@acontplus/ng-auth 1.1.2 → 1.1.4

package/fesm2022/acontplus-ng-auth.mjs

@@ -1,15 +1,15 @@
-import { UserRepository, BaseUseCase, LoggingService, TOKEN_PROVIDER } from '@acontplus/ng-infrastructure';
+import { BaseUseCase, TOKEN_PROVIDER, LoggingService } from '@acontplus/ng-infrastructure';
 export { TOKEN_PROVIDER } from '@acontplus/ng-infrastructure';
 import * as i0 from '@angular/core';
 import { inject, PLATFORM_ID, Injectable, NgZone, signal, input, computed, ViewEncapsulation, ChangeDetectionStrategy, Component } from '@angular/core';
 import { Router } from '@angular/router';
+import { of, tap, catchError, throwError, firstValueFrom, map, from } from 'rxjs';
 import * as i1 from '@angular/common';
 import { isPlatformBrowser, DOCUMENT, CommonModule } from '@angular/common';
 import { jwtDecode } from 'jwt-decode';
 import { ENVIRONMENT, AUTH_API } from '@acontplus/ng-config';
-import { catchError, switchMap } from 'rxjs/operators';
-import { throwError, firstValueFrom, map, from, of, tap, catchError as catchError$1 } from 'rxjs';
-import { HttpClient } from '@angular/common/http';
+import { HttpClient, HttpContextToken } from '@angular/common/http';
+import { catchError as catchError$1, switchMap } from 'rxjs/operators';
 import * as i2 from '@angular/forms';
 import { FormBuilder, Validators, ReactiveFormsModule } from '@angular/forms';
 import { MatCard, MatCardHeader, MatCardTitle, MatCardContent, MatCardFooter } from '@angular/material/card';
@@ -19,6 +19,9 @@ import { MatIcon } from '@angular/material/icon';
 import { MatButton, MatAnchor } from '@angular/material/button';
 import { MatCheckbox } from '@angular/material/checkbox';
 
+class AuthRepository {
+}
+
 class TokenRepository {
     environment = inject(ENVIRONMENT);
     platformId = inject(PLATFORM_ID);
@@ -127,286 +130,81 @@ class TokenRepository {
         const refreshTokenInLocalStorage = localStorage.getItem(this.environment.refreshTokenKey);
         return !!(tokenInLocalStorage || refreshTokenInLocalStorage);
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: TokenRepository, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: TokenRepository, providedIn: 'root' });
-}
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: TokenRepository, decorators: [{
-            type: Injectable,
-            args: [{
-                    providedIn: 'root',
-                }]
-        }] });
-
-/**
- * Service to manage URL redirection after authentication
- * Stores the intended URL when session is lost and redirects to it after successful login
- * SSR-compatible by checking platform before accessing sessionStorage
- */
-class UrlRedirectService {
-    REDIRECT_URL_KEY = 'acp_redirect_url';
-    EXCLUDED_ROUTES = [
-        '/login',
-        '/auth',
-        '/register',
-        '/forgot-password',
-        '/reset-password',
-    ];
-    router = inject(Router);
-    platformId = inject(PLATFORM_ID);
-    document = inject(DOCUMENT);
-    /**
-     * Stores the current URL for later redirection
-     * @param url - The URL to store (defaults to current URL)
-     */
-    storeIntendedUrl(url) {
-        // Only store in browser environment
-        if (!this.isBrowser()) {
-            return;
-        }
-        const urlToStore = url || this.router.url;
-        // Don't store authentication-related routes
-        if (this.isExcludedRoute(urlToStore)) {
-            return;
-        }
-        // Don't store URLs with query parameters that might contain sensitive data
-        const urlWithoutParams = urlToStore.split('?')[0];
-        this.getSessionStorage()?.setItem(this.REDIRECT_URL_KEY, urlWithoutParams);
-    }
-    /**
