Centralize Authentication

[Ben-El]

Closes #9544

Summary

This PR refactors the WebUI authentication and navigation flow to improve reliability and consistency across login, logout, and protected routes.

Motivation

Previously, authentication state and redirects were handled in multiple components, which caused inconsistencies:

• Logout didn't always clear UI state immediately.
• After logging out, clicking Back in the browser displayed the previous authenticated page.
• Users could access /auth/credentials after session expiry or cookie deletion until a refresh occurred.
• The top navigation bar sometimes persisted or disappeared unexpectedly between auth transitions.

Etc.

Changes

• Centralized authentication state via AuthContext and unified markAuthenticated / markUnauthenticated API.
• Added RequireAuth to handle redirects for unauthenticated users consistently.
• Updated useUser to rely on AuthContext status and cache only when authenticated.
• Adjusted ConfigProvider to re-fetch configuration when user state changes.
• Improved logout behavior in navbar.jsx to cleanly reset user state and redirect properly.
• Removed redundant or stale local storage reads/writes.
• Ensured /auth/login no longer shows when the user is already authenticated.
• Guaranteed login page loads without the main navbar when logged out.

Testings

Tested manually across the following flows:

https://docs.google.com/spreadsheets/d/1-1UFTf0sbI16325zvV8FYfnoc7y8i62Mb_GbVHhXdv8/edit?gid=0#gid=0

---

[itaigilo]

Will review this soon, but before starting -
@Ben-El can you please describe how this was tested?

This change touches a lot of sensitive flows, in different system setups.
We should be very careful with QA and testing this change, so I'd be happy for more details about it.

Also, @Annaseli may have some more context as the one recently updated these files.

[itaigilo]

Thanks for this massive change -
It's a very good step forward!

And I like the RequiresAuth idea, it makes a lot of sense.

Blocking mainly since the login flow is still scattered, and I think it can be further encapsulated.

And in addition:
These are maybe the most delicate flows in the WebUI, require proper testing, and are not properly covered by unit or integration tests.
Hence, IMHO the hardest part in this change is validating and QA-ing the different flows.
So please make sure that you have validated all the different flows yourself, including Cloud, Enterprise, SCIM and RBAC. According to the PR description, these are still missing.

[itaigilo]

In other contexts (for example configProvider.tsx) all the types are on the same file.
I think we should keep a unified pattern.

[itaigilo]

Nit: what's "shape"?
Let's align to AuthContextType like the other contexts we have.

[itaigilo]

In api/index.js, the "user" is persisted into cache (see auth.login()).
Why do we need to save and maintain this information twice, instead of encapsulating it into a single place?

[itaigilo]

An empty catch clause is a bad practice.
At least log an error there.

[itaigilo]

Why do you need two functions here, and not unify to a single setStatus() function?

[itaigilo]

Or even better - maybe use useEffect() to update the localStorage as a side effect (as done in configProvider, for example)?

[Ben-El]

Since the recent changes, useEffect is no longer necessary 👍

[itaigilo]

Please explain this change.

[Ben-El]

For SSO: external IdP logout must be a full navigation and replace history

[itaigilo]

Nit but important - should be RequiresAuth, since it's a trait of a component.

[itaigilo]

I would expect a redirection to "/", and have the "/" to redirect to login if needed.
In other words, have the "/auth/login" redirection in a single place.

[Annaseli]

@Ben-El @itaigilo
Hi I will review it as well a bit later today

[itaigilo]

Great progress here @Ben-El .
I think that the architecture is now in place,
And the AuthProvider and RequiresAuth are a good solution,
And the code looks good.

Added some comments, most of them mainly revolve around cleaning up the code and readability.

In addition, please address the questions raised about testing this:
We've already had some changes in the auth area that ended up in either new production bugs or in regression. Since the changes in this PR are major, we should do the most for finding these bugs before releasing. Since these area isn't properly covered by tests, the whole testing / QA of this feature must be addressed.

[itaigilo]

Suggested change

	if (path === "/auth/login") return true;
	return path.startsWith("/auth/oidc");
	if (path === "/auth/login") return true;
	if (path.startsWith("/auth/oidc")) return true;
	return false;

[itaigilo]

Suggested change

	if (path === "/auth/login") return true;
	return path.startsWith("/auth/oidc");
	return path === "/auth/login" || path.startsWith("/auth/oidc");

[itaigilo]

Maybe replace UKNOWN with PENDING?
Is there a scenario in which there's no auth request initiated?

