npm - @ahoo-wang/fetcher-cosec - Versions diffs - 2.8.8 → 2.9.0 - Mend

@ahoo-wang/fetcher-cosec 2.8.8 → 2.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/deviceIdStorage.d.ts +4 -2
package/dist/deviceIdStorage.d.ts.map +1 -1
package/dist/index.es.js +78 -74
package/dist/index.es.js.map +1 -1
package/dist/index.umd.js +1 -1
package/dist/index.umd.js.map +1 -1
package/dist/jwts.d.ts.map +1 -1
package/dist/tokenStorage.d.ts +5 -2
package/dist/tokenStorage.d.ts.map +1 -1
package/package.json +2 -1

package/dist/deviceIdStorage.d.ts CHANGED Viewed

@@ -1,10 +1,12 @@
-import { KeyStorage } from '@ahoo-wang/fetcher-storage';
+import { KeyStorage, KeyStorageOptions } from '@ahoo-wang/fetcher-storage';
 export declare const DEFAULT_COSEC_DEVICE_ID_KEY = "cosec-device-id";
+export interface DeviceIdStorageOptions extends KeyStorageOptions<string> {
+}
 /**
  * Storage class for managing device identifiers.
  */
 export declare class DeviceIdStorage extends KeyStorage<string> {
-    constructor(key?: string);
+    constructor(options?: DeviceIdStorageOptions);
     /**
      * Generate a new device ID.
      *

package/dist/deviceIdStorage.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"deviceIdStorage.d.ts","sourceRoot":"","sources":["../src/deviceIdStorage.ts"],"names":[],"mappings":"AAcA,OAAO,~~EAGL~~,UAAU,~~EACX~~,MAAM,4BAA4B,CAAC;~~AAEpC~~,eAAO,MAAM,2BAA2B,oBAAoB,CAAC;~~AAE7D~~;;GAEG;AACH,qBAAa,eAAgB,SAAQ,UAAU,CAAC,MAAM,CAAC;gBACzC,~~GAAG~~,GAAE,~~MAAoC~~;~~IAQrD~~;;;;OAIG;IACH,gBAAgB,IAAI,MAAM;IAI1B;;;;OAIG;IACH,WAAW,IAAI,MAAM;CAWtB"}
1	+ {"version":3,"file":"deviceIdStorage.d.ts","sourceRoot":"","sources":["../src/deviceIdStorage.ts"],"names":[],"mappings":"AAcA,OAAO,EACL,UAAU,EAAE,iBAAiB,EAC9B,MAAM,4BAA4B,CAAC;AAGpC,eAAO,MAAM,2BAA2B,oBAAoB,CAAC;AAG7D,MAAM,WAAW,sBAAuB,SAAQ,iBAAiB,CAAC,MAAM,CAAC;CACxE;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,UAAU,CAAC,MAAM,CAAC;gBACzC,OAAO,GAAE,sBAGpB;IAID;;;;OAIG;IACH,gBAAgB,IAAI,MAAM;IAI1B;;;;OAIG;IACH,WAAW,IAAI,MAAM;CAWtB"}

package/dist/index.es.js CHANGED Viewed

@@ -1,6 +1,7 @@
-import { REQUEST_BODY_INTERCEPTOR_ORDER as A, ResultExtractors as S } from "@ahoo-wang/fetcher";
-import { nanoid as k } from "nanoid";
-import { KeyStorage as d, createListenableStorage as l, IdentitySerializer as P } from "@ahoo-wang/fetcher-storage";
+import { REQUEST_BODY_INTERCEPTOR_ORDER as S, ResultExtractors as y } from "@ahoo-wang/fetcher";
+import { nanoid as w } from "nanoid";
+import { KeyStorage as p } from "@ahoo-wang/fetcher-storage";
+import { BroadcastTypedEventBus as f, SerialTypedEventBus as O } from "@ahoo-wang/fetcher-eventbus";
 const a = class a {
 };
 a.DEVICE_ID = "CoSec-Device-Id", a.APP_ID = "CoSec-App-Id", a.AUTHORIZATION = "Authorization", a.REQUEST_ID = "CoSec-Request-Id";
@@ -16,24 +17,24 @@ const Q = {
   TOKEN_EXPIRED: { authorized: !1, reason: "Token Expired" },
   TOO_MANY_REQUESTS: { authorized: !1, reason: "Too Many Requests" }
 };
-class w {
+class C {
   /**
    * Generate a unique request ID.
    *
    * @returns A unique request ID
    */
   generateId() {
-    return k();
+    return w();
   }
 }
-const p = new w(), C = "CoSecRequestInterceptor", f = A + 1e3, O = "Ignore-Refresh-Token";
+const _ = new C(), U = "CoSecRequestInterceptor", N = S + 1e3, g = "Ignore-Refresh-Token";
 class H {
   /**
    * Creates a new CoSecRequestInterceptor instance.
    * @param options - The CoSec configuration options including appId, deviceIdStorage, and tokenManager
    */
   constructor(e) {
-    this.name = C, this.order = f, this.options = e;
+    this.name = U, this.order = N, this.options = e;
   }
   /**
    * Intercept requests to add CoSec authentication headers.
@@ -58,11 +59,11 @@ class H {
    * It will attempt to refresh the token before adding the Authorization header to the request.
    */
   async intercept(e) {
-    const t = p.generateId(), r = this.options.deviceIdStorage.getOrCreate(), n = e.ensureRequestHeaders();
+    const t = _.generateId(), r = this.options.deviceIdStorage.getOrCreate(), n = e.ensureRequestHeaders();
     n[o.APP_ID] = this.options.appId, n[o.DEVICE_ID] = r, n[o.REQUEST_ID] = t;
   }
 }
-const U = "AuthorizationRequestInterceptor", y = f + 1e3;
+const m = "AuthorizationRequestInterceptor", D = N + 1e3;
 class Z {
   /**
    * Creates an AuthorizationRequestInterceptor instance.
@@ -70,7 +71,7 @@ class Z {
    * @param options - Configuration options containing the token manager
    */
   constructor(e) {
-    this.options = e, this.name = U, this.order = y;
+    this.options = e, this.name = m, this.order = D;
   }
   /**
    * Intercepts the request exchange to add authorization headers.
@@ -86,17 +87,17 @@ class Z {
   async intercept(e) {
     let t = this.options.tokenManager.currentToken;
     const r = e.ensureRequestHeaders();
-    !t || r[o.AUTHORIZATION] || (!e.attributes.has(O) && t.isRefreshNeeded && t.isRefreshable && await this.options.tokenManager.refresh(), t = this.options.tokenManager.currentToken, t && (r[o.AUTHORIZATION] = `Bearer ${t.access.token}`));
+    !t || r[o.AUTHORIZATION] || (!e.attributes.has(g) && t.isRefreshNeeded && t.isRefreshable && await this.options.tokenManager.refresh(), t = this.options.tokenManager.currentToken, t && (r[o.AUTHORIZATION] = `Bearer ${t.access.token}`));
   }
 }
-const D = "AuthorizationResponseInterceptor", m = Number.MIN_SAFE_INTEGER + 1e3;
-class B {
+const b = "AuthorizationResponseInterceptor", M = Number.MIN_SAFE_INTEGER + 1e3;
+class Y {
   /**
    * Creates a new AuthorizationResponseInterceptor instance.
    * @param options - The CoSec configuration options including token storage and refresher
    */
   constructor(e) {
-    this.name = D, this.order = m, this.options = e;
+    this.name = b, this.order = M, this.options = e;
   }
   /**
    * Intercepts the response and handles unauthorized responses by refreshing tokens.
@@ -112,14 +113,13 @@ class B {
       }
   }
 }
-const b = "cosec-device-id";
-class L extends d {
-  constructor(e = b) {
-    super({
-      key: e,
-      serializer: new P(),
-      storage: l()
-    });
+const T = "cosec-device-id";
+class F extends p {
+  constructor(e = {
+    key: T,
+    eventBus: new f(new O(T))
+  }) {
+    super(e);
   }
   /**
    * Generate a new device ID.
@@ -127,7 +127,7 @@ class L extends d {
    * @returns A newly generated device ID
    */
   generateDeviceId() {
-    return p.generateId();
+    return _.generateId();
   }
   /**
    * Get or create a device ID.
