AUT-1462 Add logging to grant-attacher session expiry handling #23
- console.error for all getGrant failures (unified at catch entry)
- console.log on successful back-channel logout (session max lifespan)
- Reformat .then(next).catch to separate lines for readability
- Add ESLint indent rule (2 spaces)
- Add buildRequest originalUrl param to test helpers for future use

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
| }); | ||
| }); | ||
|
|
||
| test('grant-attacher: SessionExpiredError redirect preserves the original deep-linked URL', t => { |
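Review bot: the test opened on the last line of this hunk, 'grant-attacher: SessionExpiredError redirect preserves the original deep-linked URL', is the only coverage of the SessionExpiredError path visible here, and its title asserts a redirect. If it is removed, suggest putting a unit test in its place that makes getGrant fail with SessionExpiredError and asserts what the middleware does now, including the console.error call the summary describes; that would also give the new originalUrl parameter on buildRequest a first use.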
I'm unhappy that this PR removes the test. For any change, I expect us to update existing tests or, better yet, add new regression tests (which may overlap).
The point is, redirect no longer happens. For the async request, a different test was added in the previous PR.
| next(); | ||
| return; |
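Review bot: `next();` followed directly by `return;` gives no hint of which condition this early exit handles. If the pair is kept, a one-line comment above `next();` naming that condition would help; if it is dropped, confirm `next()` is still reached exactly once on this path, since calling it twice runs the downstream handlers twice.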
It seems we can simplify and remove these two lines because we have the next() right after this block.
The reported URL carries error=temporarily_unavailable&error_description=authentication_expired, which is a different, well-documented Keycloak error class: it means Keycloak's own server-side authentication session (the login-flow session tied to the AUTH_SESSION_ID/KC_RESTART cookie) was not found or had expired when the login form was submitted - e.g. the user idled past the auth-session timeout, or a concurrent login in another tab restarted the shared root session. That's not a redirect_uri mismatch, and I found nothing in this codebase or the wider search that generates or handles temporarily_unavailable/authentication_expired - it comes straight from Keycloak.
So: this fix is adjacent (same general area - multi-tab login concurrency) but doesn't address this specific bug report. Stripping stale query params prevents redirect_uri corruption; it does nothing about Keycloak invalidating its own auth session.
…xt() Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Summary
- console.error('Failed to get grant', err) now fires at catch-entry for all errors (including SessionExpiredError), giving a single unified log point for any getGrant failure.
- console.log('Logged out due to session near maximum lifespan') fires after a successful back-channel logout, confirming the KC session was invalidated.
- .then(next).catch(...) chain to separate lines for readability.
- indent: ["error", 2] rule to eslint.config.mjs.
- buildRequest test helper with an originalUrl parameter for future test coverage.

Test plan
- node test/unit/grant-attacher-unit-test.js (20/20)
- console.error appears in logs when a token refresh fails in staging
- console.log appears after a session-max-lifespan logout in staging

Relates to AUT-1462
🤖 Generated with Claude Code