-     * Gets the stored intended URL
-     * @returns The stored URL or null if none exists
-     */
-    getIntendedUrl() {
-        if (!this.isBrowser()) {
-            return null;
-        }
-        return this.getSessionStorage()?.getItem(this.REDIRECT_URL_KEY) || null;
-    }
-    /**
-     * Redirects to the stored URL and clears it from storage
-     * @param defaultRoute - The default route to navigate to if no URL is stored
-     */
-    redirectToIntendedUrl(defaultRoute = '/') {
-        const intendedUrl = this.getIntendedUrl();
-        if (intendedUrl && !this.isExcludedRoute(intendedUrl)) {
-            this.clearIntendedUrl();
-            this.router.navigateByUrl(intendedUrl);
-        }
-        else {
-            this.router.navigate([defaultRoute]);
-        }
-    }
-    /**
-     * Clears the stored intended URL
-     */
-    clearIntendedUrl() {
-        if (!this.isBrowser()) {
-            return;
-        }
-        this.getSessionStorage()?.removeItem(this.REDIRECT_URL_KEY);
-    }
-    /**
-     * Checks if a URL should be excluded from redirection
-     * @param url - The URL to check
-     * @returns True if the URL should be excluded
-     */
-    isExcludedRoute(url) {
-        return this.EXCLUDED_ROUTES.some(route => url.includes(route));
-    }
-    /**
-     * Stores the current URL if it's not an excluded route
-     * Useful for guards and interceptors
-     */
-    storeCurrentUrlIfAllowed() {
-        const currentUrl = this.router.url;
-        if (!this.isExcludedRoute(currentUrl)) {
-            this.storeIntendedUrl(currentUrl);
-        }
-    }
-    /**
-     * Checks if we're running in a browser environment
-     * @returns True if running in browser, false if SSR
-     */
-    isBrowser() {
-        return isPlatformBrowser(this.platformId);
-    }
-    /**
-     * Safely gets sessionStorage reference
-     * @returns sessionStorage object or null if not available
-     */
-    getSessionStorage() {
-        if (!this.isBrowser()) {
+    getUserData() {
+        const token = this.getToken();
+        if (!token) {
             return null;
         }
         try {
-            return this.document.defaultView?.sessionStorage || null;
+            const decodedToken = jwtDecode(token);
+            const email = decodedToken['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'] ??
+                decodedToken['email'] ??
+                decodedToken['sub'] ??
+                decodedToken['user_id'];
+            const displayName = decodedToken['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'] ??
+                decodedToken['displayName'] ??
+                decodedToken['display_name'] ??
+                decodedToken['name'] ??
+                decodedToken['given_name'];
+            const name = decodedToken['name'] ?? displayName;
+            if (!email) {
+                return null;
+            }
+            const userData = {
+                email: email.toString(),
+                displayName: displayName?.toString() ?? 'Unknown User',
+                name: name?.toString(),
+                roles: this.extractArrayField(decodedToken, ['roles', 'role']),
+                permissions: this.extractArrayField(decodedToken, ['permissions', 'perms']),
+                tenantId: decodedToken['tenantId']?.toString() ??
+                    decodedToken['tenant_id']?.toString() ??
+                    decodedToken['tenant']?.toString(),
+                companyId: decodedToken['companyId']?.toString() ??
+                    decodedToken['company_id']?.toString() ??
+                    decodedToken['organizationId']?.toString() ??
