fix(auth): auto-authenticate on browser reopen using silent fallback chain (#293)

Author: dkhalife

frontend/src/App.tsx

@@ -1,6 +1,6 @@
 import { NavBar } from './views/Navigation/NavBar'
 import { Outlet, useLocation, useNavigate } from 'react-router-dom'
-import { initializeMsal, isAuthEnabled, loginSilently } from './utils/msal'
+import { hasCachedAccounts, initializeMsal, isAuthEnabled, loginSilently, loginWithRedirect } from './utils/msal'
 import { NavigationPaths } from './utils/navigation'
 import React from 'react'
 import { CssBaseline, CssVarsProvider } from '@mui/joy'
@@ -87,8 +87,12 @@ class AppImpl extends React.Component<AppProps> {
     const silentOk = await loginSilently()
     if (silentOk) {
       await this.initializeAuthenticated()
-    } else if (isAuthEnabled() && this.props.pathname !== NavigationPaths.Login && this.props.pathname !== NavigationPaths.Privacy) {
-      this.props.navigate(NavigationPaths.Login)
+    } else if (isAuthEnabled() && this.props.pathname !== NavigationPaths.Privacy) {
+      if (await hasCachedAccounts()) {
+        await loginWithRedirect()
+      } else if (this.props.pathname !== NavigationPaths.Login) {
+        this.props.navigate(NavigationPaths.Login)
+      }
     }
 
     document.addEventListener('visibilitychange', this.onVisibilityChange)

frontend/src/utils/msal.ts

@@ -56,12 +56,24 @@ const getScopes = (): string[] => {
 }
 
 const ensureActiveAccount = (pca: IPublicClientApplication): AccountInfo => {
+  if (!authConfig) {
+    throw new Error('Authentication is not configured')
+  }
+
   const activeAccount = pca.getActiveAccount()
-  if (activeAccount) return activeAccount
-  const [firstAccount] = pca.getAllAccounts()
-  if (!firstAccount) throw new Error('No accounts found')
-  pca.setActiveAccount(firstAccount)
-  return firstAccount
+  if (activeAccount?.tenantId === authConfig.tenant_id) {
+    return activeAccount
+  }
+
+  const tenantAccount = pca.getAllAccounts().find(a => a.tenantId === authConfig!.tenant_id)
+  if (!tenantAccount) {
+    if (activeAccount) {
+      pca.setActiveAccount(null)
+    }
+    throw new Error('No accounts found for configured tenant')
+  }
+  pca.setActiveAccount(tenantAccount)
+  return tenantAccount
 }
 
 export const isAuthEnabled = (): boolean => {
@@ -74,6 +86,12 @@ export const loginWithRedirect = async () => {
   await pca.loginRedirect({ scopes: getScopes() })
 }
 
+export const hasCachedAccounts = async (): Promise<boolean> => {
+  if (!authConfig?.enabled || !pcaPromise) return false
+  const pca = await pcaPromise
+  return pca.getAllAccounts().some(a => a.tenantId === authConfig?.tenant_id)
+}
+
 export const loginSilently = async (): Promise<boolean> => {
   if (!authConfig?.enabled || !pcaPromise) return true
   const pca = await pcaPromise
@@ -82,7 +100,21 @@ export const loginSilently = async (): Promise<boolean> => {
     cachedAuthResult = await pca.acquireTokenSilent({ scopes: getScopes(), account })
     return true
   } catch {
-    return false
+    // acquireTokenSilent failed — try ssoSilent as a fallback (works when browser
+    // still has a valid session cookie for login.microsoftonline.com)
+    try {
+      const account = pca.getActiveAccount() ?? pca.getAllAccounts().find(a => a.tenantId === authConfig?.tenant_id)
+      cachedAuthResult = await pca.ssoSilent({
+        scopes: getScopes(),
+        loginHint: account?.username,
+      })
+      if (cachedAuthResult.account) {
+        pca.setActiveAccount(cachedAuthResult.account)
+      }
+      return true
+    } catch {
+      return false
+    }
   }
 }
 

frontend/src/views/Authorization/LoginView.tsx

@@ -9,7 +9,7 @@ import {
 } from '@mui/joy'
 import React from 'react'
 import { Link } from 'react-router-dom'
-import { initializeMsal, loginSilently, loginWithRedirect } from '@/utils/msal'
+import { hasCachedAccounts, initializeMsal, loginSilently, loginWithRedirect } from '@/utils/msal'
 import { setTitle } from '@/utils/dom'
 import { NavigationPaths, WithNavigate } from '@/utils/navigation'
 import { connect } from 'react-redux'
@@ -39,6 +39,14 @@ class LoginViewImpl extends React.Component<LoginViewProps, LoginViewState> {
       this.props.navigate(NavigationPaths.HomeView())
       return
     }
+    try {
+      if (await hasCachedAccounts()) {
+        await loginWithRedirect()
+        return
+      }
+    } catch (error) {
+      this.props.pushStatus((error as Error).message, 'error', 5000)
+    }
     this.setState({ authReady: true })
   }
 

