Improve handling of errors when refreshing tokens

[garronej]

Summary by CodeRabbit

• Bug Fixes
  • Session tokens are now properly cleared on authentication failures
  • Silent authentication flows provide better error handling with improved distinction between timeout and refresh errors
  • Enhanced error recovery in token refresh operations with more reliable state cleanup
  • Improved session state management during failed authentication attempts

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes enhance error handling in the OIDC silent login flow by introducing sessionStorage cleanup for persisted tokens, extending error outcome types with ErrorTimeout and ErrorResponse, and implementing new defensive error-handling paths for refresh token failures and iframe-based authentication.

Changes

Cohort / File(s)	Summary
OIDC Silent Login Flow src/core/createOidc.ts, src/core/loginSilent.ts	Adds sessionStorage cleanup logic via clearPersistedTokensIfSessionStorageIfAny. Introduces new error outcome "got error auth response using refresh token" with error details. Enhances error handling in silent login and iframe token refresh paths using new ErrorTimeout and ErrorResponse types, replacing prior message-based error inspection and assumptions.
Vendor Type Exports src/vendor/frontend/oidc-client-ts.ts	Extends public exports to include ErrorTimeout and ErrorResponse from oidc-client-ts library, enabling their use in downstream error-handling logic.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Better diagnostic for CSP interfering with session restoration via if… #124: Modifies silent-login timeout and error handling in createOidc.ts with enhanced diagnostic calls.
• Iframe response protection #78: Modifies loginSilent iframe auth-response handling and related error outcome types.
• Get rid of asym encryption for iframe messaging, rely on a protected #111: Modifies iframe-based silent-login paths and sessionStorage persistence handling across createOidc.ts and loginSilent.ts.

Poem

🐰 Silent logins whisper quiet and true,
Error types caught in timeout's debut,
SessionStorage scrubbed when refresh goes wrong,
Defensive assertions keep us strong! 🌙✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Improve handling of errors when refreshing tokens' directly summarizes the main changes across all three files, which focus on enhanced error handling, defensive assertions, and cleanup logic in token refresh flows.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch improve_error_managment

---

No actionable comments were generated in the recent review. 🎉

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[garronej]

@coderabbitai no review here? This looks good to you?

[coderabbitai]

@garronej I'll review the changes in this PR right away. Let me analyze the error handling improvements for token refresh.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.