Auth integration (advanced)

Architecture

Design rules

  1. OIDC in the browser — react-oidc-context + optional same-origin metadata proxy.
  2. BFF session — Tokens exchanged for HttpOnly cookies; avoid new localStorage token storage.
  3. CheckToken shell — Gates UI until GET /api/auth/session succeeds.
  4. Server enforcement — APIs and BFF must authorize; client gate is UX only.
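Rules 2 to 4 fit together as one request flow on the BFF side. The following is an added example, not code from @sumx/ssr-auth-core or the portal: a minimal in-memory BFF that stores the OIDC tokens server-side, hands the browser only an opaque HttpOnly cookie, answers `GET /api/auth/session` for the CheckToken shell, and re-checks the session on every protected route regardless of what the client gate showed. The cookie name, the in-memory store and the deterministic session ids are hypothetical choices for this example; a real BFF would use a shared store and a CSPRNG.

```typescript
// Added example (not @sumx/ssr-auth-core code). Names are hypothetical.

export interface SessionRecord {
  subject: string;     // OIDC `sub` claim
  accessToken: string; // kept server-side only, never sent to the browser
  expiresAt: number;   // epoch milliseconds
}

export interface BffResponse {
  status: number;
  headers: Record<string, string>;
  body: unknown;
}

// Opaque session id -> server-held tokens. Production would use Redis or similar.
const sessions = new Map<string, SessionRecord>();

// Deterministic ids so the example is reproducible; use crypto.randomUUID() in production.
let counter = 0;
export function newSessionId(): string {
  counter += 1;
  return `sess-${counter.toString(16).padStart(8, "0")}`;
}

// HttpOnly keeps the cookie out of document.cookie, Secure limits it to HTTPS,
// SameSite=Lax blocks most cross-site sends; the __Host- prefix pins Path=/ and no Domain.
export function sessionCookie(id: string, maxAgeSeconds: number): string {
  return [
    `__Host-bff_session=${id}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
  ].join("; ");
}

// Parse a raw Cookie (or Set-Cookie) header into a name -> value map.
export function parseCookies(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Rule 2: after the OIDC callback the BFF keeps the tokens and returns only an opaque cookie.
export function completeLogin(subject: string, accessToken: string, ttlSeconds: number, now: number = Date.now()): BffResponse {
  const id = newSessionId();
  sessions.set(id, { subject, accessToken, expiresAt: now + ttlSeconds * 1000 });
  return { status: 204, headers: { "Set-Cookie": sessionCookie(id, ttlSeconds) }, body: null };
}

// Resolve the session behind a request's Cookie header; undefined when absent or expired.
export function resolveSession(cookieHeader: string | undefined, now: number = Date.now()): SessionRecord | undefined {
  const id = parseCookies(cookieHeader)["__Host-bff_session"];
  if (!id) return undefined;
  const rec = sessions.get(id);
  if (!rec) return undefined;
  if (rec.expiresAt <= now) {
    sessions.delete(id); // expired sessions are purged, never honoured
    return undefined;
  }
  return rec;
}

// Rule 3: what GET /api/auth/session returns to the CheckToken shell.
export function handleSession(cookieHeader: string | undefined, now: number = Date.now()): BffResponse {
  const rec = resolveSession(cookieHeader, now);
  if (!rec) return { status: 401, headers: {}, body: { error: "no_session" } };
  return { status: 200, headers: {}, body: { subject: rec.subject, expiresAt: rec.expiresAt } };
}

// Rule 4: every protected route authorizes on the server; the client gate is UX only.
export function handleProtected(cookieHeader: string | undefined, now: number = Date.now()): BffResponse {
  const rec = resolveSession(cookieHeader, now);
  if (!rec) return { status: 401, headers: {}, body: { error: "unauthorized" } };
  // An upstream call would add `Authorization: Bearer ${rec.accessToken}` here, server-side only.
  return { status: 200, headers: {}, body: { hello: rec.subject } };
}
```

The point to notice is that `handleProtected` never trusts anything the client asserts about its own state: the only input is the cookie, and an expired or unknown session yields 401 even if the CheckToken shell in that tab still shows the app.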

CheckTokenDeps

The host app implements CheckTokenPortalDeps:

  • getPublicEnv, cookieUtils, useQueryClient
  • fetchUserProfile, getProfile, permission query key
  • Zustand stores for login / permissions / global filter

See the portal's build-check-token-portal-deps.ts.

Return path

Use @sumx/ssr-auth-core/return-path for allowlisted redirects after login. Never redirect to arbitrary ?return= URLs without validation.
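As an added illustration of what "allowlisted redirect" means in practice (this is example code, not the @sumx/ssr-auth-core/return-path API, and the policy object and prefix list are hypothetical), the validator below accepts only rooted, same-origin paths under a known prefix and falls back to `/` for everything else, including protocol-relative URLs, absolute URLs, backslash tricks, `..` traversal out of the allowed area and control characters:

```typescript
// Added example (not the @sumx/ssr-auth-core/return-path API). Hypothetical names.

export interface ReturnPathPolicy {
  fallback: string;          // where to go when the candidate is rejected
  allowedPrefixes: string[]; // path prefixes the app is willing to return to
}

// Hypothetical policy for this example.
export const defaultPolicy: ReturnPathPolicy = {
  fallback: "/",
  allowedPrefixes: ["/dashboard", "/reports", "/settings"],
};

export function safeReturnPath(candidate: string | null | undefined, policy: ReturnPathPolicy = defaultPolicy): string {
  if (!candidate) return policy.fallback;

  // Decode exactly once. A double-encoded value ("%252F...") decodes to "%2F..."
  // which does not start with "/" and is rejected below.
  let decoded: string;
  try {
    decoded = decodeURIComponent(candidate);
  } catch {
    return policy.fallback; // malformed percent-encoding
  }

  // Only a single-slash-rooted relative path is acceptable:
  //   "//evil.example"  protocol-relative URL, the browser leaves the origin
  //   "/\\evil.example" browsers normalise backslash to slash in special schemes
  //   "https://..."     absolute URL
  if (!decoded.startsWith("/") || decoded.startsWith("//") || decoded.startsWith("/\\")) {
    return policy.fallback;
  }
  // Control characters and whitespace have no place in a redirect target.
  if (/[\u0000-\u001f\u007f\s]/.test(decoded)) return policy.fallback;

  // Let the URL parser normalise "." and ".." segments against a dummy origin,
  // then confirm the result is still on that origin.
  const base = "https://placeholder.invalid";
  const parsed = new URL(decoded, base);
  if (parsed.origin !== base) return policy.fallback;

  const path = parsed.pathname;
  const allowed = policy.allowedPrefixes.some(
    (p) => path === p || path.startsWith(p.endsWith("/") ? p : p + "/"),
  );
  if (!allowed) return policy.fallback;

  // Query and fragment are kept only once the path itself passed the allowlist.
  return path + parsed.search + parsed.hash;
}
```

Prefix matching is done on whole path segments (`/dashboard/...`, not `/dashboardx`), and normalisation happens before the allowlist check so `/dashboard/../../admin` is judged as `/admin`.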

Cross-tab session

When one tab logs out, others show the session timeout dialog (CheckTokenCrossTabSessionDialog via @sumx/ui).
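To show the mechanism behind that behaviour, here is an added example (not the @sumx/ui CheckTokenCrossTabSessionDialog implementation, and the class, message shape and fake bus are hypothetical): the tab that logs out posts a message on a shared channel, and every other tab reacts by opening its timeout dialog once. The channel is injected as the structural subset of BroadcastChannel the class needs, so the same class runs against an in-memory bus here and against a real BroadcastChannel in the browser.

```typescript
// Added example (not @sumx/ui code). Hypothetical names.

export interface SessionMessage {
  type: "logout";
  at: number;    // epoch ms when the originating tab logged out
  tabId: string; // sender, so a tab can ignore its own broadcast
}

// Structural subset of BroadcastChannel that CrossTabSession uses.
export interface MessageChannelLike {
  postMessage(msg: SessionMessage): void;
  onmessage: ((ev: { data: SessionMessage }) => void) | null;
}

export class CrossTabSession {
  private dialogShown = false;

  constructor(
    private readonly tabId: string,
    private readonly channel: MessageChannelLike,
    private readonly showTimeoutDialog: () => void,
  ) {
    channel.onmessage = (ev) => this.handle(ev.data);
  }

  // Called in the tab where the user actually logged out.
  logout(now: number = Date.now()): void {
    this.channel.postMessage({ type: "logout", at: now, tabId: this.tabId });
  }

  hasShownDialog(): boolean {
    return this.dialogShown;
  }

  private handle(msg: SessionMessage): void {
    // Ignore malformed data, our own message, and repeats once the dialog is up.
    if (!msg || msg.type !== "logout" || msg.tabId === this.tabId || this.dialogShown) return;
    this.dialogShown = true;
    this.showTimeoutDialog();
  }
}

// In-memory stand-in for BroadcastChannel: like the real thing, a post is
// delivered to every other channel on the bus but not back to the sender.
export class FakeBus {
  private channels: FakeChannel[] = [];
  open(): FakeChannel {
    const ch = new FakeChannel(this);
    this.channels.push(ch);
    return ch;
  }
  deliver(from: FakeChannel, msg: SessionMessage): void {
    for (const ch of this.channels) {
      if (ch !== from && ch.onmessage) ch.onmessage({ data: msg });
    }
  }
}

export class FakeChannel implements MessageChannelLike {
  onmessage: ((ev: { data: SessionMessage }) => void) | null = null;
  constructor(private readonly bus: FakeBus) {}
  postMessage(msg: SessionMessage): void {
    this.bus.deliver(this, msg);
  }
}

// Three tabs share one bus; the first logs out, the others get the dialog.
export function demo(): { shown: string[]; originShown: boolean } {
  const bus = new FakeBus();
  const shown: string[] = [];
  const a = new CrossTabSession("tab-a", bus.open(), () => { shown.push("tab-a"); });
  const b = new CrossTabSession("tab-b", bus.open(), () => { shown.push("tab-b"); });
  const c = new CrossTabSession("tab-c", bus.open(), () => { shown.push("tab-c"); });
  a.logout(1700000000000);
  a.logout(1700000001000); // a second broadcast must not reopen dialogs
  return { shown, originShown: a.hasShownDialog() || !b.hasShownDialog() || !c.hasShownDialog() };
}
```

Showing the dialog in the receiving tabs rather than silently redirecting them keeps the BFF as the source of truth: the next `GET /api/auth/session` from any tab still fails server-side, and the dialog only explains to the user why.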

Migrating from copied vendor code

Replace src/hoc/check-token/** with package imports plus a thin build-check-token-portal-deps.ts. Delete the duplicated OIDC/cookie helpers that now live in @sumx/ssr-auth-core.

Legacy snapshot: packages/portal-auth-vendor (reference only, not published).