feat: SSO implementation using session details

[bhavanakarwade]

What?

• Added session manager component for handling session details and session status
• Integrated signout API and synchronised with nextAuth's signOut function
• Handled redirection conditions

---

Important

Implements SSO using session details with a new SessionManager, integrates sign-out with NextAuth, and updates session handling logic.

• Session Management:
  • Replaces SessionCheck and SessionSyncer with SessionManager in layout.tsx.
  • SessionManager in SessionManager.tsx handles session details and redirection.
  • Updates authSlice.ts to include sessionId.
• Sign-out Integration:
  • Integrates sign-out API with NextAuth's signOut in user-nav.tsx.
  • Implements logoutUser function for API and local sign-out.
• API Routes:
  • Adds signOut and fetchSessionDetails to apiRoutes.ts.
• Miscellaneous:
  • Changes authOptions.ts to handle session ID.
  • Updates Loader.tsx to include isExpand prop.
  • Modifies GetHeaderConfigs.ts to include withCredentials.

^{This description was created by for 2e69a2b. You can customize this summary. It will automatically update as commits are pushed.}

[ellipsis-dev]

Caution

Changes requested ❌

Reviewed everything up to 2045aae in 1 minute and 49 seconds. Click for details.

• Reviewed 757 lines of code in 17 files
• Skipped 0 files when reviewing.
• Skipped posting 8 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. nextjs/next.config.js:18

• Draft comment:
  Consider enabling reactStrictMode for better warning/error detection unless its disablement is intentional.
• Reason this comment was not posted:
  Comment looked like it was already resolved.

2. nextjs/src/lib/authSlice.ts:28

• Draft comment:
  Reset sessionId in the logout reducer to avoid retaining stale session data.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is purely informative, explaining what the code does without suggesting any changes or asking for clarification. It doesn't align with the rules for useful comments.

3. nextjs/types/next-auth.d.ts:20

• Draft comment:
  Consider extending the JWT interface to include 'sessionId' for type consistency with what is used in authOptions callbacks.
• Reason this comment was not posted:
  Comment was not on a location in the diff, so it can't be submitted as a review comment.

4. nextjs/src/features/components/UserInfoForm.tsx:130

• Draft comment:
  Verify if changing the redirect route from sign-up to sign-in after account creation is intentional.
• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 0% vs. threshold = 50% This comment violates the rule about not asking authors to verify their intentions. The comment starts with "Verify if..." which is explicitly called out as likely not useful. The change appears to be intentional since it's consistent with the success path in the if branch which also redirects to /sign-in. Both paths include fidoFlag=false and method=password parameters. The route change could potentially break the user flow if sign-in requires different parameters than sign-up. There may be important context about the authentication flow that I'm missing. Even if there are authentication flow concerns, asking the author to verify their intention is not helpful - we should trust they understand their own auth flow. If there was a specific technical issue, that should be called out directly. Delete this comment as it violates the rule about asking authors to verify their intentions. The change appears intentional and consistent.

5. nextjs/src/features/components/SessionManager.tsx:92

• Draft comment:
  Avoid using setTimeout for session validation as it might be fragile; consider using more reliable async state change handlers.
• Reason this comment was not posted:
  Confidence changes required: 50% <= threshold 50% None

6. nextjs/src/features/components/user-auth-form.tsx:215

• Draft comment:
  Ensure that the token from Redux is set and valid before using it to fetch user details; consider handling missing token more explicitly.
• Reason this comment was not posted:
  Comment looked like it was already resolved.

7. nextjs/src/components/layout/providers.tsx:27

• Draft comment:
  Ensure that 'session?.user.id' is reliably defined when used as a key; if it can be undefined, it may lead to unnecessary re-mounts.
• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50% Using undefined values as React keys can cause issues. However, this is a high-level provider component and session?.user.id being undefined likely represents a valid unauthenticated state. The key is probably intentionally used to force remounts when the user changes. Adding a fallback could prevent desired remounting behavior. I could be wrong about the intention behind the key - maybe undefined keys really are unintentional. The current code could cause unnecessary remounts if session.user.id is sometimes undefined for logged-in users. Given this is a SessionProvider, undefined user.id likely represents intentional unauthenticated state. If there were issues with unnecessary remounts, they would likely be obvious during testing. Delete the comment. The suggestion could interfere with intentional remounting behavior and the current code appears intentional.

8. nextjs/src/config/apiRoutes.ts:4

• Draft comment:
  Typo detected: The key 'sinIn' appears to be a misspelling. It likely should be 'signIn'.
• Reason this comment was not posted:
  Comment was on unchanged code.

Workflow ID: wflow_9nYGRn1zjxHBQXvj

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[ellipsis-dev]

Fetch the refresh token inside the refreshAccessToken function instead of caching it outside to ensure you always use the latest value.

[ellipsis-dev]

Caution

Changes requested ❌

Reviewed 904083e in 1 minute and 48 seconds. Click for details.

• Reviewed 209 lines of code in 2 files
• Skipped 0 files when reviewing.
• Skipped posting 2 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. nextjs/src/features/components/SessionManager.tsx:24

• Draft comment:
  Duplicate '/agent-config' entry found in preventRedirectOnPaths. Remove the duplicate to avoid confusion.
• Reason this comment was not posted:
  Comment was not on a location in the diff, so it can't be submitted as a review comment.

2. nextjs/src/services/axiosIntercepter.ts:118

• Draft comment:
  In isTokenExpired, if the refresh token is expired, consider returning true immediately after calling logoutAndRedirect to clearly indicate the token is invalid. Also, avoid side effects in a utility check function.
• Reason this comment was not posted:
  Comment was on unchanged code.

Workflow ID: wflow_46Isw84oKYh5XPbB

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[ellipsis-dev]

In the request interceptor, logoutAndRedirect is invoked when the token is expired, but the interceptor still returns a config with the original (expired) token. Consider rejecting the request or halting further processing to prevent sending requests with an expired token.

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed 1337a01 in 1 minute and 11 seconds. Click for details.

• Reviewed 32 lines of code in 1 files
• Skipped 0 files when reviewing.
• Skipped posting 2 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. nextjs/src/features/components/SessionManager.tsx:44

• Draft comment:
  Remove dead code: commented out 'clientAlias' variable. If it's not used, consider removing it entirely.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50% None

2. nextjs/src/features/components/SessionManager.tsx:101

• Draft comment:
  Commented-out sign-in redirection logic: verify if unauthenticated flow should redirect to sign-in.
• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 10% vs. threshold = 50% The comment asks to "verify" something, which violates our rules about not asking for verification. It's also not clearly indicating a problem - commenting out code is a deliberate change that the author made. Without more context about why this code was commented out, we can't assume it's a mistake. Maybe the removal of sign-in redirection creates a security issue by leaving unauthenticated users with access to protected routes? While security is important, we don't have enough context to know if this is actually an issue. The author may have moved the authentication logic elsewhere or implemented it differently. The comment should be deleted as it violates our rules by asking for verification and doesn't clearly identify a concrete issue that needs fixing.

Workflow ID: wflow_ycYyOcy8FnObmqxS

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed b31896d in 1 minute and 57 seconds. Click for details.

• Reviewed 46 lines of code in 1 files
• Skipped 0 files when reviewing.
• Skipped posting 3 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. nextjs/src/features/components/SessionManager.tsx:26

• Draft comment:
  Add an inline comment explaining the purpose of the 'excludeRouteForSessionCheck' constant. Also, consider if using startsWith for matching (e.g. '/verify-email-success') is appropriate or if an exact match would be safer.
• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50% The first part about adding a comment is reasonable but not critical - the variable name is fairly self-descriptive. The second part about startsWith vs exact match is a valid security consideration, but without knowing the full routing structure and requirements, we can't be certain this is actually a problem. The current implementation might be intentional to catch sub-routes. I might be underestimating the security implications of using startsWith. Also, future maintainers might benefit from explicit documentation of the constant's purpose. While these suggestions could improve the code, neither rises to the level of requiring immediate action. The code is functional and reasonably clear as-is. This comment makes suggestions that could marginally improve the code but aren't critical issues that require changes. The suggestions are somewhat speculative without more context.

2. nextjs/src/features/components/SessionManager.tsx:102

• Draft comment:
  In the unauthenticated/session null branch, the new exclusion check using startsWith may match unintended routes. Consider whether this logic is robust enough and possibly extract the 500ms delay to a named constant for clarity.
• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50% The startsWith concern is speculative - there's no evidence of actual problems, just a hypothetical. The array only contains one very specific path. The 500ms extraction suggestion is a minor code quality issue that doesn't impact functionality. Neither point seems critical enough to warrant a comment. The startsWith check could theoretically match '/verify-email-success-fake' which might be a real security concern. The magic number 500 does make the code slightly less maintainable. The security concern is highly theoretical and the path is very specific. The delay extraction is too minor to force a code change. Delete the comment as it raises speculative concerns without strong evidence of actual problems, and makes minor stylistic suggestions that aren't worth blocking the PR for.

3. nextjs/src/features/components/SessionManager.tsx:45

• Draft comment:
  The clientAlias is now actively extracted (uncommented). Ensure downstream logic properly handles cases where clientAlias might be null.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 40% <= threshold 50% The comment is asking the author to ensure that downstream logic handles null values for clientAlias. This is a request for confirmation of behavior, which violates the rules. However, it does point out a potential issue with null handling, which could be useful if rephrased as a suggestion or observation rather than a request for confirmation.