[Ben-El]

The UNKNOWN (or PENDING) state just represents this short initial phase before that request completes, not a scenario where the request doesn't happen.

So PENDING might indeed be a clearer name, since it better conveys "auth check in progress" rather than "no request".

[itaigilo]

Can this happen?
Isn't AuthContext initialized no matter what?

[Ben-El]

It can happen if a component using useAuth() is rendered outside the <AuthProvider>, for example in a storybook, or future refactors where a subtree is mounted separately.

The guard makes the failure explicit and easy to debug, instead of causing null errors later.
So it's a safety net, it should never trigger in production, but it's still valuable during development.

[itaigilo]

Can you please explain this hashing?
What it does and why it's needed?

[Ben-El]

The hash was Anna's suggestion, the "hash" here refers to the fragment part of the URL (the part after #, not cryptographic hashing).

We include both location.search and location.hash in the next value so that when the user gets redirected back after login, they return to the exact same URL, including query params and hash anchors.

Without this, the redirect would lose any #fragment and land the user at the base page instead.

Maybe hashing is not critical for now, but in the future we may have anchors or something, so it'll cover that too.

[itaigilo]

Both "/auth/login" and "/auth/oidc" should be consts.

[itaigilo]

Is this logic also required here (and not only in authContext)? Isn't this covered by flows catched by the context?

[Ben-El]

Good question!
The check in RequiresAuth is intentional.
While authContext handles unauthorized events globally (e.g. when a token expires or the server returns 401), RequiresAuth acts as a route guard that ensures protected pages aren’t rendered even briefly when there's no active user yet.

So the logic overlaps a bit but serves a different timing:
authContext reacts after unauthorized events, while RequiresAuth prevents access before rendering a protected route.

[itaigilo]

🔥

[itaigilo]

I agree with @Annaseli here.
This hook is already minimal -
It can be unified with the authContext for simplicity and easier tracking.

[itaigilo]

Please make this code more readable, either by extracting to sub-functions, renaming vars or adding comments.
Currently it's pretty hard to understand what it does.

[itaigilo]

I suspect there might be a race condition here, between setAuthStatus and router.navigate.
How about making sure that the router.navigate will happen after the setAuthStatus?

[itaigilo]

@Ben-El great progress, it's almost there.

Still some questions,
And some small improvements required.

[itaigilo]

Make lakefs_post_login_next a const common to all relevant files.

[itaigilo]

Nit: rename stored to postLoginNext or something like this.

[itaigilo]

I read this function a few time, and still can't figure out what it's doing,
And what "build next from window" means.

[Ben-El]

It builds the redirect target URL from window.location.
I will change to a clearer name, getCurrentRelativeUrl or something.
Thx.

[itaigilo]

Nit: this can be inside the if.

[itaigilo]

Why this is inside useEffect?
Did you test the behavior of the Dark Mode after this change?

[Ben-El]

Good question!
I moved this logic into useEffect because setting a DOM attribute is a side-effect,
and React best practices recommend running side-effects inside useEffect rather than during render.
This ensures that the attribute is updated only when darkMode changes, and prevents double execution under strict mode.
I tested it and confirmed that dark mode toggling and initial theme load still behave as expected.

[itaigilo]

This is both hard to read and tricky to maintain.
Please use URLSearchParams() or something similar to create this in a more robust way.

[itaigilo]

This is both hard to read and tricky to maintain.
Please use URLSearchParams() or something similar to create this in a more robust way.

[itaigilo]

@Ben-El this comment still awaits your addressing.

[itaigilo]

🤔

[itaigilo]

This is both hard to read and tricky to maintain.
Please use URLSearchParams() or something similar to create this in a more robust way.

[itaigilo]

TBH, this whole login algorithm/flow is still not clear.
Note that there's been a decent amount of comments in the original code, for a reason.
Making this flow clearer will make it much easier to review.

[itaigilo]

LGTM, nice work!

I hope the testing part will work out fine 🤞

[itaigilo]

Nit: what's the style, {aaa} or { aaa }?

[Ben-El]

{ aaa }

[itaigilo]

This comment belongs to the next line...

[Annaseli]

Can you add a comment that explains this code?

