From 4761e3f3d01493dcaebf7c9f8f1ea8b05a733f32 Mon Sep 17 00:00:00 2001
From: Tao Zhou <taoalpha@google.com>
Date: Thu, 9 Jan 2020 13:59:45 +0100
Subject: [PATCH] Convert gr-auth to class and use new API for auth check

auth-check API is available since: https://gerrit-review.googlesource.com/c/gerrit/+/185990

Change-Id: Icd5e0183ee42e746c32bfd7929af9796ab752627
---
 .../gr-error-manager/gr-error-manager.html    |  10 +
 .../core/gr-error-manager/gr-error-manager.js | 132 ++--
 .../gr-error-manager_test.html                | 563 ++++++++++--------
 .../gr-js-api-interface_test.html             |   6 +-
 .../shared/gr-rest-api-interface/gr-auth.js   | 120 +++-
 .../gr-rest-api-interface/gr-auth_test.html   | 250 +++++++-
 .../gr-rest-api-interface.js                  |  61 +-
 .../gr-rest-api-interface_test.html           | 129 +---
 .../gr-rest-apis/gr-rest-api-helper.js        |  48 +-
 .../gr-rest-apis/gr-rest-api-helper_test.html |   3 +-
 10 files changed, 758 insertions(+), 564 deletions(-)

diff --git a/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager.html b/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager.html
index 048d39227e..03d8d6a350 100644
--- a/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager.html
+++ b/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager.html
@@ -23,6 +23,9 @@ limitations under the License.
 <link rel="import" href="../../shared/gr-alert/gr-alert.html">
 <link rel="import" href="../../shared/gr-overlay/gr-overlay.html">
 <link rel="import" href="../../shared/gr-rest-api-interface/gr-rest-api-interface.html">
+<!-- Import to get Gerrit interface -->
+<!-- TODO(taoalpha): decouple gr-gerrit from gr-js-api-interface -->
+<link rel="import" href="../../shared/gr-js-api-interface/gr-js-api-interface.html">
 
 <dom-module id="gr-error-manager">
   <template>
@@ -33,6 +36,13 @@ limitations under the License.
           confirm-label="Dismiss"
           confirm-on-enter></gr-error-dialog>
     </gr-overlay>
+    <gr-overlay
+      id="noInteractionOverlay"
+      with-backdrop
+      always-on-top
+      no-cancel-on-esc-key
+      no-cancel-on-outside-click>
+    </gr-overlay>
     <gr-rest-api-interface id="restAPI"></gr-rest-api-interface>
     <gr-reporting id="reporting"></gr-reporting>
   </template>
diff --git a/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager.js b/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager.js
index 506cb73540..2a87708472 100644
--- a/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager.js
+++ b/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager.js
@@ -64,15 +64,29 @@
       };
     }
 
+    constructor() {
+      super();
+
+      /** @type {!Gerrit.Auth} */
+      this._authService = Gerrit.Auth;
+
+      /** @type {?Function} */
+      this._authErrorHandlerDeregistrationHook;
+    }
+
     attached() {
       super.attached();
       this.listen(document, 'server-error', '_handleServerError');
       this.listen(document, 'network-error', '_handleNetworkError');
-      this.listen(document, 'auth-error', '_handleAuthError');
       this.listen(document, 'show-alert', '_handleShowAlert');
       this.listen(document, 'show-error', '_handleShowErrorDialog');
       this.listen(document, 'visibilitychange', '_handleVisibilityChange');
       this.listen(document, 'show-auth-required', '_handleAuthRequired');
+
+      this._authErrorHandlerDeregistrationHook = Gerrit.on('auth-error',
+          event => {
+            this._handleAuthError(event.message, event.action);
+          });
     }
 
     detached() {
@@ -80,10 +94,11 @@
       this._clearHideAlertHandle();
       this.unlisten(document, 'server-error', '_handleServerError');
       this.unlisten(document, 'network-error', '_handleNetworkError');
-      this.unlisten(document, 'auth-error', '_handleAuthError');
       this.unlisten(document, 'show-auth-required', '_handleAuthRequired');
       this.unlisten(document, 'visibilitychange', '_handleVisibilityChange');
       this.unlisten(document, 'show-error', '_handleShowErrorDialog');
+
+      this._authErrorHandlerDeregistrationHook();
     }
 
     _shouldSuppressError(msg) {
@@ -95,32 +110,41 @@
           'Log in is required to perform that action.', 'Log in.');
     }
 
-    _handleAuthError() {
-      this._showAuthErrorAlert('Auth error', 'Refresh credentials.');
+    _handleAuthError(msg, action) {
+      this.$.noInteractionOverlay.open().then(() => {
+        this._showAuthErrorAlert(msg, action);
+      });
     }
 
     _handleServerError(e) {
       const {request, response} = e.detail;
-      Promise.all([response.text(), this._getLoggedIn()])
-          .then(([errorText, loggedIn]) => {
-            const url = request && (request.anonymizedUrl || request.url);
-            const {status, statusText} = response;
-            if (response.status === 403 &&
-                loggedIn &&
-                errorText === AUTHENTICATION_REQUIRED) {
-              // The app was logged at one point and is now getting auth errors.
-              // This indicates the auth token is no longer valid.
-              this._handleAuthError();
-            } else if (!this._shouldSuppressError(errorText)) {
-              this._showErrorDialog(this._constructServerErrorMsg({
-                status,
-                statusText,
-                errorText,
-                url,
-              }));
-            }
-            console.error(errorText);
-          });
+      response.text().then(errorText => {
+        const url = request && (request.anonymizedUrl || request.url);
+        const {status, statusText} = response;
+        if (response.status === 403
+                && !this._authService.isAuthed
+                && errorText === AUTHENTICATION_REQUIRED) {
+          // if not authed previously, this is trying to access auth required APIs
+          // show auth required alert
+          this._handleAuthRequired();
+        } else if (response.status === 403
+                && this._authService.isAuthed
+                && errorText === AUTHENTICATION_REQUIRED) {
+          // The app was logged at one point and is now getting auth errors.
+          // This indicates the auth token may no longer valid.
+          // Re-check on auth
+          this._authService.clearCache();
+          this.$.restAPI.getLoggedIn();
+        } else if (!this._shouldSuppressError(errorText)) {
+          this._showErrorDialog(this._constructServerErrorMsg({
+            status,
+            statusText,
+            errorText,
+            url,
+          }));
+        }
+        console.log(`server error: ${errorText}`);
+      });
     }
 
     _constructServerErrorMsg({errorText, status, statusText, url}) {
@@ -142,10 +166,6 @@
       console.error(e.detail.error.message);
     }
 
-    _getLoggedIn() {
-      return this.$.restAPI.getLoggedIn();
-    }
-
     /**
      * @param {string} text
      * @param {?string=} opt_actionText
@@ -222,7 +242,11 @@
           this.knownAccountId !== undefined &&
           timeSinceLastCheck > STALE_CREDENTIAL_THRESHOLD_MS) {
         this._lastCredentialCheck = Date.now();
-        this.$.restAPI.checkCredentials();
+
+        // check auth status in case:
+        // - user signed out
+        // - user switched account
+        this._checkSignedIn();
       }
     }
 
@@ -232,22 +256,36 @@
     }
 
     _checkSignedIn() {
-      this.$.restAPI.checkCredentials().then(account => {
-        const isLoggedIn = !!account;
-        this._lastCredentialCheck = Date.now();
-        if (this._refreshingCredentials) {
-          if (isLoggedIn) {
-            // If the credentials were refreshed but the account is different
-            // then reload the page completely.
-            if (account._account_id !== this.knownAccountId) {
-              this._reloadPage();
-              return;
-            }
+      this._lastCredentialCheck = Date.now();
 
