Add workos POC implementation

[paulfalgout]

Replaces #1323 Based on #1324

Shortcut Story ID: [sc-55351]

I don't have client ids in here or setup yet for dev.

I'm still not sure how we're going to implement our internal google connection, but I'm assuming the only option is separate clients.. but then I really don't know how the API will differentiate between if the token is internal or the orgs.

Summary by CodeRabbit

• New Features

  • Integrated WorkOS authentication library for enhanced user authentication.
  • Added a new configuration for WorkOS client settings.
  • Introduced a module for managing WorkOS authentication processes.
  • Enhanced authentication logic to support multiple providers, including WorkOS.

• Bug Fixes

  • Improved handling of application state during login and logout processes.

• Documentation

  • Updated configuration files to include new authentication settings.

• Refactor

  • Streamlined authentication logic across multiple providers for better modularity.

[coderabbitai]

Walkthrough

The changes encompass modifications to several JavaScript files and configuration files to enhance authentication functionality. A new dependency for the WorkOS authentication library is added, along with a new configuration section. The authentication logic is refactored to streamline token management across multiple providers, and new files are introduced for handling authentication with WorkOS. Routing paths are standardized through a dedicated configuration file, improving organization and maintainability.

Changes

Files	Change Summary
package.json	Added glob pattern "src/js/auth/*.js" and new dependency "@workos-inc/authkit-js": "^0.5.1".
public/appconfig.json	Renamed section "kinde2" to "kinde" and added new section "workos" with properties clientId, rwClientId, and createClientOptions.
src/js/auth.js	Refactored authentication logic, updated token management functions, and modified logout handling.
src/js/auth/workos.js	Created WorkOS authentication module with functions for login, logout, and token management.
src/js/config.js	Added workosConfig object for configuration management and updated fetchConfig function.

Possibly related PRs

• Refactor auth for consistency #1324: The changes in this PR involve modifications to src/js/auth.js, specifically enhancing the authentication logic and integrating the getAuthAgent function, which is directly related to the updates made in the main PR that also modifies the getAuthAgent function to include WorkOS as an authentication option.

Suggested reviewers

• nmajor25

Poem

🐇 In the meadow where bunnies play,
New paths and tokens brighten the day.
With WorkOS and Kinde, we leap and bound,
Authentication joyfully found!
Hops of joy, a code delight,
In our burrow, all feels right! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[cypress]

RoundingWell Care Ops Frontend    Run #6837

Run Properties:   Passed #6837  •  4c563b937c: Support optional separate rwClientId for workos

Project	RoundingWell Care Ops Frontend
Branch Review	workos-add
Run status	Passed #6837
Run duration	03m 01s
Commit	4c563b937c: Support optional separate rwClientId for workos
Committer	Paul Falgout
View all properties for this run ↗︎

---

Test results
Failures	0
Flaky	1
Pending	0
Skipped	0
Passing	312
View all changes introduced in this branch ↗︎

[coveralls]

Pull Request Test Coverage Report for Build a73766f9-278b-4b19-b671-78ced9d39fc6

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 99.987%

---

Totals
Change from base Build eba506bc-3bff-4440-a9ae-e64020912832:	0.0%
Covered Lines:	5921
Relevant Lines:	5921

---

💛 - Coveralls

[coderabbitai]

Actionable comments posted: 11

🧹 Outside diff range and nitpick comments (5)

src/js/auth/config.js (2)

1-5: LGTM! Consider adding JSDoc comments for better documentation.

The constant declarations for routing paths are well-structured and follow a consistent naming convention. The exported constants will be useful for maintaining consistent routing throughout the application.

To improve documentation, consider adding JSDoc comments for each constant. This will provide better context for developers using these constants in other parts of the application. Here's an example of how you could enhance the documentation:

/** The root path of the application */
export const PATH_ROOT = '/';

/** The path for the RealWell dashboard */
export const PATH_RWELL = '/rw';

/** The path for authenticated users */
export const PATH_AUTHD = '/authenticated';

/** The path for the login page */
export const PATH_LOGIN = '/login';

/** The path for the logout action */
export const PATH_LOGOUT = '/logout';

---

1-5: Consider additional configuration for WorkOS and Google authentication.

While these routing constants are a good start for organizing the authentication flow, the WorkOS POC implementation and the mentioned internal Google connection might require additional configuration.

Given the uncertainty expressed in the PR description about the internal Google connection and API token differentiation, consider the following:

1. Are there any WorkOS-specific routes or endpoints that need to be defined as constants?
2. Might there be a need for separate constants to handle Google authentication routes?
3. Consider adding constants or configuration options to help differentiate between internal tokens and those belonging to organizations.

It might be beneficial to create a separate configuration file specifically for authentication providers (e.g., authProviders.js). This file could include:

export const AUTH_PROVIDERS = {
  WORKOS: 'workos',
  GOOGLE: 'google',
  // Add other providers as needed
};

export const PROVIDER_ROUTES = {
  [AUTH_PROVIDERS.WORKOS]: {
    // WorkOS specific routes
  },
  [AUTH_PROVIDERS.GOOGLE]: {
    // Google specific routes
  },
};

export const TOKEN_TYPES = {
  INTERNAL: 'internal',
  ORGANIZATION: 'organization',
};

This structure would allow for easier management of multiple authentication providers and token types, addressing some of the concerns mentioned in the PR description.

src/js/config.js (2)

16-16: LGTM: Update to fetchConfig function

The update to fetchConfig correctly extends workosConfig with data from the fetched configuration, consistent with how other config objects are handled.

Consider adding error handling to the fetchConfig function. For example:

function fetchConfig(success, error) {
  fetch(`/appconfig.json?${ new URLSearchParams({ _: _NOW_ }) }`)
    .then(response => {
      if (!response.ok) {
        throw new Error(`HTTP error! status: ${response.status}`);
      }
      return response.json();
    })
    .then(config => {
      // ... existing code ...
      success();
    })
    .catch(e => {
      console.error("Failed to fetch config:", e);
      if (error) error(e);
    });
}

This would make the function more robust and allow for better error handling in the application.

---

WorkOS Configuration Incomplete: Missing Client ID

• The public/appconfig.json file contains the workos configuration, but the clientId is set to << id here >>, indicating that the Client ID is missing.
• No WorkOS-related implementations were found in src/js/auth/workos.js, suggesting incomplete integration.

🔗 Analysis chain

Line range hint 1-32: Verify WorkOS configuration and next steps

The changes to include WorkOS configuration look good. However, based on the PR objectives, there are a few points to consider:

1. Client IDs: The PR mentions that client IDs have not been included or set up for the development environment. Ensure that these are added and properly configured before merging.

2. Internal Google connection: There's uncertainty about implementing an internal Google connection. This may require further investigation or discussion with the team.

3. API differentiation: The PR raises a question about how the API will differentiate between internal tokens and those belonging to organizations. This might need clarification or additional implementation.

To ensure all necessary configuration is in place, you can run the following script:

This script will help verify that the necessary WorkOS configuration is present in the appconfig.json file.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for WorkOS configuration in appconfig.json

# Test: Verify WorkOS configuration exists in appconfig.json
if grep -q '"workos":' appconfig.json; then
  echo "WorkOS configuration found in appconfig.json"
else
  echo "Warning: WorkOS configuration not found in appconfig.json"
fi

# Test: Check for client ID in WorkOS configuration
if grep -q '"clientId":' appconfig.json; then
  echo "Client ID found in appconfig.json"
else
  echo "Warning: Client ID not found in appconfig.json"
fi

Length of output: 399

---

Script:

#!/bin/bash
# Description: Search for WorkOS configuration in all JSON files

echo "Searching for WorkOS configuration in JSON files..."
ast-grep --lang json --pattern $'{
  "workos": $$$
}' 

# Alternatively, search for WorkOS-related environment variables
echo "Searching for WorkOS-related environment variables..."
dotenv_files=$(fd .env)
for file in $dotenv_files; do
  grep -E '^WORKOS_' "$file" && echo "Found WorkOS environment variables in $file"
done

Length of output: 311

---

Script:

#!/bin/bash
# Description: Search for 'workos' references in all code files

echo "Searching for 'workos' references in code files..."
rg -i 'workos' --files-with-matches

echo "Searching for WorkOS-related function calls and variable declarations..."
ast-grep --lang javascript --pattern $'$_($$_)' --output

Length of output: 672

---

Script:

#!/bin/bash
# Description: Display contents of public/appconfig.json to check WorkOS configuration

if [ -f public/appconfig.json ]; then
  echo "Contents of public/appconfig.json:"
  cat public/appconfig.json
else
  echo "public/appconfig.json does not exist."
fi

Length of output: 1191

---

Script:

#!/bin/bash
# Description: Search for WorkOS-related function calls and variable declarations in JavaScript files

echo "Searching for WorkOS-related function calls and variable declarations..."

ast-grep --lang javascript --pattern $'const workos = $_;' src/js/auth/workos.js
ast-grep --lang javascript --pattern $'workos.$$_($_)' src/js/auth/workos.js

Length of output: 314

src/js/auth/kinde.js (1)

78-84: Ensure iframe busting logic handles cross-origin frames

In the login function, the iframe busting code checks if the current window is not the topmost window and then tries to redirect the top window to PATH_LOGIN:

if (top !== self) {
  top.location = PATH_LOGIN;
  return;
}

This can cause issues if the page is loaded within an iframe from a different origin due to cross-origin restrictions, potentially throwing a security exception.

Consider adding a try-catch block to handle any exceptions and provide a fallback:

 if (top !== self) {
-  top.location = PATH_LOGIN;
+  try {
+    top.location = PATH_LOGIN;
+  } catch (e) {
+    window.location = PATH_LOGIN;
+  }
   return;
 }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between e360aad and 1f389e6.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (8)

• package.json (2 hunks)
• public/appconfig.json (1 hunks)
• src/js/auth.js (2 hunks)
• src/js/auth/auth0.js (3 hunks)
• src/js/auth/config.js (1 hunks)
• src/js/auth/kinde.js (1 hunks)
• src/js/auth/workos.js (1 hunks)
• src/js/config.js (3 hunks)

🔇 Additional comments (18)

src/js/auth/config.js (1)

1-5: Verify usage of routing constants and replace hardcoded paths.

These routing constants are likely to be used across multiple components and modules. To ensure consistency and maintainability:

1. Verify that these constants are being used appropriately throughout the codebase, especially in components related to authentication and navigation.
2. Check for any remaining hardcoded path strings that should be replaced with these constants.

Run the following script to check for hardcoded paths and verify the usage of the new constants:

This script will help identify:

1. Any remaining hardcoded paths that might need to be replaced with the new constants.
2. Where the new routing constants are being used in the codebase.
3. Any imports of potentially outdated routing constants that should be updated to use the new config.js.

Please review the results and make any necessary adjustments to ensure consistent use of these new routing constants throughout the application.

src/js/config.js (2)

5-5: LGTM: Addition of workosConfig object

The addition of workosConfig is consistent with the existing pattern in the file and follows good practices by initializing it as an empty object.