[Ben-El]

The idea is that refreshUser can optionally receive an object of options, currently only { useCache?: boolean }.
refreshUser is an async method to reload the current user state from the API.
It accepts an optional options object (currently { useCache?: boolean }),
allowing callers to control whether to use cached data or force a fresh fetch.

[Annaseli]

Why onUnauthorized and not onUnauthenticated?

[Annaseli]

I’m not familiar with /auth/oidc, but I am familiar with /oidc/login and /oidc/logout. Could you point out where you saw /auth/oidc being used?

[Ben-El]

Will change it

[Annaseli]

Why redirect to ROUTES.LOGIN instead of to the root, which already redirects to the login page?
Also, shouldn’t the /logout endpoints handle this redirection already?

[Ben-El]

We redirect explicitly to ROUTES.LOGIN instead of / for a few reasons:

onUnauthorized is triggered by 401s from XHR/fetch calls anywhere in the app.
Redirects returned by the /logout endpoint don't affect SPA navigation (the browser will not change window.location), so the client must navigate explicitly.

Going directly to /auth/login avoids an extra hop (root → login) and reduces flicker.

It also guarantees we keep the intended next target and doesn't rely on whatever logic the root route currently implements.

We keep the isPublicAuthRoute guard to avoid redirect loops if we are already on the login/oidc/sso paths.

TL;DR: direct, deterministic navigation to the login page is safer and smoother here.

[Annaseli]

Why aren’t you wrapping await auth.getCurrentUserWithCache() with useAPI?
Also, related to this, if you’re recalculating this while the user is in a loading state, shouldn’t you handle it by setting setStatus(AUTH_STATUS.PENDING)?

[Ben-El]

I decided not to use useAPI here because the AuthContext runs outside the component lifecycle - we call refreshUser on app startup, after login/logout, and on pageshow events.
Using useAPI here would introduce redundant redirects and implicit 401 handling that conflict with onUnauthorized.
Regarding PENDING, I will add a selective state update: it will set only when performing a cold refresh (useCache: false) and the user isn't already authenticated.
This will avoid flicker during background updates while still providing a proper loading state.

[Annaseli]

Why is it in useEffect?
Also, it looks similar to the DoNavigate func

[Annaseli]

in the previous code, the check for error was above the check for setup

[Annaseli]

Why was this step added here? we didn't have a step like that before, didn't we?

[Ben-El]

We had.

[Annaseli]

Note that in the previous code we had:

<Route index element={<Navigate to="credentials" />} />

right after:

<Route path="auth" element={<Layout />} >

and before:

<Route path="login" element={<LoginPage />} />
<Route path="users/create" element={...} />

[Ben-El]

But we want the credentials page to be guarded, no?
We want it to be accessible only when the user is authenticated.
In the current implementation the <Route index element={} is under
<Route element={}>.
If it should not be, please do tell.

[itaigilo]

Suggested change

	import React, {createContext, useContext, useMemo, useState, ReactNode, useCallback, useEffect} from "react";
	import { useNavigate } from "react-router-dom";
	import { auth } from "../api";
	import {getCurrentRelativeUrl, isPublicAuthRoute, ROUTES} from "../utils";
	import React, { createContext, useContext, useMemo, useState, ReactNode, useCallback, useEffect } from "react";
	import { useNavigate } from "react-router-dom";
	import { auth } from "../api";
	import { getCurrentRelativeUrl, isPublicAuthRoute, ROUTES } from "../utils";

[Annaseli]

shouldn't ${ROUTES.LOGIN}?redirected=true include the whole origin url path (before /auth/login)?

[Ben-El]

In this case we intentionally don't include the full origin.
history.replaceState treats relative URLs as scoped to the current origin, so
replaceState(null, "", "/auth/login?redirected=true") automatically becomes
http://<current-origin>/auth/login?redirected=true.

Keeping it relative is safer and more portable.
It works consistently in local dev, production, and behind reverse proxies, without hardcoding the origin.

[Annaseli]

I think we should keep a comment (where it should be in the new version) explaining why the redirected flag is set to true, since it wasn’t clear to either Barak or me when we first saw it.

[Annaseli]

In the previous version we kept the: query: router.query

[Ben-El]

I will update the redirect to keep the existing query.
In React Router v6, we do this with location.search.