Closed briri closed 3 weeks ago
The Apollo server now supports the following endpoints:
- GET /apollo-csrf: generates a CSRF token (sets the X-CSRF-Token header)
- POST /apollo-signin: user sign in (sets the access token dmspt and refresh token dmspr cookies, sets a new X-CSRF-Token header)
- POST /apollo-signup: user sign up (sets the access token dmspt and refresh token dmspr cookies, sets a new X-CSRF-Token header)
- POST /apollo-signout: user sign out (deletes the access token dmspt and refresh token dmspr cookies)
- POST /apollo-refresh: refreshes an access token (sets new access token dmspt and refresh token dmspr cookies, sets a new X-CSRF-Token header)

A successful sign up returns a 201.
A successful sign in, token refresh, CSRF request and sign out all return a 200.
All POST, PUT, PATCH and DELETE calls made to the backend require the X-CSRF-Token header. If it is missing or no longer valid, a 403 error is returned with an error saying "Invalid CSRF token".
CSRF tokens are regenerated after every call.
The access token now contains expiry information that could be used to perform checks to determine if a refresh request should be made.
If a request to refresh the access token is made but the refresh token is no longer valid, the system will return a 400 error with a message that says "Unable to refresh the access token at this time!"
If an access token is no longer valid or has been revoked, the system will return a 401 error with a message stating what the issue is.
The sign out controller will return a 200 under all circumstances. This prevents issues if the user clicks "logout" and there is something wrong with the state of their tokens.
Comment from Brian to take a look at https://www.apollographql.com/docs/router/configuration/csrf/
I finished making most of my updates to the frontend:
1) Got rid of api endpoints for getting token, setting cookies and logging out, since the backend will be managing that
2) Added a CsrfContext to manage csrf token in state
3) Updated /login and /signup pages, and associated unit tests, to pass the csrf token
4) Added a new, shared error handler for the /login and /signup pages to handle calls to /apollo-csrf and /apollo-refresh when receiving 401 and 403 errors
5) Created a shared errorLink file for GraphQL and updated client instances
6) Added cypress functional tests for logging in, signing up, and logging out
update-token-management
Made some small backend updates to get the csrf and access token:
1) Added corsOptions to allow frontend
2) Fixed an issue with query in MySQLModel
3) Updated csrf middleware to allow exposure of headers: 'Access-Control-Expose-Headers'
4) Made bug fix for passing acceptedTerms to database
bug/fix-cors-and-other-small-issues
I noticed when testing my changes, that I could no longer access data for queries like "Sections" query in Apollo sandbox. I just get "Forbidden" errors.
It looks like the 'verifyToken' function in context was removed, which was setting the "token" data being used in the resolvers and models to verify whether the user has permissions to access the data.
The verifyToken function should be added back. The backend should be verifying the access token on every graphql request. If the access token is not valid or missing, but the refresh token is valid, it should refresh the auth tokens. Additionally, the backend should be checking whether the access token has almost expired. If so, it should also do a check to validate the refreshAuthTokens.
I'll discuss this more with the team at the next stand up.