---

28-28: LGTM: Addition of workosConfig to exports

The addition of workosConfig to the exports is correct and necessary. It follows the existing pattern and will make the configuration available for use in other parts of the application.

public/appconfig.json (2)

29-32: LGTM: WorkOS configuration added successfully.

The addition of the WorkOS configuration section aligns with the PR objectives for implementing a WorkOS POC. The structure looks correct with placeholders for future configuration.

---

29-32: Clarify the strategy for multiple authentication providers.

The configuration file now includes settings for Auth0, Kinde2, and WorkOS. Could you please clarify:

1. How these different providers will be used together?
2. Is there a plan to migrate from one provider to another, or will they coexist?
3. How will the application determine which provider to use for authentication?

This information will help ensure that the authentication flow is implemented correctly and securely across the application.

To help understand the usage of these providers, we can check for their imports and usage in the codebase:

#!/bin/bash
# Description: Check for usage of different auth providers in the codebase

echo "Auth0 usage:"
rg --type js "auth0" -g '!public/appconfig.json'

echo "\nKinde2 usage:"
rg --type js "kinde2" -g '!public/appconfig.json'

echo "\nWorkOS usage:"
rg --type js "workos" -g '!public/appconfig.json'

package.json (2)

225-225: New WorkOS dependency added

The addition of "@workos-inc/authkit-js": "^0.5.1" introduces WorkOS authentication capabilities to the project. This aligns with the PR objectives mentioning a WorkOS POC implementation.

To ensure this addition doesn't conflict with existing authentication methods and is properly integrated, please verify:

1. The usage of this library in the codebase:

#!/bin/bash
# Search for WorkOS usage in the codebase
rg --type js '@workos-inc/authkit-js'

2. Check for any potential conflicts with existing auth providers:

#!/bin/bash
# Search for other auth provider usage
rg --type js '@auth0/auth0-spa-js|@kinde-oss/kinde-auth-pkce-js'

These checks will help ensure that the WorkOS integration is properly implemented and doesn't conflict with existing authentication methods.

---

161-161: Verify the exclusion of auth files from code coverage

A new glob pattern "src/js/auth/*.js" has been added to the nyc configuration's exclude array. This means that all JavaScript files in the src/js/auth/ directory will be excluded from code coverage reports.

Please confirm if this exclusion is intentional. If these files contain critical authentication logic, it might be beneficial to include them in the code coverage to ensure proper testing.

To check the contents of the src/js/auth/ directory, you can run:

This will help determine if there are any files that should be included in the code coverage.

src/js/auth.js (1)

45-47: Ensure consistent handling of the success callback

In the auth function, each authentication provider's auth method is called with the success callback. Verify that all providers correctly invoke this callback upon successful authentication, ensuring a consistent application flow regardless of the provider used.

Run the following script to confirm that each provider calls success() in their auth methods:

#!/bin/bash
# Description: Verify that each provider's auth method invokes the success callback.

# Test: Search for 'success()' within auth methods of each provider.
for provider in workos kinde auth0; do
  echo "Checking ${provider}.js:"
  rg --type javascript -A 5 'async function auth\(success\)' "./auth/${provider}.js" | rg 'success\(\)'
done

src/js/auth/kinde.js (1)

1-138: Code structure and implementation look good

The overall implementation is well-organized, and the code follows best practices. The use of async/await and modular functions enhances readability and maintainability.

src/js/auth/auth0.js (9)

1-1: Importing isEmpty enhances configuration checks

The addition of isEmpty from underscore allows for reliable checking of the config object in the should function.

---

16-18: should function correctly determines initialization need

The should function effectively checks if the config is empty, which helps in deciding whether to proceed with authentication.

---

56-60: Proper normalization of appState in authentication callback

The logic to reset appState from PATH_LOGIN or PATH_RWELL to PATH_ROOT ensures users are redirected appropriately after authentication. Setting the PATH_RWELL flag in localStorage is a good approach to handle specific connection requirements.

---

76-81: Dynamic configuration of Auth0 parameters

Updating the redirect_uri and conditionally setting the connection parameter based on localStorage enhances the flexibility of the authentication flow.

---

88-90: Improved logout process with proper token clearance

By setting token to null and redirecting to PATH_LOGOUT, the logout function ensures that both local state and server-side sessions are properly terminated.

---

92-95: Encapsulation of login redirection logic

The new loginWithRedirect function simplifies the login process by encapsulating redirect options, improving code readability and maintainability.

---

96-116: Enhanced login flow with prompt handling

The updated login function provides an iframe buster and respects the disableLoginPrompt configuration, offering a seamless user experience by conditionally displaying the login prompt.

---

127-142: Comprehensive handling of authentication routes

The additions in the auth function to handle PATH_LOGOUT, PATH_RWELL, and PATH_AUTHD improve the application's ability to manage different authentication scenarios effectively.

---

167-167: Exporting should function for external use

Exporting the should function allows other modules to determine if authentication should be initialized, promoting modularity and reusability.

[coderabbitai]

💡 Codebase verification

⚠️ Placeholder clientId Found in public/appconfig.json

The clientId is still set to the placeholder value "<< id here >>". Please replace it with the actual WorkOS client ID before deploying to any environment.

• File: public/appconfig.json
• Line: 30

🔗 Analysis chain

Remember to replace the clientId placeholder before deployment.

The clientId is currently set to a placeholder value "<< id here >>". Ensure this is replaced with the actual WorkOS client ID before deploying to any environment.

