Epic: 4.4
Story 4.4: Session Auto-Refresh & Role-Based Access Control
Status: done
Tasks
- **Task 1: Create Token Refresh Hook** (AC: 1, 2, 3, 5, 6)
  - 1.1 Create `client/src/hooks/use-token-refresh.ts` with the auto-refresh logic
  - 1.2 Decode the JWT to extract the `exp` claim for the expiry calculation
  - 1.3 Calculate 80% of the token lifetime and schedule a `setTimeout` for that point
  - 1.4 Call `POST /api/v1/auth/refresh` with the `refresh_token`
  - 1.5 Update state and localStorage on a successful refresh
  - 1.6 Clear the timeout on cleanup (the `useEffect` return function)
  - 1.7 Add console logging for refresh events (debug mode only)
- **Task 2: Integrate Auto-Refresh in AuthContext** (AC: 1, 5)
  - 2.1 Import and call `useTokenRefresh()` in `AuthProvider`
  - 2.2 Ensure the `setAccessToken` function is available to the hook
  - 2.3 Verify state stays in sync between the hook and the context
- **Task 3: Implement Graceful Logout on Failure** (AC: 4)
  - 3.1 On refresh failure (401/403), call the `logout()` function
  - 3.2 Clear the localStorage tokens (`access_token`, `refresh_token`)
  - 3.3 Redirect to the login page with a message
- **Task 4: Add Manual Refresh Method** (AC: 7)
  - 4.1 Export a `refreshNow` function from the `useTokenRefresh` hook
  - 4.2 Allow a manual trigger before API calls that may otherwise fail
  - 4.3 Return a boolean indicating success or failure
- **Task 5: Verify RBAC Middleware Coverage** (AC: 8, 9, 10)
  - 5.1 Audit that all agent endpoints use `Depends(get_current_agent)`
  - 5.2 Verify the 403 response format: `{"detail": "Agent access required"}`
  - 5.3 Verify that the RBAC middleware at auth.py:434-445 validates correctly
- **Task 6: Write Tests** (AC: All)
  - 6.1 Unit test: `useTokenRefresh` schedules the refresh at 80% of the token lifetime
  - 6.2 Unit test: a refresh failure triggers logout
  - 6.3 Unit tests covering AC1-AC7
  - 6.4 RBAC middleware verified via code review
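The scheduling logic of Task 1, as an added TypeScript example that is not the project's own `use-token-refresh.ts`: it reads the `exp`/`iat` claims from a JWT payload without verifying the signature (acceptable for arming a timer, never for authorization, which the server's `Depends(get_current_agent)` enforces) and computes the 80%-of-lifetime delay. The function names, the base64url decoder and the sample token are constructed for this example.

```typescript
interface JwtPayload {
  exp?: number;
  iat?: number;
  [claim: string]: unknown;
}

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode one base64url segment to a string (assumes an ASCII JSON payload).
function base64UrlDecode(segment: string): string {
  let bits = 0, acc = 0, out = "";
  for (const ch of segment.replace(/=+$/, "")) {
    const idx = B64URL.indexOf(ch);
    if (idx < 0) throw new Error("invalid base64url character");
    acc = (acc << 6) | idx;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return out;
}

// Read the payload claims WITHOUT verifying the signature. The client only
// uses exp to schedule a timer; every API call is still validated server-side,
// so nothing read here may be used for an authorization decision.
function decodeJwtPayload(token: string): JwtPayload {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(base64UrlDecode(parts[1])) as JwtPayload;
}

// Milliseconds until the refresh should fire: 80% of the lifetime measured from
// iat (or from now when iat is absent or not before exp). Returns 0 when the
// token has no exp or is already expired, so the caller refreshes immediately.
function refreshDelayMs(token: string, nowMs: number = Date.now()): number {
  const { exp, iat } = decodeJwtPayload(token);
  if (typeof exp !== "number") return 0;
  const expMs = exp * 1000;
  if (expMs <= nowMs) return 0;
  const issuedMs = typeof iat === "number" && iat * 1000 < expMs ? iat * 1000 : nowMs;
  const refreshAtMs = issuedMs + (expMs - issuedMs) * 0.8;
  return Math.max(0, refreshAtMs - nowMs);
}

// Constructed, unsigned sample token; its payload is {"iat":1000,"exp":2000}.
const SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjEwMDAsImV4cCI6MjAwMH0.sig";
```

In the hook, `setTimeout(refreshNow, refreshDelayMs(accessToken))` arms the timer and the `useEffect` cleanup clears it, matching tasks 1.3 and 1.6.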
Progress
- Tasks: 6/6
- Acceptance Criteria: 0
- Total Tasks: 6