louis/OSS-BSS-Field-Dispatch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: handle Authentik session expiry in SPA

Browse Source 
- authFetch uses redirect:'manual' to detect 302 from Authentik
- If session expired (302/401/opaqueredirect), reload page to trigger
  Traefik forwardAuth → Authentik re-login flow
- Logout redirects to Authentik invalidation flow
- App.vue calls checkSession on mount to populate user identity

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
louispaulb 2026-03-27 13:34:39 -04:00
parent f1faffeab9
commit 7ef22873f0
2 changed files with 29 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/App.vue
View File

@ -3,7 +3,9 @@
</template> </template>
<script setup> <script setup>
// Auth is handled by Authentik forwardAuth at the Traefik level. import { onMounted } from 'vue'
// If the user reaches this page, they are already authenticated. import { useAuthStore } from 'src/stores/auth'
// The X-authentik-email header identifies the user.
const auth = useAuthStore()
onMounted(() => auth.checkSession())
</script> </script>

36
src/api/auth.js
View File

@ -1,6 +1,7 @@
// ── ERPNext API auth — service token ──────────────────────────────────────── // ── ERPNext API auth — service token + Authentik session guard ──────────────
// All ERPNext API calls use a service token. User identity comes from Authentik // ERPNext API calls use a service token. User auth is via Authentik forwardAuth
// headers at the Traefik level (X-authentik-email, X-authentik-name). // at the Traefik level. If the Authentik session expires mid-use, API calls
// get redirected (302) — we detect this and reload to trigger re-auth.
// ───────────────────────────────────────────────────────────────────────────── // ─────────────────────────────────────────────────────────────────────────────
import { BASE_URL } from 'src/config/erpnext' import { BASE_URL } from 'src/config/erpnext'
@ -8,23 +9,34 @@ const SERVICE_TOKEN = 'b273a666c86d2d0:613842e506d13b8'
export function authFetch (url, opts = {}) { export function authFetch (url, opts = {}) {
opts.headers = { ...opts.headers, Authorization: 'token ' + SERVICE_TOKEN } opts.headers = { ...opts.headers, Authorization: 'token ' + SERVICE_TOKEN }
return fetch(url, opts) opts.redirect = 'manual' // Don't follow redirects — detect Authentik 302
return fetch(url, opts).then(res => {
// If Traefik/Authentik redirects (session expired), reload page to re-auth
if (res.type === 'opaqueredirect' || res.status === 302 || res.status === 401) {
window.location.reload()
return new Response('{}', { status: 401 })
}
return res
})
} }
export function getCSRF () { return null } export function getCSRF () { return null }
export function invalidateCSRF () {} export function invalidateCSRF () {}
export async function login () { /* handled by Authentik */ } export async function login () { window.location.reload() }
export async function logout () { export async function logout () {
window.location.href = 'https://auth.targo.ca/application/o/gigafibre-dispatch/end-session/' window.location.href = 'https://auth.targo.ca/if/flow/default-invalidation-flow/'
} }
export async function getLoggedUser () { export async function getLoggedUser () {
try { try {
const res = await authFetch(BASE_URL + '/api/method/frappe.auth.get_logged_user') const res = await fetch(BASE_URL + '/api/method/frappe.auth.get_logged_user', {
const data = await res.json() headers: { Authorization: 'token ' + SERVICE_TOKEN },
return data.message || 'authenticated' })
} catch { if (res.ok) {
return 'authenticated' // Authentik guarantees auth even if ERPNext is down const data = await res.json()
} return data.message || 'authenticated'
}
} catch {}
return 'authenticated'
} }