To ensure this placeholder is not accidentally deployed, you can run the following check:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for placeholder clientId in appconfig.json

if grep -q '"clientId": "<< id here >>"' public/appconfig.json; then
  echo "Warning: Placeholder clientId found in appconfig.json"
  exit 1
else
  echo "No placeholder clientId found in appconfig.json"
fi

Length of output: 2264

---

Script:

#!/bin/bash
# Description: Re-check for placeholder clientId in appconfig.json

if grep -q '"clientId": "<< id here >>"' public/appconfig.json; then
  echo "Warning: Placeholder clientId found in appconfig.json"
  exit 1
else
  echo "No placeholder clientId found in appconfig.json"
fi

Length of output: 187

[coderabbitai]

⚠️ Potential issue

Review the return value 'no-token' in getToken

In the getToken function, if none of the should() methods return true, the function returns the string 'no-token'. Ensure that this return value is handled correctly throughout the application. If a null or undefined value is more appropriate, consider modifying the return statement.

Consider this change:

   if (auth0.should()) return auth0.getToken();

-  return 'no-token';
+  // Return null if no authentication provider is active
+  return null;
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	return 'no-token';
	if (auth0.should()) return auth0.getToken();
	// Return null if no authentication provider is active
	return null;

[coderabbitai]

💡 Codebase verification

Fallback logout URL '/logout' is not properly handled

The PATH_LOGOUT is correctly defined as /logout, but there are no route handlers found for this path. Please ensure that the /logout route is properly defined to handle user logout when no authentication provider matches.

🔗 Analysis chain

Confirm the fallback logout URL is correct

In the logout function, if no authentication provider matches, the code redirects the user to PATH_LOGOUT. Please ensure that PATH_LOGOUT is correctly defined and that this fallback URL appropriately handles user logout in the absence of a specific authentication provider.

Run the following script to check the definition of PATH_LOGOUT:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that PATH_LOGOUT is properly defined in './auth/config.js'

# Test: Search for the definition of PATH_LOGOUT. Expect: A valid URL assignment.
rg --type javascript 'export\s+const\s+PATH_LOGOUT\s*=\s*.*;' ./auth/config.js

Length of output: 647

---

Script:

#!/bin/bash
# Description: Search for the definition of PATH_LOGOUT across the codebase

# Test: Search for the definition of PATH_LOGOUT. Expect: A valid URL assignment.
rg 'export\s+const\s+PATH_LOGOUT\s*=\s*.*;'

Length of output: 105

---

Script:

#!/bin/bash
# Description: Verify that the '/logout' route is properly handled in the codebase

# Test: Search for the definition and handling of the '/logout' route.
rg '/logout' --glob '*.{js,jsx,ts,tsx}'

Length of output: 445

---

Script:

#!/bin/bash
# Description: Search for route handlers or functions associated with the '/logout' path

# Test: Identify any routing configurations, middleware, or functions that handle '/logout'.
rg "['\"]/logout['\"]\s*,\s*\(.*\)\s*=>" --glob '*.{js,jsx,ts,tsx}' .

Length of output: 75

[coderabbitai]

⚠️ Potential issue

Handle potential errors during authentication

In the auth function, if any of the asynchronous calls fail (e.g., createKinde(success) or kinde.getUser()), the errors are not caught, which could lead to unhandled promise rejections.

Consider adding error handling to catch and handle any exceptions during the authentication process. Here's an example:

 async function auth(success) {
   // NOTE: Set path before await create to avoid redirect replaceState changing the value
   const pathName = location.pathname;

-  kinde = await createKinde(success);
+  try {
+    kinde = await createKinde(success);
+  } catch (error) {
+    console.error('Error creating Kinde client:', error);
+    logout();
+    return;
+  }

   if (pathName === PATH_AUTHD) return;

   if (pathName === PATH_LOGOUT) {
     kinde.logout();
     return;
   }

   // RWell specific login
   if (pathName === PATH_RWELL || localStorage.getItem(PATH_RWELL)) {
     login(PATH_RWELL, config.connections.roundingwell);
     return;
   }

-  if (!await kinde.getUser()) {
+  let user;
+  try {
+    user = await kinde.getUser();
+  } catch (error) {
+    console.error('Error getting user:', error);
+    logout();
+    return;
+  }
+
+  if (!user) {
     login(pathName);
     return;
   }

   success();
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	async function auth(success) {
	// NOTE: Set path before await create to avoid redirect replaceState changing the value
	const pathName = location.pathname;
	kinde = await createKinde(success);
	if (pathName === PATH_AUTHD) return;
	if (pathName === PATH_LOGOUT) {
	kinde.logout();
	return;
	}
	// RWell specific login
	if (pathName === PATH_RWELL || localStorage.getItem(PATH_RWELL)) {
	login(PATH_RWELL, config.connections.roundingwell);
	return;
	}
	if (!await kinde.getUser()) {
	login(pathName);
	return;
	}
	success();
	}
	async function auth(success) {
	// NOTE: Set path before await create to avoid redirect replaceState changing the value
	const pathName = location.pathname;
	try {
	kinde = await createKinde(success);
	} catch (error) {
	console.error('Error creating Kinde client:', error);
	logout();
	return;
	}
	if (pathName === PATH_AUTHD) return;
	if (pathName === PATH_LOGOUT) {
	kinde.logout();
	return;
	}
	// RWell specific login
	if (pathName === PATH_RWELL || localStorage.getItem(PATH_RWELL)) {
	login(PATH_RWELL, config.connections.roundingwell);
	return;
	}
	let user;
	try {
	user = await kinde.getUser();
	} catch (error) {
	console.error('Error getting user:', error);
	logout();
	return;
	}
	if (!user) {
	login(pathName);
	return;
	}
	success();
	}

[coderabbitai]

⚠️ Potential issue

Improve error handling in getToken() function

In the getToken() function, if kinde.getToken() fails, the .catch() block calls logout() but does not inform the caller about the error. This might lead to silent failures and make debugging difficult for functions relying on getToken().

Consider modifying the error handling to properly handle or propagate the error. Here's a suggested change:

 function getToken() {
   if (token) return token;
   if (!kinde || !navigator.onLine) return;

   return kinde
     .getToken()
-    .catch(() => {
+    .catch((error) => {
+      console.error('Error retrieving token:', error);
       logout();
+      // Optionally rethrow the error or return a rejected promise
+      throw error;
     });
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function getToken() {
	if (token) return token;
	if (!kinde || !navigator.onLine) return;
	return kinde
	.getToken()
	.catch(() => {
	logout();
	});
	}
	function getToken() {
	if (token) return token;
	if (!kinde || !navigator.onLine) return;
	return kinde
	.getToken()
	.catch((error) => {
	console.error('Error retrieving token:', error);
	logout();
	// Optionally rethrow the error or return a rejected promise
	throw error;
	});
	}

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)

src/js/auth.js (1)

Line range hint 1-56: Overall assessment: Good improvements with some suggestions for enhancement

The changes to src/js/auth.js significantly improve the authentication system by supporting multiple providers (WorkOS, Kinde, Auth0) and introducing more robust checks. The consistent use of the should() method for provider selection is a good practice.

Main points for further improvement:

1. Ensure consistent order of provider checks across all functions (setToken, getToken, logout, auth).
2. Add appropriate fallback handling for cases where no provider matches in setToken and auth functions.
3. Consider changing the fallback return value in getToken from 'no-token' to null or undefined.
4. Add logging for fallback cases to aid in debugging and monitoring.

These enhancements will further improve the robustness and maintainability of the authentication system.

Consider creating a factory or strategy pattern for provider selection to centralize the logic and make it easier to add or remove providers in the future.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 1f389e6 and d16b9f4.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (5)

• package.json (2 hunks)
• public/appconfig.json (2 hunks)
• src/js/auth.js (2 hunks)
• src/js/auth/workos.js (1 hunks)
• src/js/config.js (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• package.json
• public/appconfig.json
• src/js/auth/workos.js
• src/js/config.js

🔇 Additional comments (4)

src/js/auth.js (4)

3-3: LGTM: New imports support multi-provider authentication

The addition of imports for multiple authentication providers (WorkOS, Kinde, Auth0) and the PATH_LOGOUT constant from a separate config file aligns well with the new multi-provider authentication approach. This change improves modularity and centralized configuration.

Also applies to: 5-7, 9-9

---

29-33: LGTM: Improved logout function with fallback

The logout function now supports multiple providers and includes a fallback to PATH_LOGOUT, which ensures a consistent logout experience. This is a good improvement.

Suggestions for further enhancement:

1. Ensure the order of provider checks is consistent with setToken and getToken functions.
2. Consider logging a warning when falling back to PATH_LOGOUT.

Consider adding a warning log:

 function logout() {
   if (workos.should()) return workos.logout();
   if (kinde.should()) return kinde.logout();
   if (auth0.should()) return auth0.logout();
 
+  console.warn('No matching authentication provider found, falling back to PATH_LOGOUT');
   window.location = PATH_LOGOUT;
 }

To ensure consistency across functions, please run:

#!/bin/bash
# Description: Compare provider order across functions

# Test: Extract and compare the order of provider checks
for func in setToken getToken logout; do
  echo "${func} order:"
  rg --type javascript "if \((workos|kinde|auth0)\.should\(\)\)" src/js/auth.js | grep "${func}" | awk '{print $2}'
done

---

43-47: 🛠️ Refactor suggestion

Improve error handling in auth function

The auth function now includes checks for Cypress testing and online status, which improves its robustness. The support for multiple providers is also a good addition. However, consider the following improvements:

1. Add a fallback case to handle scenarios where no provider matches.
2. Ensure the order of provider checks is consistent with other functions (setToken, getToken, logout).

Consider adding a fallback case:

 async function auth(success) {
   if (appConfig.cypress || !navigator.onLine) return success();
 
   if (workos.should()) return workos.auth(success);
   if (kinde.should()) return kinde.auth(success);
   if (auth0.should()) return auth0.auth(success);
+  console.error('No matching authentication provider found for auth');
+  // Consider how to handle this case - throw an error, call success(), etc.
 }

To ensure consistency across all authentication functions, please run:

#!/bin/bash
# Description: Compare provider order across all auth functions

# Test: Extract and compare the order of provider checks
for func in setToken getToken logout auth; do
  echo "${func} order:"
  rg --type javascript "if \((workos|kinde|auth0)\.should\(\)\)" src/js/auth.js | grep "${func}" | awk '{print $2}'
done

---

21-25: 🛠️ Refactor suggestion

Improve getToken fallback and ensure consistency

The function now supports multiple providers, which is good. However, consider the following improvements:

1. The fallback value 'no-token' might be confusing. Consider returning null or undefined instead.
2. Ensure the order of provider checks is consistent with the setToken function.