@@ -139,8 +139,10 @@ class L extends d {
     return e || (e = this.generateDeviceId(), this.set(e)), e;
   }
 }
-function _(s) {
+function A(s) {
   try {
+    if (typeof s != "string")
+      return null;
     const e = s.split(".");
     if (e.length !== 3)
       return null;
@@ -157,34 +159,34 @@ function _(s) {
     return console.error("Failed to parse JWT token", e), null;
   }
 }
-function z(s, e = 0) {
-  const t = typeof s == "string" ? _(s) : s;
+function q(s, e = 0) {
+  const t = typeof s == "string" ? A(s) : s;
   if (!t)
     return !0;
   const r = t.exp;
   return r ? Date.now() / 1e3 > r - e : !1;
 }
-class T {
+class d {
   /**
    * Creates a new JwtToken instance
    */
   constructor(e, t = 0) {
-    this.token = e, this.earlyPeriod = t, this.payload = _(e);
+    this.token = e, this.earlyPeriod = t, this.payload = A(e);
   }
   /**
    * Checks if the token is expired
    * @returns true if the token is expired, false otherwise
    */
   get isExpired() {
-    return this.payload ? z(this.payload, this.earlyPeriod) : !0;
+    return this.payload ? q(this.payload, this.earlyPeriod) : !0;
   }
 }
-class g {
+class P {
   /**
    * Creates a new JwtCompositeToken instance
    */
   constructor(e, t = 0) {
-    this.token = e, this.earlyPeriod = t, this.access = new T(e.accessToken, t), this.refresh = new T(e.refreshToken, t);
+    this.token = e, this.earlyPeriod = t, this.access = new d(e.accessToken, t), this.refresh = new d(e.refreshToken, t);
   }
   /**
    * Checks if the access token needs to be refreshed
@@ -201,7 +203,7 @@ class g {
     return !this.refresh.isExpired;
   }
 }
-class N {
+class k {
   constructor(e = 0) {
     this.earlyPeriod = e;
   }
@@ -212,7 +214,7 @@ class N {
    */
   deserialize(e) {
     const t = JSON.parse(e);
-    return new g(t, this.earlyPeriod);
+    return new P(t, this.earlyPeriod);
   }
   /**
    * Serializes a JwtCompositeToken to a JSON string
@@ -223,8 +225,8 @@ class N {
     return JSON.stringify(e.token);
   }
 }
-const Y = new N();
-class F {
+const L = new k();
+class G {
   /**
    * Creates a new JwtTokenManager instance
    * @param tokenStorage The storage used to persist tokens
@@ -276,8 +278,8 @@ class F {
     return this.currentToken ? this.currentToken.isRefreshable : !1;
   }
 }
-const M = "ResourceAttributionRequestInterceptor", q = Number.MAX_SAFE_INTEGER;
-class G {
+const v = "ResourceAttributionRequestInterceptor", z = Number.MAX_SAFE_INTEGER;
+class j {
   /**
    * Creates a new ResourceAttributionRequestInterceptor
    * @param options - Configuration options for resource attribution including tenantId, ownerId and tokenStorage
@@ -287,7 +289,7 @@ class G {
     ownerId: t = "ownerId",
     tokenStorage: r
   }) {
-    this.name = M, this.order = q, this.tenantIdPathKey = e, this.ownerIdPathKey = t, this.tokenStorage = r;
+    this.name = v, this.order = z, this.tenantIdPathKey = e, this.ownerIdPathKey = t, this.tokenStorage = r;
   }
   /**
    * Intercepts outgoing requests and automatically adds tenant and owner ID path parameters
@@ -309,7 +311,7 @@ class G {
     R && n.includes(h) && !i[h] && (i[h] = R);
   }
 }
-class j {
+class V {
   /**
    * Creates a new instance of CoSecTokenRefresher.
    *
@@ -331,55 +333,57 @@ class j {
         body: e
       },
       {
-        resultExtractor: S.Json,
-        attributes: /* @__PURE__ */ new Map([[O, !0]])
+        resultExtractor: y.Json,
+        attributes: /* @__PURE__ */ new Map([[g, !0]])
       }
     );
   }
 }
-const K = "cosec-token";
-class V extends d {
-  constructor(e = K, t = 0) {
+const l = "cosec-token";
+class X extends p {
+  constructor(e = {
+    key: l,
+    eventBus: new f(new O(l))
+  }) {
     super({
-      key: e,
-      storage: l(),
-      serializer: new N(t)
-    }), this.earlyPeriod = t;
+      serializer: new k(e.earlyPeriod),
+      ...e
+    }), this.earlyPeriod = e.earlyPeriod ?? 0;
   }
   setCompositeToken(e) {
-    this.set(new g(e));
+    this.set(new P(e));
   }
 }
 export {
-  U as AUTHORIZATION_REQUEST_INTERCEPTOR_NAME,
-  y as AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER,
-  D as AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME,
-  m as AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER,
+  m as AUTHORIZATION_REQUEST_INTERCEPTOR_NAME,
+  D as AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER,
+  b as AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME,
+  M as AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER,
   Z as AuthorizationRequestInterceptor,
-  B as AuthorizationResponseInterceptor,
+  Y as AuthorizationResponseInterceptor,
   Q as AuthorizeResults,
-  C as COSEC_REQUEST_INTERCEPTOR_NAME,
-  f as COSEC_REQUEST_INTERCEPTOR_ORDER,
+  U as COSEC_REQUEST_INTERCEPTOR_NAME,
+  N as COSEC_REQUEST_INTERCEPTOR_ORDER,
   o as CoSecHeaders,
   H as CoSecRequestInterceptor,
-  j as CoSecTokenRefresher,
-  b as DEFAULT_COSEC_DEVICE_ID_KEY,
-  K as DEFAULT_COSEC_TOKEN_KEY,
-  L as DeviceIdStorage,
-  O as IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,
-  g as JwtCompositeToken,
-  N as JwtCompositeTokenSerializer,
-  T as JwtToken,
-  F as JwtTokenManager,
-  w as NanoIdGenerator,
-  M as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME,
-  q as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER,
-  G as ResourceAttributionRequestInterceptor,
+  V as CoSecTokenRefresher,
+  T as DEFAULT_COSEC_DEVICE_ID_KEY,
+  l as DEFAULT_COSEC_TOKEN_KEY,
+  F as DeviceIdStorage,
+  g as IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,
+  P as JwtCompositeToken,
+  k as JwtCompositeTokenSerializer,
+  d as JwtToken,
+  G as JwtTokenManager,
+  C as NanoIdGenerator,
+  v as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME,
+  z as RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER,
+  j as ResourceAttributionRequestInterceptor,
   u as ResponseCodes,
-  V as TokenStorage,
-  p as idGenerator,
-  z as isTokenExpired,
-  Y as jwtCompositeTokenSerializer,
-  _ as parseJwtPayload
+  X as TokenStorage,
+  _ as idGenerator,
+  q as isTokenExpired,
+  L as jwtCompositeTokenSerializer,
+  A as parseJwtPayload
 };
 //# sourceMappingURL=index.es.js.map

package/dist/index.es.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.es.js","sources":["../src/types.ts","../src/idGenerator.ts","../src/cosecRequestInterceptor.ts","../src/authorizationRequestInterceptor.ts","../src/authorizationResponseInterceptor.ts","../src/deviceIdStorage.ts","../src/jwts.ts","../src/jwtToken.ts","../src/jwtTokenManager.ts","../src/resourceAttributionRequestInterceptor.ts","../src/tokenRefresher.ts","../src/tokenStorage.ts"],"sourcesContent":["/\n Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { DeviceIdStorage } from './deviceIdStorage';\nimport { JwtTokenManager } from './jwtTokenManager';\n\n/\n CoSec HTTP headers enumeration.\n /\nexport class CoSecHeaders {\n static readonly DEVICE_ID = 'CoSec-Device-Id';\n static readonly APP_ID = 'CoSec-App-Id';\n static readonly AUTHORIZATION = 'Authorization';\n static readonly REQUEST_ID = 'CoSec-Request-Id';\n}\n\nexport class ResponseCodes {\n static readonly UNAUTHORIZED = 401;\n}\n\nexport interface AppIdCapable {\n /\n Application ID to be sent in the CoSec-App-Id header.\n /\n appId: string;\n}\n\nexport interface DeviceIdStorageCapable {\n deviceIdStorage: DeviceIdStorage;\n}\n\nexport interface JwtTokenManagerCapable {\n tokenManager: JwtTokenManager;\n}\n\n/\n CoSec options interface.\n /\nexport interface CoSecOptions\n extends AppIdCapable,\n DeviceIdStorageCapable,\n JwtTokenManagerCapable {\n}\n\n/\n Authorization result interface.\n /\nexport interface AuthorizeResult {\n authorized: boolean;\n reason: string;\n}\n\n/\n Authorization result constants.\n /\nexport const AuthorizeResults = {\n ALLOW: { authorized: true, reason: 'Allow' },\n EXPLICIT_DENY: { authorized: false, reason: 'Explicit Deny' },\n IMPLICIT_DENY: { authorized: false, reason: 'Implicit Deny' },\n TOKEN_EXPIRED: { authorized: false, reason: 'Token Expired' },\n TOO_MANY_REQUESTS: { authorized: false, reason: 'Too Many Requests' },\n};\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { nanoid } from 'nanoid';\n\nexport interface IdGenerator {\n generateId(): string;\n}\n\n/\n Nano ID implementation of IdGenerator.\n * Generates unique request IDs using Nano ID.\n /\nexport class NanoIdGenerator implements IdGenerator {\n /\n Generate a unique request ID.\n \n @returns A unique request ID\n /\n generateId(): string {\n return nanoid();\n }\n}\n\nexport const idGenerator = new NanoIdGenerator();\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n FetchExchange,\n REQUEST_BODY_INTERCEPTOR_ORDER,\n type RequestInterceptor,\n} from '@ahoo-wang/fetcher';\nimport { AppIdCapable, CoSecHeaders, DeviceIdStorageCapable } from './types';\nimport { idGenerator } from './idGenerator';\n\nexport interface CoSecRequestOptions\n extends AppIdCapable,\n DeviceIdStorageCapable {\n}\n\n/\n The name of the CoSecRequestInterceptor.\n /\nexport const COSEC_REQUEST_INTERCEPTOR_NAME = 'CoSecRequestInterceptor';\n\n/\n The order of the CoSecRequestInterceptor.\n * Set to REQUEST_BODY_INTERCEPTOR_ORDER + 1000 to ensure it runs after RequestBodyInterceptor.\n /\nexport const COSEC_REQUEST_INTERCEPTOR_ORDER =\n REQUEST_BODY_INTERCEPTOR_ORDER + 1000;\n\nexport const IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY = 'Ignore-Refresh-Token';\n\n/\n Interceptor that automatically adds CoSec authentication headers to requests.\n \n This interceptor adds the following headers to each request:\n * - CoSec-Device-Id: Device identifier (stored in localStorage or generated)\n * - CoSec-App-Id: Application identifier\n * - CoSec-Request-Id: Unique request identifier for each request\n \n @remarks\n * This interceptor runs after RequestBodyInterceptor but before FetchInterceptor.\n * The order is set to COSEC_REQUEST_INTERCEPTOR_ORDER to ensure it runs after\n * request body processing but before the actual HTTP request is made. This positioning\n * allows for proper authentication header addition after all request body transformations\n * are complete, ensuring that the final request is properly authenticated before\n * being sent over the network.\n /\nexport class CoSecRequestInterceptor implements RequestInterceptor {\n readonly name = COSEC_REQUEST_INTERCEPTOR_NAME;\n readonly order = COSEC_REQUEST_INTERCEPTOR_ORDER;\n private options: CoSecRequestOptions;\n\n /\n Creates a new CoSecRequestInterceptor instance.\n * @param options - The CoSec configuration options including appId, deviceIdStorage, and tokenManager\n /\n constructor(options: CoSecRequestOptions) {\n this.options = options;\n }\n\n /\n Intercept requests to add CoSec authentication headers.\n \n This method adds the following headers to each request:\n * - CoSec-App-Id: The application identifier from the CoSec options\n * - CoSec-Device-Id: A unique device identifier, either retrieved from storage or generated\n * - CoSec-Request-Id: A unique identifier for this specific request\n \n @param exchange - The fetch exchange containing the request to process\n \n @remarks\n * This method runs after RequestBodyInterceptor but before FetchInterceptor.\n * It ensures that authentication headers are added to the request after all\n * body processing is complete. The positioning allows for proper authentication\n * header addition after all request body transformations are finished, ensuring\n * that the final request is properly authenticated before being sent over the network.\n * This execution order prevents authentication headers from being overwritten by\n * subsequent request processing interceptors.\n \n The method also handles token refreshing when the current token is expired but still refreshable.\n * It will attempt to refresh the token before adding the Authorization header to the request.\n /\n async intercept(exchange: FetchExchange) {\n // Generate a unique request ID for this request\n const requestId = idGenerator.generateId();\n\n // Get or create a device ID\n const deviceId = this.options.deviceIdStorage.getOrCreate();\n\n // Ensure request headers object exists\n const requestHeaders = exchange.ensureRequestHeaders();\n\n // Add CoSec headers to the request\n requestHeaders[CoSecHeaders.APP_ID] = this.options.appId;\n requestHeaders[CoSecHeaders.DEVICE_ID] = deviceId;\n requestHeaders[CoSecHeaders.REQUEST_ID] = requestId;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport {\n COSEC_REQUEST_INTERCEPTOR_ORDER,\n IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,\n} from './cosecRequestInterceptor';\nimport { CoSecHeaders, JwtTokenManagerCapable } from './types';\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport interface AuthorizationInterceptorOptions\n extends JwtTokenManagerCapable {\n}\n\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_NAME =\n 'AuthorizationRequestInterceptor';\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER =\n COSEC_REQUEST_INTERCEPTOR_ORDER + 1000;\n\n/\n Request interceptor that automatically adds Authorization header to requests.\n \n This interceptor handles JWT token management by:\n * 1. Adding Authorization header with Bearer token if not already present\n * 2. Refreshing tokens when needed and possible\n * 3. Skipping refresh when explicitly requested via attributes\n \n The interceptor runs after CoSecRequestInterceptor but before FetchInterceptor in the chain.\n /\nexport class AuthorizationRequestInterceptor implements RequestInterceptor {\n readonly name = AUTHORIZATION_REQUEST_INTERCEPTOR_NAME;\n readonly order = AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER;\n\n /\n Creates an AuthorizationRequestInterceptor instance.\n \n @param options - Configuration options containing the token manager\n /\n constructor(private readonly options: AuthorizationInterceptorOptions) {\n }\n\n /\n Intercepts the request exchange to add authorization headers.\n \n This method performs the following operations:\n * 1. Checks if a token exists and if Authorization header is already set\n * 2. Refreshes the token if needed, possible, and not explicitly ignored\n * 3. Adds the Authorization header with Bearer token if a token is available\n \n @param exchange - The fetch exchange containing request information\n * @returns Promise that resolves when the interception is complete\n /\n async intercept(exchange: FetchExchange): Promise<void> {\n // Get the current token from token manager\n let currentToken = this.options.tokenManager.currentToken;\n\n const requestHeaders = exchange.ensureRequestHeaders();\n\n // Skip if no token exists or Authorization header is already set\n if (!currentToken \|\| requestHeaders[CoSecHeaders.AUTHORIZATION]) {\n return;\n }\n\n // Refresh token if needed and refreshable\n if (\n !exchange.attributes.has(IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY) &&\n currentToken.isRefreshNeeded &&\n currentToken.isRefreshable\n ) {\n await this.options.tokenManager.refresh();\n }\n\n // Get the current token again (might have been refreshed)\n currentToken = this.options.tokenManager.currentToken;\n\n // Add Authorization header if we have a token\n if (currentToken) {\n requestHeaders[CoSecHeaders.AUTHORIZATION] =\n `Bearer ${currentToken.access.token}`;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { ResponseCodes } from './types';\nimport { FetchExchange, type ResponseInterceptor } from '@ahoo-wang/fetcher';\nimport { AuthorizationInterceptorOptions } from './authorizationRequestInterceptor';\n\n/\n The name of the AuthorizationResponseInterceptor.\n /\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME =\n 'AuthorizationResponseInterceptor';\n\n/\n The order of the AuthorizationResponseInterceptor.\n * Set to a high negative value to ensure it runs early in the interceptor chain.\n /\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER =\n Number.MIN_SAFE_INTEGER + 1000;\n\n/\n CoSecResponseInterceptor is responsible for handling unauthorized responses (401)\n * by attempting to refresh the authentication token and retrying the original request.\n \n This interceptor:\n * 1. Checks if the response status is 401 (UNAUTHORIZED)\n * 2. If so, and if there's a current token, attempts to refresh it\n * 3. On successful refresh, stores the new token and retries the original request\n * 4. On refresh failure, clears stored tokens and propagates the error\n /\nexport class AuthorizationResponseInterceptor implements ResponseInterceptor {\n readonly name = AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME;\n readonly order = AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER;\n private options: AuthorizationInterceptorOptions;\n\n /\n Creates a new AuthorizationResponseInterceptor instance.\n * @param options - The CoSec configuration options including token storage and refresher\n /\n constructor(options: AuthorizationInterceptorOptions) {\n this.options = options;\n }\n\n /\n Intercepts the response and handles unauthorized responses by refreshing tokens.\n * @param exchange - The fetch exchange containing request and response information\n /\n async intercept(exchange: FetchExchange): Promise<void> {\n const response = exchange.response;\n // If there's no response, nothing to intercept\n if (!response) {\n return;\n }\n\n // Only handle unauthorized responses (401)\n if (response.status !== ResponseCodes.UNAUTHORIZED) {\n return;\n }\n\n if (!this.options.tokenManager.isRefreshable) {\n return;\n }\n try {\n await this.options.tokenManager.refresh();\n // Retry the original request with the new token\n await exchange.fetcher.interceptors.exchange(exchange);\n } catch (error) {\n // If token refresh fails, clear stored tokens and re-throw the error\n this.options.tokenManager.tokenStorage.remove();\n throw error;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { idGenerator } from './idGenerator';\nimport {\n createListenableStorage,\n IdentitySerializer,\n KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_DEVICE_ID_KEY = 'cosec-device-id';\n\n/\n Storage class for managing device identifiers.