-            this._handleCredentialRefreshed();
-          } else {
-            this._requestCheckLoggedIn();
-          }
+      // force to refetch account info
+      this.$.restAPI.invalidateAccountsCache();
+      this._authService.clearCache();
+
+      this.$.restAPI.getLoggedIn().then(isLoggedIn => {
+        // do nothing if its refreshing
+        if (!this._refreshingCredentials) return;
+
+        if (!isLoggedIn) {
+          // check later
+          // 1. guest mode
+          // 2. or signed out
+          // in case #2, auth-error is taken care of separately
+          this._requestCheckLoggedIn();
+        } else {
+          // check account
+          this.$.restAPI.getAccount().then(account => {
+            if (this._refreshingCredentials) {
+              // If the credentials were refreshed but the account is different
+              // then reload the page completely.
+              if (account._account_id !== this.knownAccountId) {
+                this._reloadPage();
+                return;
+              }
+
+              this._handleCredentialRefreshed();
+            }
+          });
         }
       });
     }
@@ -277,6 +315,10 @@
       this._refreshingCredentials = false;
       this._hideAlert();
       this._showAlert('Credentials refreshed.');
+      this.$.noInteractionOverlay.close();
+
+      // Clear the cache for auth
+      this._authService.clearCache();
     }
 
     _handleWindowFocus() {
@@ -299,4 +341,4 @@
   }
 
   customElements.define(GrErrorManager.is, GrErrorManager);
-})();
+})();
\ No newline at end of file
diff --git a/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager_test.html b/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager_test.html
index 84b6717fe7..af978199f8 100644
--- a/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager_test.html
+++ b/polygerrit-ui/app/elements/core/gr-error-manager/gr-error-manager_test.html
@@ -23,10 +23,10 @@ limitations under the License.
 
 <script src="/bower_components/webcomponentsjs/webcomponents-lite.js"></script>
 <script src="/bower_components/web-component-tester/browser.js"></script>
-<link rel="import" href="../../../test/common-test-setup.html"/>
+<link rel="import" href="../../../test/common-test-setup.html" />
 <link rel="import" href="gr-error-manager.html">
 
-<script>void(0);</script>
+<script>void (0);</script>
 
 <test-fixture id="basic">
   <template>
@@ -41,285 +41,324 @@ limitations under the License.
 
     setup(() => {
       sandbox = sinon.sandbox.create();
-      stub('gr-rest-api-interface', {
-        getLoggedIn() { return Promise.resolve(true); },
-      });
-      element = fixture('basic');
     });
 
     teardown(() => {
       sandbox.restore();
     });
 
-    test('does not show auth error on 403 by default', done => {
-      const showAuthErrorStub = sandbox.stub(element, '_showAuthErrorAlert');
-      const responseText = Promise.resolve('server says no.');
-      element.fire('server-error',
-          {response: {status: 403, text() { return responseText; }}}
-      );
-      Promise.all([
-        element.$.restAPI.getLoggedIn.lastCall.returnValue,
-        responseText,
-      ]).then(() => {
-        assert.isFalse(showAuthErrorStub.calledOnce);
-        done();
+    suite('when authed', () => {
+      setup(() => {
+        sandbox.stub(window, 'fetch')
+            .returns(Promise.resolve({ok: true, status: 204}));
+        element = fixture('basic');
       });
-    });
 
-    test('shows auth error on 403 and Authentication required', done => {
-      const showAuthErrorStub = sandbox.stub(element, '_showAuthErrorAlert');
-      const responseText = Promise.resolve('Authentication required\n');
-      element.fire('server-error',
-          {response: {status: 403, text() { return responseText; }}}
-      );
-      Promise.all([
-        element.$.restAPI.getLoggedIn.lastCall.returnValue,
-        responseText,
-      ]).then(() => {
-        assert.isTrue(showAuthErrorStub.calledOnce);
-        done();
-      });
-    });
-
-    test('show logged in error', () => {
-      sandbox.stub(element, '_showAuthErrorAlert');
-      element.fire('show-auth-required');
-      assert.isTrue(element._showAuthErrorAlert.calledWithExactly(
-          'Log in is required to perform that action.', 'Log in.'));
-    });
-
-    test('show normal Error', done => {
-      const showErrorStub = sandbox.stub(element, '_showErrorDialog');
-      const textSpy = sandbox.spy(() => { return Promise.resolve('ZOMG'); });
-      element.fire('server-error', {response: {status: 500, text: textSpy}});
-
-      assert.isTrue(textSpy.called);
-      Promise.all([
-        element.$.restAPI.getLoggedIn.lastCall.returnValue,
-        textSpy.lastCall.returnValue,
-      ]).then(() => {
-        assert.isTrue(showErrorStub.calledOnce);
-        assert.isTrue(showErrorStub.lastCall.calledWithExactly(
-            'Error 500: ZOMG'));
-        done();
-      });
-    });
-
-    test('_constructServerErrorMsg', () => {
-      const errorText = 'change conflicts';
-      const status = 409;
-      const statusText = 'Conflict';
-      const url = '/my/test/url';
-
-      assert.equal(element._constructServerErrorMsg({status}),
-          'Error 409');
-      assert.equal(element._constructServerErrorMsg({status, url}),
-          'Error 409: \nEndpoint: /my/test/url');
-      assert.equal(element._constructServerErrorMsg({status, statusText, url}),
-          'Error 409 (Conflict): \nEndpoint: /my/test/url');
-      assert.equal(element._constructServerErrorMsg({
-        status,
-        statusText,
-        errorText,
-        url,
-      }), 'Error 409 (Conflict): change conflicts' +
-          '\nEndpoint: /my/test/url');
-    });
-
-    test('suppress TOO_MANY_FILES error', done => {
-      const showAlertStub = sandbox.stub(element, '_showAlert');
-      const textSpy = sandbox.spy(() => {
-        return Promise.resolve('too many files to find conflicts');
-      });
-      element.fire('server-error', {response: {status: 500, text: textSpy}});
-
-      assert.isTrue(textSpy.called);
-      Promise.all([
-        element.$.restAPI.getLoggedIn.lastCall.returnValue,
-        textSpy.lastCall.returnValue,
-      ]).then(() => {
-        assert.isFalse(showAlertStub.called);
-        done();
-      });
-    });
-
-    test('show network error', done => {
-      const consoleErrorStub = sandbox.stub(console, 'error');
-      const showAlertStub = sandbox.stub(element, '_showAlert');
-      element.fire('network-error', {error: new Error('ZOMG')});
-      flush(() => {
-        assert.isTrue(showAlertStub.calledOnce);
-        assert.isTrue(showAlertStub.lastCall.calledWithExactly(
-            'Server unavailable'));
-        assert.isTrue(consoleErrorStub.calledOnce);
-        assert.isTrue(consoleErrorStub.lastCall.calledWithExactly('ZOMG'));
-        done();
-      });
-    });
-
-    test('show auth refresh toast', done => {
-      const refreshStub = sandbox.stub(element.$.restAPI, 'checkCredentials',
-          () => { return Promise.resolve(true); });
-      const toastSpy = sandbox.spy(element, '_createToastAlert');
-      const windowOpen = sandbox.stub(window, 'open');
-      const responseText = Promise.resolve('Authentication required\n');
-      element.fire('server-error',
-          {response: {status: 403, text() { return responseText; }}}
-      );
-      Promise.all([
-        element.$.restAPI.getLoggedIn.lastCall.returnValue,
-        responseText,
-      ]).then(() => {
-        assert.isTrue(toastSpy.called);
-        let toast = toastSpy.lastCall.returnValue;
-        assert.isOk(toast);
-        assert.include(
-            Polymer.dom(toast.root).textContent, 'Auth error');
-        assert.include(
-            Polymer.dom(toast.root).textContent, 'Refresh credentials.');
-
-        assert.isFalse(windowOpen.called);
-        MockInteractions.tap(toast.$$('gr-button.action'));
-        assert.isTrue(windowOpen.called);
-
-        // @see Issue 5822: noopener breaks closeAfterLogin
-        assert.equal(windowOpen.lastCall.args[2].indexOf('noopener=yes'),
-            -1);
-
-        const hideToastSpy = sandbox.spy(toast, 'hide');
-
-        element._handleWindowFocus();
-        assert.isTrue(refreshStub.called);
-        element.flushDebouncer('checkLoggedIn');
+      test('does not show auth error on 403 by default', done => {
+        const showAuthErrorStub = sandbox.stub(element, '_showAuthErrorAlert');
+        const responseText = Promise.resolve('server says no.');
+        element.fire('server-error',
+            {response: {status: 403, text() { return responseText; }}}
+        );
         flush(() => {
-          assert.isTrue(refreshStub.called);
-          assert.isTrue(hideToastSpy.called);
+          assert.isFalse(showAuthErrorStub.calledOnce);
+          done();
+        });
+      });
 
