mirror of
https://github.com/netbirdio/netbird.git
synced 2026-06-10 18:09:56 +00:00
6e23ed4da7
* [client] Surface session deadline rejections via SystemEvent and add timer arm debug logs When sessionwatch.Watcher.Update rejects a deadline (pre-epoch, too far in the future, or past the clock-skew tolerance) it silently zeroes the status recorder, leaving the UI with no "expires in" row and no indication of why. Publish a SystemEvent_ERROR on the AUTHENTICATION channel so the rejection appears in the UI event feed and the user knows re-login may be required. Also add Debugf log lines in armTimerLocked so that warning and final-warning timer fire-times are visible in logs without having to add instrumentation after the fact. https://claude.ai/code/session_01Y3bQoNgcVjTD4zDTvv7a8u * [client] Remove verbose arm-timer debug logs from sessionwatch The per-arm Debugf lines added noise on every deadline update. Rejection logging already happens at the call site in engine_authsession.go; the watcher itself needs no extra instrumentation. https://claude.ai/code/session_01Y3bQoNgcVjTD4zDTvv7a8u * [client] Leave userMessage empty on deadline-rejected event; use metadata key Daemon-layer PublishEvent userMessage strings are not localized — the UI reads metadata keys and builds its own locale-aware copy (same pattern as the session-warning events in event.go). Drop the hardcoded English sentence from the deadline-rejected event and instead surface the rejection reason via a new MetaSessionDeadlineRejected metadata key so the UI can detect and localize it. https://claude.ai/code/session_01Y3bQoNgcVjTD4zDTvv7a8u * [client] Revert silent deadline-rejected event; restore userMessage MetaSessionDeadlineRejected had no UI consumer: the tray only does metadata-driven localisation for MetaSessionWarning events; all other SystemEvents display userMessage directly (tray_events.go). Leaving userMessage empty made the rejection invisible to the user. Restore the English userMessage so the generic event path shows something, and remove the unused MetaSessionDeadlineRejected constant. https://claude.ai/code/session_01Y3bQoNgcVjTD4zDTvv7a8u * [client] Localize session deadline rejected notification via metadata key Follow the same pattern as session-warning events: the daemon emits an empty userMessage and puts the signal in a typed metadata key (MetaSessionDeadlineRejected); the UI tray detects the key and builds a locale-aware OS notification from i18n strings. Changes: - sessionwatch/event.go: add MetaSessionDeadlineRejected constant - engine_authsession.go: empty userMessage, use the new metadata key - ui/authsession/warning.go: re-export MetaDeadlineRejected for UI consumers - ui/tray_events.go: gate on isDeadlineRejected alongside isSessionWarning; new branch calls t.notify with localized title/body - i18n locales (en/de/hu): add notify.sessionDeadlineRejected.{title,body} https://claude.ai/code/session_01Y3bQoNgcVjTD4zDTvv7a8u --------- Co-authored-by: Claude <noreply@anthropic.com>
109 lines
3.8 KiB
Go
109 lines
3.8 KiB
Go
package internal
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
|
|
cProto "github.com/netbirdio/netbird/client/proto"
|
|
"github.com/netbirdio/netbird/client/internal/auth/sessionwatch"
|
|
"github.com/netbirdio/netbird/client/system"
|
|
)
|
|
|
|
// ApplySessionDeadline propagates the absolute SSO session deadline carried on
|
|
// LoginResponse / SyncResponse to both the watcher (for the edge-triggered
|
|
// warning) and the status recorder (for the SubscribeStatus / Status RPC
|
|
// snapshot the UI consumes).
|
|
//
|
|
// The wire field is 3-state:
|
|
// - nil → snapshot carries no info; keep the
|
|
// previously-anchored deadline (no-op)
|
|
// - explicit zero (s=0, n=0) → peer is not SSO-registered or expiry is
|
|
// disabled; clear both sinks
|
|
// - valid timestamp → new deadline; arm watcher, expose on
|
|
// status recorder
|
|
//
|
|
// Deadline sanity-checks live in sessionwatch.Watcher.Update. Any rejected
|
|
// value is treated as a clear on both sinks: the alternative — leaving the
|
|
// previously-known deadline in place — risks the UI confidently displaying
|
|
// a stale "expires in X" while the server has actually invalidated it.