\n /\nexport class DeviceIdStorage extends KeyStorage<string> {\n constructor(key: string = DEFAULT_COSEC_DEVICE_ID_KEY) {\n super({\n key,\n serializer: new IdentitySerializer<string>(),\n storage: createListenableStorage(),\n });\n }\n\n /\n Generate a new device ID.\n \n @returns A newly generated device ID\n /\n generateDeviceId(): string {\n return idGenerator.generateId();\n }\n\n /\n Get or create a device ID.\n \n @returns The existing device ID if available, otherwise a newly generated one\n /\n getOrCreate(): string {\n // Try to get existing device ID from storage\n let deviceId = this.get();\n if (!deviceId) {\n // Generate a new device ID and store it\n deviceId = this.generateDeviceId();\n this.set(deviceId);\n }\n\n return deviceId;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n/\n Interface representing a JWT payload as defined in RFC 7519.\n * Contains standard JWT claims as well as custom properties.\n /\nexport interface JwtPayload {\n /\n JWT ID - provides a unique identifier for the JWT.\n /\n jti?: string;\n /\n Subject - identifies the principal that is the subject of the JWT.\n /\n sub?: string;\n /\n Issuer - identifies the principal that issued the JWT.\n /\n iss?: string;\n /\n Audience - identifies the recipients that the JWT is intended for.\n * Can be a single string or an array of strings.\n /\n aud?: string \| string[];\n /\n Expiration Time - identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n exp?: number;\n /\n Not Before - identifies the time before which the JWT MUST NOT be accepted for processing.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n nbf?: number;\n /\n Issued At - identifies the time at which the JWT was issued.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n iat?: number;\n\n /\n Allows additional custom properties to be included in the payload.\n /\n [key: string]: any;\n}\n\n/\n Interface representing a JWT payload with CoSec-specific extensions.\n * Extends the standard JwtPayload interface with additional CoSec-specific properties.\n /\nexport interface CoSecJwtPayload extends JwtPayload {\n /\n Tenant identifier - identifies the tenant scope for the JWT.\n /\n tenantId?: string;\n /\n Policies - array of policy identifiers associated with the JWT.\n * These are security policies defined internally by Cosec.\n /\n policies?: string[];\n /\n Roles - array of role identifiers associated with the JWT.\n * Role IDs indicate what roles the token belongs to.\n /\n roles?: string[];\n /\n Attributes - custom key-value pairs providing additional information about the JWT.\n /\n attributes?: Record<string, any>;\n}\n\n/\n Parses a JWT token and extracts its payload.\n \n This function decodes the payload part of a JWT token, handling Base64URL decoding\n * and JSON parsing. It validates the token structure and returns null for invalid tokens.\n \n @param token - The JWT token string to parse\n * @returns The parsed JWT payload or null if parsing fails\n /\nexport function parseJwtPayload<T extends JwtPayload>(token: string): T \| null {\n try {\n const parts = token.split('.');\n if (parts.length !== 3) {\n return null;\n }\n\n const base64Url = parts[1];\n const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');\n\n // Add padding if needed\n const paddedBase64 = base64.padEnd(\n base64.length + ((4 - (base64.length % 4)) % 4),\n '=',\n );\n\n const jsonPayload = decodeURIComponent(\n atob(paddedBase64)\n .split('')\n .map(function(c) {\n return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);\n })\n .join(''),\n );\n return JSON.parse(jsonPayload) as T;\n } catch (error) {\n // Avoid exposing sensitive information in error logs\n console.error('Failed to parse JWT token', error);\n return null;\n }\n}\n\nexport interface EarlyPeriodCapable {\n /\n The time in seconds before actual expiration when the token should be considered expired (default: 0)\n /\n readonly earlyPeriod: number;\n}\n\n/\n Checks if a JWT token is expired based on its expiration time (exp claim).\n \n This function determines if a JWT token has expired by comparing its exp claim\n * with the current time. If the token is a string, it will be parsed first.\n * Tokens without an exp claim are considered not expired.\n \n The early period parameter allows for early token expiration, which is useful\n * for triggering token refresh before the token actually expires. This helps\n * avoid race conditions where a token expires between the time it is checked and\n * the time it is used.\n \n @param token - The JWT token to check, either as a string or as a JwtPayload object\n * @param earlyPeriod - The time in seconds before actual expiration when the token should be considered expired (default: 0)\n * @returns true if the token is expired (or will expire within the early period) or cannot be parsed, false otherwise\n /\nexport function isTokenExpired(\n token: string \| CoSecJwtPayload,\n earlyPeriod: number = 0,\n): boolean {\n const payload = typeof token === 'string' ? parseJwtPayload(token) : token;\n if (!payload) {\n return true;\n }\n\n const expAt = payload.exp;\n if (!expAt) {\n return false;\n }\n\n const now = Date.now() / 1000;\n return now > expAt - earlyPeriod;\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n CoSecJwtPayload,\n EarlyPeriodCapable,\n isTokenExpired,\n JwtPayload,\n parseJwtPayload,\n} from './jwts';\nimport { CompositeToken } from './tokenRefresher';\nimport { Serializer } from '@ahoo-wang/fetcher-storage';\n\n/\n Interface for JWT token with typed payload\n * @template Payload The type of the JWT payload\n /\nexport interface IJwtToken<Payload extends JwtPayload>\n extends EarlyPeriodCapable {\n readonly token: string;\n readonly payload: Payload \| null;\n\n isExpired: boolean;\n}\n\n/\n Class representing a JWT token with typed payload\n * @template Payload The type of the JWT payload\n /\nexport class JwtToken<Payload extends JwtPayload>\n implements IJwtToken<Payload> {\n public readonly payload: Payload \| null;\n\n /\n Creates a new JwtToken instance\n /\n constructor(\n public readonly token: string,\n public readonly earlyPeriod: number = 0,\n ) {\n this.payload = parseJwtPayload<Payload>(token);\n }\n\n /\n Checks if the token is expired\n * @returns true if the token is expired, false otherwise\n /\n get isExpired(): boolean {\n if (!this.payload) {\n return true;\n }\n return isTokenExpired(this.payload, this.earlyPeriod);\n }\n}\n\nexport interface RefreshTokenStatusCapable {\n /\n Checks if the access token needs to be refreshed\n * @returns true if the access token is expired, false otherwise\n /\n readonly isRefreshNeeded: boolean;\n /\n Checks if the refresh token is still valid and can be used to refresh the access token\n * @returns true if the refresh token is not expired, false otherwise\n /\n readonly isRefreshable: boolean;\n}\n\n/\n Class representing a composite token containing both access and refresh tokens\n /\nexport class JwtCompositeToken\n implements EarlyPeriodCapable, RefreshTokenStatusCapable {\n public readonly access: JwtToken<CoSecJwtPayload>;\n public readonly refresh: JwtToken<JwtPayload>;\n\n /\n Creates a new JwtCompositeToken instance\n /\n constructor(\n public readonly token: CompositeToken,\n public readonly earlyPeriod: number = 0,\n ) {\n this.access = new JwtToken(token.accessToken, earlyPeriod);\n this.refresh = new JwtToken(token.refreshToken, earlyPeriod);\n }\n\n /\n Checks if the access token needs to be refreshed\n * @returns true if the access token is expired, false otherwise\n /\n get isRefreshNeeded(): boolean {\n return this.access.isExpired;\n }\n\n /\n Checks if the refresh token is still valid and can be used to refresh the access token\n * @returns true if the refresh token is not expired, false otherwise\n /\n get isRefreshable(): boolean {\n return !this.refresh.isExpired;\n }\n}\n\n/\n Serializer for JwtCompositeToken that handles conversion to and from JSON strings\n /\nexport class JwtCompositeTokenSerializer\n implements Serializer<string, JwtCompositeToken>, EarlyPeriodCapable {\n constructor(public readonly earlyPeriod: number = 0) {\n }\n\n /\n Deserializes a JSON string to a JwtCompositeToken\n * @param value The JSON string representation of a composite token\n * @returns A JwtCompositeToken instance\n /\n deserialize(value: string): JwtCompositeToken {\n const compositeToken = JSON.parse(value) as CompositeToken;\n return new JwtCompositeToken(compositeToken, this.earlyPeriod);\n }\n\n /\n Serializes a JwtCompositeToken to a JSON string\n * @param value The JwtCompositeToken to serialize\n * @returns A JSON string representation of the composite token\n /\n serialize(value: JwtCompositeToken): string {\n return JSON.stringify(value.token);\n }\n}\n\nexport const jwtCompositeTokenSerializer = new JwtCompositeTokenSerializer();\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { TokenStorage } from './tokenStorage';\nimport { CompositeToken, TokenRefresher } from './tokenRefresher';\nimport { JwtCompositeToken, RefreshTokenStatusCapable } from './jwtToken';\n\n/\n Manages JWT token refreshing operations and provides status information\n /\nexport class JwtTokenManager implements RefreshTokenStatusCapable {\n private refreshInProgress?: Promise<void>;\n\n /\n Creates a new JwtTokenManager instance\n * @param tokenStorage The storage used to persist tokens\n * @param tokenRefresher The refresher used to refresh expired tokens\n /\n constructor(\n public readonly tokenStorage: TokenStorage,\n public readonly tokenRefresher: TokenRefresher,\n ) {\n }\n\n /\n Gets the current JWT composite token from storage\n * @returns The current token or null if none exists\n /\n get currentToken(): JwtCompositeToken \| null {\n return this.tokenStorage.get();\n }\n\n /\n Refreshes the JWT token\n * @param currentToken Optional current token to refresh. If not provided, uses the stored token.\n * @returns Promise that resolves when refresh is complete\n * @throws Error if no token is found or refresh fails\n /\n async refresh(currentToken?: CompositeToken): Promise<void> {\n if (!currentToken) {\n const jwtToken = this.currentToken;\n if (!jwtToken) {\n throw new Error('No token found');\n }\n currentToken = jwtToken.token;\n }\n if (this.refreshInProgress) {\n return this.refreshInProgress;\n }\n\n this.refreshInProgress = this.tokenRefresher\n .refresh(currentToken)\n .then(newToken => {\n this.tokenStorage.setCompositeToken(newToken);\n })\n .catch(error => {\n this.tokenStorage.remove();\n throw error;\n })\n .finally(() => {\n this.refreshInProgress = undefined;\n });\n\n return this.refreshInProgress;\n }\n\n /\n Indicates if the current token needs to be refreshed\n * @returns true if the access token is expired and needs refresh, false otherwise\n /\n get isRefreshNeeded(): boolean {\n if (!this.currentToken) {\n return false;\n }\n return this.currentToken.isRefreshNeeded;\n }\n\n /\n Indicates if the current token can be refreshed\n * @returns true if the refresh token is still valid, false otherwise\n /\n get isRefreshable(): boolean {\n if (!this.currentToken) {\n return false;\n }\n return this.currentToken.isRefreshable;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport { TokenStorage } from './tokenStorage';\n\n/\n Configuration options for resource attribution\n /\nexport interface ResourceAttributionOptions {\n /\n The path parameter key used for tenant ID in URL templates\n /\n tenantId?: string;\n /\n The path parameter key used for owner ID in URL templates\n /\n ownerId?: string;\n /\n Storage mechanism for retrieving current authentication tokens\n /\n tokenStorage: TokenStorage;\n}\n\n/\n Name identifier for the ResourceAttributionRequestInterceptor\n /\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME =\n 'ResourceAttributionRequestInterceptor';\n/\n Order priority for the ResourceAttributionRequestInterceptor, set to maximum safe integer to ensure it runs last\n /\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER =\n Number.MAX_SAFE_INTEGER;\n\n/\n Request interceptor that automatically adds tenant and owner ID path parameters to requests\n * based on the current authentication token. This is useful for multi-tenant applications where\n * requests need to include tenant-specific information in the URL path.\n /\nexport class ResourceAttributionRequestInterceptor\n implements RequestInterceptor {\n readonly name = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME;\n readonly order = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER;\n private readonly tenantIdPathKey: string;\n private readonly ownerIdPathKey: string;\n private readonly tokenStorage: TokenStorage;\n\n /\n Creates a new ResourceAttributionRequestInterceptor\n * @param options - Configuration options for resource attribution including tenantId, ownerId and tokenStorage\n /\n constructor({\n tenantId = 'tenantId',\n ownerId = 'ownerId',\n tokenStorage,\n }: ResourceAttributionOptions) {\n this.tenantIdPathKey = tenantId;\n this.ownerIdPathKey = ownerId;\n this.tokenStorage = tokenStorage;\n }\n\n /\n Intercepts outgoing requests and automatically adds tenant and owner ID path parameters\n * if they are defined in the URL template but not provided in the request.\n * @param exchange - The fetch exchange containing the request information\n /\n intercept(exchange: FetchExchange): void {\n const currentToken = this.tokenStorage.get();\n if (!currentToken) {\n return;\n }\n const principal = currentToken.access.payload;\n if (!principal) {\n return;\n }\n if (!principal.tenantId && !principal.sub) {\n return;\n }\n\n // Extract path parameters from the URL template\n const extractedPathParams =\n exchange.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(\n exchange.request.url,\n );\n const tenantIdPathKey = this.tenantIdPathKey;\n const requestPathParams = exchange.ensureRequestUrlParams().path;\n const tenantId = principal.tenantId;\n\n // Add tenant ID to path parameters if it's part of the URL template and not already provided\n if (\n tenantId &&\n extractedPathParams.includes(tenantIdPathKey) &&\n !requestPathParams[tenantIdPathKey]\n ) {\n requestPathParams[tenantIdPathKey] = tenantId;\n }\n\n const ownerIdPathKey = this.ownerIdPathKey;\n const ownerId = principal.sub;\n\n // Add owner ID to path parameters if it's part of the URL template and not already provided\n if (\n ownerId &&\n extractedPathParams.includes(ownerIdPathKey) &&\n !requestPathParams[ownerIdPathKey]\n ) {\n requestPathParams[ownerIdPathKey] = ownerId;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Fetcher, ResultExtractors } from '@ahoo-wang/fetcher';\nimport { IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY } from './cosecRequestInterceptor';\n\n/\n Interface for access tokens.\n /\nexport interface AccessToken {\n accessToken: string;\n}\n\n/\n Interface for refresh tokens.\n /\nexport interface RefreshToken {\n refreshToken: string;\n}\n\n/\n Composite token interface that contains both access and refresh tokens.\n \n accessToken and refreshToken always appear in pairs, no need to split them.\n /\nexport interface CompositeToken extends AccessToken, RefreshToken {\n}\n\n/\n Interface for token refreshers.\n \n Provides a method to refresh tokens.\n /\nexport interface TokenRefresher {\n /\n Refresh the given token and return a new CompositeToken.\n \n @param token The token to refresh\n * @returns A Promise that resolves to a new CompositeToken\n /\n refresh(token: CompositeToken): Promise<CompositeToken>;\n}\n\nexport interface CoSecTokenRefresherOptions {\n fetcher: Fetcher;\n endpoint: string;\n}\n\n/\n CoSecTokenRefresher is a class that implements the TokenRefresher interface\n * for refreshing composite tokens through a configured endpoint.\n /\nexport class CoSecTokenRefresher implements TokenRefresher {\n /\n Creates a new instance of CoSecTokenRefresher.\n \n @param options The configuration options for the token refresher including fetcher and endpoint\n /\n constructor(public readonly options: CoSecTokenRefresherOptions) {\n }\n\n /\n Refresh the given token and return a new CompositeToken.\n \n @param token The token to refresh\n * @returns A Promise that resolves to a new CompositeToken\n /\n refresh(token: CompositeToken): Promise<CompositeToken> {\n // Send a POST request to the configured endpoint with the token as body\n // and extract the response as JSON to return a new CompositeToken\n\n return this.options.fetcher.post<CompositeToken>(\n this.options.endpoint,\n {\n body: token,\n },\n {\n resultExtractor: ResultExtractors.Json,\n attributes: new Map([[IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY, true]]),\n },\n );\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { JwtCompositeToken, JwtCompositeTokenSerializer } from './jwtToken';\nimport { CompositeToken } from './tokenRefresher';\nimport { EarlyPeriodCapable } from './jwts';\nimport {\n createListenableStorage,\n KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_TOKEN_KEY = 'cosec-token';\n\n/\n Storage class for managing access and refresh tokens.