-          assert.notStrictEqual(toastSpy.lastCall.returnValue, toast);
-          toast = toastSpy.lastCall.returnValue;
-          assert.isOk(toast);
-          assert.include(
-              Polymer.dom(toast.root).textContent, 'Credentials refreshed');
+      test('show auth required for 403 with auth error and not authed before',
+          done => {
+            const showAuthErrorStub = sandbox.stub(
+                element, '_showAuthErrorAlert'
+            );
+            const responseText = Promise.resolve('Authentication required\n');
+            sinon.stub(element.$.restAPI, 'getLoggedIn')
+                .returns(Promise.resolve(true));
+            element.fire('server-error',
+                {response: {status: 403, text() { return responseText; }}}
+            );
+            flush(() => {
+              assert.isTrue(showAuthErrorStub.calledOnce);
+              done();
+            });
+          });
+
+      test('recheck auth for 403 with auth error if authed before', done => {
+        // starts with authed state
+        element.$.restAPI.getLoggedIn();
+        const responseText = Promise.resolve('Authentication required\n');
+        sinon.stub(element.$.restAPI, 'getLoggedIn')
+            .returns(Promise.resolve(true));
+        element.fire('server-error',
+            {response: {status: 403, text() { return responseText; }}}
+        );
+        flush(() => {
+          assert.isTrue(element.$.restAPI.getLoggedIn.calledOnce);
+          done();
+        });
+      });
+
+      test('show logged in error', () => {
+        sandbox.stub(element, '_showAuthErrorAlert');
+        element.fire('show-auth-required');
+        assert.isTrue(element._showAuthErrorAlert.calledWithExactly(
+            'Log in is required to perform that action.', 'Log in.'));
+      });
+
+      test('show normal Error', done => {
+        const showErrorStub = sandbox.stub(element, '_showErrorDialog');
+        const textSpy = sandbox.spy(() => { return Promise.resolve('ZOMG'); });
+        element.fire('server-error', {response: {status: 500, text: textSpy}});
+
+        assert.isTrue(textSpy.called);
+        flush(() => {
+          assert.isTrue(showErrorStub.calledOnce);
+          assert.isTrue(showErrorStub.lastCall.calledWithExactly(
+              'Error 500: ZOMG'));
+          done();
+        });
+      });
+
+      test('_constructServerErrorMsg', () => {
+        const errorText = 'change conflicts';
+        const status = 409;
+        const statusText = 'Conflict';
+        const url = '/my/test/url';
+
+        assert.equal(element._constructServerErrorMsg({status}),
+            'Error 409');
+        assert.equal(element._constructServerErrorMsg({status, url}),
+            'Error 409: \nEndpoint: /my/test/url');
+        assert.equal(element._constructServerErrorMsg({status, statusText, url}),
+            'Error 409 (Conflict): \nEndpoint: /my/test/url');
+        assert.equal(element._constructServerErrorMsg({
+          status,
+          statusText,
+          errorText,
+          url,
+        }), 'Error 409 (Conflict): change conflicts' +
+        '\nEndpoint: /my/test/url');
+      });
+
+      test('suppress TOO_MANY_FILES error', done => {
+        const showAlertStub = sandbox.stub(element, '_showAlert');
+        const textSpy = sandbox.spy(() => {
+          return Promise.resolve('too many files to find conflicts');
+        });
+        element.fire('server-error', {response: {status: 500, text: textSpy}});
+
+        assert.isTrue(textSpy.called);
+        flush(() => {
+          assert.isFalse(showAlertStub.called);
+          done();
+        });
+      });
+
+      test('show network error', done => {
+        const consoleErrorStub = sandbox.stub(console, 'error');
+        const showAlertStub = sandbox.stub(element, '_showAlert');
+        element.fire('network-error', {error: new Error('ZOMG')});
+        flush(() => {
+          assert.isTrue(showAlertStub.calledOnce);
+          assert.isTrue(showAlertStub.lastCall.calledWithExactly(
+              'Server unavailable'));
+          assert.isTrue(consoleErrorStub.calledOnce);
+          assert.isTrue(consoleErrorStub.lastCall.calledWithExactly('ZOMG'));
+          done();
+        });
+      });
+
+      test('show auth refresh toast', done => {
+        // starts with authed state
+        element.$.restAPI.getLoggedIn();
+        const refreshStub = sandbox.stub(element.$.restAPI, 'getAccount',
+            () => { return Promise.resolve({}); });
+        const toastSpy = sandbox.spy(element, '_createToastAlert');
+        const windowOpen = sandbox.stub(window, 'open');
+        const responseText = Promise.resolve('Authentication required\n');
+        // fake failed auth
+        window.fetch.returns(Promise.resolve({status: 403}));
+        element.fire('server-error',
+            {response: {status: 403, text() { return responseText; }}}
+        );
+        assert.equal(window.fetch.callCount, 1);
+        flush(() => {
+          // auth check again
+          assert.equal(window.fetch.callCount, 2);
+          flush(() => {
+            // auth-error fired
+            assert.isTrue(toastSpy.called);
+
+            // toast
+            let toast = toastSpy.lastCall.returnValue;
+            assert.isOk(toast);
+            assert.include(
+                Polymer.dom(toast.root).textContent, 'Credentails expired.');
+            assert.include(
+                Polymer.dom(toast.root).textContent, 'Refresh credentials');
+
+            // noInteractionOverlay
+            const noInteractionOverlay = element.$.noInteractionOverlay;
+            assert.isOk(noInteractionOverlay);
+            sinon.spy(noInteractionOverlay, 'close');
+            assert.equal(
+                noInteractionOverlay.backdropElement.getAttribute('opened'),
+                '');
+            assert.isFalse(windowOpen.called);
+            MockInteractions.tap(toast.$$('gr-button.action'));
+            assert.isTrue(windowOpen.called);
+
+            // @see Issue 5822: noopener breaks closeAfterLogin
+            assert.equal(windowOpen.lastCall.args[2].indexOf('noopener=yes'),
+                -1);
+
+            const hideToastSpy = sandbox.spy(toast, 'hide');
+
+            // now fake authed
+            window.fetch.returns(Promise.resolve({status: 204}));
+            element._handleWindowFocus();
+            element.flushDebouncer('checkLoggedIn');
+            flush(() => {
+              assert.isTrue(refreshStub.called);
+              assert.isTrue(hideToastSpy.called);
+
+              // toast update
+              assert.notStrictEqual(toastSpy.lastCall.returnValue, toast);
+              toast = toastSpy.lastCall.returnValue;
+              assert.isOk(toast);
+              assert.include(
+                  Polymer.dom(toast.root).textContent, 'Credentials refreshed');
+
+              // close overlay
+              assert.isTrue(noInteractionOverlay.close.called);
+              done();
+            });
+          });
+        });
+      });
+
+      test('show alert', () => {
+        const alertObj = {message: 'foo'};
+        sandbox.stub(element, '_showAlert');
+        element.fire('show-alert', alertObj);
+        assert.isTrue(element._showAlert.calledOnce);
+        assert.equal(element._showAlert.lastCall.args[0], 'foo');
+        assert.isNotOk(element._showAlert.lastCall.args[1]);
+        assert.isNotOk(element._showAlert.lastCall.args[2]);
+      });
+
+      test('checks stale credentials on visibility change', () => {
+        const refreshStub = sandbox.stub(element,
+            '_checkSignedIn');
+        sandbox.stub(Date, 'now').returns(999999);
+        element._lastCredentialCheck = 0;
+        element._handleVisibilityChange();
+
+        // Since there is no known account, it should not test credentials.
+        assert.isFalse(refreshStub.called);
+        assert.equal(element._lastCredentialCheck, 0);
+
+        element.knownAccountId = 123;
+        element._handleVisibilityChange();
+
+        // Should test credentials, since there is a known account.
+        assert.isTrue(refreshStub.called);
+        assert.equal(element._lastCredentialCheck, 999999);
+      });
+
+      test('refreshes with same credentials', done => {
+        const accountPromise = Promise.resolve({_account_id: 1234});
+        sandbox.stub(element.$.restAPI, 'getAccount')
+            .returns(accountPromise);
+        const requestCheckStub = sandbox.stub(element, '_requestCheckLoggedIn');
+        const handleRefreshStub = sandbox.stub(element,
+            '_handleCredentialRefreshed');
+        const reloadStub = sandbox.stub(element, '_reloadPage');
+
+        element.knownAccountId = 1234;
+        element._refreshingCredentials = true;
+        element._checkSignedIn();
+
+        flush(() => {
+          assert.isFalse(requestCheckStub.called);
+          assert.isTrue(handleRefreshStub.called);
+          assert.isFalse(reloadStub.called);
+          done();
+        });
+      });
+
+      test('_showAlert hides existing alerts', () => {
+        element._alertElement = element._createToastAlert();
+        const hideStub = sandbox.stub(element, '_hideAlert');
+        element._showAlert();
+        assert.isTrue(hideStub.calledOnce);
+      });
+
+      test('show-error', () => {
+        const openStub = sandbox.stub(element.$.errorOverlay, 'open');
+        const closeStub = sandbox.stub(element.$.errorOverlay, 'close');
+        const reportStub = sandbox.stub(element.$.reporting, 'reportErrorDialog');
+
+        const message = 'test message';
+        element.fire('show-error', {message});
+        flushAsynchronousOperations();
+
+        assert.isTrue(openStub.called);
+        assert.isTrue(reportStub.called);
+        assert.equal(element.$.errorDialog.text, message);
+
+        element.$.errorDialog.fire('dismiss');
+        flushAsynchronousOperations();
+
+        assert.isTrue(closeStub.called);
+      });
+
+      test('reloads when refreshed credentials differ', done => {
+        const accountPromise = Promise.resolve({_account_id: 1234});
+        sandbox.stub(element.$.restAPI, 'getAccount')
+            .returns(accountPromise);
+        const requestCheckStub = sandbox.stub(element, '_requestCheckLoggedIn');
+        const handleRefreshStub = sandbox.stub(element,
+            '_handleCredentialRefreshed');
+        const reloadStub = sandbox.stub(element, '_reloadPage');
+
+        element.knownAccountId = 4321; // Different from 1234
+        element._refreshingCredentials = true;
+        element._checkSignedIn();
+
+        flush(() => {
+          assert.isFalse(requestCheckStub.called);
+          assert.isFalse(handleRefreshStub.called);
+          assert.isTrue(reloadStub.called);
           done();
         });
       });
     });
 
-    test('show alert', () => {
-      const alertObj = {message: 'foo'};
-      sandbox.stub(element, '_showAlert');
-      element.fire('show-alert', alertObj);
-      assert.isTrue(element._showAlert.calledOnce);
-      assert.equal(element._showAlert.lastCall.args[0], 'foo');
-      assert.isNotOk(element._showAlert.lastCall.args[1]);
-      assert.isNotOk(element._showAlert.lastCall.args[2]);
-    });
-
-    test('checks stale credentials on visibility change', () => {
-      const refreshStub = sandbox.stub(element.$.restAPI,
-          'checkCredentials');
-      sandbox.stub(Date, 'now').returns(999999);
-      element._lastCredentialCheck = 0;
-      element._handleVisibilityChange();
-
-      // Since there is no known account, it should not test credentials.
-      assert.isFalse(refreshStub.called);
-      assert.equal(element._lastCredentialCheck, 0);
-
-      element.knownAccountId = 123;
-      element._handleVisibilityChange();
-
-      // Should test credentials, since there is a known account.
-      assert.isTrue(refreshStub.called);
-      assert.equal(element._lastCredentialCheck, 999999);
-    });
-
-    test('refresh loop continues on credential fail', done => {
-      const accountPromise = Promise.resolve(null);
-      sandbox.stub(element.$.restAPI, 'checkCredentials')
-          .returns(accountPromise);
-      const requestCheckStub = sandbox.stub(element, '_requestCheckLoggedIn');
-      const handleRefreshStub = sandbox.stub(element,
-          '_handleCredentialRefreshed');
-      const reloadStub = sandbox.stub(element, '_reloadPage');
-
-      element._refreshingCredentials = true;
-      element._checkSignedIn();
-
-      accountPromise.then(() => {
-        assert.isTrue(requestCheckStub.called);
-        assert.isFalse(handleRefreshStub.called);
-        assert.isFalse(reloadStub.called);
-        done();
+    suite('when not authed', () => {
+      setup(() => {
+        stub('gr-rest-api-interface', {
+          getLoggedIn() { return Promise.resolve(false); },
+        });
+        element = fixture('basic');
       });
-    });
 
-    test('refreshes with same credentials', done => {
-      const accountPromise = Promise.resolve({_account_id: 1234});
-      sandbox.stub(element.$.restAPI, 'checkCredentials')
-          .returns(accountPromise);
-      const requestCheckStub = sandbox.stub(element, '_requestCheckLoggedIn');
-      const handleRefreshStub = sandbox.stub(element,
-          '_handleCredentialRefreshed');
-      const reloadStub = sandbox.stub(element, '_reloadPage');
+      test('refresh loop continues on credential fail', done => {
+        const requestCheckStub = sandbox.stub(element, '_requestCheckLoggedIn');
+        const handleRefreshStub = sandbox.stub(element,
+            '_handleCredentialRefreshed');
+        const reloadStub = sandbox.stub(element, '_reloadPage');
 
-      element.knownAccountId = 1234;
-      element._refreshingCredentials = true;
-      element._checkSignedIn();
+        element._refreshingCredentials = true;
+        element._checkSignedIn();
 
-      accountPromise.then(() => {
-        assert.isFalse(requestCheckStub.called);
-        assert.isTrue(handleRefreshStub.called);
-        assert.isFalse(reloadStub.called);
-        done();
+        flush(() => {
+          assert.isTrue(requestCheckStub.called);
+          assert.isFalse(handleRefreshStub.called);
+          assert.isFalse(reloadStub.called);
+          done();
+        });
       });
     });
-
-    test('reloads when refreshed credentials differ', done => {
-      const accountPromise = Promise.resolve({_account_id: 1234});
-      sandbox.stub(element.$.restAPI, 'checkCredentials')
-          .returns(accountPromise);
-      const requestCheckStub = sandbox.stub(element, '_requestCheckLoggedIn');
-      const handleRefreshStub = sandbox.stub(element,
-          '_handleCredentialRefreshed');
-      const reloadStub = sandbox.stub(element, '_reloadPage');
-
-      element.knownAccountId = 4321; // Different from 1234
-      element._refreshingCredentials = true;
-      element._checkSignedIn();
-
-      accountPromise.then(() => {
-        assert.isFalse(requestCheckStub.called);
-        assert.isFalse(handleRefreshStub.called);
-        assert.isTrue(reloadStub.called);
-        done();
-      });
-    });
-
-    test('_showAlert hides existing alerts', () => {
-      element._alertElement = element._createToastAlert();
-      const hideStub = sandbox.stub(element, '_hideAlert');
-      element._showAlert();
-      assert.isTrue(hideStub.calledOnce);
-    });
-
-    test('show-error', () => {
-      const openStub = sandbox.stub(element.$.errorOverlay, 'open');
-      const closeStub = sandbox.stub(element.$.errorOverlay, 'close');
-      const reportStub = sandbox.stub(element.$.reporting, 'reportErrorDialog');
-
-      const message = 'test message';
-      element.fire('show-error', {message});
-      flushAsynchronousOperations();
-
-      assert.isTrue(openStub.called);
-      assert.isTrue(reportStub.called);
-      assert.equal(element.$.errorDialog.text, message);
-
-      element.$.errorDialog.fire('dismiss');
-      flushAsynchronousOperations();
-
-      assert.isTrue(closeStub.called);
-    });
   });
-</script>
+</script>
\ No newline at end of file
diff --git a/polygerrit-ui/app/elements/shared/gr-js-api-interface/gr-js-api-interface_test.html b/polygerrit-ui/app/elements/shared/gr-js-api-interface/gr-js-api-interface_test.html
index bdce91f15d..71d38bff5b 100644
--- a/polygerrit-ui/app/elements/shared/gr-js-api-interface/gr-js-api-interface_test.html
+++ b/polygerrit-ui/app/elements/shared/gr-js-api-interface/gr-js-api-interface_test.html
@@ -324,7 +324,11 @@ limitations under the License.
       element.handleEvent(element.EventType.HIGHLIGHTJS_LOADED, {hljs: testHljs});
     });
 
-    test('getAccount', done => {
+    test('getLoggedIn', done => {
+      // fake fetch for authCheck
+      sandbox.stub(window, 'fetch', () => {
+        return Promise.resolve({status: 204});
+      });
       plugin.restApi().getLoggedIn().then(loggedIn => {
         assert.isTrue(loggedIn);
         done();
diff --git a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-auth.js b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-auth.js
index 0084932cfb..0af1d9746e 100644
--- a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-auth.js
+++ b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-auth.js
@@ -20,22 +20,86 @@
   // Prevent redefinition.
   if (window.Gerrit.Auth) { return; }
 
+  const MAX_AUTH_CHECK_WAIT_TIME_MS = 1000 * 30; // 30s
   const MAX_GET_TOKEN_RETRIES = 2;
 
-  Gerrit.Auth = {
-    TYPE: {
-      XSRF_TOKEN: 'xsrf_token',
-      ACCESS_TOKEN: 'access_token',
-    },
+  /**
+   * Auth class.
+   *
+   * Gerrit.Auth is an instance of this class.
+   */
+  class Auth {
+    constructor() {
+      this._type = null;
+      this._cachedTokenPromise = null;
+      this._defaultOptions = {};
+      this._retriesLeft = MAX_GET_TOKEN_RETRIES;
+      this._status = Auth.STATUS.UNDETERMINED;
+      this._authCheckPromise = null;
+      this._last_auth_check_time = Date.now();
+    }
 
-    _type: null,
-    _cachedTokenPromise: null,
-    _defaultOptions: {},
-    _retriesLeft: MAX_GET_TOKEN_RETRIES,
+    /**
+     * Returns if user is authed or not.
+     *
+     * @returns {!Promise<boolean>}
+     */
+    authCheck() {
+      if (!this._authCheckPromise ||
+        (Date.now() - this._last_auth_check_time > MAX_AUTH_CHECK_WAIT_TIME_MS)
+      ) {
+        // Refetch after last check expired
+        this._authCheckPromise = fetch('/auth-check');
+        this._last_auth_check_time = Date.now();
+      }
+
+      return this._authCheckPromise.then(res => {
+        // auth-check will return 204 if authed
+        // treat the rest as unauthed
+        if (res.status === 204) {
+          this._setStatus(Auth.STATUS.AUTHED);
+          return true;
+        } else {
+          this._setStatus(Auth.STATUS.NOT_AUTHED);
+          return false;
+        }
+      }).catch(e => {
+        this._setStatus(Auth.STATUS.ERROR);
+        // Reset _authCheckPromise to avoid caching the failed promise
+        this._authCheckPromise = null;
+        return false;
+      });
+    }
+
+    clearCache() {
+      this._authCheckPromise = null;
+    }
+
+    /**
+     * @param {string} status
+     */
+    _setStatus(status) {
+      if (this._status === status) return;
+
+      if (this._status === Auth.STATUS.AUTHED) {
+        Gerrit.emit('auth-error', {
+          message: Auth.CREDS_EXPIRED_MSG, action: 'Refresh credentials',
+        });
+      }
+      this._status = status;
+    }
+
+    get status() {
+      return this._status;
+    }
+
+    get isAuthed() {
+      return this._status === Auth.STATUS.AUTHED;
+    }
 
     _getToken() {
       return Promise.resolve(this._cachedTokenPromise);
-    },
+    }
 
     /**
      * Enable cross-domain authentication using OAuth access token.
@@ -51,7 +115,7 @@
     setup(getToken, defaultOptions) {
       this._retriesLeft = MAX_GET_TOKEN_RETRIES;
       if (getToken) {
-        this._type = Gerrit.Auth.TYPE.ACCESS_TOKEN;
+        this._type = Auth.TYPE.ACCESS_TOKEN;
         this._cachedTokenPromise = null;
         this._getToken = getToken;
       }
@@ -61,7 +125,7 @@
           this._defaultOptions[p] = defaultOptions[p];
         }
       }
-    },
+    }
 
     /**
      * Perform network fetch with authentication.
@@ -74,7 +138,7 @@
       const options = Object.assign({
         headers: new Headers(),
       }, this._defaultOptions, opt_options);
-      if (this._type === Gerrit.Auth.TYPE.ACCESS_TOKEN) {
+      if (this._type === Auth.TYPE.ACCESS_TOKEN) {
         return this._getAccessToken().then(
             accessToken =>
               this._fetchWithAccessToken(url, options, accessToken)
@@ -82,7 +146,7 @@
       } else {
         return this._fetchWithXsrfToken(url, options);
       }
-    },
+    }
 
     _getCookie(name) {
       const key = name + '=';
@@ -95,7 +159,7 @@
         }
       });
       return result;
-    },
+    }
 
     _isTokenValid(token) {
       if (!token) { return false; }
@@ -105,7 +169,7 @@
       if (Date.now() >= expiration.getTime()) { return false; }
 
       return true;
-    },
+    }
 
     _fetchWithXsrfToken(url, options) {
       if (options.method && options.method !== 'GET') {
@@ -116,7 +180,7 @@
       }
       options.credentials = 'same-origin';
       return fetch(url, options);
-    },
+    }
 
     /**
      * @return {!Promise<string>}
@@ -138,7 +202,7 @@
         // Fall back to anonymous access.
         return null;
       });
-    },
+    }
 
     _fetchWithAccessToken(url, options, accessToken) {
       const params = [];
@@ -180,8 +244,24 @@
         url = url + (url.indexOf('?') === -1 ? '?' : '&') + params.join('&');
       }
       return fetch(url, options);
-    },
+    }
+  }
+
+  Auth.TYPE = {
+    XSRF_TOKEN: 'xsrf_token',
+    ACCESS_TOKEN: 'access_token',
   };
 
-  window.Gerrit.Auth = Gerrit.Auth;
+  Auth.STATUS = {
+    UNDETERMINED: 0,
+    AUTHED: 1,
+    NOT_AUTHED: 2,
+    ERROR: 3,
+  };
+
+  Auth.CREDS_EXPIRED_MSG = 'Credentails expired.';
+
+  // TODO(taoalpha): this whole thing should be moved to a service
+  window.Auth = Auth;
+  Gerrit.Auth = new Auth();
 })(window);
diff --git a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-auth_test.html b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-auth_test.html
index 6c5c150320..20e8260d3b 100644
--- a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-auth_test.html
+++ b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-auth_test.html
@@ -35,7 +35,6 @@ limitations under the License.
 
     setup(() => {
       sandbox = sinon.sandbox.create();
-      sandbox.stub(window, 'fetch').returns(Promise.resolve({ok: true}));
       auth = Gerrit.Auth;
     });
 
@@ -43,29 +42,222 @@ limitations under the License.
       sandbox.restore();
     });
 
-    suite('default (xsrf token header)', () => {
-      test('GET', () => {
-        return auth.fetch('/url', {bar: 'bar'}).then(() => {
-          const [url, options] = fetch.lastCall.args;
-          assert.equal(url, '/url');
-          assert.equal(options.credentials, 'same-origin');
+    suite('Auth class methods', () => {
+      let fakeFetch;
+      setup(() => {
+        auth = new Auth();
+        fakeFetch = sandbox.stub(window, 'fetch');
+      });
+
+      test('auth-check returns 403', done => {
+        fakeFetch.returns(Promise.resolve({status: 403}));
+        auth.authCheck().then(authed => {
+          assert.isFalse(authed);
+          assert.equal(auth.status, Auth.STATUS.NOT_AUTHED);
+          done();
         });
       });
 
