UI token refreshing

[foot]

Closes #3832

What changed?

Token refreshing is now handled by the UI, not in-request by the server.

Why was this change made?

We cannot lock the refresh process on the server well, new requests will still come in and re-trigger it etc.

How was this change implemented?

Add more logic the UI to deal with expired tokens

• Extend the UnAuthorizedInterceptor to try and refresh the token if we get a 401
• Keep track of inflight tokenRefreshes so we only have a single one at a time
• Wait for token refresh to complete before retrying requests

On the server we remove the inline token refresh logic

How did you validate the change?

Manual testing mainly:

1. Setup up weave-gitops + OIDC w/ a provider that supports offline-access
2. Login
3. delete id_token cookie
4. Watch 401s return and a single refresh request made that restores the id_token

kind create cluster
kubectl create secret generic oidc-auth \
  --namespace default \
  --from-literal=issuerURL=<your-issuer-url> \
  --from-literal=clientID=<your-client-id> \
  --from-literal=clientSecret=<your-oidc-client-secret> \
  --from-literal=redirectURL=http://localhost:4567/oauth2/callback
FAST_AND_FURIOUSER=1 SKIP_UI_BUILD=1 tilt up

npm install
npm start
open http://localhost:4567

Waterfall

Note 401s, single refresh, immediately followed by the 200s

Follow ups:

• The refresh token navigates away, but resolves the promise, it perhaps should not do that, so no new requests start.
• /userinfo should also be wrapped by the unauth'dwrapper the UI too, its the first endpoint we hit when loading the UI to see if the user is logged in. We don't do this yet, so if you have a refresh-token and navigate to the UI fresh, we don't try and get you a new token right now.

[bigkevmcd]

This looks great!

[AlinaGoaga]

Looks great, tested locally and it's working as expected!