\n */\nexport class TokenStorage\n extends KeyStorage<JwtCompositeToken>\n implements EarlyPeriodCapable {\n constructor(\n key: string = DEFAULT_COSEC_TOKEN_KEY,\n public readonly earlyPeriod: number = 0,\n ) {\n super({\n key,\n storage: createListenableStorage(),\n serializer: new JwtCompositeTokenSerializer(earlyPeriod),\n });\n }\n\n setCompositeToken(compositeToken: CompositeToken) {\n this.set(new JwtCompositeToken(compositeToken));\n }\n}\n"],"names":["_CoSecHeaders","CoSecHeaders","_ResponseCodes","ResponseCodes","AuthorizeResults","NanoIdGenerator","nanoid","idGenerator","COSEC_REQUEST_INTERCEPTOR_NAME","COSEC_REQUEST_INTERCEPTOR_ORDER","REQUEST_BODY_INTERCEPTOR_ORDER","IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY","CoSecRequestInterceptor","options","exchange","requestId","deviceId","requestHeaders","AUTHORIZATION_REQUEST_INTERCEPTOR_NAME","AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER","AuthorizationRequestInterceptor","currentToken","AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME","AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER","AuthorizationResponseInterceptor","response","error","DEFAULT_COSEC_DEVICE_ID_KEY","DeviceIdStorage","KeyStorage","key","IdentitySerializer","createListenableStorage","parseJwtPayload","token","parts","base64","paddedBase64","jsonPayload","c","isTokenExpired","earlyPeriod","payload","expAt","JwtToken","JwtCompositeToken","JwtCompositeTokenSerializer","value","compositeToken","jwtCompositeTokenSerializer","JwtTokenManager","tokenStorage","tokenRefresher","jwtToken","newToken","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER","ResourceAttributionRequestInterceptor","tenantId","ownerId","principal","extractedPathParams","tenantIdPathKey","requestPathParams","ownerIdPathKey","CoSecTokenRefresher","ResultExtractors","DEFAULT_COSEC_TOKEN_KEY","TokenStorage"],"mappings":";;;AAmBO,MAAMA,IAAN,MAAMA,EAAa;AAK1B;AAJEA,EAAgB,YAAY,mBAC5BA,EAAgB,SAAS,gBACzBA,EAAgB,gBAAgB,iBAChCA,EAAgB,aAAa;AAJxB,IAAMC,IAAND;AAOA,MAAME,IAAN,MAAMA,EAAc;AAE3B;AADEA,EAAgB,eAAe;AAD1B,IAAMC,IAAND;AAuCA,MAAME,IAAmB;AAAA,EAC9B,OAAO,EAAE,YAAY,IAAM,QAAQ,QAAA;AAAA,EACnC,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,mBAAmB,EAAE,YAAY,IAAO,QAAQ,oBAAA;AAClD;AChDO,MAAMC,EAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMlD,aAAqB;AACnB,WAAOC,EAAA;AAAA,EACT;AACF;AAEO,MAAMC,IAAc,IAAIF,EAAA,GCLlBG,IAAiC,2BAMjCC,IACXC,IAAiC,KAEtBC,IAAqC;AAkB3C,MAAMC,EAAsD;AAAA;AAAA;AAAA;AAAA;AAAA,EASjE,YAAYC,GAA8B;AAR1C,SAAS,OAAOL,GAChB,KAAS,QAAQC,GAQf,KAAK,UAAUI;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBA,MAAM,UAAUC,GAAyB;AAEvC,UAAMC,IAAYR,EAAY,WAAA,GAGxBS,IAAW,KAAK,QAAQ,gBAAgB,YAAA,GAGxCC,IAAiBH,EAAS,qBAAA;AAGhC,IAAAG,EAAehB,EAAa,MAAM,IAAI,KAAK,QAAQ,OACnDgB,EAAehB,EAAa,SAAS,IAAIe,GACzCC,EAAehB,EAAa,UAAU,IAAIc;AAAA,EAC5C;AACF;ACjFO,MAAMG,IACX,mCACWC,IACXV,IAAkC;AAY7B,MAAMW,EAA8D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASzE,YAA6BP,GAA0C;AAA1C,SAAA,UAAAA,GAR7B,KAAS,OAAOK,GAChB,KAAS,QAAQC;AAAA,EAQjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,UAAUL,GAAwC;AAEtD,QAAIO,IAAe,KAAK,QAAQ,aAAa;AAE7C,UAAMJ,IAAiBH,EAAS,qBAAA;AAGhC,IAAI,CAACO,KAAgBJ,EAAehB,EAAa,aAAa,MAM5D,CAACa,EAAS,WAAW,IAAIH,CAAkC,KAC3DU,EAAa,mBACbA,EAAa,iBAEb,MAAM,KAAK,QAAQ,aAAa,QAAA,GAIlCA,IAAe,KAAK,QAAQ,aAAa,cAGrCA,MACFJ,EAAehB,EAAa,aAAa,IACvC,UAAUoB,EAAa,OAAO,KAAK;AAAA,EAEzC;AACF;ACxEO,MAAMC,IACX,oCAMWC,IACX,OAAO,mBAAmB;AAYrB,MAAMC,EAAgE;AAAA;AAAA;AAAA;AAAA;AAAA,EAS3E,YAAYX,GAA0C;AARtD,SAAS,OAAOS,GAChB,KAAS,QAAQC,GAQf,KAAK,UAAUV;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAUC,GAAwC;AACtD,UAAMW,IAAWX,EAAS;AAE1B,QAAKW,KAKDA,EAAS,WAAWtB,EAAc,gBAIjC,KAAK,QAAQ,aAAa;AAG/B,UAAI;AACF,cAAM,KAAK,QAAQ,aAAa,QAAA,GAEhC,MAAMW,EAAS,QAAQ,aAAa,SAASA,CAAQ;AAAA,MACvD,SAASY,GAAO;AAEd,mBAAK,QAAQ,aAAa,aAAa,OAAA,GACjCA;AAAA,MACR;AAAA,EACF;AACF;AC9DO,MAAMC,IAA8B;AAKpC,MAAMC,UAAwBC,EAAmB;AAAA,EACtD,YAAYC,IAAcH,GAA6B;AACrD,UAAM;AAAA,MACJ,KAAAG;AAAA,MACA,YAAY,IAAIC,EAAA;AAAA,MAChB,SAASC,EAAA;AAAA,IAAwB,CAClC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,mBAA2B;AACzB,WAAOzB,EAAY,WAAA;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,cAAsB;AAEpB,QAAIS,IAAW,KAAK,IAAA;AACpB,WAAKA,MAEHA,IAAW,KAAK,iBAAA,GAChB,KAAK,IAAIA,CAAQ,IAGZA;AAAA,EACT;AACF;AC+BO,SAASiB,EAAsCC,GAAyB;AAC7E,MAAI;AACF,UAAMC,IAAQD,EAAM,MAAM,GAAG;AAC7B,QAAIC,EAAM,WAAW;AACnB,aAAO;AAIT,UAAMC,IADYD,EAAM,CAAC,EACA,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,GAGvDE,IAAeD,EAAO;AAAA,MAC1BA,EAAO,UAAW,IAAKA,EAAO,SAAS,KAAM;AAAA,MAC7C;AAAA,IAAA,GAGIE,IAAc;AAAA,MAClB,KAAKD,CAAY,EACd,MAAM,EAAE,EACR,IAAI,SAASE,GAAG;AACf,eAAO,OAAO,OAAOA,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE;AAAA,MAC7D,CAAC,EACA,KAAK,EAAE;AAAA,IAAA;AAEZ,WAAO,KAAK,MAAMD,CAAW;AAAA,EAC/B,SAASZ,GAAO;AAEd,mBAAQ,MAAM,6BAA6BA,CAAK,GACzC;AAAA,EACT;AACF;AAyBO,SAASc,EACdN,GACAO,IAAsB,GACb;AACT,QAAMC,IAAU,OAAOR,KAAU,WAAWD,EAAgBC,CAAK,IAAIA;AACrE,MAAI,CAACQ;AACH,WAAO;AAGT,QAAMC,IAAQD,EAAQ;AACtB,SAAKC,IAIO,KAAK,IAAA,IAAQ,MACZA,IAAQF,IAJZ;AAKX;AC1HO,MAAMG,EACmB;AAAA;AAAA;AAAA;AAAA,EAM9B,YACkBV,GACAO,IAAsB,GACtC;AAFgB,SAAA,QAAAP,GACA,KAAA,cAAAO,GAEhB,KAAK,UAAUR,EAAyBC,CAAK;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,YAAqB;AACvB,WAAK,KAAK,UAGHM,EAAe,KAAK,SAAS,KAAK,WAAW,IAF3C;AAAA,EAGX;AACF;AAkBO,MAAMK,EAC8C;AAAA;AAAA;AAAA;AAAA,EAOzD,YACkBX,GACAO,IAAsB,GACtC;AAFgB,SAAA,QAAAP,GACA,KAAA,cAAAO,GAEhB,KAAK,SAAS,IAAIG,EAASV,EAAM,aAAaO,CAAW,GACzD,KAAK,UAAU,IAAIG,EAASV,EAAM,cAAcO,CAAW;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,kBAA2B;AAC7B,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,gBAAyB;AAC3B,WAAO,CAAC,KAAK,QAAQ;AAAA,EACvB;AACF;AAKO,MAAMK,EAC0D;AAAA,EACrE,YAA4BL,IAAsB,GAAG;AAAzB,SAAA,cAAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAYM,GAAkC;AAC5C,UAAMC,IAAiB,KAAK,MAAMD,CAAK;AACvC,WAAO,IAAIF,EAAkBG,GAAgB,KAAK,WAAW;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,UAAUD,GAAkC;AAC1C,WAAO,KAAK,UAAUA,EAAM,KAAK;AAAA,EACnC;AACF;AAEO,MAAME,IAA8B,IAAIH,EAAA;AC1HxC,MAAMI,EAAqD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQhE,YACkBC,GACAC,GAChB;AAFgB,SAAA,eAAAD,GACA,KAAA,iBAAAC;AAAA,EAElB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,eAAyC;AAC3C,WAAO,KAAK,aAAa,IAAA;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,QAAQ/B,GAA8C;AAC1D,QAAI,CAACA,GAAc;AACjB,YAAMgC,IAAW,KAAK;AACtB,UAAI,CAACA;AACH,cAAM,IAAI,MAAM,gBAAgB;AAElC,MAAAhC,IAAegC,EAAS;AAAA,IAC1B;AACA,WAAI,KAAK,oBACA,KAAK,qBAGd,KAAK,oBAAoB,KAAK,eAC3B,QAAQhC,CAAY,EACpB,KAAK,CAAAiC,MAAY;AAChB,WAAK,aAAa,kBAAkBA,CAAQ;AAAA,IAC9C,CAAC,EACA,MAAM,CAAA5B,MAAS;AACd,iBAAK,aAAa,OAAA,GACZA;AAAA,IACR,CAAC,EACA,QAAQ,MAAM;AACb,WAAK,oBAAoB;AAAA,IAC3B,CAAC,GAEI,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,kBAA2B;AAC7B,WAAK,KAAK,eAGH,KAAK,aAAa,kBAFhB;AAAA,EAGX;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,gBAAyB;AAC3B,WAAK,KAAK,eAGH,KAAK,aAAa,gBAFhB;AAAA,EAGX;AACF;AC5DO,MAAM6B,IACX,yCAIWC,IACX,OAAO;AAOF,MAAMC,EACmB;AAAA;AAAA;AAAA;AAAA;AAAA,EAW9B,YAAY;AAAA,IACE,UAAAC,IAAW;AAAA,IACX,SAAAC,IAAU;AAAA,IACV,cAAAR;AAAA,EAAA,GAC6B;AAd3C,SAAS,OAAOI,GAChB,KAAS,QAAQC,GAcf,KAAK,kBAAkBE,GACvB,KAAK,iBAAiBC,GACtB,KAAK,eAAeR;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,UAAUrC,GAA+B;AACvC,UAAMO,IAAe,KAAK,aAAa,IAAA;AACvC,QAAI,CAACA;AACH;AAEF,UAAMuC,IAAYvC,EAAa,OAAO;AAItC,QAHI,CAACuC,KAGD,CAACA,EAAU,YAAY,CAACA,EAAU;AACpC;AAIF,UAAMC,IACJ/C,EAAS,QAAQ,WAAW,oBAAoB;AAAA,MAC9CA,EAAS,QAAQ;AAAA,IAAA,GAEfgD,IAAkB,KAAK,iBACvBC,IAAoBjD,EAAS,uBAAA,EAAyB,MACtD4C,IAAWE,EAAU;AAG3B,IACEF,KACAG,EAAoB,SAASC,CAAe,KAC5C,CAACC,EAAkBD,CAAe,MAElCC,EAAkBD,CAAe,IAAIJ;AAGvC,UAAMM,IAAiB,KAAK,gBACtBL,IAAUC,EAAU;AAG1B,IACED,KACAE,EAAoB,SAASG,CAAc,KAC3C,CAACD,EAAkBC,CAAc,MAEjCD,EAAkBC,CAAc,IAAIL;AAAA,EAExC;AACF;AC1DO,MAAMM,EAA8C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMzD,YAA4BpD,GAAqC;AAArC,SAAA,UAAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,QAAQqB,GAAgD;AAItD,WAAO,KAAK,QAAQ,QAAQ;AAAA,MAC1B,KAAK,QAAQ;AAAA,MACb;AAAA,QACE,MAAMA;AAAA,MAAA;AAAA,MAER;AAAA,QACE,iBAAiBgC,EAAiB;AAAA,QAClC,gCAAgB,IAAI,CAAC,CAACvD,GAAoC,EAAI,CAAC,CAAC;AAAA,MAAA;AAAA,IAClE;AAAA,EAEJ;AACF;ACvEO,MAAMwD,IAA0B;AAKhC,MAAMC,UACHvC,EACsB;AAAA,EAC9B,YACEC,IAAcqC,GACE1B,IAAsB,GACtC;AACA,UAAM;AAAA,MACJ,KAAAX;AAAA,MACA,SAASE,EAAA;AAAA,MACT,YAAY,IAAIc,EAA4BL,CAAW;AAAA,IAAA,CACxD,GANe,KAAA,cAAAA;AAAA,EAOlB;AAAA,EAEA,kBAAkBO,GAAgC;AAChD,SAAK,IAAI,IAAIH,EAAkBG,CAAc,CAAC;AAAA,EAChD;AACF;"}
