Fix session timeout warning #1576
Three bugs in the session-timeout warning introduced by #1557:

1. selectSessionTimeout selector used ?? 86400 as fallback — if the backend omits sessionTimeout (old operator), the modal activated with a spurious 24 h timeout instead of staying disabled. Changed to ?? -1 so the modal only activates when the backend explicitly provides a positive value.
2. The idle timer reset on UI events (mousemove/click/keydown) but not on authenticated HTTP requests. The OAuth proxy refreshes the session cookie on every request (including background workspace polling), so the JS clock diverged from the real session expiry. Added an Axios response interceptor that resets the idle timer on each successful response, keeping both clocks in sync.
3. Sessions shorter than 90 s leave less than 30 s of usable warning time (WARNING_LEAD_SECONDS = 60). Added a MIN_SESSION_TIMEOUT_SECONDS = 90 guard that suppresses the modal for such short timeouts.

Assisted-by: Claude Sonnet 4.5
Signed-off-by: Oleksii Orel <oorel@redhat.com>
Users reported session expiry while actively using the dashboard (mousemove, keydown, click). Activity events reset the JS idle timer but do NOT refresh the actual OAuth cookie — so sessions could silently expire on pages with no background API requests (e.g. GitConfig tab).

Add a throttled keep-alive mechanism in the activity handler:

- Compute keepAliveThresholdMs = max(30, (sessionTimeout-60)/2)*1000. For a 120 s session this is 30 s; for a 24 h session ~12 h.
- On every activity event, capture elapsed time since the last idle-timer reset, then synchronously restart the JS idle timer.
- If elapsed >= threshold, ALSO fire a silent GET /dashboard/api/user/id. The OAuth proxy refreshes the session cookie on this request and the Axios response interceptor resets the idle timer from that point.

Result: active users on pages with no polling never see unexpected sign-outs; the warning modal only appears for truly idle sessions.

Also add MIN_SESSION_TIMEOUT_SECONDS = 90 guard to suppress the modal for sessions that are too short to show a meaningful warning.

Assisted-by: Claude Sonnet 4.5
Signed-off-by: Oleksii Orel <oorel@redhat.com>
- /dashboard/api/user/id does not exist in the dashboard backend (404); the Axios success interceptor never fired so keep-alive was a no-op.
- Split keep-alive into backgroundPing (silent, no Redux dispatch) and pingKeepAlive (explicit extend via onExtend, dispatches serverConfigReceiveAction to keep sessionTimeout in sync). Avoids unexpected config-driven UI changes mid-session from background pings.
- isPingingRef guard prevents concurrent background pings from rapid activity events near the threshold.
- Move the response interceptor from the default axios instance to getAxiosInstance() — all dashboard API calls use the shared instance.
- Move AUTO_EXTEND_BUFFER_SECONDS to module-level constant.
- MIN_SESSION_TIMEOUT_SECONDS = 90 ensures keepAliveThresholdMs is always positive.
- Log keep-alive errors with console.warn instead of silencing them.
- Interceptor is installed only when sessionTimeout >= 90 s (disabled sessions skip the useEffect body entirely).
- 3 new tests: interceptor-not-installed-when-disabled, concurrent-ping guard, background-ping uses fetchServerConfig.

Assisted-by: Claude Sonnet 4.5
Signed-off-by: Oleksii Orel <oorel@redhat.com>
9f62345 to
36fb786
Docker image build succeeded: quay.io/eclipse/che-dashboard:pr-1576 (linux/amd64, linux/arm64)

kubectl patch command:

```sh
# JSON patch must be valid JSON, single-quoted so the shell passes it through intact
kubectl patch -n eclipse-che "checluster/eclipse-che" --type=json \
  -p='[{"op": "replace", "path": "/spec/components/dashboard/deployment", "value": {"containers": [{"image": "quay.io/eclipse/che-dashboard:pr-1576", "name": "che-dashboard"}]}}]'
```
@olexii4: The following test failed, say
@SkorikSergey please take a look
SkorikSergey left a comment
Looks good to merge.
@SkorikSergey: changing LGTM is restricted to collaborators

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: olexii4, SkorikSergey, svor
What does this PR do?
Fixes several bugs in the session-timeout warning modal (#1557) and adds silent
auto-extend for active users so they never experience unexpected sign-outs.
Bug 1 — Wrong selector fallback

`selectSessionTimeout` used `?? 86400` — if the backend omits `sessionTimeout`, the modal activated with a 24 h timeout instead of staying disabled. Changed to `?? -1`.

Bug 2 — JS idle timer vs OAuth cookie mismatch

The hook reset the idle timer on UI events (`mousemove`, `keydown`, …) but the OAuth cookie is refreshed by HTTP requests through the gateway (including background workspace polling). Added an Axios response interceptor that calls `startIdleTimer()` on every successful response, keeping both clocks in sync.

Bug 3 — No guard for very short sessions

Added `MIN_SESSION_TIMEOUT_SECONDS = 90`. The modal is suppressed for sessions shorter than 90 s (< 30 s of warning time — not useful).

Bug 4 — Broken keep-alive URL

`KEEP_ALIVE_URL` was set to `/dashboard/api/server-config`, which always returns 200, is a lightweight read, and passes through the OAuth proxy (which refreshes the session cookie on the request).

Screenshot/screencast of this PR
What issues does this PR fix or reference?
Is it tested? How?
```sh
kubectl patch checluster/eclipse-che -n eclipse-che --type=merge \
  -p '{"spec":{"networking":{"auth":{"gateway":{"oAuthProxy":{"cookieExpireSeconds":120}}}}}}'
```

Modal appears at 60 s; sign-out at 120 s.

No modal; session silently extended every time idle exceeds 45 s.
Release Notes
Docs PR
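
The timing rules described in the commit messages and PR description above (selector fallback, 90 s minimum, keep-alive threshold, concurrent-ping guard), as an added JavaScript example that is not code from this PR or from the che-dashboard project. The constant names and the threshold formula come from the PR text; `createIdleTracker`, its `ping` callback and the injectable `now` clock are assumptions made for illustration.

```javascript
// Added illustration: constant names follow the PR text; the rest is hypothetical.
const WARNING_LEAD_SECONDS = 60;
const MIN_SESSION_TIMEOUT_SECONDS = 90;

// Bug 1: a missing sessionTimeout yields -1 (disabled), never a 24 h default.
function selectSessionTimeout(serverConfig) {
  return serverConfig?.sessionTimeout ?? -1;
}

// Bug 3: below 90 s fewer than 30 s of warning time remain, so stay disabled.
function isWarningEnabled(sessionTimeout) {
  return sessionTimeout >= MIN_SESSION_TIMEOUT_SECONDS;
}

// Threshold formula quoted in the second commit message.
function keepAliveThresholdMs(sessionTimeout) {
  return Math.max(30, (sessionTimeout - WARNING_LEAD_SECONDS) / 2) * 1000;
}

// `ping` stands in for the silent request through the OAuth proxy;
// `now` is an injectable clock so the logic can be exercised without waiting.
function createIdleTracker(sessionTimeout, ping, now = Date.now) {
  if (!isWarningEnabled(sessionTimeout)) return null;
  const thresholdMs = keepAliveThresholdMs(sessionTimeout);
  let lastReset = now();
  let pinging = false;
  return {
    // UI activity: restart the JS clock at once, ping only past the threshold.
    onActivity() {
      const t = now();
      const elapsed = t - lastReset;
      lastReset = t;
      if (elapsed < thresholdMs || pinging) return false;
      pinging = true; // guard against concurrent pings
      Promise.resolve().then(ping)
        .then(() => { lastReset = now(); })
        .catch((err) => console.warn('keep-alive failed:', err))
        .finally(() => { pinging = false; });
      return true;
    },
    // Response interceptor hook: a successful response refreshed the cookie.
    onResponse() { lastReset = now(); },
    secondsUntilWarning() {
      return sessionTimeout - WARNING_LEAD_SECONDS - (now() - lastReset) / 1000;
    },
  };
}
```

`onActivity()` returns `true` only when it actually started a ping, which makes the throttle and the in-flight guard observable from a unit test with a fake clock.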