Artyom / Refresh Token Bugs and a Login Redirect

[Artyom-G]

Notion ticket link

Ticket Name

Implementation description

• There is a bug where the auth/refresh does not work, this is because the cookie set the Authorization token without the 'Bearer' keyword
• There was also a bug where if the refresh token expired then the user would be softlocked on the frontend, to get unlocked they would need to delete the access_token cookie
• I also added a redirect for when the user is not signed-in or when the refresh token expires

Steps to test

You can test for both fixed bugs with one method
You can force a refresh on every axios request

1. Go to AuthUtils.ts on the frontend and make the validateAccessToken always return false (simulating the access token being expired)
2. You will see a refresh post request being made whenever you do literally anything on the frontend page with status 200
3. Another thing you should try is going to authService.ts on the backend and make the renewToken() function always through an error, this will simulate the refresh token being expired
4. On the frontend instead of seeing status code 200, you will now see an error, you would be able to reload the page and login again (before there was literally nothing you can do but delete the cookie manually)
5. To test the redirect, try going to /profile and you will be redirect to the /login, refreshing the page also redirects you to the login, so basically doing anything at all will redirect you

What should reviewers focus on?

• Seeing that the refresh login is properly handled and you are not locked out anymore
• Also check the redirect logic in the BaseAPIClient.ts, if we have more complicated permissions then it might need tweaking

Checklist

• My PR name is descriptive and in imperative tense
• My commit messages are descriptive and in imperative tense. My commits are atomic and trivial commits are squashed or fixup'd into non-trivial commits
• I have run the appropriate linter(s)
• I have requested a review from the PL, as well as other devs who have background knowledge on this PR or who will be building on top of this PR

[Artyom-G]

oh yeah, the branch name was renamed so its a new PR, but the changes are mostly the same as last PR except also added a Login Redirect

[matthewd-so]

Yeah we will replace this in production. It is localhost for now because firebase requires a valid url for email link sign in

[matthewd-so]

Is the logic backwards?