Workflow ID: wflow_uNCtk0ahmNOrLqMH

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed 0bcf1ce in 40 seconds. Click for details.

• Reviewed 13 lines of code in 1 files
• Skipped 0 files when reviewing.
• Skipped posting 1 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. nextjs/src/features/components/SessionManager.tsx:105

• Draft comment:
  Good: formatting update improves readability by adding a space in the if condition.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

Workflow ID: wflow_EVlrC47DwLf51RKg

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[ellipsis-dev]

Caution

Changes requested ❌

Reviewed f74fc22 in 1 minute and 45 seconds. Click for details.

• Reviewed 47 lines of code in 1 files
• Skipped 0 files when reviewing.
• Skipped posting 4 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. nextjs/src/services/axiosIntercepter.ts:4

• Draft comment:
  Remove unused AxiosRequestConfig import since it's no longer used.
• Reason this comment was not posted:
  Comment looked like it was already resolved.

2. nextjs/src/services/axiosIntercepter.ts:170

• Draft comment:
  Consider removing the commented retry logic in the response interceptor or add a TODO if intended for future use.
• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50% Commented out code can make files harder to maintain and understand. However, in this case, it appears the code was intentionally commented out as part of the changes, possibly as part of refactoring the auth flow. The comment doesn't point out a clear issue that needs fixing - it's more of a code cleanliness suggestion. The author likely has a reason for keeping the code commented rather than deleted. The code could be valuable reference material for future auth flow changes. Maybe the author is in the middle of refactoring and needs this code temporarily. While keeping reference code can be useful, the proper way would be to keep it in version control history rather than as comments. However, this is a minor stylistic preference rather than a critical issue. The comment should be removed as it's more of a style suggestion than a critical issue requiring action. The author can decide how to handle commented code based on their needs.

3. nextjs/src/services/axiosIntercepter.ts:125

• Draft comment:
  Avoid side effects in a boolean check: calling logoutAndRedirect() inside isTokenExpired can be confusing. Consider separating the token check from the logout action.
• Reason this comment was not posted:
  Comment was not on a location in the diff, so it can't be submitted as a review comment.

4. nextjs/src/services/axiosIntercepter.ts:151

• Draft comment:
  If the token is expired, the request is still sent with the expired token. Consider canceling the request or throwing an error instead of simply logging out.
• Reason this comment was not posted:
  Comment was not on a location in the diff, so it can't be submitted as a review comment.

Workflow ID: wflow_rlSsqD256EiqBG0C

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[ellipsis-dev]

Remove or clean up the commented-out jwtDataPayload interface if it's no longer needed.

[ellipsis-dev]

Caution

Changes requested ❌

Reviewed e6b6f39 in 1 minute and 46 seconds. Click for details.

• Reviewed 66 lines of code in 2 files
• Skipped 0 files when reviewing.
• Skipped posting 1 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. nextjs/src/features/components/user-auth-form.tsx:97

• Draft comment:
  No explicit success handling is provided after calling signIn. If no error is returned, the code does not redirect or update the UI – confirm if this behavior is intended.
• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 10% vs. threshold = 50% The comment points out there's no explicit success handling after signIn(). However, next-auth's signIn() function typically handles session management automatically. The code intentionally sets redirect:false, suggesting there may be custom routing logic elsewhere. Without seeing the full next-auth configuration and routing setup, we can't definitively say this is a bug. I could be wrong about next-auth's default behavior. There could be a legitimate issue where successful logins aren't properly handled. While possible, the comment is speculative without more context. It's asking for confirmation rather than pointing out a clear issue, which violates our review rules. The comment should be deleted as it's asking for confirmation of intended behavior rather than pointing out a clear, actionable issue.

Workflow ID: wflow_hWVqsqy5o0ufn7b7

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[ellipsis-dev]

Using '${isExpand && "h-full w-full"}' can insert a 'false' string when isExpand is false. Use a ternary (e.g., isExpand ? 'h-full w-full' : '') instead.

Suggested change

	className={`flex ${isExpand && 'h-full w-full'} items-center justify-center`}
	className={`flex ${isExpand ? 'h-full w-full' : ''} items-center justify-center`

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed 2e69a2b in 31 seconds. Click for details.

• Reviewed 13 lines of code in 1 files
• Skipped 0 files when reviewing.
• Skipped posting 1 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. nextjs/src/components/Loader.tsx:11

• Draft comment:
  Good change! Using a ternary avoids concatenating a boolean into the class string when isExpand is false.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is purely informative and does not provide any actionable feedback or suggestions for improvement. It simply praises the change without offering any constructive criticism or questions.

Workflow ID: wflow_Hnr72JohmOOLTWx3

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[sonarqubecloud]

Quality Gate passed

Issues
11 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud