Skip to content

feat: refresh jwt on navigate for admin register page #1714

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

feat: refresh jwt on navigate for admin register page #1714

wants to merge 6 commits into from
+34 −4

Conversation

@brobro10000
Copy link
Member

@brobro10000 brobro10000 commented Oct 30, 2025

This pull request introduces improvements to the authentication and user experience flows for enterprise admin registration and user activation. The main changes focus on ensuring the authentication state is refreshed, handling first-time visits to the registration page, and updating service methods to support these features.

Authentication and User Experience Enhancements:

  • Added a call to LmsApiService.loginRefresh() in AdminRegisterPage to refresh the authentication state before proceeding, and implemented logic to reload the page on the user's first visit to the registration page by setting a flag in localStorage. This helps ensure the user's session is up to date and avoids potential stale authentication issues.
  • Updated the admin authentication logic in AdminRegisterPage to use a freshly fetched authenticated user when checking for enterprise admin privileges, reducing the risk of using outdated user data.

Service Layer Updates:

  • Added a new endpoint URL loginRefreshUrl to LmsApiService for refreshing the login session.
  • Implemented the loginRefresh method in LmsApiService to call the new endpoint and return the refreshed authentication data in camelCase format.

User Activation Flow:

  • Minor refactor in UserActivationPage for consistency, removing an unnecessary blank line before the interval hook that checks user activation status.

For all changes

  • Ensure adequate tests are in place (or reviewed existing tests cover changes)

Only if submitting a visual change

  • Ensure to attach screenshots
  • Ensure to have UX team confirm screenshots

pwnage101
pwnage101 reviewed Oct 30, 2025
View reviewed changes
pwnage101
pwnage101 reviewed Oct 30, 2025
View reviewed changes
pwnage101
pwnage101 reviewed Oct 30, 2025
View reviewed changes
src/components/AdminRegisterPage/index.jsx Outdated
};
getEnterpriseBySlug();
LmsApiService.loginRefresh().then(_ => {
const obfuscatedId = uuidv5(String(_.userId), uuidv5.DNS);
Copy link
Contributor

@pwnage101 pwnage101 Oct 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain/comment why this needs to be obfuscated? Like, why not just put the user ID in the storageKey?

Copy link
Member Author

@brobro10000 brobro10000 Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to avoid have PII of the LMS user id on a potentially public browser if they are not using their own system or a public system. If its a local system, the user may not know that their LMS user id is saved on a public system.

Copy link
Contributor

@pwnage101 pwnage101 Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just to be clear, the LMS user ID is not PII, and it's already freely available unencrypted within the JWT token.I don't think there's any need to obfuscate it.

@codecov
Copy link

codecov bot commented Nov 3, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 75.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.09%. Comparing base (f6883e8) to head (92dd00b).

Files with missing lines Patch % Lines
src/data/services/LmsApiService.ts 40.00% 3 Missing ⚠️
src/components/AdminRegisterPage/index.jsx 90.90% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #1714      +/-   ##
==========================================
- Coverage   87.10%   87.09%   -0.02%     
==========================================
  Files         780      780              
  Lines       17761    17775      +14     
  Branches     3638     3729      +91     
==========================================
+ Hits        15471    15481      +10     
- Misses       2226     2230       +4     
  Partials       64       64

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

pwnage101
pwnage101 reviewed Nov 5, 2025
View reviewed changes
src/components/AdminRegisterPage/index.jsx
Comment on lines +44 to +53
LmsApiService.loginRefresh().then(data => {
const obfuscatedId = uuidv5(String(data.userId), uuidv5.DNS);
const storageKey = `first_visit_register_page_${obfuscatedId}`;
if (!localStorage.getItem(storageKey)) {
localStorage.setItem(storageKey, 'true');
window.location.reload();
}
return data;
}).catch(error => logError(error));
getEnterpriseBySlug().catch(error => logError(error));
Copy link
Contributor

@pwnage101 pwnage101 Nov 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: This is a relatively important piece of business logic and IMO needs a correspondingly importing looking code comment.

Suggested change
LmsApiService.loginRefresh().then(data => {
const obfuscatedId = uuidv5(String(data.userId), uuidv5.DNS);
const storageKey = `first_visit_register_page_${obfuscatedId}`;
if (!localStorage.getItem(storageKey)) {
localStorage.setItem(storageKey, 'true');
window.location.reload();
}
return data;
}).catch(error => logError(error));
getEnterpriseBySlug().catch(error => logError(error));
// Force a fetch of a new JWT token and reload the page prior to any redirects.
// Importantly, only reload the page on first visit, or else risk infinite reloads.
LmsApiService.loginRefresh().then(data => {
const obfuscatedId = uuidv5(String(data.userId), uuidv5.DNS);
const storageKey = `first_visit_register_page_${obfuscatedId}`;
if (!localStorage.getItem(storageKey)) {
localStorage.setItem(storageKey, 'true');
window.location.reload();
}
return data;
}).catch(error => logError(error));
getEnterpriseBySlug().catch(error => logError(error));

pwnage101
pwnage101 approved these changes Nov 5, 2025
View reviewed changes
Copy link
Contributor

@pwnage101 pwnage101 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Otherwise, happy to merge if it fixes the issue, but it feels weird to need to reload the page if the POST already updates the JWT cookie.

pwnage101
pwnage101 approved these changes Nov 5, 2025
View reviewed changes
Copy link
Contributor

@pwnage101 pwnage101 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Otherwise, happy to merge if it fixes the issue, but it feels weird to need to reload the page if the POST already updates the JWT cookie.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pwnage101 pwnage101 pwnage101 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@brobro10000 @pwnage101