-      test('POST', () => {
+      test('auth-check returns 204', done => {
+        fakeFetch.returns(Promise.resolve({status: 204}));
+        auth.authCheck().then(authed => {
+          assert.isTrue(authed);
+          assert.equal(auth.status, Auth.STATUS.AUTHED);
+          done();
+        });
+      });
+
+      test('auth-check returns 502', done => {
+        fakeFetch.returns(Promise.resolve({status: 502}));
+        auth.authCheck().then(authed => {
+          assert.isFalse(authed);
+          assert.equal(auth.status, Auth.STATUS.NOT_AUTHED);
+          done();
+        });
+      });
+
+      test('auth-check failed', done => {
+        fakeFetch.returns(Promise.reject(new Error('random error')));
+        auth.authCheck().then(authed => {
+          assert.isFalse(authed);
+          assert.equal(auth.status, Auth.STATUS.ERROR);
+          done();
+        });
+      });
+    });
+
+    suite('cache and events behaivor', () => {
+      let fakeFetch;
+      let clock;
+      setup(() => {
+        auth = new Auth();
+        clock = sinon.useFakeTimers();
+        fakeFetch = sandbox.stub(window, 'fetch');
+      });
+
+      test('cache auth-check result', done => {
+        fakeFetch.returns(Promise.resolve({status: 403}));
+        auth.authCheck().then(authed => {
+          assert.isFalse(authed);
+          assert.equal(auth.status, Auth.STATUS.NOT_AUTHED);
+          fakeFetch.returns(Promise.resolve({status: 204}));
+          auth.authCheck().then(authed2 => {
+            assert.isFalse(authed);
+            assert.equal(auth.status, Auth.STATUS.NOT_AUTHED);
+            done();
+          });
+        });
+      });
+
+      test('clearCache should refetch auth-check result', done => {
+        fakeFetch.returns(Promise.resolve({status: 403}));
+        auth.authCheck().then(authed => {
+          assert.isFalse(authed);
+          assert.equal(auth.status, Auth.STATUS.NOT_AUTHED);
+          fakeFetch.returns(Promise.resolve({status: 204}));
+          auth.clearCache();
+          auth.authCheck().then(authed2 => {
+            assert.isTrue(authed2);
+            assert.equal(auth.status, Auth.STATUS.AUTHED);
+            done();
+          });
+        });
+      });
+
+      test('cache expired on auth-check after certain time', done => {
+        fakeFetch.returns(Promise.resolve({status: 403}));
+        auth.authCheck().then(authed => {
+          assert.isFalse(authed);
+          assert.equal(auth.status, Auth.STATUS.NOT_AUTHED);
+          clock.tick(1000 * 10000);
+          fakeFetch.returns(Promise.resolve({status: 204}));
+          auth.authCheck().then(authed2 => {
+            assert.isTrue(authed2);
+            assert.equal(auth.status, Auth.STATUS.AUTHED);
+            done();
+          });
+        });
+      });
+
+      test('no cache if auth-check failed', done => {
+        fakeFetch.returns(Promise.reject(new Error('random error')));
+        auth.authCheck().then(authed => {
+          assert.isFalse(authed);
+          assert.equal(auth.status, Auth.STATUS.ERROR);
+          assert.equal(fakeFetch.callCount, 1);
+          auth.authCheck().then(() => {
+            assert.equal(fakeFetch.callCount, 2);
+            done();
+          });
+        });
+      });
+
+      test('fire event when switch from authed to unauthed', done => {
+        fakeFetch.returns(Promise.resolve({status: 204}));
+        auth.authCheck().then(authed => {
+          assert.isTrue(authed);
+          assert.equal(auth.status, Auth.STATUS.AUTHED);
+          clock.tick(1000 * 10000);
+          fakeFetch.returns(Promise.resolve({status: 403}));
+          const emitStub = sinon.stub();
+          Gerrit.emit = emitStub;
+          auth.authCheck().then(authed2 => {
+            assert.isFalse(authed2);
+            assert.equal(auth.status, Auth.STATUS.NOT_AUTHED);
+            assert.isTrue(emitStub.called);
+            done();
+          });
+        });
+      });
+
+      test('fire event when switch from authed to error', done => {
+        fakeFetch.returns(Promise.resolve({status: 204}));
+        auth.authCheck().then(authed => {
+          assert.isTrue(authed);
+          assert.equal(auth.status, Auth.STATUS.AUTHED);
+          clock.tick(1000 * 10000);
+          fakeFetch.returns(Promise.reject(new Error('random error')));
+          const emitStub = sinon.stub();
+          Gerrit.emit = emitStub;
+          auth.authCheck().then(authed2 => {
+            assert.isFalse(authed2);
+            assert.isTrue(emitStub.called);
+            assert.equal(auth.status, Auth.STATUS.ERROR);
+            done();
+          });
+        });
+      });
+
+      test('no event from non-authed to other status', done => {
+        fakeFetch.returns(Promise.resolve({status: 403}));
+        auth.authCheck().then(authed => {
+          assert.isFalse(authed);
+          assert.equal(auth.status, Auth.STATUS.NOT_AUTHED);
+          clock.tick(1000 * 10000);
+          fakeFetch.returns(Promise.resolve({status: 204}));
+          const emitStub = sinon.stub();
+          Gerrit.emit = emitStub;
+          auth.authCheck().then(authed2 => {
+            assert.isTrue(authed2);
+            assert.isFalse(emitStub.called);
+            assert.equal(auth.status, Auth.STATUS.AUTHED);
+            done();
+          });
+        });
+      });
+
+      test('no event from non-authed to other status', done => {
+        fakeFetch.returns(Promise.resolve({status: 403}));
+        auth.authCheck().then(authed => {
+          assert.isFalse(authed);
+          assert.equal(auth.status, Auth.STATUS.NOT_AUTHED);
+          clock.tick(1000 * 10000);
+          fakeFetch.returns(Promise.reject(new Error('random error')));
+          const emitStub = sinon.stub();
+          Gerrit.emit = emitStub;
+          auth.authCheck().then(authed2 => {
+            assert.isFalse(authed2);
+            assert.isFalse(emitStub.called);
+            assert.equal(auth.status, Auth.STATUS.ERROR);
+            done();
+          });
+        });
+      });
+    });
+
+    suite('default (xsrf token header)', () => {
+      setup(() => {
+        sandbox.stub(window, 'fetch').returns(Promise.resolve({ok: true}));
+      });
+
+      test('GET', done => {
+        auth.fetch('/url', {bar: 'bar'}).then(() => {
+          const [url, options] = fetch.lastCall.args;
+          assert.equal(url, '/url');
+          assert.equal(options.credentials, 'same-origin');
+          done();
+        });
+      });
+
+      test('POST', done => {
         sandbox.stub(auth, '_getCookie')
             .withArgs('XSRF_TOKEN')
             .returns('foobar');
-        return auth.fetch('/url', {method: 'POST'}).then(() => {
+        auth.fetch('/url', {method: 'POST'}).then(() => {
           const [url, options] = fetch.lastCall.args;
           assert.equal(url, '/url');
           assert.equal(options.credentials, 'same-origin');
           assert.equal(options.headers.get('X-Gerrit-Auth'), 'foobar');
+          done();
         });
       });
     });
 
     suite('cors (access token)', () => {
+      setup(() => {
+        sandbox.stub(window, 'fetch').returns(Promise.resolve({ok: true}));
+      });
+
       let getToken;
 
       const makeToken = opt_accessToken => {
@@ -81,62 +273,68 @@ limitations under the License.
         auth.setup(getToken);
       });
 
-      test('base url support', () => {
+      test('base url support', done => {
         const baseUrl = 'http://foo';
         sandbox.stub(Gerrit.BaseUrlBehavior, 'getBaseUrl').returns(baseUrl);
-        return auth.fetch(baseUrl + '/url', {bar: 'bar'}).then(() => {
+        auth.fetch(baseUrl + '/url', {bar: 'bar'}).then(() => {
           const [url] = fetch.lastCall.args;
           assert.equal(url, 'http://foo/a/url?access_token=zbaz');
+          done();
         });
       });
 
-      test('fetch not signed in', () => {
+      test('fetch not signed in', done => {
         getToken.returns(Promise.resolve());
-        return auth.fetch('/url', {bar: 'bar'}).then(() => {
+        auth.fetch('/url', {bar: 'bar'}).then(() => {
           const [url, options] = fetch.lastCall.args;
           assert.equal(url, '/url');
           assert.equal(options.bar, 'bar');
           assert.equal(Object.keys(options.headers).length, 0);
+          done();
         });
       });
 