frontend/test/utils/msal.test.ts

@@ -0,0 +1,148 @@
+import type { AccountInfo } from '@azure/msal-browser'
+
+const TENANT_ID = 'tenant-123'
+const OTHER_TENANT = 'other-tenant'
+
+const makeAccount = (tenantId: string, username: string): AccountInfo =>
+  ({
+    homeAccountId: `${username}.${tenantId}`,
+    environment: 'login.microsoftonline.com',
+    tenantId,
+    username,
+    localAccountId: username,
+  }) as AccountInfo
+
+const tenantAccount = makeAccount(TENANT_ID, 'user@example.com')
+const otherAccount = makeAccount(OTHER_TENANT, 'other@example.com')
+const authResult = {
+  accessToken: 'access-token',
+  account: tenantAccount,
+  expiresOn: new Date(Date.now() + 3_600_000),
+}
+
+describe('msal utils', () => {
+  let mockPca: {
+    handleRedirectPromise: jest.Mock
+    getActiveAccount: jest.Mock
+    getAllAccounts: jest.Mock
+    setActiveAccount: jest.Mock
+    acquireTokenSilent: jest.Mock
+    ssoSilent: jest.Mock
+    loginRedirect: jest.Mock
+    logoutRedirect: jest.Mock
+  }
+
+  let initializeMsal: () => Promise<void>
+  let loginSilently: () => Promise<boolean>
+  let hasCachedAccounts: () => Promise<boolean>
+
+  beforeEach(async () => {
+    jest.resetModules()
+
+    mockPca = {
+      handleRedirectPromise: jest.fn().mockResolvedValue(null),
+      getActiveAccount: jest.fn().mockReturnValue(null),
+      getAllAccounts: jest.fn().mockReturnValue([]),
+      setActiveAccount: jest.fn(),
+      acquireTokenSilent: jest.fn(),
+      ssoSilent: jest.fn(),
+      loginRedirect: jest.fn(),
+      logoutRedirect: jest.fn(),
+    }
+
+    jest.doMock('@azure/msal-browser', () => ({
+      createStandardPublicClientApplication: jest.fn().mockResolvedValue(mockPca),
+    }))
+
+    jest.doMock('@/api/auth', () => ({
+      GetAuthConfig: jest.fn().mockResolvedValue({
+        enabled: true,
+        client_id: 'client-id',
+        tenant_id: TENANT_ID,
+        audience: 'https://audience',
+      }),
+    }))
+
+    const module = await import('@/utils/msal')
+    initializeMsal = module.initializeMsal
+    loginSilently = module.loginSilently
+    hasCachedAccounts = module.hasCachedAccounts
+  })
+
+  describe('hasCachedAccounts', () => {
+    it('returns false when no accounts are cached', async () => {
+      await initializeMsal()
+      expect(await hasCachedAccounts()).toBe(false)
+    })
+
+    it('returns false when only accounts from other tenants are cached', async () => {
+      await initializeMsal()
+      mockPca.getAllAccounts.mockReturnValue([otherAccount])
+      expect(await hasCachedAccounts()).toBe(false)
+    })
+
+    it('returns true when a cached account matches the configured tenant', async () => {
+      await initializeMsal()
+      mockPca.getAllAccounts.mockReturnValue([tenantAccount])
+      expect(await hasCachedAccounts()).toBe(true)
+    })
+
+    it('returns true when mixed accounts include one for the configured tenant', async () => {
+      await initializeMsal()
+      mockPca.getAllAccounts.mockReturnValue([otherAccount, tenantAccount])
+      expect(await hasCachedAccounts()).toBe(true)
+    })
+  })
+
+  describe('loginSilently', () => {
+    it('returns true when acquireTokenSilent succeeds', async () => {
+      await initializeMsal()
+      mockPca.getAllAccounts.mockReturnValue([tenantAccount])
+      mockPca.acquireTokenSilent.mockResolvedValue(authResult)
+
+      expect(await loginSilently()).toBe(true)
+      expect(mockPca.ssoSilent).not.toHaveBeenCalled()
+    })
+
+    it('falls back to ssoSilent when acquireTokenSilent fails', async () => {
+      await initializeMsal()
+      mockPca.getAllAccounts.mockReturnValue([tenantAccount])
+      mockPca.acquireTokenSilent.mockRejectedValue(new Error('token expired'))
+      mockPca.ssoSilent.mockResolvedValue({ ...authResult })
+
+      expect(await loginSilently()).toBe(true)
+      expect(mockPca.ssoSilent).toHaveBeenCalledWith(
+        expect.objectContaining({ loginHint: tenantAccount.username }),
+      )
+    })
+
+    it('returns false when both acquireTokenSilent and ssoSilent fail', async () => {
+      await initializeMsal()
+      mockPca.getAllAccounts.mockReturnValue([tenantAccount])
+      mockPca.acquireTokenSilent.mockRejectedValue(new Error('token expired'))
+      mockPca.ssoSilent.mockRejectedValue(new Error('sso failed'))
+
+      expect(await loginSilently()).toBe(false)
+    })
+
+    it('selects the tenant-matching account when multiple accounts are cached', async () => {
+      await initializeMsal()
+      mockPca.getAllAccounts.mockReturnValue([otherAccount, tenantAccount])
+      mockPca.acquireTokenSilent.mockResolvedValue(authResult)
+
+      await loginSilently()
+
+      expect(mockPca.setActiveAccount).toHaveBeenCalledWith(tenantAccount)
+      expect(mockPca.setActiveAccount).not.toHaveBeenCalledWith(otherAccount)
+    })
+
+    it('clears a wrong active account before throwing when no tenant account exists', async () => {
+      await initializeMsal()
+      mockPca.getActiveAccount.mockReturnValue(otherAccount)
+      mockPca.getAllAccounts.mockReturnValue([otherAccount])
+
+      expect(await loginSilently()).toBe(false)
+      expect(mockPca.setActiveAccount).toHaveBeenCalledWith(null)
+    })
+  })
+})