fix: correctly handle MFA timeout

* If the MfaTimeoutError is thrown by backend, then we should force new authentication included
first factor and second factor

Author: HejdaJakub

libs/perun/services/src/lib/ApiInterceptor.ts

@@ -126,8 +126,12 @@ export class ApiInterceptor implements HttpInterceptor {
       catchError((err: HttpErrorResponse) => {
         const e = err.error as RPCError;
         // catch MFA required error and start MFA logic
-        if (e.type === 'MfaPrivilegeException' || e.type === 'MfaRolePrivilegeException') {
-          return this.mfaHandlerService.openMfaWindow(e.type === 'MfaRolePrivilegeException').pipe(
+        if (
+          e.type === 'MfaPrivilegeException' ||
+          e.type === 'MfaRolePrivilegeException' ||
+          e.type === 'MfaTimeoutException'
+        ) {
+          return this.mfaHandlerService.openMfaWindow(e.type).pipe(
             switchMap((verified) => {
               if (verified) {
                 if (e.type === 'MfaRolePrivilegeException') {

libs/perun/services/src/lib/auth.service.ts

@@ -114,7 +114,8 @@ export class AuthService {
     if (sessionStorage.getItem('mfa_route') || localStorage.getItem('mfaProcessed')) {
       customQueryParams['acr_values'] = 'https://refeds.org/profile/mfa';
     }
-    if (sessionStorage.getItem('mfa_route')) {
+    if (sessionStorage.getItem('mfa_route') || localStorage.getItem('mfaTimeout')) {
+      // mfaTimeout = force new authentication if mfaTimeoutError is thrown by Perun
       if (customQueryParams['prompt']) {
         customQueryParams['prompt'] += ' login';
       } else {

libs/perun/services/src/lib/mfa-handler.service.ts

@@ -11,6 +11,11 @@ import { OAuthService } from 'angular-oauth2-oidc';
 import { AuthService } from './auth.service';
 import { StoreService } from './store.service';
 
+export type MfaExceptionType =
+  | 'MfaPrivilegeException'
+  | 'MfaRolePrivilegeException'
+  | 'MfaTimeoutException';
+
 @Injectable({
   providedIn: 'root',
 })
@@ -30,20 +35,24 @@ export class MfaHandlerService {
    * opened another window and the user cannot continue in the original application
    * without finishing authentication/closing the second window
    */
-  openMfaWindow(mfaRoleException: boolean): Observable<boolean> {
+  openMfaWindow(mfaExceptionType: MfaExceptionType): Observable<boolean> {
     let newWindow: Window = null;
     let dialogRef: MatDialogRef<FocusOnMfaWindowComponent, void> = null;
 
     const configVerify = getDefaultDialogConfig();
     configVerify.width = '450px';
     configVerify.data = {
-      mfaRoleException: mfaRoleException,
+      mfaRoleException: mfaExceptionType === 'MfaRolePrivilegeException',
     };
     const dialogVerifyRef = this.dialog.open(MfaRequiredDialogComponent, configVerify);
     let verificationSkipped = false;
 
     dialogVerifyRef.afterClosed().subscribe((result) => {
       if (result) {
+        if (mfaExceptionType === 'MfaTimeoutException') {
+          localStorage.setItem('mfaTimeout', 'true');
+        }
+
         localStorage.setItem('mfaRequired', 'true');
 
         // save tokens - if MFA will NOT be successful, we will need to give them back to oauth storage
@@ -82,6 +91,7 @@ export class MfaHandlerService {
           dialogRef.close();
           localStorage.removeItem('mfaRequired');
           localStorage.removeItem('mfaProcessed');
+          localStorage.removeItem('mfaTimeout');
           // if the window is closed without successful MFA, then give back previous tokens to the oauth storage
           if (this.oauthService.getAccessToken() === null) {
             localStorage.setItem('access_token', sessionStorage.getItem('oldAccessToken'));
@@ -132,6 +142,7 @@ export class MfaHandlerService {
   closeMfaWindow(): void {
     if (localStorage.getItem('mfaProcessed') && !localStorage.getItem('mfaRequired')) {
       localStorage.removeItem('mfaProcessed');
+      localStorage.removeItem('mfaTimeout');
       window.close();
     }
   }