Proper way to handle HTTP Authentication & (jwt) token renewal

[jeanhdex]

When one is accessing an API with authentication, what is the best way to handle HTTP Authentication and token renewal?

My first guess was using a context with a RwSignal and running a background task, dedicated to token renewal when it expires. It seems a bit far from the philosophy of leptos; so I was wondering if any of you have ever asked yourself this question and found an elegant way to answer it :)

I started using leptos a few days ago and I'm completely seduced ; I hope there's a solution to do this.

[gbj]

Hm yeah I'm not great with the details of JWT. What's the flow that you actually need to do to renew a token? Is it something you can verify on the server, and renew from the server if it needs to be renewed? In that case something like a validate() server function that auto-renews is the way to go.

Worth checking out the session_auth_axum example in the repo if you haven't. I don't think it's JWT based but is a fairly well-developed auth example.

[jeanhdex]

The main idea is: first, you get an auth token (there are multiple ways to get this token, from your server or a different one, mixing with OpenID standard, etc). Then, you request an access token authenticating with this auth token. The auth token is used to access resources on a server. The only thing is that it must be frequently renewed (every minutes or hours, depending on the server's policy).

I tried two different ways of doing that with leptos:

1. Storing tokens in the Context (in a structure itself wrapped in a RwSignal). Implementing get_token on this structure, and the implementation has to access the data, check expiration dates, renew token if necessary, and then return the token to use in the app. The problem with this approach is that the function has to be async to make web requests (if necessary). Also, I guess when rendering the same page some components may want to renew the same token at the same time, which isn't great.

2. Still storing tokens in the Contexct (same, in a structure wrapped in a RwSignal) and always accessing the token value by reading the Signal. And when the app starts, spawn a task which has to renew the token when necessary (the only one able to write the signal). The problem with this approach is that the task isn't cancellable with leptos and there isn't a way to do somethink like the tokio::select! macro: either wait x minutes before renewal or wait for the signal to say "please stop task".

I'd like to work with server functions but since the API I'm using must use PATCH, PUT, DELETE, send data encoded in json, etc., I don't think it' s the right way to go (even if I really love the concept of server functions!

[gbj]

The problem with this approach is that the task isn't cancellable with leptos and there isn't a way to do somethink like the tokio::select! macro: either wait x minutes before renewal or wait for the signal to say "please stop task".

Not sure I understand this part. "Spawn a task" is server-side language for what you're trying to do, but I'm interpreting this as "run something to renew the token every few minutes," in which case set_interval_with_handle, which runs a task every X amount of time and returns a cancellable handle, sounds right to me. You can just store the handle in a struct and run .clear() on it to say "please stop task."

[jeanhdex]

Sorry for the late reply: at first I thought it was a good solution but since this function's signature only takes a 'static closure as parameter I don't have any clue on how to use this (it need to access context and to be able to mutate it somehow).

[jeanhdex]

So... I didn't find a very elegant way of doing it but here is where I am at the moment and it works pretty well.

I have a global state context which looks like this:

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct GlobalState {
    pub logged_in_user: RwSignal<Option<LoggedInUser>>,
}

#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub struct LoggedInUser {
    access_token: String,
    access_token_exp: DateTime<Utc>,

    auth_token: String,
    auth_token_exp: DateTime<Utc>,
}

and basically what I do is just a call to spawn_local(...) and run a function indefinitely checks the context and wait a bit before checking again if the token is expired or not :)