Merge branch 'hotfix/1.4.5'

SailReal · SailReal · commit de8c4bb4e5bc · 2025-08-09T12:33:40.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.4.5](https://github.com/cryptomator/hub/compare/1.4.4...1.4.5)
+
+### Fixed
+
+- Fix Session Expiration Not Enforced in Cryptomator Hub Web Client (GHSA-69fp-wc9g-5778)
+
 ## [1.4.4](https://github.com/cryptomator/hub/compare/1.4.3...1.4.4)
 
 ### Added
diff --git a/backend/pom.xml b/backend/pom.xml
@@ -4,7 +4,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.cryptomator</groupId>
   <artifactId>hub-backend</artifactId>
-  <version>1.4.4</version>
+  <version>1.4.5</version>
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
diff --git a/frontend/package.json b/frontend/package.json
@@ -1,7 +1,7 @@
 {
   "type": "module",
   "name": "cryptomator-hub",
-  "version": "1.4.4",
+  "version": "1.4.5",
   "description": "Web-Frontend for Cryptomator Hub",
   "author": "Skymatic GmbH",
   "license": "AGPL-3.0-or-later",
diff --git a/frontend/src/common/auth.ts b/frontend/src/common/auth.ts
@@ -1,4 +1,5 @@
 import Keycloak from 'keycloak-js';
+import { buildRedirectSyncMeUri } from '../router';
 import config, { ConfigDto } from './config';
 
 class Auth {
@@ -10,14 +11,19 @@ class Auth {
       realm: cfg.keycloakRealm,
       clientId: cfg.keycloakClientIdHub
     });
+
+    const auth = new Auth(keycloak);
+
     keycloak.onTokenExpired = () => {
-      keycloak.updateToken(30);
-    }; // TODO: show notification with .catch(() => notify-user-somehow);
+      auth.refreshToken(30);
+    };
+
     await keycloak.init({
       checkLoginIframe: false,
       pkceMethod: 'S256',
     });
-    return new Auth(keycloak);
+
+    return auth;
   }
 
   private constructor(keycloak: Keycloak) {
@@ -29,25 +35,42 @@ class Auth {
   }
 
   public async login(redirectUri: string): Promise<void> {
-    await this.keycloak.login({
-      redirectUri: (redirectUri)
-    });
+    await this.keycloak.login({ redirectUri });
   }
 
   public async logout(redirectUri?: string): Promise<void> {
-    return this.keycloak.logout({
-      redirectUri: redirectUri
-    });
+    await this.keycloak.logout({ redirectUri });
   }
 
   public async bearerToken(): Promise<string | undefined> {
-    await this.keycloak.updateToken(10);
+    await this.refreshToken(10);
     return this.keycloak.token;
   }
 
   public hasRole(role: string): boolean {
     return this.keycloak.tokenParsed?.realm_access?.roles.includes(role) ?? false;
   }
+
+  private async refreshToken(minValidity?: number, delay: number = 500): Promise<void> {
+    if (delay > 16000) { // max wait time of 16 seconds before giving up
+      console.error('Auth Token refresh failed after maximum retries. Clearing tokens & logging out.');
+      this.keycloak.clearToken();
+      return this.logout();
+    }
+    try {
+      await this.keycloak.updateToken(minValidity);
+      return; // success
+    } catch (err) {
+      if (!this.isAuthenticated()) {
+        const redirectUrl = buildRedirectSyncMeUri();
+        return this.login(redirectUrl);
+      } else {
+        console.warn(`Auth Token refresh failed, retrying in ${delay}ms`, err);
+        await new Promise(res => setTimeout(res, delay));
+        return this.refreshToken(minValidity, delay * 2); // exponential backoff
+      }
+    }
+  }
 }
 
 // this is a lazy singleton:
diff --git a/frontend/src/router/index.ts b/frontend/src/router/index.ts
@@ -1,4 +1,4 @@
-import { createRouter, createWebHistory, NavigationGuardWithThis, RouteLocationRaw, RouteRecordRaw } from 'vue-router';
+import { createRouter, createWebHistory, NavigationGuardWithThis, RouteLocationNormalized, RouteLocationRaw, RouteRecordRaw } from 'vue-router';
 import authPromise from '../common/auth';
 import backend from '../common/backend';
 import { baseURL } from '../common/config';
@@ -149,11 +149,7 @@ router.beforeEach((to, from, next) => {
       if (auth.isAuthenticated()) {
         next();
       } else {
-        // secondsSinceEpoch is required for legacy reasons, as caching headers were only introduced in #255
-        // as result, the redirect URI changes and caching does not break updates anymore
-        const secondsSinceEpoch = Math.round(new Date().getTime() / 1000);
-        const redirect: RouteLocationRaw = { query: { ...to.query, 'sync_me': secondsSinceEpoch } };
-        const redirectUri = `${location.origin}${router.resolve(redirect, to).href}`;
+        const redirectUri = buildRedirectSyncMeUri(to);
         auth.login(redirectUri);
       }
     });
@@ -205,4 +201,17 @@ router.beforeEach(async (to) => {
   }
 });
 
+export function buildRedirectSyncMeUri(route?: RouteLocationNormalized): string {
+  const targetRoute = route ?? router.currentRoute.value;
+  // secondsSinceEpoch is required for legacy reasons, as caching headers were only introduced in #255
+  const secondsSinceEpoch = Math.round(Date.now() / 1000);
+  const redirect: RouteLocationRaw = {
+    query: {
+      ...targetRoute.query,
+      sync_me: secondsSinceEpoch,
+    }
+  };
+  return `${location.origin}${router.resolve(redirect, targetRoute).href}`;
+}
+
 export default router;

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"type": "module",`
`3`	`3`	`"name": "cryptomator-hub",`
`4`		`- "version": "1.4.4",`
	`4`	`+ "version": "1.4.5",`
`5`	`5`	`"description": "Web-Frontend for Cryptomator Hub",`
`6`	`6`	`"author": "Skymatic GmbH",`
`7`	`7`	`"license": "AGPL-3.0-or-later",`