fix(services-bff): Fix refresh token condition

[snaerseljan]

Fix refresh token condition

Why

Wrong condition

Checklist:

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• Formatting passes locally with my changes
• I have rebased against main before asking for a review

Summary by CodeRabbit

• Bug Fixes

  • Adjusted the logic for refreshing access tokens to enhance control over token expiration scenarios. The system will now only refresh the token if it has expired and the refresh parameter is set to true.

• Improvements

  • Maintained robust error handling and logging for user retrieval processes, ensuring consistent feedback during operations.

[coderabbitai]

Walkthrough

The pull request introduces a modification to the getUser method in the UserService class, specifically altering the logic for refreshing the access token. The condition for refreshing the token has changed to only proceed if the access token has expired and the refresh parameter is set to true. This adjustment affects scenarios where the access token is expired but refresh is not desired. Error handling and logging mechanisms remain unchanged.

Changes

File Path	Change Summary
apps/services/bff/src/app/modules/user/user.service.ts	Modified the getUser method to change the logic for refreshing the access token based on the refresh parameter. Error handling and logging remain intact.

Possibly related PRs

• fix(native-app): Fix token refresh to logout #14798: This PR modifies the token refresh logic in the fetchUserInfo function, which is closely related to the changes made in the getUser method regarding token expiration and refresh behavior.
• fix(services-bff): Move params from ids par requests body to header #16761: This PR enhances security by moving the client ID and secret from the request body to the authorization header, which may relate to the overall handling of authentication and token management in the getUser method.
• fix(services-bff): Fix bff proxy download service aws cognito #16719: This PR addresses issues with the bff proxy download service, which may involve similar authentication flows and token handling as the changes in the getUser method.
• fix(services-bff): Remove log #16772: This PR involves modifications to the AuthService, which is likely related to the authentication processes that the getUser method is part of, particularly in terms of error handling and logging during authentication flows.

Suggested reviewers

• magnearun
• eirikurn

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

apps/services/bff/src/app/modules/user/user.service.ts (1)

Line range hint 82-85: Enhance error handling and logging security

While the error handling is functional, consider these security improvements:

1. Use specific error types instead of generic UnauthorizedException to help debugging while maintaining security
2. Ensure error logging doesn't expose sensitive token information

     } catch (error) {
-      this.logger.error('Get user error: ', error)
+      this.logger.error('Failed to get user', {
+        errorType: error.constructor.name,
+        // Avoid logging the full error object as it might contain sensitive data
+        message: error instanceof Error ? error.message : 'Unknown error'
+      })
       throw new UnauthorizedException()
     }

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 2401e53 and 1446b4e.

📒 Files selected for processing (1)

• apps/services/bff/src/app/modules/user/user.service.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

apps/services/bff/src/app/modules/user/user.service.ts (2)

Pattern apps/services/**/*: "Confirm that the code adheres to the following:

• NestJS architecture, including modules, services, and controllers.
• Dependency injection patterns and service encapsulation.
• Integration and unit testing coverage and practices."

---

Pattern apps/**/*: "Confirm that the code adheres to the following:

• NextJS best practices, including file structure, API routes, and static generation methods.
• Efficient state management and server-side rendering techniques.
• Optimal use of TypeScript for component and utility type safety."

🔇 Additional comments (2)

apps/services/bff/src/app/modules/user/user.service.ts (2)

58-58: Correct fix for refresh token condition

The condition change from !refresh to refresh fixes the core issue by only refreshing tokens when explicitly requested, rather than the opposite. This aligns with the intended behavior and the PR objectives.

---

Line range hint 44-44: Verify impact of changing default refresh behavior

Changing the default value of refresh from true to false is a breaking change that could affect existing callers. While this change improves security by preventing unnecessary token refreshes, we need to ensure all consumers are updated accordingly.

✅ Verification successful

Default 'refresh' Parameter Update Verified

The change of the default refresh parameter from true to false does not impact existing callers, as all calls to getUser explicitly set the refresh parameter.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for direct calls to getUser to identify affected code
ast-grep --pattern 'getUser($$$)'

# Search for potential test cases that might need updating
rg -l "getUser.*refresh" --type=test

Length of output: 287

---

Script:

#!/bin/bash
# Verify if 'refresh' parameter is explicitly set in getUser calls
rg 'getUser\s*\([^)]*refresh\s*=' apps/auth-admin-web/pages/admin/api-scope-user/[apiScopeUser].tsx apps/auth-admin-web/components/Admin/lists/UsersList.tsx

# Correct the file type for test files and search for getUser usages in tests
rg -l "getUser.*refresh" --type=js tests/

Length of output: 251

---

Script:

#!/bin/bash
# Find all test files in the repository
fd -t f -e test.js -e test.ts -e test.jsx -e test.tsx -e spec.js -e spec.ts -e spec.jsx -e spec.tsx

# Verify if 'refresh' parameter is explicitly set in all 'getUser' calls
rg 'getUser\s*\([^)]*refresh\s*='

Length of output: 71654

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

apps/services/bff/src/app/modules/user/user.service.ts (1)

Line range hint 44-83: Add tests for the token refresh logic.

This is a critical security-related change affecting authentication flows. Unit tests should be added to verify:

1. Token refresh occurs when access token is expired and refresh=true
2. Token refresh doesn't occur when access token is expired but refresh=false
3. Token refresh doesn't occur when access token is valid (regardless of refresh parameter)
4. Error handling for invalid/missing tokens

Would you like me to help generate comprehensive test cases for this authentication logic?

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 2401e53 and 1446b4e.

📒 Files selected for processing (1)

• apps/services/bff/src/app/modules/user/user.service.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

apps/services/bff/src/app/modules/user/user.service.ts (2)

Pattern apps/services/**/*: "Confirm that the code adheres to the following:

• NestJS architecture, including modules, services, and controllers.
• Dependency injection patterns and service encapsulation.
• Integration and unit testing coverage and practices."

---

Pattern apps/**/*: "Confirm that the code adheres to the following:

• NextJS best practices, including file structure, API routes, and static generation methods.
• Efficient state management and server-side rendering techniques.
• Optimal use of TypeScript for component and utility type safety."

🔇 Additional comments (1)

apps/services/bff/src/app/modules/user/user.service.ts (1)

58-58: LGTM! The refresh token condition is now correct.

The new condition if (accessTokenHasExpired && refresh) properly handles token refresh by only refreshing when both:

1. The access token has expired
2. The refresh parameter is explicitly set to true

This fixes the previous incorrect logic that would refresh tokens when told not to.

Let's verify the impact of this change on other parts of the codebase:

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.44%. Comparing base (8cf924e) to head (98974e4).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #16851   +/-   ##
=======================================
  Coverage   36.44%   36.44%           
=======================================
  Files        6852     6852           
  Lines      143530   143530           
  Branches    40963    40963           
=======================================
  Hits        52303    52303           
  Misses      91227    91227           

Flag	Coverage Δ
judicial-system-web	27.12% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8cf924e...98974e4. Read the comment docs.

[datadog-island-is]

Datadog Report

Branch report: fix/bff-refresh-token
Commit report: 3133742
Test service: judicial-system-web

✅ 0 Failed, 333 Passed, 0 Skipped, 57.51s Total Time
➡️ Test Sessions change in coverage: 1 no change