
Auth: hbf-console

How this application handles authentication. Full flows: docs/architecture/auth-flows.md

This is a React SPA (browser application), not a backend service.

Tokens This Service Accepts

N/A. This is a frontend application. It does not expose an API or validate incoming tokens.

Tokens This Service Sends

| Calling | Token used | How attached |
| --- | --- | --- |
| hbf-core (all authenticated API calls) | User JWT from localStorage (hbf/token) | Authorization: Bearer <token> header, added by the fetch interceptor in _fetch.js. Skipped when withAuth: false (login, registration). |

Tokens This Service Issues

None.

Token Storage

All auth state is stored in localStorage under the following keys:

| Key | Contents |
| --- | --- |
| hbf/token | User JWT |
| hbf/rfr | Refresh token |
| hbf/user | Serialized user JSON |
| hbf/orgId | Currently selected organization ID |

Note that localStorage is readable by any script running on the console's origin and persists until explicitly cleared, so an XSS in the console (or in a third-party script it loads) can read both the JWT and the refresh token.

Login Flow

  1. User submits credentials (or initiates OAuth) on the login page.
  2. Console calls POST /login on hbf-core (or /login/google, /login/microsoft, /login/teams, /login/integration).
  3. Response: { token, refreshToken, user }.
  4. All three values are written to localStorage (hbf/token, hbf/rfr, hbf/user) and Redux state is hydrated from them.

Supported login methods: email/password, Google OAuth, Microsoft OAuth, Teams, OIDC/custom integrations.
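The Bearer injection described under "Tokens This Service Sends" and the login write-out above, as an added example. This is not hbf-console's own _fetch.js or login code; the JSON request/response shapes, the base URL, the MemoryStorage stand-in for localStorage and the fake hbf-core are all assumptions so that it runs outside a browser.

```javascript
// Added example, not hbf-console's _fetch.js: a fetch wrapper that attaches the
// stored JWT as a Bearer header unless withAuth: false, and a login() that
// writes the token/refreshToken/user triple to the three localStorage keys.
// Assumed here: the JSON request/response shapes, the base URL, and the
// injected storage/fetch stand-ins that let this run outside a browser.

const TOKEN_KEY = 'hbf/token';
const REFRESH_KEY = 'hbf/rfr';
const USER_KEY = 'hbf/user';

// Minimal localStorage stand-in (constructed for this example).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Headers for one request. withAuth defaults to true; login and registration
// pass withAuth: false so a stale token from a previous session is never sent.
function buildHeaders(storage, { withAuth = true } = {}) {
  const headers = { 'Content-Type': 'application/json' };
  if (withAuth) {
    const token = storage.getItem(TOKEN_KEY);
    if (token) headers.Authorization = `Bearer ${token}`;
  }
  return headers;
}

// The interceptor: every call to hbf-core goes through here.
function apiFetch(fetchImpl, storage, baseUrl, path, { method = 'GET', body, withAuth = true } = {}) {
  return fetchImpl(baseUrl + path, {
    method,
    headers: buildHeaders(storage, { withAuth }),
    body: body === undefined ? undefined : JSON.stringify(body),
  });
}

// Login flow: POST /login without a Bearer header, then persist all three
// values. hbf/user is stored as serialized JSON.
async function login(fetchImpl, storage, baseUrl, credentials) {
  const res = await apiFetch(fetchImpl, storage, baseUrl, '/login', {
    method: 'POST', body: credentials, withAuth: false,
  });
  if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
  const { token, refreshToken, user } = await res.json();
  storage.setItem(TOKEN_KEY, token);
  storage.setItem(REFRESH_KEY, refreshToken);
  storage.setItem(USER_KEY, JSON.stringify(user));
  return user;
}

// Constructed fake hbf-core: records each request and answers /login with a
// fixed (not real) token triple.
function makeFakeCore() {
  const seen = [];
  const fetchImpl = async (url, init) => {
    seen.push({ url, init });
    const body = url.endsWith('/login')
      ? { token: 'jwt-abc', refreshToken: 'rfr-xyz', user: { id: 7, email: 'a@example.com' } }
      : { ok: true };
    return { ok: true, status: 200, json: async () => body };
  };
  return { fetchImpl, seen };
}

// Walk-through: a stale token is present, login must not send it; afterwards
// an ordinary call carries the freshly stored JWT.
async function demo() {
  const storage = new MemoryStorage();
  const core = makeFakeCore();
  const baseUrl = 'https://hbf-core.example';  // assumed
  storage.setItem(TOKEN_KEY, 'stale-from-last-session');
  const user = await login(core.fetchImpl, storage, baseUrl, { email: 'a@example.com', password: 'correct horse' });
  await apiFetch(core.fetchImpl, storage, baseUrl, '/me');
  return {
    user,
    loginAuthHeader: core.seen[0].init.headers.Authorization,  // undefined: withAuth false
    meAuthHeader: core.seen[1].init.headers.Authorization,     // 'Bearer jwt-abc'
    storedRefresh: storage.getItem(REFRESH_KEY),
  };
}
```

The point of passing withAuth: false on /login is visible in demo(): even with a leftover token in storage, the login request goes out without an Authorization header, and only after the response is stored does the next request carry the new one.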

Token Refresh

  • A timer fires every hour (REFRESH_TOKEN_INTERVAL_MILLISECONDS = 3600000).
  • On each tick, if the current JWT is about to expire, the console calls POST /login/refresh on hbf-core; otherwise nothing happens until the next tick.
  • If /login/refresh returns 401 (expired refresh token): all four localStorage auth keys are cleared, Redux state is reset, and the user is redirected to /login.
  • Because the expiry check runs only on the tick, the "about to expire" window has to cover at least the interval; a JWT outside the window at one tick but with less than an hour left can otherwise lapse before the next tick.

Protected Routes

  • The PrivateRoute component checks isAuthenticated, which is derived from !!currentUser in Redux (currentUser is hydrated from the hbf/user value stored at login).
  • Unauthenticated users are redirected to /login.
  • This is a rendering gate only: it does not prove the stored JWT is still valid, and every request a protected page makes is still authenticated by hbf-core.

Roles / Scopes Enforced

Client-side role checks decode the JWT payload (the middle segment) and read the authorities array. That segment is base64url-encoded, not plain base64: '-' and '_' have to be mapped back to '+' and '/' and the padding restored before a standard decoder will accept it. The signature is not checked in the browser, so this controls UI visibility only; actual enforcement happens server-side in hbf-core.
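The payload decode behind the role check above and the hourly refresh logic from the Token Refresh section share the same piece of code, so one added example covers both. It is not hbf-console's own code; the 5-minute expiry window, the numeric `exp` claim, the refresh request shape (refresh token in the JSON body), the unsigned test tokens and the injected storage/fetch/navigate stand-ins are assumptions.

```javascript
// Added example, not hbf-console's own code: the unverified JWT payload decode
// behind the client-side checks, the "about to expire" test the hourly timer
// relies on, the refresh call with its 401 sign-out, and the authorities lookup.
// Assumed here: a 5-minute expiry window, a numeric `exp` claim in seconds,
// the refresh request shape (refresh token in the JSON body), and injected
// storage/fetch/navigate stand-ins so this runs outside a browser.

const AUTH_KEYS = ['hbf/token', 'hbf/rfr', 'hbf/user', 'hbf/orgId'];
const REFRESH_TOKEN_INTERVAL_MILLISECONDS = 3600000;
const EXPIRY_WINDOW_MS = 5 * 60 * 1000;  // assumed "about to expire" window

// JWT segments are base64url (RFC 7515): '-' and '_' instead of '+' and '/',
// and no '=' padding, so atob() on the raw segment can throw. Map the alphabet
// back, restore padding, then decode the bytes as UTF-8.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Reads the middle segment WITHOUT checking the signature: fine for deciding
// what to render, never for authorization.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try { return JSON.parse(base64UrlDecode(parts[1])); } catch { return null; }
}

// Undecodable tokens or a missing exp count as expiring, so the timer refreshes.
function isExpiringSoon(token, nowMs = Date.now(), windowMs = EXPIRY_WINDOW_MS) {
  const claims = decodeJwtPayload(token);
  if (!claims || typeof claims.exp !== 'number') return true;
  return claims.exp * 1000 - nowMs <= windowMs;
}

// UI-only role check against the authorities array.
function hasAuthority(token, authority) {
  const claims = decodeJwtPayload(token);
  return Array.isArray(claims && claims.authorities) && claims.authorities.includes(authority);
}

// Local sign-out: drop every auth key, then navigate. The Redux reset is
// represented by the injected navigate callback.
function signOutLocally(storage, navigate) {
  for (const key of AUTH_KEYS) storage.removeItem(key);
  navigate('/login');
}

// One tick of the hourly timer.
async function refreshIfExpiring({ storage, fetchImpl, baseUrl, navigate, nowMs = Date.now() }) {
  const token = storage.getItem('hbf/token');
  if (!token || !isExpiringSoon(token, nowMs)) return 'skipped';
  const res = await fetchImpl(baseUrl + '/login/refresh', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ refreshToken: storage.getItem('hbf/rfr') }),  // assumed shape
  });
  if (res.status === 401) { signOutLocally(storage, navigate); return 'signed-out'; }
  if (!res.ok) return 'error';  // transient failure: keep the token, retry next tick
  const { token: newToken, refreshToken } = await res.json();
  storage.setItem('hbf/token', newToken);
  if (refreshToken) storage.setItem('hbf/rfr', refreshToken);
  return 'refreshed';
}

function startRefreshTimer(deps) {
  return setInterval(() => { refreshIfExpiring(deps); }, REFRESH_TOKEN_INTERVAL_MILLISECONDS);
}

// Constructed fixture: an unsigned (alg "none") JWT carrying the given claims.
function makeUnsignedJwt(claims) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// Walk-through: a token 2 minutes from expiry is refreshed; a later tick with
// an expired refresh token hits the 401 path and clears everything.
async function demo() {
  const mem = new Map();
  const storage = { getItem: (k) => (mem.has(k) ? mem.get(k) : null), setItem: (k, v) => mem.set(k, String(v)), removeItem: (k) => mem.delete(k) };
  const visited = [];
  const nowMs = 1700000000000;
  const fetchImpl = async (url, init) => JSON.parse(init.body).refreshToken === 'rfr-good'
    ? { ok: true, status: 200, json: async () => ({ token: makeUnsignedJwt({ exp: nowMs / 1000 + 3600, authorities: ['ROLE_ADMIN'] }), refreshToken: 'rfr-good-2' }) }
    : { ok: false, status: 401, json: async () => ({}) };
  const deps = { storage, fetchImpl, baseUrl: 'https://hbf-core.example', navigate: (p) => visited.push(p), nowMs };
  storage.setItem('hbf/token', makeUnsignedJwt({ exp: nowMs / 1000 + 120, authorities: ['ROLE_USER'] }));
  storage.setItem('hbf/rfr', 'rfr-good');
  storage.setItem('hbf/orgId', '42');
  const first = await refreshIfExpiring(deps);   // 'refreshed'
  const adminAfter = hasAuthority(storage.getItem('hbf/token'), 'ROLE_ADMIN');  // true
  const second = await refreshIfExpiring(deps);  // 'skipped': new token has an hour left
  storage.setItem('hbf/token', makeUnsignedJwt({ exp: nowMs / 1000 - 1 }));  // already expired
  storage.setItem('hbf/rfr', 'rfr-expired');
  const third = await refreshIfExpiring(deps);   // 'signed-out'
  return { first, adminAfter, second, third, orgLeft: storage.getItem('hbf/orgId'), visited };
}
```

Two things worth noticing: hasAuthority() happily returns true for the unsigned alg "none" token the fixture builds, which is exactly why the decoded authorities can only ever drive UI visibility; and refreshIfExpiring() treats a token it cannot decode as expiring rather than skipping it, so a corrupted hbf/token value ends in the 401 sign-out path instead of a silent stall.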

Auth Notes

  • Logout calls POST /logout on hbf-core, then clears localStorage and Redux state before redirecting to /login.
  • OIDC auto-login is supported: if only a single integration is enabled, the user is redirected automatically.
  • Organization switching updates the hbf/orgId localStorage key.
  • A "LiveChat-only" console mode exists that filters visible organizations to those with livechat access.