|
|
func (e *Engine) ApplySessionDeadline(ts *timestamppb.Timestamp) {
|
|
if ts == nil {
|
|
return
|
|
}
|
|
var deadline time.Time
|
|
// Explicit zero (seconds=0 AND nanos=0) is the sentinel for "disabled".
|
|
// Everything else flows through Watcher.Update, whose sanity-checks
|
|
// reject out-of-range / pre-epoch / far-future / too-stale values and
|
|
// clear on rejection.
|
|
if ts.GetSeconds() != 0 || ts.GetNanos() != 0 {
|
|
deadline = ts.AsTime().UTC()
|
|
}
|
|
if e.sessionWatcher == nil {
|
|
return
|
|
}
|
|
// Watcher.Update owns the propagation to the status recorder (the
|
|
// SubscribeStatus / Status snapshot the UI reads): a set writes the
|
|
// deadline, a clear or a sanity-check rejection writes the zero value.
|
|
// Keeping a single writer is what stops the recorder from drifting out
|
|
// of sync with the warning timers.
|
|
if err := e.sessionWatcher.Update(deadline); err != nil {
|
|
log.Errorf("auth session deadline rejected: %v, clearing", err)
|
|
e.statusRecorder.PublishEvent(
|
|
cProto.SystemEvent_ERROR,
|
|
cProto.SystemEvent_AUTHENTICATION,
|
|
"session deadline rejected",
|
|
"",
|
|
map[string]string{sessionwatch.MetaSessionDeadlineRejected: err.Error()},
|
|
)
|
|
}
|
|
}
|
|
|
|
// DismissSessionWarning records the user's "Dismiss" click on the
|
|
// T-WarningLead interactive notification and suppresses the upcoming
|
|
// T-FinalWarningLead fallback for the current deadline. No-op when the
|
|
// watcher is not running or holds no deadline.
|
|
func (e *Engine) DismissSessionWarning() {
|
|
if e.sessionWatcher == nil {
|
|
return
|
|
}
|
|
e.sessionWatcher.Dismiss()
|
|
}
|
|
|
|
// ExtendAuthSession asks the management server to refresh the SSO session
|
|
// expiry deadline using the supplied JWT, then mirrors the new deadline into
|
|
// the daemon's state. The tunnel is untouched; no resync, no reconnect.
|
|
//
|
|
// Returns the new absolute UTC deadline (or zero time when the server
|
|
// reports the peer is not eligible for extension).
|
|
func (e *Engine) ExtendAuthSession(ctx context.Context, jwtToken string) (time.Time, error) {
|
|
if jwtToken == "" {
|
|
return time.Time{}, errors.New("jwt token is required")
|
|
}
|
|
if e.mgmClient == nil {
|
|
return time.Time{}, errors.New("management client is not initialised")
|
|
}
|
|
|
|
info, err := system.GetInfoWithChecks(ctx, e.checks)
|
|
if err != nil {
|
|
log.Warnf("failed to collect system info for session extend: %v", err)
|
|
info = system.GetInfo(ctx)
|
|
}
|
|
|
|
resp, err := e.mgmClient.ExtendAuthSession(info, jwtToken)
|
|
if err != nil {
|
|
return time.Time{}, fmt.Errorf("extend auth session on management: %w", err)
|
|
}
|
|
|
|
e.ApplySessionDeadline(resp.GetSessionExpiresAt())
|
|
|
|
if resp.GetSessionExpiresAt().IsValid() {
|
|
return resp.GetSessionExpiresAt().AsTime().UTC(), nil
|
|
}
|
|
return time.Time{}, nil
|
|
}
|