-      test('fetch signed in', () => {
-        return auth.fetch('/url', {bar: 'bar'}).then(() => {
+      test('fetch signed in', done => {
+        auth.fetch('/url', {bar: 'bar'}).then(() => {
           const [url, options] = fetch.lastCall.args;
           assert.equal(url, '/a/url?access_token=zbaz');
           assert.equal(options.bar, 'bar');
+          done();
         });
       });
 
-      test('getToken calls are cached', () => {
-        return Promise.all([
+      test('getToken calls are cached', done => {
+        Promise.all([
           auth.fetch('/url-one'), auth.fetch('/url-two')]).then(() => {
           assert.equal(getToken.callCount, 1);
+          done();
         });
       });
 
-      test('getToken refreshes token', () => {
+      test('getToken refreshes token', done => {
         sandbox.stub(auth, '_isTokenValid');
         auth._isTokenValid
             .onFirstCall().returns(true)
             .onSecondCall().returns(false)
             .onThirdCall().returns(true);
-        return auth.fetch('/url-one').then(() => {
+        auth.fetch('/url-one').then(() => {
           getToken.returns(Promise.resolve(makeToken('bzzbb')));
           return auth.fetch('/url-two');
         }).then(() => {
           const [[firstUrl], [secondUrl]] = fetch.args;
           assert.equal(firstUrl, '/a/url-one?access_token=zbaz');
           assert.equal(secondUrl, '/a/url-two?access_token=bzzbb');
+          done();
         });
       });
 
-      test('signed in token error falls back to anonymous', () => {
+      test('signed in token error falls back to anonymous', done => {
         getToken.returns(Promise.resolve('rubbish'));
-        return auth.fetch('/url', {bar: 'bar'}).then(() => {
+        auth.fetch('/url', {bar: 'bar'}).then(() => {
           const [url, options] = fetch.lastCall.args;
           assert.equal(url, '/url');
           assert.equal(options.bar, 'bar');
+          done();
         });
       });
 
@@ -154,12 +352,12 @@ limitations under the License.
         }));
       });
 
-      test('HTTP PUT with content type', () => {
+      test('HTTP PUT with content type', done => {
         const originalOptions = {
           method: 'PUT',
           headers: new Headers({'Content-Type': 'mail/pigeon'}),
         };
-        return auth.fetch('/url', originalOptions).then(() => {
+        auth.fetch('/url', originalOptions).then(() => {
           assert.isTrue(getToken.called);
           const [url, options] = fetch.lastCall.args;
           assert.include(url, '$ct=mail%2Fpigeon');
@@ -167,14 +365,15 @@ limitations under the License.
           assert.include(url, 'access_token=zbaz');
           assert.equal(options.method, 'POST');
           assert.equal(options.headers.get('Content-Type'), 'text/plain');
+          done();
         });
       });
 
-      test('HTTP PUT without content type', () => {
+      test('HTTP PUT without content type', done => {
         const originalOptions = {
           method: 'PUT',
         };
-        return auth.fetch('/url', originalOptions).then(() => {
+        auth.fetch('/url', originalOptions).then(() => {
           assert.isTrue(getToken.called);
           const [url, options] = fetch.lastCall.args;
           assert.include(url, '$ct=text%2Fplain');
@@ -182,6 +381,7 @@ limitations under the License.
           assert.include(url, 'access_token=zbaz');
           assert.equal(options.method, 'POST');
           assert.equal(options.headers.get('Content-Type'), 'text/plain');
+          done();
         });
       });
     });
diff --git a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface.js b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface.js
index fdb108f83f..5f5f700ae8 100644
--- a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface.js
+++ b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface.js
@@ -66,12 +66,6 @@
      * @event network-error
      */
 
-    /**
-     * Fired when credentials were rejected by server (e.g. expired).
-     *
-     * @event auth-error
-     */
-
     /**
      * Fired after an RPC completes.
      *
@@ -89,10 +83,6 @@
           type: Object,
           value: new SiteBasedCache(), // Shared across instances.
         },
-        _credentialCheck: {
-          type: Object,
-          value: {checking: false}, // Shared across instances.
-        },
         _sharedFetchPromises: {
           type: Object,
           value: new FetchPromisesCache(), // Shared across instances.
@@ -112,40 +102,12 @@
           type: Object,
           value: {}, // Intentional to share the object across instances.
         },
-        _auth: {
-          type: Object,
-          value: Gerrit.Auth, // Share across instances.
-        },
       };
     }
 
     created() {
       super.created();
-      /* Polymer 1 and Polymer 2 have slightly different lifecycle.
-      * Differences are not very well documented (see
-      * https://github.com/Polymer/old-docs-site/issues/2322).
-      * In Polymer 1, created() is called when properties values is not set
-      * and ready() is always called later, even if element is not added
-      * to a DOM. I.e. in Polymer 1 _cache and other properties are undefined,
-      * while in Polymer 2 they are set to default values.
-      * In Polymer 2, created() is called after properties values set and
-      * ready() is called only after element is attached to a DOM.
-      * There are several places in the code, where element is created with
-      * document.createElement('gr-rest-api-interface') and is not added
-      * to a DOM.
-      * In such cases, Polymer 1 calls both created() and ready() methods,
-      * but Polymer 2 calls only created() method.
-      * To workaround these differences, we should try to create _restApiHelper
-      * in both methods.
-      */
-      //
-
-      this._initRestApiHelper();
-    }
-
-    ready() {
-      super.ready();
-      // See comments in created()
+      this._auth = Gerrit.Auth;
       this._initRestApiHelper();
     }
 
@@ -153,10 +115,9 @@
       if (this._restApiHelper) {
         return;
       }
-      if (this._cache && this._auth && this._sharedFetchPromises &&
-          this._credentialCheck) {
+      if (this._cache && this._auth && this._sharedFetchPromises) {
         this._restApiHelper = new GrRestApiHelper(this._cache, this._auth,
-            this._sharedFetchPromises, this._credentialCheck, this);
+            this._sharedFetchPromises, this);
       }
     }
 
@@ -850,11 +811,7 @@
     }
 
     getLoggedIn() {
-      return this.getAccount().then(account => {
-        return account != null;
-      }).catch(() => {
-        return false;
-      });
+      return this._auth.authCheck();
     }
 
     getIsAdmin() {
@@ -869,10 +826,6 @@
       });
     }
 
-    checkCredentials() {
-      return this._restApiHelper.checkCredentials();
-    }
-
     getDefaultPreferences() {
       return this._fetchSharedCacheURL({
         url: '/config/server/preferences',
@@ -1347,6 +1300,10 @@
       this._restApiHelper.invalidateFetchPromisesPrefix('/projects/?');
     }
 
+    invalidateAccountsCache() {
+      this._restApiHelper.invalidateFetchPromisesPrefix('/accounts/');
+    }
+
     /**
      * @param {string} filter
      * @param {number} groupsPerPage
@@ -2805,4 +2762,4 @@
   }
 
   customElements.define(GrRestApiInterface.is, GrRestApiInterface);
-})();
+})();
\ No newline at end of file
diff --git a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface_test.html b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface_test.html
index a598d0d543..586e304e1c 100644
--- a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface_test.html
+++ b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface_test.html
@@ -48,8 +48,6 @@ limitations under the License.
       window.CANONICAL_PATH = `test${ctr}`;
 
       sandbox = sinon.sandbox.create();
-      element = fixture('basic');
-      element._projectLookup = {};
       const testJSON = ')]}\'\n{"hello": "bonjour"}';
       sandbox.stub(window, 'fetch').returns(Promise.resolve({
         ok: true,
@@ -57,6 +55,10 @@ limitations under the License.
           return Promise.resolve(testJSON);
         },
       }));
+      // fake auth
+      sandbox.stub(Gerrit.Auth, 'authCheck').returns(Promise.resolve(true));
+      element = fixture('basic');
+      element._projectLookup = {};
     });
 
     teardown(() => {
@@ -365,117 +367,6 @@ limitations under the License.
       });
     });
 
