UI: remove renew self call after login (#28204)

hashishaw · web-flow · commit 872f31fa1de7 · 2024-08-28T10:05:29.000-05:00
* check for renewAfterEpoch before comparing it

* add test coverage for regression

* add comment. Fixes VAULT-4630

* throw error

* add changelog
diff --git a/changelog/28204.txt b/changelog/28204.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fixes renew-self being called right after login for non-renewable tokens
+```
diff --git a/ui/app/components/auth-jwt.js b/ui/app/components/auth-jwt.js
@@ -87,6 +87,8 @@ export default Component.extend({
     this.onError(err);
   },
 
+  // NOTE TO DEVS: Be careful when updating the OIDC flow and ensure the updates
+  // work with implicit flow. See issue https://github.com/hashicorp/vault-plugin-auth-jwt/pull/192
   prepareForOIDC: task(function* (oidcWindow) {
     const thisWindow = this.getWindow();
     // show the loading animation in the parent
diff --git a/ui/app/services/auth.js b/ui/app/services/auth.js
@@ -390,7 +390,7 @@ export default Service.extend({
     const now = this.now();
     this.set('lastFetch', timestamp);
     // if expiration was allowed and we're over half the ttl we want to go ahead and renew here
-    if (this.allowExpiration && now >= this.renewAfterEpoch) {
+    if (this.allowExpiration && this.renewAfterEpoch && now >= this.renewAfterEpoch) {
       this.renew();
     }
     this.set('allowExpiration', false);
diff --git a/ui/tests/acceptance/auth-test.js b/ui/tests/acceptance/auth-test.js
@@ -6,15 +6,17 @@
 import { module, test } from 'qunit';
 import { setupApplicationTest } from 'ember-qunit';
 import { click, currentURL, visit, waitUntil, find, fillIn } from '@ember/test-helpers';
-import { allSupportedAuthBackends, supportedAuthBackends } from 'vault/helpers/supported-auth-backends';
 import { setupMirage } from 'ember-cli-mirage/test-support';
+import { allSupportedAuthBackends, supportedAuthBackends } from 'vault/helpers/supported-auth-backends';
+import VAULT_KEYS from 'vault/tests/helpers/vault-keys';
 
 const AUTH_FORM = {
   method: '[data-test-select=auth-method]',
   token: '[data-test-token]',
   login: '[data-test-auth-submit]',
 };
 const ENT_AUTH_METHODS = ['saml'];
+const { rootToken } = VAULT_KEYS;
 
 module('Acceptance | auth', function (hooks) {
   setupApplicationTest(hooks);
@@ -193,4 +195,17 @@ module('Acceptance | auth', function (hooks) {
     await fillIn(AUTH_FORM.method, 'token');
     await click('[data-test-auth-submit]');
   });
+
+  test('it does not call renew-self after successful login with non-renewable token', async function (assert) {
+    this.server.post(
+      '/auth/token/renew-self',
+      () => new Error('should not call renew-self directly after logging in')
+    );
+
+    await visit('/vault/auth');
+    await fillIn(AUTH_FORM.method, 'token');
+    await fillIn(AUTH_FORM.token, rootToken);
+    await click('[data-test-auth-submit]');
+    assert.strictEqual(currentURL(), '/vault/dashboard');
+  });
 });

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	`+ui: fixes renew-self being called right after login for non-renewable tokens`
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -390,7 +390,7 @@ export default Service.extend({`
`390`	`390`	`const now = this.now();`
`391`	`391`	`this.set('lastFetch', timestamp);`
`392`	`392`	`// if expiration was allowed and we're over half the ttl we want to go ahead and renew here`
`393`		`- if (this.allowExpiration && now >= this.renewAfterEpoch) {`
	`393`	`+ if (this.allowExpiration && this.renewAfterEpoch && now >= this.renewAfterEpoch) {`
`394`	`394`	`this.renew();`
`395`	`395`	`}`
`396`	`396`	`this.set('allowExpiration', false);`