[BUG] keepSessionAlive does not behave as expected

[barakshelef-oasis]

Describe the bug
From the documentation:

const authOptions = {
 // keepSessionAlive: true // Uncomment this in order to maintain the session alive
};

I understood that this should maintain the authenticated session across refreshes and browser restarts.
However, this doesn't seem to work. The app always restarts with no data in the auth store.

To Reproduce
Steps to reproduce the behavior:

1. Follow the Login Box Integration Tutorial
2. Login to application
3. Refresh the "logged in as" view.
4. Login page shows up again.

Expected behavior
After refresh you still see the "logged in as" view.

Additional context
At the moment I implemented a workaround which manually stores the user object in storage at point of login:

    const isAuthenticated = useIsAuthenticated();
    const user = useAuthUserOrNull();
    if (localStorage.getItem('TEST-USER') === null && isAuthenticated && user) {
        localStorage.setItem('TEST-USER', JSON.stringify(user));
    }

And uses it when available in construction of the provider:

    const localUser = localStorage.getItem('TEST-USER');
    const isAuthenticated = localUser !== null;

    const authOptions = {
        user: isAuthenticated ? JSON.parse(localUser) : null,
        isAuthenticated,
    };
...
    return (
        <FronteggProvider
            contextOptions={contextOptions}
            hostedLoginBox={true}
            authOptions={authOptions}
        >
            {children}
        </FronteggProvider>
    );

I also invalidated the storage when logging out:

    const logout = () => {
        localStorage.removeItem('TEST-USER')
        const baseUrl = ContextHolder.getContext().baseUrl;
        window.location.href = `${baseUrl}/oauth/logout?post_logout_redirect_uri=${window.location}`;
    };

but since I don't have a hook on 401s from the session endpoint, I cannot invalidate it when it expires or is malformed.

[aviadmizrachi]

Hi @barakshelef-oasis.

Thanks for the info!
After browser restart, in the empyt state, are you redirecting to the login dialog and redirected immediately back OR does the user has to actually login?

[barakshelef-oasis]

Yah I see what you mean. It indeed keeps the session when I call useLoginWithRedirect the 2nd time, and automatically logs in and redirects me back. I have two problems here:

1. If I want to provide some views to an unauthenticated user, then I don't have a clean way to determine whether this session has signed in already or not. I can't just login with redirect everyone, because some of my views should be visible for unauthenticated users. Yet I still want to maintain the login info to provide things such as user avatar at the corner, and navigation options according to permissions.
2. Even if I separate authenticated views and unauthenticated views, and redirect only on the former. The screen redirection every refresh looks bad, and takes quite a bit of time.

I'm completely fine with storing these short term JWTs in my local storage to avoid these redirections and slowness.

[aviadmizrachi]

Hi @barakshelef-oasis.

We are now introducing a silent refresh mode for our hosted login mode. This will keep the isAuthenticated mode enabled when the cookie is available for a refresh on the client side.

Overall we are against storing JWT on local storage due to XSS attack vectors. This is why we are not doing it on our end.
I will update this ticket once this is pushed

[quesodev]

Just want to +1 this issue. It's slow to have to redirect to the hosted login and back on every page load even if the user is already logged in.