refactor: improved login flow (#56)

* style: update GitHubButton styles for improved layout

- Added a margin of 1px to the GitHubButton for better spacing.
- Reduced font size from 1.05rem to 0.8rem for a more compact appearance.

* feat: integrate Redis for session management

- Added Redis service to docker-compose for session storage.
- Implemented Redis connection in config.py and updated session management functions.
- Refactored dependencies to utilize Redis for session retrieval and deletion.
- Updated requirements.txt to include Redis library.

* feat: implement token expiration handling and refresh mechanism

- Added functions to check if the access token is expired and to refresh the token using the refresh token.
- Updated dependencies to utilize the new token management functions in the authentication flow.
- Enhanced the login endpoint to support session management with token state.

* feat: add endpoint to retrieve active session count from Redis

- Implemented a new GET endpoint `/count` to return the number of active sessions stored in Redis.
- The endpoint requires authentication and returns a dictionary with the active session count and a message.
- Integrated Redis client to facilitate session counting.

* feat: enhance session management with token expiration handling

- Updated the session management to include token expiration by passing the expiry time to the set_session function.
- Improved the authentication callback to handle token data more effectively.

* feat: enhance authentication flow and session management

- Added frontend URL to OIDC configuration for improved redirect handling.
- Updated session management to pass token expiration to the set_session function.
- Modified logout endpoint to return a logout URL for Keycloak, enhancing user experience.
- Adjusted CORS settings to restrict allowed origins for better security.

* feat: implement logout functionality with Keycloak iframe handling

- Added a new handleLogout function to manage user logout via an iframe for Keycloak.
- Removed the previous inline logout logic from the MainMenu.Item component.
- Enhanced error handling and session invalidation upon logout completion.

* feat: add Redis configuration and update docker-compose for password authentication

- Added Redis password configuration to the .env.template file.
- Updated the Redis service command in docker-compose to require the Redis password.
- Enhanced README to include Redis setup instructions and password usage.

* feat: add API workers configuration to environment and startup script

- Introduced API_WORKERS variable in .env.template for configurable worker count.
- Updated startup.sh to utilize the API_WORKERS variable when starting the application with uvicorn.

* feat: add PostHog configuration to runtime settings

- Updated startup script to include PostHog key and host in runtime configuration.
- Enhanced global TypeScript definitions to accommodate new PostHog properties.
- Modified PostHog initialization to utilize runtime configuration values, improving flexibility.

* feat: add Redis password configuration to Redis client in config.py

- Updated the Redis client initialization to include password retrieval from environment variables, enhancing security and flexibility in Redis connections.

Author: atyrode

.env.template

@@ -4,11 +4,17 @@ KEYCLOAK_PORT=8080
 CODER_PORT=7080
 APP_PORT=8000
 
+# API Configuration
+API_WORKERS=4
+
 # Database Configuration
 POSTGRES_USER=admin
 POSTGRES_PASSWORD=admin123
 POSTGRES_DB=pad
 
+# Redis Configuration
+REDIS_PASSWORD=redis123
+
 # Keycloak Configuration
 KEYCLOAK_ADMIN=admin
 KEYCLOAK_ADMIN_PASSWORD=admin123

README.md

@@ -50,7 +50,16 @@ This simplified example lets you host pad on `localhost` but is not safe for rea
     docker compose up -d postgres 
     ```
 
-### 3️⃣ Keycloak 🔑
+### 3️⃣ Redis 🔄
+> In-memory data store for caching and session management with password authentication
+
+*   Run the Redis container with password authentication
+    ```bash
+    docker compose up -d redis
+    ```
+*   The Redis password is configured in your `.env` file using the `REDIS_PASSWORD` variable
+
+### 4️⃣ Keycloak 🔑
 > OIDC provider for access and user management (within coder and pad app)
 *   Run the Keycloak container
     ```bash
@@ -78,7 +87,7 @@ This simplified example lets you host pad on `localhost` but is not safe for rea
     *   **Important:** Tick `Email verified`
     *   Go to the `Credentials` tab for the new user and set a password
 