-    test('auth failure', done => {
-      const fakeAuthResponse = {
-        ok: false,
-        status: 403,
-      };
-      window.fetch.onFirstCall().returns(
-          Promise.reject(new Error('Failed to fetch')));
-      window.fetch.onSecondCall().returns(Promise.resolve(fakeAuthResponse));
-      // Emulate logged in.
-      element._restApiHelper._cache.set('/accounts/self/detail', {});
-      const serverErrorStub = sandbox.stub();
-      element.addEventListener('server-error', serverErrorStub);
-      const authErrorStub = sandbox.stub();
-      element.addEventListener('auth-error', authErrorStub);
-      element._restApiHelper.fetchJSON({url: '/bar'}).finally(r => {
-        flush(() => {
-          assert.isTrue(authErrorStub.called);
-          assert.isFalse(serverErrorStub.called);
-          assert.isFalse(element._cache.has('/accounts/self/detail'));
-          done();
-        });
-      });
-    });
-
-    test('auth failure - test all failed to fetch', done => {
-      window.fetch.returns(
-          Promise.reject(new Error('Failed to fetch')));
-      // Emulate logged in.
-      element._cache.set('/accounts/self/detail', {});
-      const serverErrorStub = sandbox.stub();
-      element.addEventListener('server-error', serverErrorStub);
-      const authErrorStub = sandbox.stub();
-      element.addEventListener('auth-error', authErrorStub);
-      element._restApiHelper.fetchJSON({url: '/bar'}).finally(r => {
-        flush(() => {
-          assert.isTrue(authErrorStub.called);
-          assert.isFalse(serverErrorStub.called);
-          assert.isFalse(element._cache.has('/accounts/self/detail'));
-          done();
-        });
-      });
-    });
-
-    test('getLoggedIn returns false when network/auth failure', done => {
-      window.fetch.returns(
-          Promise.reject(new Error('Failed to fetch')));
-      element.getLoggedIn().then(isLoggedIn => {
-        assert.isFalse(isLoggedIn);
-        done();
-      });
-    });
-
-    test('checkCredentials', done => {
-      const responses = [
-        {
-          ok: false,
-          status: 403,
-          text() { return Promise.resolve(); },
-        },
-        {
-          ok: true,
-          status: 200,
-          text() { return Promise.resolve(')]}\'{}'); },
-        },
-      ];
-      window.fetch.restore();
-      sandbox.stub(window, 'fetch', url => {
-        if (url === window.CANONICAL_PATH + '/accounts/self/detail') {
-          return Promise.resolve(responses.shift());
-        }
-      });
-
-      element.getLoggedIn().then(account => {
-        assert.isNotOk(account);
-        element.checkCredentials().then(account => {
-          assert.isOk(account);
-          done();
-        });
-      });
-    });
-
-    test('checkCredentials promise rejection', () => {
-      window.fetch.restore();
-      element._cache.set('/accounts/self/detail', true);
-      const checkCredentialsSpy =
-          sandbox.spy(element._restApiHelper, 'checkCredentials');
-      sandbox.stub(window, 'fetch', url => {
-        return Promise.reject(new Error('Failed to fetch'));
-      });
-      return element.getConfig(true)
-          .catch(err => undefined)
-          .then(() => {
-            // When the top-level fetch call throws an error, it invokes
-            // checkCredentials, which in turn makes another fetch call.
-            // The second fetch call also fails, which leads to a second
-            // invocation of checkCredentials, which should immediately
-            // return instead of making further fetch calls.
-            assert.isTrue(checkCredentialsSpy .calledTwice);
-            assert.isTrue(window.fetch.calledTwice);
-          });
-    });
-
-    test('checkCredentials accepts only json', () => {
-      const authFetchStub = sandbox.stub(element._auth, 'fetch')
-          .returns(Promise.resolve());
-      element.checkCredentials();
-      assert.isTrue(authFetchStub.called);
-      assert.equal(authFetchStub.lastCall.args[1].headers.get('Accept'),
-          'application/json');
-    });
-
     test('legacy n,z key in change url is replaced', () => {
       const stub = sandbox.stub(element._restApiHelper, 'fetchJSON')
           .returns(Promise.resolve([]));
@@ -922,6 +813,18 @@ limitations under the License.
       assert.isFalse(element._cache.has(url));
     });
 
+    test('invalidateAccountsCache', () => {
+      const url = '/accounts/self/detail';
+
+      element._cache.set(url, {});
+
+      element.invalidateAccountsCache();
+
+      assert.isUndefined(element._sharedFetchPromises[url]);
+
+      assert.isFalse(element._cache.has(url));
+    });
+
     suite('getRepos', () => {
       const defaultQuery = 'state%3Aactive%20OR%20state%3Aread-only';
       let fetchCacheURLStub;
diff --git a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-apis/gr-rest-api-helper.js b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-apis/gr-rest-api-helper.js
index 3908a001bb..47989fdcf4 100644
--- a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-apis/gr-rest-api-helper.js
+++ b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-apis/gr-rest-api-helper.js
@@ -18,7 +18,6 @@
   'use strict';
 
   const JSON_PREFIX = ')]}\'';
-  const FAILED_TO_FETCH_ERROR = 'Failed to fetch';
 
   /**
    * Wrapper around Map for caching server responses. Site-based so that
@@ -107,15 +106,13 @@
      * @param {SiteBasedCache} cache
      * @param {object} auth
      * @param {FetchPromisesCache} fetchPromisesCache
-     * @param {object} credentialCheck
      * @param {object} restApiInterface
      */
-    constructor(cache, auth, fetchPromisesCache, credentialCheck,
+    constructor(cache, auth, fetchPromisesCache,
         restApiInterface) {
       this._cache = cache;// TODO: make it public
       this._auth = auth;
       this._fetchPromisesCache = fetchPromisesCache;
-      this._credentialCheck = credentialCheck;
       this._restApiInterface = restApiInterface;
     }
 
@@ -190,15 +187,10 @@
         }
         return res;
       }).catch(err => {
-        const isLoggedIn = !!this._cache.get('/accounts/self/detail');
-        if (isLoggedIn && err && err.message === FAILED_TO_FETCH_ERROR) {
-          this.checkCredentials();
+        if (req.errFn) {
+          req.errFn.call(undefined, null, err);
         } else {
-          if (req.errFn) {
-            req.errFn.call(undefined, null, err);
-          } else {
-            this.fire('network-error', {error: err});
-          }
+          this.fire('network-error', {error: err});
         }
         throw err;
       });
@@ -384,37 +376,6 @@
       return xhr;
     }
 
-    checkCredentials() {
-      if (this._credentialCheck.checking) {
-        return;
-      }
-      this._credentialCheck.checking = true;
-      let req = {url: '/accounts/self/detail', reportUrlAsIs: true};
-      req = this.addAcceptJsonHeader(req);
-      // Skip the REST response cache.
-      return this.fetchRawJSON(req).then(res => {
-        if (!res) { return; }
-        if (res.status === 403) {
-          this.fire('auth-error');
-          this._cache.delete('/accounts/self/detail');
-        } else if (res.ok) {
-          return this.getResponseObject(res);
-        }
-      }).then(res => {
-        this._credentialCheck.checking = false;
-        if (res) {
-          this._cache.set('/accounts/self/detail', res);
-        }
-        return res;
-      }).catch(err => {
-        this._credentialCheck.checking = false;
-        if (err && err.message === FAILED_TO_FETCH_ERROR) {
-          this.fire('auth-error');
-          this._cache.delete('/accounts/self/detail');
-        }
-      });
-    }
-
     /**
      * @param {string} prefix
      */
@@ -428,4 +389,3 @@
   window.FetchPromisesCache = FetchPromisesCache;
   window.GrRestApiHelper = GrRestApiHelper;
 })(window);
-
diff --git a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-apis/gr-rest-api-helper_test.html b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-apis/gr-rest-api-helper_test.html
index 446cfc8cbd..f4ff4df7e9 100644
--- a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-apis/gr-rest-api-helper_test.html
+++ b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-apis/gr-rest-api-helper_test.html
@@ -41,7 +41,6 @@ limitations under the License.
       sandbox = sinon.sandbox.create();
       cache = new SiteBasedCache();
       fetchPromisesCache = new FetchPromisesCache();
-      const credentialCheck = {checking: false};
 
       window.CANONICAL_PATH = 'testhelper';
 
@@ -59,7 +58,7 @@ limitations under the License.
       }));
 
       helper = new GrRestApiHelper(cache, Gerrit.Auth, fetchPromisesCache,
-          credentialCheck, mockRestApiInterface);
+          mockRestApiInterface);
     });
 
     teardown(() => {