+                    decodedToken['org_id']?.toString(),
+                locale: decodedToken['locale']?.toString(),
+                timezone: decodedToken['timezone']?.toString() ?? decodedToken['tz']?.toString(),
+            };
+            return userData;
         }
         catch {
-            // Handle cases where sessionStorage might be disabled
             return null;
         }
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: UrlRedirectService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: UrlRedirectService, providedIn: 'root' });
-}
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: UrlRedirectService, decorators: [{
-            type: Injectable,
-            args: [{
-                    providedIn: 'root',
-                }]
-        }] });
-
-const authGuard = (_route, state) => {
-    const tokenRepository = inject(TokenRepository);
-    const router = inject(Router);
-    const urlRedirectService = inject(UrlRedirectService);
-    const environment = inject(ENVIRONMENT);
-    if (tokenRepository.isAuthenticated()) {
-        return true;
-    }
-    // Store the current URL for redirection after login
-    urlRedirectService.storeIntendedUrl(state.url);
-    // Redirect to login page (configurable via environment)
-    router.navigate([environment.loginRoute]);
-    return false;
-};
-
-/**
- * Interceptor that handles authentication errors and manages URL redirection
- * Captures the current URL when a 401 error occurs and redirects to login
- */
-const authRedirectInterceptor = (req, next) => {
-    const router = inject(Router);
-    const urlRedirectService = inject(UrlRedirectService);
-    const tokenRepository = inject(TokenRepository);
-    const environment = inject(ENVIRONMENT);
-    return next(req).pipe(catchError((error) => {
-        // Handle 401 Unauthorized errors
-        if (error.status === 401) {
-            // Only store and redirect if user was previously authenticated
-            // This prevents redirect loops and handles session expiry scenarios
-            if (tokenRepository.isAuthenticated()) {
-                // Store the current URL for redirection after re-authentication
-                urlRedirectService.storeCurrentUrlIfAllowed();
-                // Navigate to login page
-                router.navigate([environment.loginRoute]);
-            }
-        }
-        // Re-throw the error so other error handlers can process it
-        return throwError(() => error);
-    }));
-};
-
-// src/lib/domain/models/auth.ts
-
-// src/lib/domain/models/index.ts
-
-class AuthRepository {
-}
-
-// src/lib/domain/repositories/index.ts
-
-// src/lib/domain/index.ts
-
-// src/lib/services/csrf.service.ts
-class CsrfService {
-    http = inject(HttpClient);
-    csrfToken = null;
     /**
-     * Get CSRF token, fetching it if not available
+     * Extract array field from decoded token, trying multiple possible field names
      */
-    async getCsrfToken() {
-        if (this.csrfToken) {
-            return this.csrfToken;
-        }
-        try {
-            this.csrfToken = await firstValueFrom(this.http
-                .get('/csrf-token')
-                .pipe(map(response => response.csrfToken)));
-            return this.csrfToken || '';
-        }
-        catch {
-            // If CSRF endpoint fails, return empty token
-            // Server should handle missing CSRF tokens appropriately
-            return '';
+    extractArrayField(decodedToken, fieldNames) {
+        for (const fieldName of fieldNames) {
+            const value = decodedToken[fieldName];
+            if (Array.isArray(value)) {
+                return value.map(v => v.toString());
+            }
+            if (typeof value === 'string') {
+                // Handle comma-separated string values
+                return value
+                    .split(',')
+                    .map(v => v.trim())
+                    .filter(v => v.length > 0);
+            }
         }
+        return undefined;
     }
-    /**
-     * Clear stored CSRF token (useful on logout)
-     */
-    clearCsrfToken() {
-        this.csrfToken = null;
-    }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: CsrfService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: CsrfService, providedIn: 'root' });
-}
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: CsrfService, decorators: [{
-            type: Injectable,
-            args: [{
-                    providedIn: 'root',
-                }]
-        }] });
-
-// src/lib/data/repositories/auth-http.repository.ts
-function getDeviceInfo() {
-    return `${navigator.platform ?? 'Unknown'} - ${navigator.userAgent}`;
-}
-class AuthHttpRepository extends AuthRepository {
-    http = inject(HttpClient);
-    csrfService = inject(CsrfService);
-    URL = `${AUTH_API.ACCOUNT}`;
-    login(request) {
-        return from(this.csrfService.getCsrfToken()).pipe(switchMap(csrfToken => this.http.post(`${this.URL}login`, request, {
-            headers: {
-                'Device-Info': getDeviceInfo(),
-                'X-CSRF-Token': csrfToken,
-            },
-            withCredentials: true,
-        })));
-    }
-    register(request) {
-        return from(this.csrfService.getCsrfToken()).pipe(switchMap(csrfToken => this.http.post(`${this.URL}register`, request, {
-            headers: {
-                'Device-Info': getDeviceInfo(),
-                'X-CSRF-Token': csrfToken,
-            },
-            withCredentials: true,
-        })));
-    }
-    refreshToken(request) {
-        return from(this.csrfService.getCsrfToken()).pipe(switchMap(csrfToken => this.http.post(`${this.URL}refresh`, request, {
-            headers: {
-                'Device-Info': getDeviceInfo(),
-                'X-CSRF-Token': csrfToken,
-            },
-            withCredentials: true,
-        })));
-    }
-    logout(email, refreshToken) {
-        return from(this.csrfService.getCsrfToken()).pipe(switchMap(csrfToken => this.http.post(`${this.URL}logout`, { email, refreshToken: refreshToken || undefined }, {
-            headers: { 'X-CSRF-Token': csrfToken },
-            withCredentials: true, // Ensure cookies are sent
-        })));
-    }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: AuthHttpRepository, deps: null, target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: AuthHttpRepository, providedIn: 'root' });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: TokenRepository, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: TokenRepository, providedIn: 'root' });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: AuthHttpRepository, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: TokenRepository, decorators: [{
             type: Injectable,
             args: [{
                     providedIn: 'root',
                 }]
         }] });
 
-// src/lib/data/repositories/index.ts
-
-// src/lib/data/index.ts
-
 // src/lib/presentation/stores/auth.store.ts
 class AuthStore {
     authRepository = inject(AuthRepository);
     tokenRepository = inject(TokenRepository);
-    userRepository = inject(UserRepository);
     router = inject(Router);
     ngZone = inject(NgZone);
     // Authentication state signals
@@ -432,7 +230,7 @@ class AuthStore {
             const isAuthenticated = this.tokenRepository.isAuthenticated();
             this._isAuthenticated.set(isAuthenticated);
             if (isAuthenticated) {
-                const userData = this.userRepository.getCurrentUser();
+                const userData = this.tokenRepository.getUserData();
                 this._user.set(userData);
                 this.scheduleTokenRefresh();
             }
@@ -494,7 +292,7 @@ class AuthStore {
         if (this.refreshInProgress$) {
             return this.refreshInProgress$;
         }
-        const userData = this.userRepository.getCurrentUser();
+        const userData = this.tokenRepository.getUserData();
         const refreshToken = this.tokenRepository.getRefreshToken();
         if (!userData?.email || !refreshToken) {
             this.logout();
@@ -507,7 +305,7 @@ class AuthStore {
         })
             .pipe(tap(tokens => {
             this.setAuthenticated(tokens);
-        }), catchError$1(() => {
+        }), catchError(() => {
             this.logout();
             return of(null);
         }), tap({
@@ -526,7 +324,7 @@ class AuthStore {
     setAuthenticated(tokens, rememberMe = false) {
         this.tokenRepository.saveTokens(tokens, rememberMe);
         this._isAuthenticated.set(true);
-        const userData = this.userRepository.getCurrentUser();
+        const userData = this.tokenRepository.getUserData();
         this._user.set(userData);
         this.scheduleTokenRefresh();
     }
@@ -610,13 +408,132 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImpor
                 }]
         }], ctorParameters: () => [] });
 
-// src/lib/application/use-cases/login.use-case.ts
-class LoginUseCase extends BaseUseCase {
-    authRepository = inject(AuthRepository);
-    authStore = inject(AuthStore);
-    router = inject(Router);
-    urlRedirectService = inject(UrlRedirectService);
-    execute(request) {
+/**
+ * Service to manage URL redirection after authentication
+ * Stores the intended URL when session is lost and redirects to it after successful login
+ * SSR-compatible by checking platform before accessing sessionStorage
+ */
+class UrlRedirectService {
+    REDIRECT_URL_KEY = 'acp_redirect_url';
+    EXCLUDED_ROUTES = [
+        '/login',
+        '/auth',
+        '/register',
+        '/forgot-password',
+        '/reset-password',
+    ];
+    router = inject(Router);
+    platformId = inject(PLATFORM_ID);
+    document = inject(DOCUMENT);
+    /**
+     * Stores the current URL for later redirection
+     * @param url - The URL to store (defaults to current URL)
+     */
+    storeIntendedUrl(url) {
+        // Only store in browser environment
+        if (!this.isBrowser()) {
+            return;
+        }
+        const urlToStore = url || this.router.url;
+        // Don't store authentication-related routes
+        if (this.isExcludedRoute(urlToStore)) {
+            return;
+        }
+        // Don't store URLs with query parameters that might contain sensitive data
+        const urlWithoutParams = urlToStore.split('?')[0];
+        this.getSessionStorage()?.setItem(this.REDIRECT_URL_KEY, urlWithoutParams);
+    }
+    /**
+     * Gets the stored intended URL
+     * @returns The stored URL or null if none exists
+     */
+    getIntendedUrl() {
+        if (!this.isBrowser()) {
+            return null;
+        }
+        return this.getSessionStorage()?.getItem(this.REDIRECT_URL_KEY) || null;
+    }
+    /**
+     * Redirects to the stored URL and clears it from storage
+     * @param defaultRoute - The default route to navigate to if no URL is stored
+     */
+    redirectToIntendedUrl(defaultRoute = '/') {
+        const intendedUrl = this.getIntendedUrl();
+        if (intendedUrl && !this.isExcludedRoute(intendedUrl)) {
+            this.clearIntendedUrl();
+            this.router.navigateByUrl(intendedUrl);
+        }
+        else {
+            this.router.navigate([defaultRoute]);
+        }
+    }
+    /**
+     * Clears the stored intended URL
+     */
+    clearIntendedUrl() {
+        if (!this.isBrowser()) {
+            return;
+        }
+        this.getSessionStorage()?.removeItem(this.REDIRECT_URL_KEY);
+    }
+    /**
+     * Checks if a URL should be excluded from redirection
+     * @param url - The URL to check
+     * @returns True if the URL should be excluded
+     */
+    isExcludedRoute(url) {
+        return this.EXCLUDED_ROUTES.some(route => url.includes(route));
+    }
+    /**
+     * Stores the current URL if it's not an excluded route
+     * Useful for guards and interceptors
+     */
+    storeCurrentUrlIfAllowed() {
+        const currentUrl = this.router.url;
+        if (!this.isExcludedRoute(currentUrl)) {
+            this.storeIntendedUrl(currentUrl);
+        }
+    }
+    /**
+     * Checks if we're running in a browser environment
+     * @returns True if running in browser, false if SSR
+     */
+    isBrowser() {
+        return isPlatformBrowser(this.platformId);
+    }
+    /**
+     * Safely gets sessionStorage reference
+     * @returns sessionStorage object or null if not available
+     */
+    getSessionStorage() {
+        if (!this.isBrowser()) {
+            return null;
+        }
+        try {
+            return this.document.defaultView?.sessionStorage || null;
+        }
+        catch {
+            // Handle cases where sessionStorage might be disabled
+            return null;
+        }
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: UrlRedirectService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: UrlRedirectService, providedIn: 'root' });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: UrlRedirectService, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root',
+                }]
+        }] });
+
+// src/lib/application/use-cases/login.use-case.ts
+class LoginUseCase extends BaseUseCase {
+    authRepository = inject(AuthRepository);
+    authStore = inject(AuthStore);
+    router = inject(Router);
+    urlRedirectService = inject(UrlRedirectService);
+    execute(request) {
         return this.authRepository.login(request).pipe(tap(tokens => {
             // Set authentication state with rememberMe preference
             this.authStore.setAuthenticated(tokens, request.rememberMe ?? false);
@@ -660,11 +577,10 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImpor
 // src/lib/application/use-cases/refresh-token.use-case.ts
 class RefreshTokenUseCase extends BaseUseCase {
     authRepository = inject(AuthRepository);
-    userRepository = inject(UserRepository);
     tokenRepository = inject(TokenRepository);
     authStore = inject(AuthStore);
     execute() {
-        const userData = this.userRepository.getCurrentUser();
+        const userData = this.tokenRepository.getUserData();
         const refreshToken = this.tokenRepository.getRefreshToken();
         if (!userData?.email || !refreshToken || refreshToken.trim().length === 0) {
             const error = new Error('No refresh token or email available');
@@ -680,7 +596,7 @@ class RefreshTokenUseCase extends BaseUseCase {
             const rememberMe = this.tokenRepository.isRememberMeEnabled();
             // Update authentication state
             this.authStore.setAuthenticated(tokens, rememberMe);
-        }), catchError$1(error => {
+        }), catchError(error => {
             // Don't logout here, let the interceptor handle it
             return throwError(() => error);
         }));
@@ -698,11 +614,10 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImpor
 // src/lib/application/use-cases/logout.use-case.ts
 class LogoutUseCase extends BaseUseCase {
     authRepository = inject(AuthRepository);
-    userRepository = inject(UserRepository);
     tokenRepository = inject(TokenRepository);
     authStore = inject(AuthStore);
     execute() {
-        const userData = this.userRepository.getCurrentUser();
+        const userData = this.tokenRepository.getUserData();
