 Code graph analysis (2)
admin-ui/app/utils/AppAuthProvider.tsx (1)
- admin-ui/app/redux/api/backend-api.ts (1): fetchPolicyStore (95-100)
admin-ui/app/redux/sagas/AuthSaga.ts (3)
- admin-ui/app/redux/api/backend-api.ts (4): fetchServerConfiguration (4-15), putServerConfiguration (17-26), fetchApiTokenWithDefaultScopes (85-93), createAdminUiSession (103-112)
- admin-ui/app/utils/TokenController.ts (1): isFourZeroOneError (23-25)
- admin-ui/app/redux/sagas/SagaUtils.ts (1): redirectToLogout (23-26)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: sonar scan (admin-ui)
🔇 Additional comments (6)
admin-ui/app/utils/AppAuthProvider.tsx (2)
- 62-86: useEffect cleanup and logic looks correct. The `isMounted` flag properly prevents state updates after unmount, and the dependency array correctly includes `hasSession` and `dispatch`. The `fetchPolicyStore()` call without a token will use `withCredentials: true` per the API implementation, which aligns with the session-based authentication flow. One observation: the `error` state set via `setError(err)` at line 78 doesn't appear to be rendered in the component's JSX. This is a pre-existing pattern in the file, but you may want to consider displaying fetch errors to users in a future enhancement.
- 197-200: Session recreation logic is sound. Guarding the session recreation with `!hasSession` correctly prevents redundant API calls when a session already exists. This aligns with the PR objective to manage session lifecycle explicitly.
admin-ui/app/redux/sagas/AuthSaga.ts (4)
- 160-175: Session creation worker implementation is well-structured. The error message extraction at lines 166-167 comprehensively handles different response formats. Since `createAdminUiSessionApi` re-throws the original error (unlike other API functions), the error structure is preserved here. Note: The `isFourZeroOneError` check at line 169 still has the same Axios error structure concern mentioned earlier, but it will work correctly if the utility is fixed.
- 177-185: Delete session worker handles errors gracefully. Using `finally` to dispatch the response ensures the logout flow completes regardless of API success. Silently logging delete errors is appropriate here since this runs during logout—the session is being abandoned anyway.
- 200-205: Good choice using `takeLatest` for session creation. Using `takeLatest` for `createAdminUiSessionWatcher` correctly prevents duplicate concurrent session creation requests—only the latest will be processed. `takeEvery` for delete is acceptable since logout is typically a single event.
- 207-215: Root saga correctly integrates new session watchers. The new `createAdminUiSessionWatcher` and `deleteAdminUiSessionWatcher` are properly forked alongside existing watchers.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
admin-ui/app/redux/api/backend-api.ts (1)
- 52-69: Request body contains misplaced headers object. The `headers` object with `Content-Type` is being sent as part of the request body rather than as actual HTTP headers. This appears to be a pre-existing issue, but worth addressing.
Suggested fix
export const postUserAction = (userAction: any) => { delete userAction?.headers return axios .post( '/admin-ui/logging/audit', - { - headers: { - 'Content-Type': 'application/json', - }, - userAction, - }, - { withCredentials: true }, + userAction, + { + withCredentials: true, + headers: { 'Content-Type': 'application/json' }, + }, ) .then((response) => response) .catch((e) => { return -1 }) }
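Review bot: the replacement correctly moves `headers` out of the JSON body and into the axios request config, but the `.catch((e) => { return -1 })` that remains at the end of this hunk still collapses every failed audit-log POST into a `-1` return value, so callers cannot tell a rejected request from a response; rethrowing here would match the change the other helpers in this PR received. A second point in the same hunk: `delete userAction?.headers` mutates the caller's object before the request is built; destructuring into a fresh body (`const { headers, ...body } = userAction`) avoids that side effect.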
🤖 Fix all issues with AI agents
In @admin-ui/app/redux/api/backend-api.ts:
- Around line 95-100: fetchPolicyStore currently returns axios.get without any
.catch() handling, risking unhandled promise rejections; update fetchPolicyStore
to mirror other API helpers by appending a .catch() that logs or rethrows a
normalized error (using the same error handling approach used elsewhere in this
file), ensuring the Authorization/header logic for the token parameter remains
unchanged and keeping the returned promise signature consistent with other
functions in the module.
In @admin-ui/app/redux/sagas/AuthSaga.ts:
- Around line 1-3: Remove the top-line "@ts-nocheck" from the AuthSaga file and
enable TypeScript checking, then fix any resultant type errors by adding proper
types for saga effects and exported generators (e.g., annotate generator
functions like those using all, call, fork, put, select, takeEvery, takeLatest)
and type selectors/actions used in this file; ensure functions and variables in
AuthSaga.ts have explicit types (e.g., SagaIterator or Generator for sagas,
typed action interfaces for handlers) and update any select/use of session
management state to match the correct state interface so the file compiles under
TypeScript.
In @admin-ui/app/utils/TokenController.ts:
- Around line 23-25: The function isFourZeroOneError currently uses error?: any
which loses TypeScript safety; change the parameter type to a union like
AxiosError (imported from 'axios') | { status?: number } | unknown and narrow it
before accessing properties (e.g., check if (error && typeof (error as
any).response === 'object') or use an AxiosError type guard) so you safely read
response.status or status; update the signature of isFourZeroOneError to use
that union type and add the minimal type checks inside the function before
comparing to 401.
📒 Files selected for processing (4)
- admin-ui/app/redux/api/backend-api.ts
- admin-ui/app/redux/sagas/AuthSaga.ts
- admin-ui/app/redux/sagas/LicenseSaga.ts
- admin-ui/app/utils/TokenController.ts
🧰 Additional context used
🧬 Code graph analysis (1)
admin-ui/app/redux/sagas/LicenseSaga.ts (1)
admin-ui/app/redux/api/backend-api.ts (1)
fetchApiTokenWithDefaultScopes(85-93)
🔇 Additional comments (13)
admin-ui/app/redux/api/backend-api.ts (4)
- 4-15: LGTM! Clean conditional auth handling. The dual-mode configuration (token-based for pre-session, cookie-based for post-session) correctly implements the new session flow. Error handling improvement from returning `-1` to re-throwing is appropriate for proper error propagation.
- 17-26: LGTM! Simplified to session-only auth. The removal of token extraction and use of `withCredentials: true` aligns with the new session-based architecture.
- 102-112: LGTM! Session creation follows the specified flow. The implementation correctly matches the PR objectives: POST to `/app/admin-ui/oauth2/session` with `Authorization: Bearer <api-protection-token>` header and `ujwt` in the request body. Using `withCredentials: true` ensures the session cookie is received and stored.
- 114-123: LGTM! Session deletion correctly implemented. The DELETE request with `withCredentials: true` properly sends the session cookie for revocation, matching the logout flow specified in the PR objectives.
admin-ui/app/redux/sagas/AuthSaga.ts (7)
- 29-46: LGTM! Clean helper for initial token retrieval. The function properly handles the initial token acquisition with appropriate error handling and backend status updates.
- 48-78: LGTM! Dual-mode configuration retrieval. The logic correctly handles both pre-session (token-based) and post-session (cookie-based) authentication flows with proper 401 handling.
- 80-104: LGTM! Configuration update with proper error handling. The worker correctly handles configuration updates with appropriate toast notifications and 401 redirect handling.
- 106-143: LGTM! Core session creation flow implemented. The worker correctly implements the new authentication flow: obtain the API protection token, dispatch the scopes/issuer to state, then trigger Admin UI session creation with the user-info JWT (`ujwt`) and the API protection token. Error handling includes 401 redirect and proper state updates.
- 157-172: LGTM! Session creation worker with comprehensive error handling. The worker correctly handles session creation with proper error message extraction (checking multiple possible error response structures) and appropriate 401 redirect handling.
- 174-182: LGTM! Graceful logout handling. The `finally` block ensures `deleteAdminUiSessionResponse` is always dispatched, allowing the UI to proceed with logout cleanup even if the API call fails. This is the correct behavior for logout flows.
- 197-212: LGTM! Appropriate saga effect choices. Using `takeLatest` for session creation correctly prevents duplicate session creation if the action is dispatched multiple times in quick succession. `takeEvery` for deletion ensures logout requests are always processed.
admin-ui/app/redux/sagas/LicenseSaga.ts (2)
- 29-40: LGTM! Good error handling improvement. Wrapping the token fetch in a try-catch with explicit error logging improves debuggability while maintaining the existing contract by re-throwing.
- 49-54: No changes needed. The code is correct as written. The backend endpoint `/app/admin-ui/oauth2/api-protection-token` returns both `access_token` and `issuer` in the response (as confirmed by usage in `AuthSaga.ts`). The destructuring of both properties from `tokenResponse` is valid, and `getClient()` will receive the issuer value without risk of `undefined`. Likely an incorrect or invalid review comment.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
admin-ui/app/redux/api/backend-api.ts (1)
- 52-69: Inconsistent error handling pattern. This function returns `-1` on error (line 67), while other modified functions (`fetchServerConfiguration`, `putServerConfiguration`, `fetchPolicyStore`, etc.) now throw errors. This inconsistency makes error handling unpredictable for callers. Consider aligning with the throw pattern used in other functions, or document the rationale for the different behavior.
♻️ Suggested fix to align error handling
{ withCredentials: true }, ) .then((response) => response) - .catch((e) => { - return -1 + .catch((error) => { + console.error('Problems posting user action.', error) + throw error }) }
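Review bot: replacing `return -1` with `throw error` in this hunk changes the helper's contract, so every call site that today compares the result against `-1` (or ignores the return value) will now receive a rejected promise; those callers need a try/catch or a `.catch` so that a failed audit-log write cannot abort the user action it was recording. Logging the full error before rethrowing, as the hunk does, is fine as long as the logged error object does not embed the request body.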
📒 Files selected for processing (2)
- admin-ui/app/redux/api/backend-api.ts
- admin-ui/app/utils/TokenController.ts
🧰 Additional context used
🔇 Additional comments (8)
admin-ui/app/utils/TokenController.ts (2)
- 23-33: LGTM! Type definitions cleanly model common HTTP error shapes. The union type `HttpError` correctly handles both Axios-style errors (with nested `response.status`) and direct status errors, as well as null/undefined cases. This provides good flexibility for different call sites.
- 35-40: LGTM! 401 detection logic correctly handles multiple error shapes. The implementation properly:
  - Guards against null/undefined errors
  - Checks both Axios-style `response.status` and direct `status` properties
  - Returns true if either indicates a 401
  This aligns well with the PR's transition to session-based auth where different parts of the codebase may produce varied error structures.
admin-ui/app/redux/api/backend-api.ts (6)
- 4-15: LGTM! Type improvement and conditional auth logic. The signature change from `token: any` to `token?: string` improves type safety. The conditional config correctly supports both token-based and session-based (cookie) authentication modes, aligning with the PR objectives.
- 17-26: LGTM! Aligned with session-based auth. The switch to `withCredentials: true` correctly enables cookie-based session authentication for configuration updates.
- 85-93: LGTM! Improved error handling. Throwing the error instead of returning it aligns with the error handling pattern in other modified functions and enables proper error propagation to callers.
- 95-106: LGTM! Consistent with the authentication pattern. The optional token parameter and conditional config mirror the pattern in `fetchServerConfiguration`, providing consistent support for both token-based and session-based authentication.
- 108-118: LGTM! Correctly implements session creation per PR objectives. The function properly sends the API protection token in the Authorization header while enabling `withCredentials` to receive the session cookie from the backend. This aligns with the PR objective: "Authorization: Bearer <the_api-protection-token_used_before_login_to_access_license_apis>".
- 120-129: LGTM! Implements session deletion (logout) per PR objectives. The DELETE request with `withCredentials: true` correctly sends the session cookie to revoke the Admin UI session, matching the PR objective for logout functionality.



#2566
Closes #2566