Consider this change:

 function getToken() {
   if (workos.should()) return workos.getToken();
   if (kinde.should()) return kinde.getToken();
   if (auth0.should()) return auth0.getToken();
 
-  return 'no-token';
+  return null; // or undefined
 }

To ensure consistency, please run the following script:

✅ Verification successful

Provider order in setToken and getToken is consistent

Verified that both functions check providers in the following order:

• workos
• kinde
• auth0

No changes needed for provider order consistency.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Compare provider order in setToken and getToken

# Test: Extract and compare the order of provider checks
echo "setToken order:"
rg --type javascript "if \((workos|kinde|auth0)\.should\(\)\)" src/js/auth.js | grep "setToken" | awk '{print $2}'
echo "getToken order:"
rg --type javascript "if \((workos|kinde|auth0)\.should\(\)\)" src/js/auth.js | grep "getToken" | awk '{print $2}'

Length of output: 1142

---

Script:

#!/bin/bash
# Description: Compare provider order in setToken and getToken

# Test: Extract and compare the order of provider checks
echo "setToken order:"
rg "if \((workos|kinde|auth0)\.should\(\)\)" src/js/auth.js | grep "setToken" | awk '{print $2}'
echo "getToken order:"
rg "if \((workos|kinde|auth0)\.should\(\)\)" src/js/auth.js | grep "getToken" | awk '{print $2}'

Length of output: 379

[coderabbitai]

💡 Codebase verification

🛠️ Refactor suggestion

Add fallback handling in setToken

The current implementation lacks a fallback case when no authentication provider matches. Consider adding a fallback to handle such scenarios to ensure robust behavior.

• No fallback case to handle scenarios where no provider matches.

🔗 Analysis chain

Verify provider order and add fallback handling in setToken

The new implementation supports multiple providers, which is good. However, consider the following points:

1. Verify if the order of provider checks (WorkOS, Kinde, Auth0) is intentional and aligns with the expected priority.
2. Add a fallback case to handle scenarios where no provider matches.

To ensure the intended behavior, please run the following script:

Consider adding a fallback case:

 function setToken(tokenString) {
   if (workos.should()) return workos.setToken(tokenString);
   if (kinde.should()) return kinde.setToken(tokenString);
   if (auth0.should()) return auth0.setToken(tokenString);
+  console.error('No matching authentication provider found for setToken');
 }

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the order and presence of authentication providers

# Test: Check the order and presence of authentication provider imports and usage
rg --type javascript "import.*from './auth/(workos|kinde|auth0)'" src/js/auth.js
rg --type javascript "if \((workos|kinde|auth0)\.should\(\)\)" src/js/auth.js

Length of output: 238

---

Script:

#!/bin/bash
# Description: Verify the order and presence of authentication providers

# Test: Check the order and presence of authentication provider imports and usage
rg --type js "import.*from './auth/(workos|kinde|auth0)'" src/js/auth.js
rg --type js "if \((workos|kinde|auth0)\.should\(\)\)" src/js/auth.js

Length of output: 879

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (4)

src/js/auth/workos.js (4)

11-12: Consider the implications of using global variables

The use of global variables authkit and token could potentially lead to issues with state management and testing. Consider encapsulating these within a class or using a more robust state management solution to improve maintainability and testability.

---

47-50: Consider adding a comment explaining the iframe busting logic

The iframe busting logic is a good security measure. Consider adding a brief comment explaining why this check is necessary to improve code maintainability.

 // iframe buster
+// Prevent the application from running in an iframe to mitigate clickjacking attacks
 if (top !== self) {
   top.location = PATH_LOGIN;
   return;
 }

---

69-78: Consider adding error handling for localStorage access

The getClientId function uses localStorage.getItem(PATH_RWELL). While this is generally safe, it's good practice to wrap localStorage access in a try-catch block to handle potential exceptions, especially in private browsing modes or when storage is full.

 function getClientId(pathName) {
   const { clientId, rwClientId } = config;

+  let isRWell = false;
+  try {
+    isRWell = localStorage.getItem(PATH_RWELL) !== null;
+  } catch (error) {
+    console.warn('Failed to access localStorage:', error);
+  }

   // RWell specific login
-  if (rwClientId && (pathName === PATH_RWELL || localStorage.getItem(PATH_RWELL))) {
+  if (rwClientId && (pathName === PATH_RWELL || isRWell)) {
     return rwClientId;
   }

   return clientId;
 }

---

89-94: Consider handling all potential state values explicitly

The current implementation handles specific state values (PATH_LOGIN and PATH_RWELL) but doesn't explicitly handle other potential values. Consider adding a default case to ensure all scenarios are covered:

 if (state === PATH_LOGIN) state = PATH_ROOT;

 if (state === PATH_RWELL) {
   state = PATH_ROOT;
   localStorage.setItem(PATH_RWELL, 1);
 }
+
+// Ensure state is always a valid path
+if (![PATH_ROOT, PATH_LOGIN, PATH_RWELL, PATH_LOGOUT, PATH_AUTHD].includes(state)) {
+  console.warn(`Unexpected state value: ${state}. Defaulting to ${PATH_ROOT}`);
+  state = PATH_ROOT;
+}

This addition will help catch any unexpected state values and provide a fallback.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between d16b9f4 and 2dee411.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (5)

• package.json (1 hunks)
• public/appconfig.json (2 hunks)
• src/js/auth.js (2 hunks)
• src/js/auth/workos.js (1 hunks)
• src/js/config.js (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• package.json
• public/appconfig.json
• src/js/auth.js
• src/js/config.js

🧰 Additional context used

📓 Learnings (1)

src/js/auth/workos.js (1)

Learnt from: paulfalgout
PR: RoundingWell/care-ops-frontend#1325
File: src/js/auth/workos.js:22-31
Timestamp: 2024-09-30T15:47:11.415Z
Learning: The `logout()` function changes `window.location`, so when it's called, subsequent code execution does not occur, and the lack of a return value is acceptable.

🔇 Additional comments (4)

src/js/auth/workos.js (4)

14-20: LGTM: Simple and clear implementations

The should and setToken functions are concise and serve their purposes well.

---

22-31: LGTM: Token retrieval logic is sound

The getToken function correctly handles token retrieval and error cases. As per the previous discussion, the lack of a return value after logout() is intentional since logout() changes window.location, preventing further code execution.

---

132-138: LGTM: Appropriate exports

The exported functions (auth, logout, setToken, getToken, and should) provide a clear and appropriate interface for this authentication module.

---

1-138: Overall assessment: Solid implementation with room for minor improvements

The WorkOS authentication implementation is generally well-structured and covers the necessary functionality. The suggested improvements, including error handling for asynchronous operations, clarifying comments, and handling edge cases, will enhance the robustness and maintainability of the code. Consider implementing these changes to further strengthen the authentication module.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (3)

src/js/auth/workos.js (3)

18-20: Consider adding token validation.

The setToken(tokenString) function is simple and effective. However, consider adding a basic validation check for the tokenString parameter to ensure it's not null or empty before setting it.

Here's a suggested improvement:

 function setToken(tokenString) {
+  if (tokenString && typeof tokenString === 'string') {
     token = tokenString;
+  } else {
+    console.warn('Invalid token provided to setToken');
+  }
 }

---

80-103: LGTM: createAuthkit(success, pathName) function is well-implemented.

The createAuthkit(success, pathName) function effectively creates a WorkOS client with appropriate options:

• It uses getClientId() to determine the correct client ID.
• The redirect callback handles user verification and state management comprehensively.
• It properly manages the RWell-specific state using localStorage.

Consider adding a try-catch block around the createClient call to handle potential initialization errors:

 async function createAuthkit(success, pathName) {
   const createClientOptions = {
     // ... existing options ...
   };

+  try {
     return createClient(getClientId(pathName), extend(createClientOptions, config.createClientOptions));
+  } catch (error) {
+    console.error('Failed to create AuthKit client:', error);
+    throw error; // or handle it as appropriate for your application
+  }
 }

---

110-130: LGTM with suggestions: auth(success) function handles main authentication flow.

The auth(success) function effectively manages the main authentication flow:

• It creates the AuthKit instance and handles various paths appropriately.
• The logout path is properly managed, clearing the token and signing out.
• It checks for an authenticated user and initiates login if necessary.

Consider adding error handling for the asynchronous operations:

 async function auth(success) {
   const pathName = location.pathname;

+  try {
     authkit = await createAuthkit(success, pathName);

     if (pathName === PATH_AUTHD) return;

     if (pathName === PATH_LOGOUT) {
       token = null;
       authkit.signOut();
       return;
     }

     if (!await authkit.getUser()) {
       login(pathName);
       return;
     }

     success();
+  } catch (error) {
+    console.error('Authentication error:', error);
+    // Handle the error appropriately, e.g., redirect to an error page or retry
+  }
 }

This change will ensure that any errors during the authentication process are caught and handled gracefully.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 2dee411 and 06963f7.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (5)

• package.json (1 hunks)
• public/appconfig.json (2 hunks)
• src/js/auth.js (2 hunks)
• src/js/auth/workos.js (1 hunks)
• src/js/config.js (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• package.json
• public/appconfig.json
• src/js/auth.js
• src/js/config.js

🧰 Additional context used

📓 Learnings (1)

src/js/auth/workos.js (1)

Learnt from: paulfalgout
PR: RoundingWell/care-ops-frontend#1325
File: src/js/auth/workos.js:22-31
Timestamp: 2024-09-30T15:47:11.415Z
Learning: The `logout()` function changes `window.location`, so when it's called, subsequent code execution does not occur, and the lack of a return value is acceptable.

🔇 Additional comments (8)

src/js/auth/workos.js (8)

1-12: LGTM: Imports and global variables are well-structured.

The imports cover all necessary dependencies, including the WorkOS client, configuration settings, and required components. The global variables authkit and token are appropriately used to maintain the authentication state across the module.

---

14-16: LGTM: should() function is concise and effective.

The should() function efficiently checks if the config object is not empty using the isEmpty utility from underscore. This is a good practice for determining if the WorkOS configuration is available.

---

22-31: LGTM: getToken() function handles token retrieval effectively.

The getToken() function is well-structured:

• It returns the existing token if available.
• It checks for the presence of authkit and online status before attempting to fetch a new token.
• Error handling by calling logout() is appropriate, as it changes window.location and halts further execution.

The function effectively manages token retrieval and error scenarios.

---

36-38: LGTM: replaceState(state) function is well-implemented.

The replaceState(state) function effectively encapsulates the window.history.replaceState() API call. This is a good practice for managing browser history state changes throughout the application.

---

41-43: LGTM: logout() function is simple and effective.

The logout() function efficiently redirects the user to the logout path using the PATH_LOGOUT constant. This approach is clean and maintainable.

---

45-66: LGTM: login(state) function handles various scenarios effectively.

The login(state) function is well-implemented:

• It includes iframe busting for security.
• It checks appConfig.disableLoginPrompt to determine the login flow.
• It either uses authkit.signIn() directly or renders a login prompt view.

This implementation provides flexibility and covers different login scenarios effectively.

---

69-78: LGTM: getClientId(pathName) function handles client ID selection well.

The getClientId(pathName) function effectively determines the appropriate client ID:

• It handles a specific case for RWell, using both the path and localStorage.
• It falls back to the default client ID when necessary.

This approach provides flexibility for managing multiple client IDs within the same application.

---

132-138: LGTM: Module exports are appropriate.

The module exports the key functions necessary for managing authentication:

• auth: Main authentication flow
• logout: User logout
• setToken: Token management
• getToken: Token retrieval
• should: Configuration check

These exports provide a comprehensive interface for interacting with the WorkOS authentication system.

[nmajor25]

Nitpick: extra space here ☝️

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (4)

src/js/auth/workos.js (4)

44-65: LGTM: Comprehensive login function with good separation of concerns

The login function is well-implemented, covering various scenarios:

• Iframe busting for security.
• Conditional logic based on appConfig.disableLoginPrompt.
• Good use of LoginPromptView for user interaction.

Minor suggestion: Consider adding error handling for the authkit.signIn() call, as it might fail in certain scenarios.

---

68-77: LGTM: Flexible client ID selection logic

The getClientId function effectively handles different scenarios for client ID selection, including RWell-specific logic.

Suggestion: Consider adding a comment explaining the purpose of the localStorage check for PATH_RWELL, as it might not be immediately clear to other developers why this check is necessary.

---

79-102: LGTM: Comprehensive authkit creation with good state handling

The createAuthkit function is well-implemented, covering various authentication scenarios and state management.

Suggestions for improved readability:

1. Consider extracting the onRedirectCallback function to a separate named function for better clarity.
2. Add comments explaining the purpose of different state checks and modifications.

Example refactor:

function handleRedirectCallback({ user, state }) {
  if (!user) {
    login(state);
    return;
  }

  // Normalize state for root path
  if (state === PATH_LOGIN) state = PATH_ROOT;

  // Handle RWell-specific state
  if (state === PATH_RWELL) {
    state = PATH_ROOT;
    localStorage.setItem(PATH_RWELL, 1);
  }

  replaceState(state);
  success();
}

// ... in createAuthkit function
onRedirectCallback: handleRedirectCallback,

This refactoring would improve the function's readability and maintainability.

---

1-137: Overall: Solid authentication module with room for improvements

This WorkOS authentication module is well-implemented and covers various authentication scenarios effectively. Here's a summary of the review:

Strengths:

1. Comprehensive coverage of authentication flow.
2. Good separation of concerns in most functions.
3. Effective integration with WorkOS API.

Areas for improvement:

1. Consider using a more robust state management approach instead of global variables.
2. Enhance error handling, especially for asynchronous operations.
3. Refactor some functions (e.g., createAuthkit, auth) for improved readability and maintainability.
4. Add more comments to explain complex logic or business rules.

Overall, the module provides a solid foundation for authentication. Implementing the suggested improvements will enhance its reliability, maintainability, and developer-friendliness.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 06963f7 and 4c563b9.

📒 Files selected for processing (2)

• public/appconfig.json (2 hunks)
• src/js/auth/workos.js (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• public/appconfig.json

🧰 Additional context used

📓 Learnings (1)

src/js/auth/workos.js (1)

Learnt from: paulfalgout
PR: RoundingWell/care-ops-frontend#1325
File: src/js/auth/workos.js:22-31
Timestamp: 2024-09-30T15:47:11.415Z
Learning: The `logout()` function changes `window.location`, so when it's called, subsequent code execution does not occur, and the lack of a return value is acceptable.

🔇 Additional comments (4)

src/js/auth/workos.js (4)

14-16: LGTM: Simple and effective configuration check

The should function provides a clear and concise way to check if the WorkOS configuration is present. Good job!

---

18-31: LGTM: Token management functions look good

Both setToken and getToken functions are well-implemented:

• setToken is simple and effective.
• getToken includes proper checks and error handling.

The use of logout() in the catch block is appropriate, as it changes window.location, effectively handling the error scenario.

---

36-42: LGTM: History management and logout functions are well-implemented

The replaceState and logout functions are concise and effective:

• replaceState correctly modifies the browser history.
• logout performs a simple redirection to the logout path.

Both functions serve their purpose well.

---

131-137: LGTM: Appropriate and consistent exports

The module exports are well-defined and consistent with the functionality provided by the module. Good job on maintaining a clear public API for this authentication module.

[coderabbitai]

🛠️ Refactor suggestion

Consider using a more robust state management approach

The use of global variables authkit and token might introduce potential issues with state management, especially in a complex application. Consider using a more robust state management solution (e.g., Redux, MobX) or encapsulating these variables within a class or module to better control their access and modification.

[coderabbitai]

🛠️ Refactor suggestion

⚠️ Potential issue

Improve error handling and readability in the auth function

While the auth function effectively manages different authentication scenarios, it could benefit from improved error handling and readability:

1. Add try-catch blocks for asynchronous operations to handle potential errors gracefully.
2. Consider breaking down the function into smaller, more focused functions for better readability and maintainability.

Here's a suggested refactor:

async function handleAuthenticatedPath(pathName, success) {
  if (pathName === PATH_LOGOUT) {
    token = null;
    await authkit.signOut();
    return;
  }

  const user = await authkit.getUser();
  if (!user) {
    login(pathName);
    return;
  }

  success();
}

async function auth(success) {
  const pathName = location.pathname;

  try {
    authkit = await createAuthkit(success, pathName);

    if (pathName === PATH_AUTHD) return;

    await handleAuthenticatedPath(pathName, success);
  } catch (error) {
    console.error('Authentication error:', error);
    login(pathName);
  }
}

This refactoring improves error handling and separates concerns, making the code more readable and maintainable.