         const refreshToken = this.tokenRepository.getRefreshToken();
         if (userData?.email && refreshToken && refreshToken.length > 0) {
             return this.authRepository
@@ -730,6 +645,202 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImpor
 
 // src/lib/application/index.ts
 
+// src/lib/data/repositories/auth-http.repository.ts
+function getDeviceInfo() {
+    return `${navigator.platform ?? 'Unknown'} - ${navigator.userAgent}`;
+}
+class AuthHttpRepository extends AuthRepository {
+    http = inject(HttpClient);
+    URL = `${AUTH_API.AUTH}`;
+    login(request) {
+        return this.http.post(`${this.URL}login`, request, {
+            headers: {
+                'Device-Info': getDeviceInfo(),
+            },
+            withCredentials: true,
+        });
+    }
+    register(request) {
+        return this.http.post(`${this.URL}register`, request, {
+            headers: {
+                'Device-Info': getDeviceInfo(),
+            },
+            withCredentials: true,
+        });
+    }
+    refreshToken(request) {
+        return this.http.post(`${this.URL}refresh`, request, {
+            headers: {
+                'Device-Info': getDeviceInfo(),
+            },
+            withCredentials: true,
+        });
+    }
+    logout(email, refreshToken) {
+        return this.http.post(`${this.URL}logout`, { email, refreshToken: refreshToken || undefined }, {
+            headers: {},
+            withCredentials: true, // Ensure cookies are sent
+        });
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: AuthHttpRepository, deps: null, target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: AuthHttpRepository, providedIn: 'root' });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: AuthHttpRepository, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root',
+                }]
+        }] });
+
+// src/lib/data/repositories/index.ts
+
+// src/lib/data/index.ts
+
+// src/lib/domain/models/auth.ts
+
+// src/lib/domain/models/index.ts
+
+// src/lib/domain/repositories/index.ts
+
+// src/lib/domain/index.ts
+
+const authGuard = (_route, state) => {
+    const tokenRepository = inject(TokenRepository);
+    const router = inject(Router);
+    const urlRedirectService = inject(UrlRedirectService);
+    const environment = inject(ENVIRONMENT);
+    if (tokenRepository.isAuthenticated()) {
+        return true;
+    }
+    // Store the current URL for redirection after login
+    urlRedirectService.storeIntendedUrl(state.url);
+    // Redirect to login page (configurable via environment)
+    router.navigate([`/${environment.loginRoute}`]);
+    return false;
+};
+
+/**
+ * Interceptor that handles authentication errors and manages URL redirection
+ * Captures the current URL when a 401 error occurs and redirects to login
+ */
+const authRedirectInterceptor = (req, next) => {
+    const router = inject(Router);
+    const urlRedirectService = inject(UrlRedirectService);
+    const tokenRepository = inject(TokenRepository);
+    const environment = inject(ENVIRONMENT);
+    return next(req).pipe(catchError$1((error) => {
+        // Handle 401 Unauthorized errors
+        if (error.status === 401) {
+            // Only store and redirect if user was previously authenticated
+            // This prevents redirect loops and handles session expiry scenarios
+            if (tokenRepository.isAuthenticated()) {
+                // Store the current URL for redirection after re-authentication
+                urlRedirectService.storeCurrentUrlIfAllowed();
+                // Navigate to login page
+                router.navigate([`/${environment.loginRoute}`]);
+            }
+        }
+        // Re-throw the error so other error handlers can process it
+        return throwError(() => error);
+    }));
+};
+
+// src/lib/services/csrf.service.ts
+class CsrfService {
+    http = inject(HttpClient);
+    csrfToken = null;
+    /**
+     * Get CSRF token, fetching it if not available
+     */
+    async getCsrfToken() {
+        if (this.csrfToken) {
+            return this.csrfToken;
+        }
+        try {
+            this.csrfToken = await firstValueFrom(this.http
+                .get('csrf-token')
+                .pipe(map(response => response.csrfToken)));
+            return this.csrfToken || '';
+        }
+        catch {
+            // If CSRF endpoint fails, return empty token
+            // Server should handle missing CSRF tokens appropriately
+            return '';
+        }
+    }
+    /**
+     * Clear stored CSRF token (useful on logout)
+     */
+    clearCsrfToken() {
+        this.csrfToken = null;
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: CsrfService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: CsrfService, providedIn: 'root' });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImport: i0, type: CsrfService, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root',
+                }]
+        }] });
+
+// A token to use with HttpContext for skipping CSRF token addition on specific requests.
+const SKIP_CSRF = new HttpContextToken(() => false);
+/**
+ * HTTP interceptor that automatically adds CSRF tokens to state-changing requests
+ * Only applies to requests to the same origin to avoid leaking tokens to external APIs
+ */
+const csrfInterceptor = (req, next) => {
+    const csrfService = inject(CsrfService);
+    // Check if CSRF should be skipped for this request
+    const skipCsrf = req.context.get(SKIP_CSRF);
+    if (skipCsrf) {
+        return next(req);
+    }
+    // Only add CSRF token to state-changing requests (POST, PUT, PATCH, DELETE)
+    const isStateChangingMethod = ['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method.toUpperCase());
+    // Only add CSRF token to same-origin requests
+    const isSameOrigin = isRequestToSameOrigin(req);
+    if (isStateChangingMethod && isSameOrigin) {
+        return from(csrfService.getCsrfToken()).pipe(switchMap(csrfToken => {
+            const modifiedReq = req.clone({
+                setHeaders: {
+                    'X-CSRF-Token': csrfToken,
+                },
+            });
+            return next(modifiedReq);
+        }));
+    }
+    // For non-state-changing requests or external requests, proceed without modification
+    return next(req);
+};
+/**
+ * Checks if the request is going to the same origin as the current application
+ */
+function isRequestToSameOrigin(req) {
+    try {
+        const requestUrl = new URL(req.url, window.location.origin);
+        return requestUrl.origin === window.location.origin;
+    }
+    catch {
+        // If URL parsing fails, assume it's not same origin for security
+        return false;
+    }
+}
+
+const authProviders = [
+    {
+        provide: AuthRepository,
+        useClass: AuthHttpRepository,
+    },
+    {
+        provide: TOKEN_PROVIDER,
+        useClass: TokenRepository,
+    },
+];
+
+// src/lib/providers/index.ts
+
 // src/lib/presentation/stores/index.ts
 
 // src/lib/presentation/components/login/login.component.ts
@@ -856,22 +967,9 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.2", ngImpor
 
 // src/lib/presentation/index.ts
 
-const authProviders = [
-    {
-        provide: AuthRepository,
-        useClass: AuthHttpRepository,
-    },
-    {
-        provide: TOKEN_PROVIDER,
-        useClass: TokenRepository,
-    },
-];
-
-// src/lib/providers/index.ts
-
 /**
  * Generated bundle index. Do not edit.
  */
 
-export { AuthHttpRepository, AuthRepository, AuthStore, LoginComponent, LoginUseCase, LogoutUseCase, RefreshTokenUseCase, RegisterUseCase, TokenRepository, UrlRedirectService, authGuard, authProviders, authRedirectInterceptor };
+export { AuthHttpRepository, AuthRepository, AuthStore, CsrfService, LoginComponent, LoginUseCase, LogoutUseCase, RefreshTokenUseCase, RegisterUseCase, SKIP_CSRF, TokenRepository, UrlRedirectService, authGuard, authProviders, authRedirectInterceptor, csrfInterceptor };
 //# sourceMappingURL=acontplus-ng-auth.mjs.map