chore(dev): Add token rotation for keycloak provider & sync account expires date with session expires

CrawlerCode · CrawlerCode · commit 27ee17b2d70f · 2025-03-27T21:57:18.000+01:00
diff --git a/packages/dev/src/app/components/auth/ExpiresBadge.tsx b/packages/dev/src/app/components/auth/ExpiresBadge.tsx
@@ -0,0 +1,40 @@
+import type { ComponentProps } from "react";
+import Badge from "../general/Badge";
+
+export const ExpiresBadge = ({
+  expiresAt: expiresAtString,
+  title,
+  ...props
+}: {
+  title: string;
+  expiresAt?: string | null;
+} & Omit<ComponentProps<typeof Badge>, "variant" | "children">) => {
+  if (!expiresAtString) {
+    return null;
+  }
+
+  const expiresAt = new Date(expiresAtString);
+
+  return (
+    <Badge variant="yellow" {...props}>
+      {title}: {expiresAt.toLocaleString()} ({formatRelativeTime(expiresAt)})
+    </Badge>
+  );
+};
+
+const formatRelativeTime = (date: Date) => {
+  const now = new Date();
+  const diffInSeconds = Math.floor((date.getTime() - now.getTime()) / 1000);
+
+  const rtf = new Intl.RelativeTimeFormat();
+
+  if (diffInSeconds < 60) {
+    return rtf.format(diffInSeconds, "seconds");
+  } else if (diffInSeconds < 3600) {
+    return rtf.format(Math.floor(diffInSeconds / 60), "minutes");
+  } else if (diffInSeconds < 86400) {
+    return rtf.format(Math.floor(diffInSeconds / 3600), "hours");
+  } else {
+    return rtf.format(Math.floor(diffInSeconds / 86400), "days");
+  }
+};
diff --git a/packages/dev/src/app/components/auth/payload/PayloadSessionClientWithUsePayloadSession.tsx b/packages/dev/src/app/components/auth/payload/PayloadSessionClientWithUsePayloadSession.tsx
@@ -2,6 +2,7 @@
 
 import { usePayloadSession } from "payload-authjs/client";
 import Badge from "../../general/Badge";
+import { ExpiresBadge } from "../ExpiresBadge";
 
 export const PayloadSessionClientWithUsePayloadSession = () => {
   const { status, session, refresh } = usePayloadSession();
@@ -14,11 +15,12 @@ export const PayloadSessionClientWithUsePayloadSession = () => {
         >
           Status: {status}
         </Badge>
-        {session?.expires && (
-          <Badge variant="yellow" onClick={refresh}>
-            Expires: {new Date(session.expires).toLocaleString()}
-          </Badge>
-        )}
+        <ExpiresBadge title="Session Expires" expiresAt={session?.expires} onClick={refresh} />
+        <ExpiresBadge title="Account Expires" expiresAt={session?.user.currentAccount?.expiresAt} />
+        <ExpiresBadge
+          title="Account Refresh Token Expires"
+          expiresAt={session?.user.currentAccount?.refreshExpiresAt}
+        />
         {session?.collection ? (
           <Badge variant="dark">Collection: {session.collection}</Badge>
         ) : null}
diff --git a/packages/dev/src/app/components/auth/payload/PayloadSessionServer.tsx b/packages/dev/src/app/components/auth/payload/PayloadSessionServer.tsx
@@ -1,6 +1,7 @@
 import { revalidateTag } from "next/cache";
 import { getPayloadSession } from "payload-authjs";
 import Badge from "../../general/Badge";
+import { ExpiresBadge } from "../ExpiresBadge";
 
 export const PayloadSessionServer = async () => {
   const session = await getPayloadSession();
@@ -11,20 +12,22 @@ export const PayloadSessionServer = async () => {
         <Badge variant={session ? "green" : "red"}>
           Status: {session ? "authenticated" : "unauthenticated"}
         </Badge>
-        {session?.expires && (
-          <Badge
-            variant="yellow"
-            onClick={async () => {
-              "use server";
+        <ExpiresBadge
+          title="Session Expires"
+          expiresAt={session?.expires}
+          onClick={async () => {
+            "use server";
 
-              revalidateTag("payload-session");
+            revalidateTag("payload-session");
 
-              return Promise.resolve();
-            }}
-          >
-            Expires: {new Date(session.expires).toLocaleString()}
-          </Badge>
-        )}
+            return Promise.resolve();
+          }}
+        />
+        <ExpiresBadge title="Account Expires" expiresAt={session?.user.currentAccount?.expiresAt} />
+        <ExpiresBadge
+          title="Account Refresh Token Expires"
+          expiresAt={session?.user.currentAccount?.refreshExpiresAt}
+        />
         {session?.collection ? (
           <Badge variant="dark">Collection: {session.collection}</Badge>
         ) : null}
diff --git a/packages/dev/src/auth/base.config.ts b/packages/dev/src/auth/base.config.ts
@@ -1,5 +1,5 @@
 import jwt from "jsonwebtoken";
-import type { NextAuthConfig } from "next-auth";
+import type { NextAuthConfig, Session } from "next-auth";
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
 import type { JWT } from "next-auth/jwt";
 import type { PayloadAuthjsUser } from "payload-authjs";
@@ -36,7 +36,7 @@ export const authConfig: NextAuthConfig = {
     updateAge: 60, // 1 minute
   },
   callbacks: {
-    jwt: ({ token, user, account, trigger }) => {
+    jwt: async ({ token, user, account, trigger }) => {
       //console.log("callbacks.jwt", trigger, token, user, account);
 
       /**
@@ -77,14 +77,73 @@ export const authConfig: NextAuthConfig = {
         token.currentAccount = {
           provider: account.provider,
           providerAccountId: account.providerAccountId,
-          access_token: account.access_token,
-          refresh_token: account.refresh_token,
-          expires_at: account.expires_at
+          accessToken: account.access_token,
+          refreshToken: account.refresh_token,
+          expiresAt: account.expires_at
             ? new Date(account.expires_at * 1000).toISOString()
             : undefined,
+          refreshExpiresAt:
+            account.refresh_expires_in && typeof account.refresh_expires_in === "number"
+              ? new Date(new Date().getTime() + account.refresh_expires_in * 1000).toISOString()
+              : undefined,
         };
       }
 
+      /**
+       * Refresh access token for keycloak provider
+       *
+       * @see https://authjs.dev/guides/refresh-token-rotation
+       */
+      if (
+        token.currentAccount?.provider === "keycloak" &&
+        // Access token is expired or will expire in 3 minutes
+        token.currentAccount.expiresAt &&
+        new Date() >=
+          new Date(new Date(token.currentAccount.expiresAt).getTime() - 3 * 60 * 1000) &&
+        // Refresh token is present and not expired
+        token.currentAccount.refreshToken &&
+        token.currentAccount.refreshExpiresAt &&
+        new Date() < new Date(token.currentAccount.refreshExpiresAt)
+      ) {
+        try {
+          const response = await fetch(
+            `${process.env.AUTH_KEYCLOAK_ISSUER}/protocol/openid-connect/token`,
+            {
+              method: "POST",
+              headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+              },
+              body: new URLSearchParams({
+                grant_type: "refresh_token",
+                client_id: process.env.AUTH_KEYCLOAK_ID!,
+                client_secret: process.env.AUTH_KEYCLOAK_SECRET!,
+                refresh_token: token.currentAccount.refreshToken,
+              }),
+            },
+          );
+
+          if (!response.ok) {
+            throw new Error(
+              `Request failed with status ${response.status}: ${response.statusText}`,
+            );
+          }
+
+          const refreshedTokens = await response.json();
+
+          token.currentAccount.accessToken = refreshedTokens.access_token;
+          token.currentAccount.refreshToken = refreshedTokens.refresh_token;
+          token.currentAccount.expiresAt = new Date(
+            new Date().getTime() + refreshedTokens.expires_in * 1000,
+          ).toISOString();
+          token.currentAccount.refreshExpiresAt = new Date(
+            new Date().getTime() + refreshedTokens.refresh_expires_in * 1000,
+          ).toISOString();
+        } catch (error) {
+          // eslint-disable-next-line no-console
+          console.error("Error refreshing access token", error);
+        }
+      }
+
       return token;
     },
     session: ({ session, token }) => {
@@ -106,6 +165,14 @@ export const authConfig: NextAuthConfig = {
         session.user.currentAccount = token.currentAccount;
       }
 
+      /**
+       * If the current account has an expires date, sync the session expires date with it
+       */
+      const expiresAt = token?.currentAccount?.refreshExpiresAt || token?.currentAccount?.expiresAt;
+      if (expiresAt) {
+        (session as Session).expires = new Date(expiresAt).toISOString();
+      }
+
       return session;
     },
     authorized: ({ auth }) => {
diff --git a/packages/dev/src/payload-types.ts b/packages/dev/src/payload-types.ts
@@ -140,9 +140,10 @@ export interface User {
   currentAccount?: {
     provider?: string | null;
     providerAccountId?: string | null;
-    access_token?: string | null;
-    refresh_token?: string | null;
-    expires_at?: string | null;
+    accessToken?: string | null;
+    refreshToken?: string | null;
+    expiresAt?: string | null;
+    refreshExpiresAt?: string | null;
   };
   verificationTokens?:
     | {
@@ -261,9 +262,10 @@ export interface UsersSelect<T extends boolean = true> {
     | {
         provider?: T;
         providerAccountId?: T;
-        access_token?: T;
-        refresh_token?: T;
-        expires_at?: T;
+        accessToken?: T;
+        refreshToken?: T;
+        expiresAt?: T;
+        refreshExpiresAt?: T;
       };
   verificationTokens?:
     | T
diff --git a/packages/dev/src/payload/collections/users.ts b/packages/dev/src/payload/collections/users.ts
@@ -71,15 +71,19 @@ const Users: CollectionConfig = {
                   type: "row",
                   fields: [
                     {
-                      name: "access_token",
+                      name: "accessToken",
                       type: "text",
                     },
                     {
-                      name: "refresh_token",
+                      name: "refreshToken",
                       type: "text",
                     },
                     {
-                      name: "expires_at",
+                      name: "expiresAt",
+                      type: "date",
+                    },
+                    {
+                      name: "refreshExpiresAt",
                       type: "date",
                     },
                   ],
