UI: remove renew self call after login (#28204)

* check for renewAfterEpoch before comparing it * add test coverage for regression * add comment. Fixes VAULT-4630 * throw error * add changelog
2025-10-30 18:17:55 +00:00 · 2024-08-28 10:05:29 -05:00
parent de0c724d72
commit 872f31fa1d
4 changed files with 22 additions and 2 deletions
--- a/changelog/28204.txt
+++ b/changelog/28204.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fixes renew-self being called right after login for non-renewable tokens
+```
--- a/ui/app/components/auth-jwt.js
+++ b/ui/app/components/auth-jwt.js
@@ -87,6 +87,8 @@ export default Component.extend({
    this.onError(err);
  },

+  // NOTE TO DEVS: Be careful when updating the OIDC flow and ensure the updates
+  // work with implicit flow. See issue https://github.com/hashicorp/vault-plugin-auth-jwt/pull/192
  prepareForOIDC: task(function* (oidcWindow) {
    const thisWindow = this.getWindow();
    // show the loading animation in the parent
--- a/ui/app/services/auth.js
+++ b/ui/app/services/auth.js
@@ -390,7 +390,7 @@ export default Service.extend({
    const now = this.now();
    this.set('lastFetch', timestamp);
    // if expiration was allowed and we're over half the ttl we want to go ahead and renew here
-    if (this.allowExpiration && now >= this.renewAfterEpoch) {
+    if (this.allowExpiration && this.renewAfterEpoch && now >= this.renewAfterEpoch) {
      this.renew();
    }
    this.set('allowExpiration', false);
--- a/ui/tests/acceptance/auth-test.js
+++ b/ui/tests/acceptance/auth-test.js
@@ -6,8 +6,9 @@
 import { module, test } from 'qunit';
 import { setupApplicationTest } from 'ember-qunit';
 import { click, currentURL, visit, waitUntil, find, fillIn } from '@ember/test-helpers';
-import { allSupportedAuthBackends, supportedAuthBackends } from 'vault/helpers/supported-auth-backends';
 import { setupMirage } from 'ember-cli-mirage/test-support';
+import { allSupportedAuthBackends, supportedAuthBackends } from 'vault/helpers/supported-auth-backends';
+import VAULT_KEYS from 'vault/tests/helpers/vault-keys';

 const AUTH_FORM = {
  method: '[data-test-select=auth-method]',
@@ -15,6 +16,7 @@ const AUTH_FORM = {
  login: '[data-test-auth-submit]',
 };
 const ENT_AUTH_METHODS = ['saml'];
+const { rootToken } = VAULT_KEYS;

 module('Acceptance | auth', function (hooks) {
  setupApplicationTest(hooks);
@@ -193,4 +195,17 @@ module('Acceptance | auth', function (hooks) {
    await fillIn(AUTH_FORM.method, 'token');
    await click('[data-test-auth-submit]');
  });
+
+  test('it does not call renew-self after successful login with non-renewable token', async function (assert) {
+    this.server.post(
+      '/auth/token/renew-self',
+      () => new Error('should not call renew-self directly after logging in')
+    );
+
+    await visit('/vault/auth');
+    await fillIn(AUTH_FORM.method, 'token');
+    await fillIn(AUTH_FORM.token, rootToken);
+    await click('[data-test-auth-submit]');
+    assert.strictEqual(currentURL(), '/vault/dashboard');
+  });
 });