-### 4️⃣ Coder 🧑‍💻
+### 5️⃣ Coder 🧑‍💻
 
 *   **Find Docker Group ID:** You'll need this to grant necessary permissions
     ```bash
@@ -119,7 +128,7 @@ This simplified example lets you host pad on `localhost` but is not safe for rea
         CODER_DEFAULT_ORGANIZATION=your_organization_id # Example: 70f6af06-ef3a-4b4c-a663-c03c9ee423bb
         ```
 
-### 5️⃣ Pad App 📝
+### 6️⃣ Pad App 📝
 > The fastAPI app that both serves the build frontend and the backend API to interface with Coder
 
 *   **Run the Application:**
@@ -139,8 +148,3 @@ This simplified example lets you host pad on `localhost` but is not safe for rea
 ## 🚀 Project Growth
 
 [![Star History Chart](https://api.star-history.com/svg?repos=pad-ws/pad.ws&type=Date)](https://star-history.com/#pad-ws/pad.ws&Date)
-
-
-
-
-

docker-compose.yml

@@ -12,6 +12,17 @@ services:
       - postgres_data:/var/lib/postgresql/data
     restart: unless-stopped
     network_mode: host
+    
+  redis:
+    image: redis:alpine
+    container_name: redis
+    ports:
+      - "6379:6379"
+    volumes:
+      - redis_data:/data
+    restart: unless-stopped
+    command: redis-server --requirepass ${REDIS_PASSWORD} --save 60 1 --loglevel warning
+    network_mode: host
 
   keycloak:
     image: quay.io/keycloak/keycloak:25.0
@@ -73,6 +84,9 @@ services:
       - POSTGRES_DB=${POSTGRES_DB}
       - POSTGRES_HOST=localhost
       - POSTGRES_PORT=${POSTGRES_PORT}
+      - REDIS_HOST=localhost
+      - REDIS_PORT=6379
+      - REDIS_PASSWORD=${REDIS_PASSWORD}
       - CODER_API_KEY=${CODER_API_KEY}
       - CODER_URL=http://localhost:${CODER_PORT}
       - CODER_TEMPLATE_ID=${CODER_TEMPLATE_ID}
@@ -81,3 +95,4 @@ services:
 
 volumes:
   postgres_data:
+  redis_data:

scripts/startup.sh

@@ -6,8 +6,10 @@ mkdir -p /app/frontend/dist/assets
 cat > /app/frontend/dist/assets/runtime-config.js <<EOL
 window.RUNTIME_CONFIG = {
   CODER_URL: "${CODER_URL}"
+  VITE_PUBLIC_POSTHOG_KEY: "${VITE_PUBLIC_POSTHOG_KEY}"
+  VITE_PUBLIC_POSTHOG_HOST: "${VITE_PUBLIC_POSTHOG_HOST}"  
 };
 EOL
 
 # Start the application
-exec uvicorn main:app --host 0.0.0.0 --port 8000
+exec uvicorn main:app --host 0.0.0.0 --port 8000 --workers $API_WORKERS

src/backend/config.py

@@ -1,4 +1,10 @@
 import os
+import json
+import time
+import httpx
+import redis
+import jwt
+from typing import Optional, Dict, Any, Tuple
 from dotenv import load_dotenv
 
 load_dotenv()
@@ -11,10 +17,39 @@
     'client_secret': os.getenv('OIDC_CLIENT_SECRET'),
     'server_url': os.getenv('OIDC_SERVER_URL'),
     'realm': os.getenv('OIDC_REALM'),
-    'redirect_uri': os.getenv('REDIRECT_URI')
+    'redirect_uri': os.getenv('REDIRECT_URI'),
+    'frontend_url': os.getenv('FRONTEND_URL')
 }
 
-sessions = {}
+# Redis connection
+redis_client = redis.Redis(
+    host=os.getenv('REDIS_HOST', 'localhost'),
+    password=os.getenv('REDIS_PASSWORD', None),
+    port=int(os.getenv('REDIS_PORT', 6379)),
+    db=0,
+    decode_responses=True
+)
+
+# Session management functions
+def get_session(session_id: str) -> Optional[Dict[str, Any]]:
+    """Get session data from Redis"""
+    session_data = redis_client.get(f"session:{session_id}")
+    if session_data:
+        return json.loads(session_data)
+    return None
+
+def set_session(session_id: str, data: Dict[str, Any], expiry: int) -> None:
+    """Store session data in Redis with expiry in seconds"""
+    redis_client.setex(
+        f"session:{session_id}", 
+        expiry,
+        json.dumps(data)
+    )
+
+def delete_session(session_id: str) -> None:
+    """Delete session data from Redis"""
+    redis_client.delete(f"session:{session_id}")
+
 provisioning_times = {}
 
 def get_auth_url() -> str:
@@ -23,10 +58,81 @@ def get_auth_url() -> str:
     params = {
         'client_id': OIDC_CONFIG['client_id'],
         'response_type': 'code',
-        'redirect_uri': OIDC_CONFIG['redirect_uri']
+        'redirect_uri': OIDC_CONFIG['redirect_uri'],
+        'scope': 'openid profile email'
     }
     return f"{auth_url}?{'&'.join(f'{k}={v}' for k,v in params.items())}"
 
 def get_token_url() -> str:
     """Get the token endpoint URL"""
     return f"{OIDC_CONFIG['server_url']}/realms/{OIDC_CONFIG['realm']}/protocol/openid-connect/token"
+
+def is_token_expired(token_data: Dict[str, Any], buffer_seconds: int = 30) -> bool:
+    """
+    Check if the access token is expired or about to expire
+    
+    Args:
+        token_data: The token data containing the access token
+        buffer_seconds: Buffer time in seconds to refresh token before it actually expires
+        
+    Returns:
+        bool: True if token is expired or about to expire, False otherwise
+    """
+    if not token_data or 'access_token' not in token_data:
+        return True
+        
+    try:
+        # Decode the JWT token without verification to get expiration time
+        decoded = jwt.decode(token_data['access_token'], options={"verify_signature": False})
+        
+        # Get expiration time from token
+        exp_time = decoded.get('exp', 0)
+        
+        # Check if token is expired or about to expire (with buffer)
+        current_time = time.time()
+        return current_time + buffer_seconds >= exp_time
+    except Exception as e:
+        print(f"Error checking token expiration: {str(e)}")
+        return True
+
+async def refresh_token(session_id: str, token_data: Dict[str, Any]) -> Tuple[bool, Dict[str, Any]]:
+    """
+    Refresh the access token using the refresh token
+    
+    Args:
+        session_id: The session ID
+        token_data: The current token data containing the refresh token
+        
+    Returns:
+        Tuple[bool, Dict[str, Any]]: Success status and updated token data
+    """
+    if not token_data or 'refresh_token' not in token_data:
+        return False, token_data
+        
+    try:
+        async with httpx.AsyncClient() as client:
+            refresh_response = await client.post(
+                get_token_url(),
+                data={
+                    'grant_type': 'refresh_token',
+                    'client_id': OIDC_CONFIG['client_id'],
+                    'client_secret': OIDC_CONFIG['client_secret'],
+                    'refresh_token': token_data['refresh_token']
+                }
+            )
+            
+            if refresh_response.status_code != 200:
+                print(f"Token refresh failed: {refresh_response.text}")
+                return False, token_data
+                
+            # Get new token data
+            new_token_data = refresh_response.json()
+            
+            # Update session with new tokens
+            expiry = new_token_data['expires_in']
+            set_session(session_id, new_token_data, expiry)
+            
+            return True, new_token_data
+    except Exception as e:
+        print(f"Error refreshing token: {str(e)}")
+        return False, token_data

src/backend/dependencies.py

@@ -1,7 +1,7 @@
 from typing import Optional
 from fastapi import Request, HTTPException, Depends
 
-from config import sessions
+from config import get_session, is_token_expired, refresh_token
 
 class SessionData:
     def __init__(self, access_token: str, token_data: dict):
@@ -15,7 +15,7 @@ def __init__(self, auto_error: bool = True):
     async def __call__(self, request: Request) -> Optional[SessionData]:
         session_id = request.cookies.get('session_id')
 
-        if not session_id or session_id not in sessions:
+        if not session_id:
             if self.auto_error:
                 raise HTTPException(
                     status_code=401,
@@ -24,7 +24,32 @@ async def __call__(self, request: Request) -> Optional[SessionData]:
                 )
             return None
 
-        session = sessions[session_id]
+        session = get_session(session_id)
+        if not session:
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=401,
+                    detail="Not authenticated",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+            return None
+            
+        # Check if token is expired and refresh if needed
+        if is_token_expired(session):
+            # Try to refresh the token
+            success, new_session = await refresh_token(session_id, session)
+            if not success:
+                # Token refresh failed, user needs to re-authenticate
+                if self.auto_error:
+                    raise HTTPException(
+                        status_code=401,
+                        detail="Session expired",
+                        headers={"WWW-Authenticate": "Bearer"},
+                    )
+                return None
+            # Use the refreshed token data
+            session = new_session
+            
         return SessionData(
             access_token=session.get('access_token'),
             token_data=session

src/backend/main.py

@@ -37,7 +37,7 @@ async def lifespan(_: FastAPI):
 # CORS middleware setup
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=["https://kc.pad.ws", "https://alex.pad.ws"],
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],

src/backend/requirements.txt

@@ -8,3 +8,4 @@ PyJWT
 requests
 sqlalchemy
 posthog
+redis

src/backend/routers/auth.py

@@ -2,10 +2,10 @@
 import jwt
 import httpx
 from fastapi import APIRouter, Request, HTTPException, Depends
-from fastapi.responses import RedirectResponse, FileResponse
+from fastapi.responses import RedirectResponse, FileResponse, JSONResponse
 import os
 
-from config import get_auth_url, get_token_url, OIDC_CONFIG, sessions, STATIC_DIR
+from config import get_auth_url, get_token_url, OIDC_CONFIG, set_session, delete_session, STATIC_DIR, get_session
 from dependencies import SessionData, require_auth
 from coder import CoderAPI
 
@@ -14,13 +14,18 @@
 
 @auth_router.get("/login")
 async def login(request: Request, kc_idp_hint: str = None, popup: str = None):
+    
     session_id = secrets.token_urlsafe(32)
+
     auth_url = get_auth_url()
     state = "popup" if popup == "1" else "default"
+
     if kc_idp_hint:
         auth_url = f"{auth_url}&kc_idp_hint={kc_idp_hint}"
+
     # Add state param to OIDC URL
     auth_url = f"{auth_url}&state={state}"
+
     response = RedirectResponse(auth_url)
     response.set_cookie('session_id', session_id)
 
@@ -48,8 +53,10 @@ async def callback(request: Request, code: str, state: str = "default"):
         if token_response.status_code != 200:
             raise HTTPException(status_code=400, detail="Auth failed")
 
-        sessions[session_id] = token_response.json()
-        access_token = token_response.json()['access_token']
+        token_data = token_response.json()
+        expiry = token_data['expires_in']
+        set_session(session_id, token_data, expiry)
+        access_token = token_data['access_token']
         user_info = jwt.decode(access_token, options={"verify_signature": False})
 
         try:
@@ -65,24 +72,26 @@ async def callback(request: Request, code: str, state: str = "default"):
         return FileResponse(os.path.join(STATIC_DIR, "auth/popup-close.html"))
     else:
         return RedirectResponse('/')
-
+    
 @auth_router.get("/logout")
 async def logout(request: Request):
     session_id = request.cookies.get('session_id')
-    if session_id in sessions:
-        del sessions[session_id]
 
-    # Create a response that doesn't redirect but still clears the cookie
-    from fastapi.responses import JSONResponse
-    response = JSONResponse({"status": "success", "message": "Logged out successfully"})
+    session_data = get_session(session_id)
+    if not session_data:
+        return RedirectResponse('/')
+    
+    id_token = session_data.get('id_token', '')
+    
+    # Delete the session from Redis
+    delete_session(session_id)
+    
+    # Create the Keycloak logout URL with redirect back to our app
+    logout_url = f"{OIDC_CONFIG['server_url']}/realms/{OIDC_CONFIG['realm']}/protocol/openid-connect/logout"
+    redirect_uri = OIDC_CONFIG['frontend_url']  # Match the frontend redirect URI
+    full_logout_url = f"{logout_url}?id_token_hint={id_token}&post_logout_redirect_uri={redirect_uri}"
 
-    # Clear the session_id cookie with all necessary parameters
-    response.delete_cookie(
-        key="session_id",
-        path="/",
-        domain=None,  # Use None to match the current domain
-        secure=request.url.scheme == "https",
-        httponly=True
-    )
+    # Create a redirect response to Keycloak's logout endpoint
+    response = JSONResponse({"status": "success", "logout_url": full_logout_url})
 
     return response