From b9442c98ad47d8fa66d672573791483ece73d5c0 Mon Sep 17 00:00:00 2001
From: Karl Persson
Date: Wed, 5 Jul 2023 17:08:49 +0200
Subject: [PATCH] AuthN: Fix url token auth when clientTokenRotation is enabled (#71073)

* ContextSrv: No longer try to rotate token if we are using auth_token in url
Also extract the logic to check if we should schedule the job into its own function
---
 public/app/core/services/context_srv.ts | 34 +++++++++++++++++++++----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/public/app/core/services/context_srv.ts b/public/app/core/services/context_srv.ts
index 52ba18b85ae..cddbc01ca76 100644
--- a/public/app/core/services/context_srv.ts
+++ b/public/app/core/services/context_srv.ts
@@ -89,7 +89,7 @@ export class ContextSrv {
     this.hasEditPermissionInFolders = this.user.hasEditPermissionInFolders;
     this.minRefreshInterval = config.minRefreshInterval;
 
-    if (this.isSignedIn) {
+    if (this.canScheduleRotation()) {
       this.scheduleTokenRotationJob();
     }
   }
@@ -206,10 +206,8 @@ export class ContextSrv {
 
   // schedules a job to perform token ration in the background
   private scheduleTokenRotationJob() {
-    const urlParams = new URLSearchParams(window.location.search);
-    const isRenderRequest = !!urlParams.get('render');
-    // only schedule job if feature toggle is enabled, user is signed in and it's not a render request
-    if (config.featureToggles.clientTokenRotation && this.isSignedIn && !isRenderRequest) {
+    // check if we can schedula the token rotation job
+    if (this.canScheduleRotation()) {
       // get the time token is going to expire
       let expires = this.getSessionExpiry();
 
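Review bot: The added comment in the second hunk has a typo, `// check if we can schedula the token rotation job`; it should read `// check if we can schedule the token rotation job`. Since the constructor in the first hunk already guards the call with `canScheduleRotation()`, the repeated check here only matters for callers other than the constructor, which is worth stating in the comment so the next reader does not remove one of the two as redundant, e.g. `// re-checked here because this job is also re-scheduled after each rotation`. The body of scheduleTokenRotationJob continues past the end of the hunk.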
@@ -241,6 +239,32 @@ export class ContextSrv {
     }
   }
 
+  private canScheduleRotation() {
+    // skip if user is not signed in, this happens on login page or when using anonymous auth
+    if (!this.isSignedIn) {
+      return false;
+    }
+
+    // skip if feature toggle is not enabled
+    if (!config.featureToggles.clientTokenRotation) {
+      return false;
+    }
+
+    const params = new URLSearchParams(window.location.search);
+
+    // skip if this is a render request
+    if (!!params.get('render')) {
+      return false;
+    }
+
+    // skip if we are using auth_token in url
+    if (!!params.get('auth_token')) {
+      return false;
+    }
+
+    return true;
+  }
+
   private cancelTokenRotationJob() {
     if (config.featureToggles.clientTokenRotation && this.tokenRotationJobId > 0) {
       clearTimeout(this.tokenRotationJobId);
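Review bot: The `!!` in `if (!!params.get('render'))` and `if (!!params.get('auth_token'))` is redundant inside an `if` condition; `if (params.get('auth_token'))` behaves identically, and if the intent is "skip whenever the parameter is present at all" then `params.has('auth_token')` says so directly. The two forms differ only for an empty value such as `?auth_token=`, where `get` returns `''` (falsy, rotation still scheduled) while `has` returns true; the commit message suggests presence is what matters, so `has` looks like the safer reading, but that is an inference. The new method also lacks a doc comment; I would add `// returns true when a background token rotation job should be scheduled: the user is signed in, the clientTokenRotation toggle is on, and the page is neither a render request nor authenticated via an auth_token url parameter` above `private canScheduleRotation() {`.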