Skip to content

feat: enforce IPSIE session_expiry ceiling on local session lifetime#1126

Merged
yogeshchoudhary147 merged 2 commits into
mainfrom
feat/ipsie-session-expiry
Jul 1, 2026
Merged

feat: enforce IPSIE session_expiry ceiling on local session lifetime#1126
yogeshchoudhary147 merged 2 commits into
mainfrom
feat/ipsie-session-expiry

Conversation

@yogeshchoudhary147

@yogeshchoudhary147 yogeshchoudhary147 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumps @auth0/auth0-spa-js to ^2.22.0 to pick up IPSIE session_expiry enforcement
  • Adds one unit test covering mid-session ceiling breach via getAccessTokenSilently
  • Adds Session Expiry from Upstream IdP (IPSIE) section to EXAMPLES.md

No provider code changes are needed. Enforcement is fully handled by auth0-spa-js. The React layer already propagates the undefined user/token responses into isAuthenticated: false state transitions. Routes wrapped with withAuthenticationRequired require no code changes; components calling getAccessTokenSilently() imperatively need an explicit null check (documented in EXAMPLES.md).

Test plan

  • All existing unit tests pass
  • New session_expiry ceiling (IPSIE SL1) test passes
  • Manual: deploy a Post-Login Action with api.idToken.setCustomClaim('session_expiry', Math.floor(Date.now() / 1000) + 120), log in, wait 2 minutes. The app should redirect to login without any code changes.

Summary by CodeRabbit

  • Documentation

    • Added a new guide section covering upstream IdP session expiry, including claim setup and a walkthrough of resulting SDK behavior.
    • Documented how protected routes behave when authentication/session limits are reached, plus upgrade guidance for apps that assume tokens/users are always present.
  • Bug Fixes

    • Improved handling when silent token retrieval resolves to no value, ensuring auth state is cleared and getAccessTokenSilently() returns undefined.
  • Tests

    • Added coverage to verify the new silent-token/clearing behavior.

@yogeshchoudhary147 yogeshchoudhary147 requested a review from a team as a code owner June 29, 2026 11:04
@yogeshchoudhary147 yogeshchoudhary147 force-pushed the feat/ipsie-session-expiry branch 3 times, most recently from 63added to 6814d11 Compare June 29, 2026 13:16
Comment thread EXAMPLES.md Outdated
- `user` becomes `undefined`
- `getAccessTokenSilently()` returns `undefined` (no error thrown)

If your routes are wrapped with `withAuthenticationRequired`, no code changes are required — the state change triggers a redirect to login automatically. Components that call `getAccessTokenSilently()` imperatively (e.g. in a click handler or `useEffect`) need an explicit null check; see [Upgrading existing apps](#upgrading-existing-apps) below.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ceiling is only checked when something calls getAccessTokenSilently, getUser, or getIdTokenClaims again , there's no timer or background re-check in the provider, and isAuthenticated only changes when one of those runs and re-reads the user. So a user sitting on an already-rendered protected page past the ceiling stays authenticated until the next such call; the withAuthenticationRequired redirect fires off the isAuthenticated change, which won't happen on a passive page.

Could we soften "reflects the expired state on the next render" and "automatically" here so it reads as "on the next token/user call" rather than real-time? Otherwise it sets an expectation the SDK doesn't hold.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch — updated. Changed "on the next render" to "on the next call to getAccessTokenSilently, getUser, or getIdTokenClaims" and added a note that a passive page won't trigger the state change. Dropped "automatically" from the withAuthenticationRequired description too.

Comment thread EXAMPLES.md
Comment thread EXAMPLES.md
Comment thread EXAMPLES.md
Comment thread __tests__/auth-provider.test.tsx Outdated
});

describe('session_expiry ceiling (IPSIE SL1)', () => {
it('should return undefined and clear auth state when session ceiling is breached during getAccessTokenSilently', async () => {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I doesn't mock a token call actually happened ,a regression that short-circuits before calling getTokenSilently would still pass. It also doesn't exercise the ceiling itself, since enforcement lives in the underlying SDK.

Can we add an expect(clientMock.getTokenSilently).toHaveBeenCalled() and rename the test to say that, rather than "session_expiry ceiling" which implies it tests detection?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair — renamed the describe/it away from "ceiling" since we're not testing detection (that's spa-js's job), and added expect(clientMock.getTokenSilently).toHaveBeenCalled().

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: e72bc562-0447-44bf-a3c1-6d3dc4175b24

📥 Commits

Reviewing files that changed from the base of the PR and between 06c5a16 and be018e1.

📒 Files selected for processing (3)
  • EXAMPLES.md
  • __tests__/auth-provider.test.tsx
  • package.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • package.json
  • tests/auth-provider.test.tsx

📝 Walkthrough

Walkthrough

This PR bumps @auth0/auth0-spa-js to ^2.22.0, adds test coverage for getAccessTokenSilently() returning undefined and clearing auth state, and adds EXAMPLES.md documentation for upstream IdP session expiry behavior.

Changes

Session Expiry Support

Layer / File(s) Summary
Dependency update and test coverage
package.json, __tests__/auth-provider.test.tsx
Updates @auth0/auth0-spa-js to ^2.22.0 and adds a test case confirming getAccessTokenSilently() returns undefined and clears isAuthenticated, user, and error when getTokenSilently resolves to undefined.
Session expiry documentation
EXAMPLES.md
Adds a table-of-contents entry and a new “Session Expiry from Upstream IdP (IPSIE)” section describing the session_expiry claim, Post-Login Action setup, runtime behavior, redirect behavior, and token null-checking guidance.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: enforcing IPSIE session_expiry on local session lifetime.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/ipsie-session-expiry

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
EXAMPLES.md (1)

1623-1623: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Minor redundancy flagged by static analysis.

"this point in time" — consider trimming to "this point" or "this time".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@EXAMPLES.md` at line 1623, The sentence in EXAMPLES.md contains a small
redundancy in the `session_expiry` description. Update the text in the relevant
enterprise connection explanation to trim “this point in time” to a shorter
phrasing like “this point” or “this time,” keeping the meaning unchanged and
preserving the surrounding `id_token_session_expiry_supported` and
`session_expiry` context.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@EXAMPLES.md`:
- Line 1623: The sentence in EXAMPLES.md contains a small redundancy in the
`session_expiry` description. Update the text in the relevant enterprise
connection explanation to trim “this point in time” to a shorter phrasing like
“this point” or “this time,” keeping the meaning unchanged and preserving the
surrounding `id_token_session_expiry_supported` and `session_expiry` context.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 4c526e11-06d3-4592-b4eb-cd7390fcdef7

📥 Commits

Reviewing files that changed from the base of the PR and between c899362 and 06c5a16.

📒 Files selected for processing (3)
  • EXAMPLES.md
  • __tests__/auth-provider.test.tsx
  • package.json

@kishore7snehil kishore7snehil left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@yogeshchoudhary147 yogeshchoudhary147 force-pushed the feat/ipsie-session-expiry branch from 06c5a16 to be018e1 Compare July 1, 2026 13:05
@yogeshchoudhary147 yogeshchoudhary147 merged commit 2cd530b into main Jul 1, 2026
15 checks passed
@yogeshchoudhary147 yogeshchoudhary147 deleted the feat/ipsie-session-expiry branch July 1, 2026 13:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants