fix: Re-authentication with OIDC doesn't work after 24 hours (#1473)

This PR changes session management by storing the refresh token 
returned by the provider in memory. It is used to renew the session 
once it expires. Expiry is set based on the expires_in value returned 
by the provider.

Also added basic auth logout flow based on configured session duration.

Fixes #1469

Author: parmesant

src/cli.rs

@@ -455,9 +455,9 @@ pub struct Options {
         long = "oidc-scope",
         name = "oidc-scope",
         env = "P_OIDC_SCOPE",
-        default_value = "openid profile email",
+        default_value = "openid profile email offline_access",
         required = false,
-        help = "OIDC scope to request (default: openid profile email)"
+        help = "OIDC scope to request (default: openid profile email offline_access)"
     )]
     pub scope: String,
 

src/handlers/http/middleware.rs

@@ -24,16 +24,25 @@ use actix_web::{
     dev::{Service, ServiceRequest, ServiceResponse, Transform, forward_ready},
     error::{ErrorBadRequest, ErrorForbidden, ErrorUnauthorized},
     http::header::{self, HeaderName},
+    web::Data,
 };
+use chrono::{Duration, Utc};
 use futures_util::future::LocalBoxFuture;
 
 use crate::{
     handlers::{
         AUTHORIZATION_KEY, KINESIS_COMMON_ATTRIBUTES_KEY, LOG_SOURCE_KEY, LOG_SOURCE_KINESIS,
-        STREAM_NAME_HEADER_KEY,
+        STREAM_NAME_HEADER_KEY, http::rbac::RBACError,
     },
+    oidc::DiscoveredClient,
     option::Mode,
     parseable::PARSEABLE,
+    rbac::{
+        EXPIRY_DURATION,
+        map::{SessionKey, mut_sessions, mut_users, sessions, users},
+        roles_to_permission, user,
+    },
+    utils::get_user_from_request,
 };
 use crate::{
     rbac::Users,
@@ -160,8 +169,97 @@ where
 
         let auth_result: Result<_, Error> = (self.auth_method)(&mut req, self.action);
 
+        let http_req = req.request().clone();
+        let key: Result<SessionKey, Error> = extract_session_key(&mut req);
+        let userid: Result<String, RBACError> = get_user_from_request(&http_req);
+
         let fut = self.service.call(req);
         Box::pin(async move {
+            let Ok(key) = key else {
+                return Err(ErrorUnauthorized(
+                    "Your session has expired or is no longer valid. Please re-authenticate to access this resource.",
+                ));
+            };
+
+            // if session is expired, refresh token
+            if sessions().is_session_expired(&key) {
+                let oidc_client = match http_req.app_data::<Data<Option<DiscoveredClient>>>() {
+                    Some(client) => {
+                        let c = client.clone().into_inner();
+                        c.as_ref().clone()
+                    }
+                    None => None,
+                };
+
+                if let Some(client) = oidc_client
+                    && let Ok(userid) = userid
+                {
+                    let bearer_to_refresh = {
+                        if let Some(user) = users().get(&userid) {
+                            match &user.ty {
+                                user::UserType::OAuth(oauth) if oauth.bearer.is_some() => {
+                                    Some(oauth.clone())
+                                }
+                                _ => None,
+                            }
+                        } else {
+                            None
+                        }
+                    };
+
+                    if let Some(oauth_data) = bearer_to_refresh {
+                        let Ok(refreshed_token) = client
+                            .refresh_token(&oauth_data, Some(PARSEABLE.options.scope.as_str()))
+                            .await
+                        else {
+                            return Err(ErrorUnauthorized(
+                                "Your session has expired or is no longer valid. Please re-authenticate to access this resource.",
+                            ));
+                        };
+
+                        let expires_in =
+                            if let Some(expires_in) = refreshed_token.expires_in.as_ref() {
+                                if *expires_in > u32::MAX.into() {
+                                    EXPIRY_DURATION
+                                } else {
+                                    let v = i64::from(*expires_in as u32);
+                                    Duration::seconds(v)
+                                }
+                            } else {
+                                EXPIRY_DURATION
+                            };
+
+                        let user_roles = {
+                            let mut users_guard = mut_users();
+                            if let Some(user) = users_guard.get_mut(&userid) {
+                                if let user::UserType::OAuth(oauth) = &mut user.ty {
+                                    oauth.bearer = Some(refreshed_token);
+                                }
+                                user.roles().to_vec()
+                            } else {
+                                return Err(ErrorUnauthorized(
+                                    "Your session has expired or is no longer valid. Please re-authenticate to access this resource.",
+                                ));
+                            }
+                        };
+
+                        mut_sessions().track_new(
+                            userid.clone(),
+                            key.clone(),
+                            Utc::now() + expires_in,
+                            roles_to_permission(user_roles),
+                        );
+                    } else if let Some(user) = users().get(&userid) {
+                        mut_sessions().track_new(
+                            userid.clone(),
+                            key.clone(),
+                            Utc::now() + EXPIRY_DURATION,
+                            roles_to_permission(user.roles()),
+                        );
+                    }
+                }
+            }
+
             match auth_result? {
                 rbac::Response::UnAuthorized => {
                     return Err(ErrorForbidden(

src/handlers/http/modal/ingest_server.rs

@@ -51,7 +51,7 @@ use crate::{
 
 use super::IngestorMetadata;
 use super::{
-    OpenIdClient, ParseableServer,
+    ParseableServer,
     ingest::{ingestor_logstream, ingestor_rbac, ingestor_role},
 };
 
