Authentication and API
The frontend authenticates users with OIDC and then uses the resulting bearer token to call the backend API.
OIDC configuration
The app configures oidc-client-ts with:
authorityfromVITE_OIDC_AUTHORITYclient_idfromVITE_OIDC_CLIENT_ID, defaulting tocodecurate-frontendresponse_typefixed tocodescopefromVITE_OIDC_SCOPE, defaulting toopenid profile email- redirect URIs derived from the browser origin unless explicit variables override them
- local storage as the browser-side user store
- automatic silent renew enabled
Login flow
The protected route guard is RequireAuth.
Behavior:
- wait for
AuthContextto finish initial session resolution - if a valid non-expired user exists, render the protected app
- if no valid user exists, trigger
signinRedirect - throttle redirects to reduce tight redirect loops during misconfiguration or callback failure
The app stores the intended return path before redirecting so users land back on the page they were trying to reach.
Callback flow
/auth/callback completes the OIDC redirect flow by calling signinRedirectCallback().
On success it:
- clears auth redirect bookkeeping from session storage
- restores the stored
returnToroute if present - otherwise sends the user to
/
On failure it:
- records a callback error timestamp to help throttle loops
- logs the error to the console
- navigates back to the stored destination or
/
Silent renew and token expiry handling
The app enables automaticSilentRenew and also handles expiry events in AuthContext.
When a token is expiring or expired, the frontend tries to renew silently. If renewal succeeds, the current access token is refreshed in the token store. If it fails, the app does not immediately hard-fail the session; instead, unauthorized API responses trigger the next step in the recovery flow.
API client structure
Most backend integration goes through the generated OpenAPI client under src/api.
The shared createApiConfiguration() function sets:
basePathfromVITE_API_BASE_URLor its default- a pre-request middleware that attaches the
Authorizationheader when a token exists - a post-response middleware that retries one
401after silent renew - an interactive login redirect when renewal cannot recover the session
Unauthorized retry behavior
When the backend returns 401:
- the middleware checks whether the request has already been retried
- it attempts silent renew
- if a new token is available, it retries the request once
- if retry is impossible or still unauthorized, it removes the local user and redirects to login
This is a practical middle layer between passive token expiry handling and a full session reset.
Custom request paths
Two areas use direct fetch helpers instead of generated client methods alone.
Uploads
src/services/media.ts uses fetch with FormData to send multipart uploads to /media/upload.
This helper:
- requires a bearer token
- attaches
path, optionalsubfolder, and one or morefiles - normalizes the response into
uploaded_files,skipped_files, andfailed_files
Downloads
Downloads are a two-step flow:
- request a ticket from
/media/download-ticketwith bearer auth - construct the anonymous
/media/downloadURL withpathandticket
The frontend then triggers a browser download by creating a temporary anchor element.
Service-layer responsibilities
The service files are intentionally thin:
media.ts: rename, delete, download, upload, and total count helperscommands.ts: preset CRUD, run command, list processes, kill, remove, clear completedcompare.ts: metadata compare, VMAF jobs, and compare historyobtain.ts: obtain list CRUD, TMDB search, titles, translations, and file-path helpers
That keeps most pages focused on UI flow while preserving one place to normalize API error messages.
Backend coupling to keep in mind
The frontend assumes the backend rules already documented in the backend section, especially:
- JWT bearer auth plus allowed-client enforcement
- secure download ticket flow
- queue-based command and VMAF execution
- query and filter behavior for media browsing
Related backend pages: