Improve auth flow to prevent refresh token loops

- Remove refresh trigger from LrmAuthStateProvider (single source principle)
- Add ShouldAttemptRefresh() to check coordinator state before refresh
- Add permanent failure flag to stop retries after 401
- Add 500ms cache to GetAuthenticationStateAsync to prevent concurrent evaluations
- Increase MinRefreshInterval to 10s and add MaxRefreshWaitTime of 15s
- Show user-friendly session expired message on login page

Author: nickprotop

cloud/src/LrmCloud.Web/Pages/Auth/Login.razor

@@ -2,6 +2,7 @@
 @layout AuthLayout
 @inject AuthService AuthService
 @inject NavigationManager Navigation
+@inject TokenRefreshCoordinator RefreshCoordinator
 
 <PageTitle>Login - LRM Cloud</PageTitle>
 
@@ -12,6 +13,13 @@
         <RadzenText TextStyle="TextStyle.Body2" class="rz-color-secondary">Sign in to your account</RadzenText>
     </div>
 
+    @if (!string.IsNullOrEmpty(_sessionExpiredMessage))
+    {
+        <RadzenAlert AlertStyle="AlertStyle.Warning" Shade="Shade.Lighter" AllowClose="true" Close="@(() => _sessionExpiredMessage = null)">
+            <RadzenIcon Icon="schedule" class="rz-me-2" />@_sessionExpiredMessage
+        </RadzenAlert>
+    }
+
     @if (!string.IsNullOrEmpty(_errorMessage))
     {
         <RadzenAlert AlertStyle="AlertStyle.Danger" Shade="Shade.Lighter" AllowClose="false">
@@ -79,13 +87,22 @@
     private readonly LoginRequest _model = new();
     private bool _isLoading;
     private string? _errorMessage;
+    private string? _sessionExpiredMessage;
 
     [Parameter]
     [SupplyParameterFromQuery(Name = "returnUrl")]
     public string? ReturnUrl { get; set; }
 
     protected override async Task OnInitializedAsync()
     {
+        // Check if we were redirected here due to session expiry
+        if (RefreshCoordinator.IsRefreshPermanentlyFailed && !string.IsNullOrEmpty(RefreshCoordinator.FailureReason))
+        {
+            _sessionExpiredMessage = RefreshCoordinator.FailureReason;
+            // Reset so the message only shows once
+            RefreshCoordinator.ResetFailureState();
+        }
+
         // Use IsTokenValidAsync instead of IsAuthenticatedAsync to check both:
         // 1. Token exists
         // 2. Token is not expired

cloud/src/LrmCloud.Web/Services/AuthService.cs

@@ -35,6 +35,9 @@ public async Task<AuthResult> LoginAsync(LoginRequest request)
                 var result = await response.Content.ReadFromJsonAsync<ApiResponse<LoginResponse>>();
                 if (result?.Data != null)
                 {
+                    // Reset any previous auth failure state
+                    _refreshCoordinator.ResetFailureState();
+
                     await _tokenStorage.StoreTokensAsync(
                         result.Data.Token,
                         result.Data.RefreshToken,
@@ -145,7 +148,7 @@ public async Task<bool> RefreshTokenAsync()
         {
             // Another refresh is in progress or was recently attempted
             // Wait for it to complete and check if tokens are now valid
-            await _refreshCoordinator.WaitForRefreshAsync(TimeSpan.FromSeconds(5));
+            await _refreshCoordinator.WaitForRefreshAsync(TokenRefreshCoordinator.MaxRefreshWaitTime);
 
             // Check if we now have valid tokens (from the other refresh)
             var token = await _tokenStorage.GetAccessTokenAsync();
@@ -182,6 +185,10 @@ await _tokenStorage.StoreTokensAsync(
             if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized ||
                 response.StatusCode == System.Net.HttpStatusCode.Forbidden)
             {
+                // Mark as permanently failed to prevent retry loops
+                _refreshCoordinator.MarkRefreshPermanentlyFailed(
+                    "Your session has expired. Please log in again.");
+
                 await _tokenStorage.ClearTokensAsync();
                 _authStateProvider.NotifyUserLogout();
             }
@@ -246,10 +253,27 @@ public async Task<bool> IsAuthenticatedAsync()
         return !string.IsNullOrEmpty(token);
     }
 
+    /// <summary>
+    /// Checks if a refresh attempt should be made.
+    /// Returns false if refresh has permanently failed or is already in progress.
+    /// </summary>
+    public bool ShouldAttemptRefresh()
+    {
+        // Don't attempt if permanently failed (e.g., token was revoked)
+        if (_refreshCoordinator.IsRefreshPermanentlyFailed)
+            return false;
+
+        // Don't attempt if already in progress
+        if (_refreshCoordinator.IsRefreshInProgress)
+            return false;
+
+        return true;
+    }
+
     /// <summary>
     /// Checks if the user has a valid (non-expired) token.
     /// Unlike IsAuthenticatedAsync, this also verifies the token hasn't expired
-    /// and handles the case where tokens are being cleared.
+    /// and handles the case where tokens are being cleared or auth has permanently failed.
     /// </summary>
     public async Task<bool> IsTokenValidAsync()
     {
@@ -258,6 +282,11 @@ public async Task<bool> IsTokenValidAsync()
         if (_tokenStorage.IsClearing)
             return false;
 
+        // Don't report as authenticated if refresh has permanently failed
+        // This means the session is invalid and user needs to login again
+        if (_refreshCoordinator.IsRefreshPermanentlyFailed)
+            return false;
+
         var token = await _tokenStorage.GetAccessTokenAsync();
         if (string.IsNullOrEmpty(token))
             return false;

cloud/src/LrmCloud.Web/Services/AuthenticatedHttpHandler.cs

@@ -37,11 +37,15 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
             var coordinator = _serviceProvider.GetService<TokenRefreshCoordinator>();
             if (coordinator?.IsRefreshInProgress == true)
             {
-                await coordinator.WaitForRefreshAsync(TimeSpan.FromSeconds(10), cancellationToken);
+                await coordinator.WaitForRefreshAsync(TokenRefreshCoordinator.MaxRefreshWaitTime, cancellationToken);
             }
 
             // Proactive refresh: if token is expired or about to expire, refresh before sending
-            if (await _tokenStorage.IsTokenExpiredAsync() && await _tokenStorage.CanRefreshAsync())
+            // Check coordinator state first to avoid unnecessary attempts
+            var authService = _serviceProvider.GetService<AuthService>();
+            if (await _tokenStorage.IsTokenExpiredAsync() &&
+                await _tokenStorage.CanRefreshAsync() &&
+                authService?.ShouldAttemptRefresh() == true)
             {
                 await TryRefreshTokenAsync();
             }
@@ -51,10 +55,11 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
 
         var response = await base.SendAsync(request, cancellationToken);
 
-        // Handle 401 Unauthorized - try to refresh token
+        // Handle 401 Unauthorized - try to refresh token (if not permanently failed)
         if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized && !isAuthEndpoint)
         {
-            if (await TryRefreshTokenAsync())
+            var authSvc = _serviceProvider.GetService<AuthService>();
+            if (authSvc?.ShouldAttemptRefresh() == true && await TryRefreshTokenAsync())
             {
                 // Retry the request with new token
                 request = await CloneRequestAsync(request);

cloud/src/LrmCloud.Web/Services/LrmAuthStateProvider.cs

@@ -16,6 +16,12 @@ public class LrmAuthStateProvider : AuthenticationStateProvider
     private UserDto? _cachedUser;
     private bool _isInitialized;
 
+    // Cache auth state to prevent multiple simultaneous evaluations
+    private AuthenticationState? _cachedAuthState;
+    private DateTime _cacheExpiry = DateTime.MinValue;
+    private static readonly TimeSpan CacheDuration = TimeSpan.FromMilliseconds(500);
+    private readonly SemaphoreSlim _cacheLock = new(1, 1);
+
     public LrmAuthStateProvider(TokenStorageService tokenStorage, HttpClient httpClient, IServiceProvider serviceProvider)
     {
         _tokenStorage = tokenStorage;
@@ -24,6 +30,35 @@ public LrmAuthStateProvider(TokenStorageService tokenStorage, HttpClient httpCli
     }
 
     public override async Task<AuthenticationState> GetAuthenticationStateAsync()
+    {
+        // Return cached state if still valid (prevents multiple simultaneous evaluations)
+        if (_cachedAuthState != null && DateTime.UtcNow < _cacheExpiry)
+        {
+            return _cachedAuthState;
+        }
+
+        // Use lock to prevent concurrent cache population
+        await _cacheLock.WaitAsync();
+        try
+        {
+            // Double-check after acquiring lock
+            if (_cachedAuthState != null && DateTime.UtcNow < _cacheExpiry)
+            {
+                return _cachedAuthState;
+            }
+
+            var authState = await GetAuthenticationStateCoreAsync();
+            _cachedAuthState = authState;
+            _cacheExpiry = DateTime.UtcNow.Add(CacheDuration);
+            return authState;
+        }
+        finally
+        {
+            _cacheLock.Release();
+        }
+    }
+
+    private async Task<AuthenticationState> GetAuthenticationStateCoreAsync()
     {
         var token = await _tokenStorage.GetAccessTokenAsync();
 
@@ -33,39 +68,13 @@ public override async Task<AuthenticationState> GetAuthenticationStateAsync()
         }
 
         // Check if token is expired
+        // NOTE: We do NOT trigger refresh here - that's handled by AuthenticatedHttpHandler
+        // This prevents multiple refresh attempts from different components
         if (await _tokenStorage.IsTokenExpiredAsync())
         {
-            // Token expired, try to refresh if possible
-            if (await _tokenStorage.CanRefreshAsync())
-            {
-                try
-                {
-                    // Attempt to refresh the token using AuthService
-                    // AuthService uses TokenRefreshCoordinator internally to prevent concurrent refreshes
-                    var authService = _serviceProvider.GetService<AuthService>();
-                    if (authService != null && await authService.RefreshTokenAsync())
-                    {
-                        // Refresh succeeded - the AuthService already notified us
-                        // and updated the cached user, so we can proceed
-                        token = await _tokenStorage.GetAccessTokenAsync();
-                    }
-                    else
-                    {
-                        // Refresh failed - return unauthenticated
-                        return new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity()));
-                    }
-                }
-                catch
-                {
-                    // Error during refresh - return unauthenticated
-                    return new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity()));
-                }
-            }
-            else
-            {
-                // Can't refresh - return unauthenticated
-                return new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity()));
-            }
+            // Token expired - return unauthenticated
+            // The next API call via AuthenticatedHttpHandler will trigger refresh
+            return new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity()));
         }
 
         // Try to get user info from cache or fetch from API
@@ -87,6 +96,8 @@ public override async Task<AuthenticationState> GetAuthenticationStateAsync()
     public void NotifyUserAuthentication(UserDto user)
     {
         _cachedUser = user;
+        _cachedAuthState = null; // Invalidate cache
+        _cacheExpiry = DateTime.MinValue;
         var authenticatedUser = CreateClaimsPrincipal(user);
         NotifyAuthenticationStateChanged(Task.FromResult(new AuthenticationState(authenticatedUser)));
     }
@@ -95,6 +106,8 @@ public void NotifyUserLogout()
     {
         _cachedUser = null;
         _isInitialized = false;
+        _cachedAuthState = null; // Invalidate cache
+        _cacheExpiry = DateTime.MinValue;
         var anonymousUser = new ClaimsPrincipal(new ClaimsIdentity());
         NotifyAuthenticationStateChanged(Task.FromResult(new AuthenticationState(anonymousUser)));
     }

cloud/src/LrmCloud.Web/Services/TokenRefreshCoordinator.cs

@@ -9,18 +9,58 @@ public class TokenRefreshCoordinator
     private readonly SemaphoreSlim _refreshLock = new(1, 1);
     private bool _refreshInProgress;
     private DateTime? _lastRefreshAttempt;
+    private bool _refreshPermanentlyFailed;
+    private string? _failureReason;
 
     /// <summary>
     /// Minimum time between refresh attempts to prevent rapid-fire refreshes.
     /// </summary>
-    private static readonly TimeSpan MinRefreshInterval = TimeSpan.FromSeconds(5);
+    private static readonly TimeSpan MinRefreshInterval = TimeSpan.FromSeconds(10);
+
+    /// <summary>
+    /// Maximum time to wait for an in-progress refresh to complete.
+    /// </summary>
+    public static readonly TimeSpan MaxRefreshWaitTime = TimeSpan.FromSeconds(15);
+
+    /// <summary>
+    /// Indicates if refresh has permanently failed (e.g., token revoked/invalid).
+    /// When true, no further refresh attempts should be made.
+    /// </summary>
+    public bool IsRefreshPermanentlyFailed => _refreshPermanentlyFailed;
+
+    /// <summary>
+    /// The reason for permanent failure, if any.
+    /// </summary>
+    public string? FailureReason => _failureReason;
+
+    /// <summary>
+    /// Mark refresh as permanently failed. No further refresh attempts will be made.
+    /// </summary>
+    public void MarkRefreshPermanentlyFailed(string reason)
+    {
+        _refreshPermanentlyFailed = true;
+        _failureReason = reason;
+    }
+
+    /// <summary>
+    /// Reset the permanent failure state (called on successful login).
+    /// </summary>
+    public void ResetFailureState()
+    {
+        _refreshPermanentlyFailed = false;
+        _failureReason = null;
+    }
 
     /// <summary>
     /// Try to acquire the refresh lock. Returns true if this caller should perform the refresh.
-    /// Returns false if another refresh is in progress or was recently attempted.
+    /// Returns false if another refresh is in progress, was recently attempted, or has permanently failed.
     /// </summary>
     public async Task<bool> TryAcquireRefreshLockAsync(CancellationToken cancellationToken = default)
     {
+        // Don't attempt refresh if it has permanently failed
+        if (_refreshPermanentlyFailed)
+            return false;
+
         // Quick check before waiting for lock
         if (_refreshInProgress)
             return false;