@@ -62,7 +62,7 @@ pub struct IngestServer;
 #[async_trait]
 impl ParseableServer for IngestServer {
     // configure the api routes
-    fn configure_routes(config: &mut web::ServiceConfig, _oidc_client: Option<OpenIdClient>) {
+    fn configure_routes(config: &mut web::ServiceConfig) {
         config
             .service(
                 // Base path "{url}/api/v1"

src/handlers/http/modal/mod.rs

@@ -18,7 +18,11 @@
 
 use std::{fmt, path::Path, sync::Arc};
 
-use actix_web::{App, HttpServer, middleware::from_fn, web::ServiceConfig};
+use actix_web::{
+    App, HttpServer,
+    middleware::from_fn,
+    web::{self, ServiceConfig},
+};
 use actix_web_prometheus::PrometheusMetrics;
 use anyhow::Context;
 use async_trait::async_trait;
@@ -67,7 +71,7 @@ include!(concat!(env!("OUT_DIR"), "/generated.rs"));
 #[async_trait]
 pub trait ParseableServer {
     /// configure the router
-    fn configure_routes(config: &mut ServiceConfig, oidc_client: Option<OpenIdClient>)
+    fn configure_routes(config: &mut ServiceConfig)
     where
         Self: Sized;
 
@@ -96,7 +100,7 @@ pub trait ParseableServer {
                 let client = config
                     .connect(&format!("{API_BASE_PATH}/{API_VERSION}/o/code"))
                     .await?;
-                Some(Arc::new(client))
+                Some(client)
             }
 
             None => None,
@@ -116,8 +120,9 @@ pub trait ParseableServer {
         // fn that creates the app
         let create_app_fn = move || {
             App::new()
+                .app_data(web::Data::new(oidc_client.clone()))
                 .wrap(prometheus.clone())
-                .configure(|config| Self::configure_routes(config, oidc_client.clone()))
+                .configure(|config| Self::configure_routes(config))
                 .wrap(from_fn(health_check::check_shutdown_middleware))
                 .wrap(actix_web::middleware::Logger::default())
                 .wrap(actix_web::middleware::Compress::default())

src/handlers/http/modal/query_server.rs

@@ -42,14 +42,14 @@ use crate::Server;
 use crate::parseable::PARSEABLE;
 
 use super::query::{querier_ingest, querier_logstream, querier_rbac, querier_role};
-use super::{NodeType, OpenIdClient, ParseableServer, QuerierMetadata, load_on_init};
+use super::{NodeType, ParseableServer, QuerierMetadata, load_on_init};
 
 pub struct QueryServer;
 pub static QUERIER_META: OnceCell<Arc<QuerierMetadata>> = OnceCell::const_new();
 #[async_trait]
 impl ParseableServer for QueryServer {
     // configure the api routes
-    fn configure_routes(config: &mut ServiceConfig, oidc_client: Option<OpenIdClient>) {
+    fn configure_routes(config: &mut ServiceConfig) {
         config
             .service(
                 web::scope(&base_path())
@@ -66,7 +66,7 @@ impl ParseableServer for QueryServer {
                     .service(Server::get_dashboards_webscope())
                     .service(Server::get_filters_webscope())
                     .service(Server::get_llm_webscope())
-                    .service(Server::get_oauth_webscope(oidc_client))
+                    .service(Server::get_oauth_webscope())
                     .service(Self::get_user_role_webscope())
                     .service(Server::get_roles_webscope())
                     .service(Server::get_counts_webscope().wrap(from_fn(

src/handlers/http/modal/server.rs

@@ -61,7 +61,6 @@ use crate::{
 };
 
 // use super::generate;
-use super::OpenIdClient;
 use super::ParseableServer;
 use super::generate;
 use super::load_on_init;
@@ -70,7 +69,7 @@ pub struct Server;
 
 #[async_trait]
 impl ParseableServer for Server {
-    fn configure_routes(config: &mut web::ServiceConfig, oidc_client: Option<OpenIdClient>) {
+    fn configure_routes(config: &mut web::ServiceConfig) {
         // there might be a bug in the configure routes method
         config
             .service(
@@ -91,7 +90,7 @@ impl ParseableServer for Server {
                     .service(Self::get_dashboards_webscope())
                     .service(Self::get_filters_webscope())
                     .service(Self::get_llm_webscope())
-                    .service(Self::get_oauth_webscope(oidc_client))
+                    .service(Self::get_oauth_webscope())
                     .service(Self::get_user_role_webscope())
                     .service(Self::get_roles_webscope())
                     .service(Self::get_counts_webscope().wrap(from_fn(
@@ -570,17 +569,11 @@ impl Server {
     }
 
     // get the oauth webscope
-    pub fn get_oauth_webscope(oidc_client: Option<OpenIdClient>) -> Scope {
-        let oauth = web::scope("/o")
+    pub fn get_oauth_webscope() -> Scope {
+        web::scope("/o")
             .service(resource("/login").route(web::get().to(oidc::login)))
             .service(resource("/logout").route(web::get().to(oidc::logout)))
-            .service(resource("/code").route(web::get().to(oidc::reply_login)));
-
-        if let Some(client) = oidc_client {
-            oauth.app_data(web::Data::from(client))
-        } else {
-            oauth
-        }
+            .service(resource("/code").route(web::get().to(oidc::reply_login)))
     }
 
     // get list of roles