1	+ {"version":3,"file":"index.es.js","sources":["../src/types.ts","../src/idGenerator.ts","../src/cosecRequestInterceptor.ts","../src/authorizationRequestInterceptor.ts","../src/authorizationResponseInterceptor.ts","../src/deviceIdStorage.ts","../src/jwts.ts","../src/jwtToken.ts","../src/jwtTokenManager.ts","../src/resourceAttributionRequestInterceptor.ts","../src/tokenRefresher.ts","../src/tokenStorage.ts"],"sourcesContent":["/\n Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { DeviceIdStorage } from './deviceIdStorage';\nimport { JwtTokenManager } from './jwtTokenManager';\n\n/\n CoSec HTTP headers enumeration.\n /\nexport class CoSecHeaders {\n static readonly DEVICE_ID = 'CoSec-Device-Id';\n static readonly APP_ID = 'CoSec-App-Id';\n static readonly AUTHORIZATION = 'Authorization';\n static readonly REQUEST_ID = 'CoSec-Request-Id';\n}\n\nexport class ResponseCodes {\n static readonly UNAUTHORIZED = 401;\n}\n\nexport interface AppIdCapable {\n /\n Application ID to be sent in the CoSec-App-Id header.\n /\n appId: string;\n}\n\nexport interface DeviceIdStorageCapable {\n deviceIdStorage: DeviceIdStorage;\n}\n\nexport interface JwtTokenManagerCapable {\n tokenManager: JwtTokenManager;\n}\n\n/\n CoSec options interface.\n /\nexport interface CoSecOptions\n extends AppIdCapable,\n DeviceIdStorageCapable,\n JwtTokenManagerCapable {\n}\n\n/\n Authorization result interface.\n /\nexport interface AuthorizeResult {\n authorized: boolean;\n reason: string;\n}\n\n/\n Authorization result constants.\n /\nexport const AuthorizeResults = {\n ALLOW: { authorized: true, reason: 'Allow' },\n EXPLICIT_DENY: { authorized: false, reason: 'Explicit Deny' },\n IMPLICIT_DENY: { authorized: false, reason: 'Implicit Deny' },\n TOKEN_EXPIRED: { authorized: false, reason: 'Token Expired' },\n TOO_MANY_REQUESTS: { authorized: false, reason: 'Too Many Requests' },\n};\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { nanoid } from 'nanoid';\n\nexport interface IdGenerator {\n generateId(): string;\n}\n\n/\n Nano ID implementation of IdGenerator.\n * Generates unique request IDs using Nano ID.\n /\nexport class NanoIdGenerator implements IdGenerator {\n /\n Generate a unique request ID.\n \n @returns A unique request ID\n /\n generateId(): string {\n return nanoid();\n }\n}\n\nexport const idGenerator = new NanoIdGenerator();\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n FetchExchange,\n REQUEST_BODY_INTERCEPTOR_ORDER,\n type RequestInterceptor,\n} from '@ahoo-wang/fetcher';\nimport { AppIdCapable, CoSecHeaders, DeviceIdStorageCapable } from './types';\nimport { idGenerator } from './idGenerator';\n\nexport interface CoSecRequestOptions\n extends AppIdCapable,\n DeviceIdStorageCapable {\n}\n\n/\n The name of the CoSecRequestInterceptor.\n /\nexport const COSEC_REQUEST_INTERCEPTOR_NAME = 'CoSecRequestInterceptor';\n\n/\n The order of the CoSecRequestInterceptor.\n * Set to REQUEST_BODY_INTERCEPTOR_ORDER + 1000 to ensure it runs after RequestBodyInterceptor.\n /\nexport const COSEC_REQUEST_INTERCEPTOR_ORDER =\n REQUEST_BODY_INTERCEPTOR_ORDER + 1000;\n\nexport const IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY = 'Ignore-Refresh-Token';\n\n/\n Interceptor that automatically adds CoSec authentication headers to requests.\n \n This interceptor adds the following headers to each request:\n * - CoSec-Device-Id: Device identifier (stored in localStorage or generated)\n * - CoSec-App-Id: Application identifier\n * - CoSec-Request-Id: Unique request identifier for each request\n \n @remarks\n * This interceptor runs after RequestBodyInterceptor but before FetchInterceptor.\n * The order is set to COSEC_REQUEST_INTERCEPTOR_ORDER to ensure it runs after\n * request body processing but before the actual HTTP request is made. This positioning\n * allows for proper authentication header addition after all request body transformations\n * are complete, ensuring that the final request is properly authenticated before\n * being sent over the network.\n /\nexport class CoSecRequestInterceptor implements RequestInterceptor {\n readonly name = COSEC_REQUEST_INTERCEPTOR_NAME;\n readonly order = COSEC_REQUEST_INTERCEPTOR_ORDER;\n private options: CoSecRequestOptions;\n\n /\n Creates a new CoSecRequestInterceptor instance.\n * @param options - The CoSec configuration options including appId, deviceIdStorage, and tokenManager\n /\n constructor(options: CoSecRequestOptions) {\n this.options = options;\n }\n\n /\n Intercept requests to add CoSec authentication headers.\n \n This method adds the following headers to each request:\n * - CoSec-App-Id: The application identifier from the CoSec options\n * - CoSec-Device-Id: A unique device identifier, either retrieved from storage or generated\n * - CoSec-Request-Id: A unique identifier for this specific request\n \n @param exchange - The fetch exchange containing the request to process\n \n @remarks\n * This method runs after RequestBodyInterceptor but before FetchInterceptor.\n * It ensures that authentication headers are added to the request after all\n * body processing is complete. The positioning allows for proper authentication\n * header addition after all request body transformations are finished, ensuring\n * that the final request is properly authenticated before being sent over the network.\n * This execution order prevents authentication headers from being overwritten by\n * subsequent request processing interceptors.\n \n The method also handles token refreshing when the current token is expired but still refreshable.\n * It will attempt to refresh the token before adding the Authorization header to the request.\n /\n async intercept(exchange: FetchExchange) {\n // Generate a unique request ID for this request\n const requestId = idGenerator.generateId();\n\n // Get or create a device ID\n const deviceId = this.options.deviceIdStorage.getOrCreate();\n\n // Ensure request headers object exists\n const requestHeaders = exchange.ensureRequestHeaders();\n\n // Add CoSec headers to the request\n requestHeaders[CoSecHeaders.APP_ID] = this.options.appId;\n requestHeaders[CoSecHeaders.DEVICE_ID] = deviceId;\n requestHeaders[CoSecHeaders.REQUEST_ID] = requestId;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport {\n COSEC_REQUEST_INTERCEPTOR_ORDER,\n IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,\n} from './cosecRequestInterceptor';\nimport { CoSecHeaders, JwtTokenManagerCapable } from './types';\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport interface AuthorizationInterceptorOptions\n extends JwtTokenManagerCapable {\n}\n\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_NAME =\n 'AuthorizationRequestInterceptor';\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER =\n COSEC_REQUEST_INTERCEPTOR_ORDER + 1000;\n\n/\n Request interceptor that automatically adds Authorization header to requests.\n \n This interceptor handles JWT token management by:\n * 1. Adding Authorization header with Bearer token if not already present\n * 2. Refreshing tokens when needed and possible\n * 3. Skipping refresh when explicitly requested via attributes\n \n The interceptor runs after CoSecRequestInterceptor but before FetchInterceptor in the chain.\n /\nexport class AuthorizationRequestInterceptor implements RequestInterceptor {\n readonly name = AUTHORIZATION_REQUEST_INTERCEPTOR_NAME;\n readonly order = AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER;\n\n /\n Creates an AuthorizationRequestInterceptor instance.\n \n @param options - Configuration options containing the token manager\n /\n constructor(private readonly options: AuthorizationInterceptorOptions) {\n }\n\n /\n Intercepts the request exchange to add authorization headers.\n \n This method performs the following operations:\n * 1. Checks if a token exists and if Authorization header is already set\n * 2. Refreshes the token if needed, possible, and not explicitly ignored\n * 3. Adds the Authorization header with Bearer token if a token is available\n \n @param exchange - The fetch exchange containing request information\n * @returns Promise that resolves when the interception is complete\n /\n async intercept(exchange: FetchExchange): Promise<void> {\n // Get the current token from token manager\n let currentToken = this.options.tokenManager.currentToken;\n\n const requestHeaders = exchange.ensureRequestHeaders();\n\n // Skip if no token exists or Authorization header is already set\n if (!currentToken \|\| requestHeaders[CoSecHeaders.AUTHORIZATION]) {\n return;\n }\n\n // Refresh token if needed and refreshable\n if (\n !exchange.attributes.has(IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY) &&\n currentToken.isRefreshNeeded &&\n currentToken.isRefreshable\n ) {\n await this.options.tokenManager.refresh();\n }\n\n // Get the current token again (might have been refreshed)\n currentToken = this.options.tokenManager.currentToken;\n\n // Add Authorization header if we have a token\n if (currentToken) {\n requestHeaders[CoSecHeaders.AUTHORIZATION] =\n `Bearer ${currentToken.access.token}`;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { ResponseCodes } from './types';\nimport { FetchExchange, type ResponseInterceptor } from '@ahoo-wang/fetcher';\nimport { AuthorizationInterceptorOptions } from './authorizationRequestInterceptor';\n\n/\n The name of the AuthorizationResponseInterceptor.\n /\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME =\n 'AuthorizationResponseInterceptor';\n\n/\n The order of the AuthorizationResponseInterceptor.\n * Set to a high negative value to ensure it runs early in the interceptor chain.\n /\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER =\n Number.MIN_SAFE_INTEGER + 1000;\n\n/\n CoSecResponseInterceptor is responsible for handling unauthorized responses (401)\n * by attempting to refresh the authentication token and retrying the original request.\n \n This interceptor:\n * 1. Checks if the response status is 401 (UNAUTHORIZED)\n * 2. If so, and if there's a current token, attempts to refresh it\n * 3. On successful refresh, stores the new token and retries the original request\n * 4. On refresh failure, clears stored tokens and propagates the error\n /\nexport class AuthorizationResponseInterceptor implements ResponseInterceptor {\n readonly name = AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME;\n readonly order = AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER;\n private options: AuthorizationInterceptorOptions;\n\n /\n Creates a new AuthorizationResponseInterceptor instance.\n * @param options - The CoSec configuration options including token storage and refresher\n /\n constructor(options: AuthorizationInterceptorOptions) {\n this.options = options;\n }\n\n /\n Intercepts the response and handles unauthorized responses by refreshing tokens.\n * @param exchange - The fetch exchange containing request and response information\n /\n async intercept(exchange: FetchExchange): Promise<void> {\n const response = exchange.response;\n // If there's no response, nothing to intercept\n if (!response) {\n return;\n }\n\n // Only handle unauthorized responses (401)\n if (response.status !== ResponseCodes.UNAUTHORIZED) {\n return;\n }\n\n if (!this.options.tokenManager.isRefreshable) {\n return;\n }\n try {\n await this.options.tokenManager.refresh();\n // Retry the original request with the new token\n await exchange.fetcher.interceptors.exchange(exchange);\n } catch (error) {\n // If token refresh fails, clear stored tokens and re-throw the error\n this.options.tokenManager.tokenStorage.remove();\n throw error;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { idGenerator } from './idGenerator';\nimport {\n KeyStorage, KeyStorageOptions,\n} from '@ahoo-wang/fetcher-storage';\nimport { BroadcastTypedEventBus, SerialTypedEventBus } from '@ahoo-wang/fetcher-eventbus';\n\nexport const DEFAULT_COSEC_DEVICE_ID_KEY = 'cosec-device-id';\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport interface DeviceIdStorageOptions extends KeyStorageOptions<string> {\n}\n\n/\n Storage class for managing device identifiers.\n /\nexport class DeviceIdStorage extends KeyStorage<string> {\n constructor(options: DeviceIdStorageOptions = {\n key: DEFAULT_COSEC_DEVICE_ID_KEY,\n eventBus: new BroadcastTypedEventBus(new SerialTypedEventBus(DEFAULT_COSEC_DEVICE_ID_KEY)),\n }) {\n super(options);\n }\n\n /\n Generate a new device ID.\n \n @returns A newly generated device ID\n /\n generateDeviceId(): string {\n return idGenerator.generateId();\n }\n\n /\n Get or create a device ID.\n \n @returns The existing device ID if available, otherwise a newly generated one\n /\n getOrCreate(): string {\n // Try to get existing device ID from storage\n let deviceId = this.get();\n if (!deviceId) {\n // Generate a new device ID and store it\n deviceId = this.generateDeviceId();\n this.set(deviceId);\n }\n\n return deviceId;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n/\n Interface representing a JWT payload as defined in RFC 7519.\n * Contains standard JWT claims as well as custom properties.\n /\nexport interface JwtPayload {\n /\n JWT ID - provides a unique identifier for the JWT.\n /\n jti?: string;\n /\n Subject - identifies the principal that is the subject of the JWT.\n /\n sub?: string;\n /\n Issuer - identifies the principal that issued the JWT.\n /\n iss?: string;\n /\n Audience - identifies the recipients that the JWT is intended for.\n * Can be a single string or an array of strings.\n /\n aud?: string \| string[];\n /\n Expiration Time - identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n exp?: number;\n /\n Not Before - identifies the time before which the JWT MUST NOT be accepted for processing.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n nbf?: number;\n /\n Issued At - identifies the time at which the JWT was issued.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n iat?: number;\n\n /\n Allows additional custom properties to be included in the payload.\n /\n [key: string]: any;\n}\n\n/\n Interface representing a JWT payload with CoSec-specific extensions.\n * Extends the standard JwtPayload interface with additional CoSec-specific properties.\n /\nexport interface CoSecJwtPayload extends JwtPayload {\n /\n Tenant identifier - identifies the tenant scope for the JWT.\n /\n tenantId?: string;\n /\n Policies - array of policy identifiers associated with the JWT.\n * These are security policies defined internally by Cosec.\n /\n policies?: string[];\n /\n Roles - array of role identifiers associated with the JWT.\n * Role IDs indicate what roles the token belongs to.\n /\n roles?: string[];\n /\n Attributes - custom key-value pairs providing additional information about the JWT.\n /\n attributes?: Record<string, any>;\n}\n\n/\n Parses a JWT token and extracts its payload.\n \n This function decodes the payload part of a JWT token, handling Base64URL decoding\n * and JSON parsing. It validates the token structure and returns null for invalid tokens.\n \n @param token - The JWT token string to parse\n * @returns The parsed JWT payload or null if parsing fails\n /\nexport function parseJwtPayload<T extends JwtPayload>(token: string): T \| null {\n try {\n if (typeof token !== 'string') {\n return null;\n }\n const parts = token.split('.');\n if (parts.length !== 3) {\n return null;\n }\n\n const base64Url = parts[1];\n const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');\n\n // Add padding if needed\n const paddedBase64 = base64.padEnd(\n base64.length + ((4 - (base64.length % 4)) % 4),\n '=',\n );\n\n const jsonPayload = decodeURIComponent(\n atob(paddedBase64)\n .split('')\n .map(function(c) {\n return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);\n })\n .join(''),\n );\n return JSON.parse(jsonPayload) as T;\n } catch (error) {\n // Avoid exposing sensitive information in error logs\n console.error('Failed to parse JWT token', error);\n return null;\n }\n}\n\nexport interface EarlyPeriodCapable {\n /\n The time in seconds before actual expiration when the token should be considered expired (default: 0)\n /\n readonly earlyPeriod: number;\n}\n\n/\n Checks if a JWT token is expired based on its expiration time (exp claim).\n \n This function determines if a JWT token has expired by comparing its exp claim\n * with the current time. If the token is a string, it will be parsed first.\n * Tokens without an exp claim are considered not expired.\n \n The early period parameter allows for early token expiration, which is useful\n * for triggering token refresh before the token actually expires. This helps\n * avoid race conditions where a token expires between the time it is checked and\n * the time it is used.\n \n @param token - The JWT token to check, either as a string or as a JwtPayload object\n * @param earlyPeriod - The time in seconds before actual expiration when the token should be considered expired (default: 0)\n * @returns true if the token is expired (or will expire within the early period) or cannot be parsed, false otherwise\n /\nexport function isTokenExpired(\n token: string \| CoSecJwtPayload,\n earlyPeriod: number = 0,\n): boolean {\n const payload = typeof token === 'string' ? parseJwtPayload(token) : token;\n if (!payload) {\n return true;\n }\n\n const expAt = payload.exp;\n if (!expAt) {\n return false;\n }\n\n const now = Date.now() / 1000;\n return now > expAt - earlyPeriod;\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n CoSecJwtPayload,\n EarlyPeriodCapable,\n isTokenExpired,\n JwtPayload,\n parseJwtPayload,\n} from './jwts';\nimport { CompositeToken } from './tokenRefresher';\nimport { Serializer } from '@ahoo-wang/fetcher-storage';\n\n/\n Interface for JWT token with typed payload\n * @template Payload The type of the JWT payload\n /\nexport interface IJwtToken<Payload extends JwtPayload>\n extends EarlyPeriodCapable {\n readonly token: string;\n readonly payload: Payload \| null;\n\n isExpired: boolean;\n}\n\n/\n Class representing a JWT token with typed payload\n * @template Payload The type of the JWT payload\n /\nexport class JwtToken<Payload extends JwtPayload>\n implements IJwtToken<Payload> {\n public readonly payload: Payload \| null;\n\n /\n Creates a new JwtToken instance\n /\n constructor(\n public readonly token: string,\n public readonly earlyPeriod: number = 0,\n ) {\n this.payload = parseJwtPayload<Payload>(token);\n }\n\n /\n Checks if the token is expired\n * @returns true if the token is expired, false otherwise\n /\n get isExpired(): boolean {\n if (!this.payload) {\n return true;\n }\n return isTokenExpired(this.payload, this.earlyPeriod);\n }\n}\n\nexport interface RefreshTokenStatusCapable {\n /\n Checks if the access token needs to be refreshed\n * @returns true if the access token is expired, false otherwise\n /\n readonly isRefreshNeeded: boolean;\n /\n Checks if the refresh token is still valid and can be used to refresh the access token\n * @returns true if the refresh token is not expired, false otherwise\n /\n readonly isRefreshable: boolean;\n}\n\n/\n Class representing a composite token containing both access and refresh tokens\n /\nexport class JwtCompositeToken\n implements EarlyPeriodCapable, RefreshTokenStatusCapable {\n public readonly access: JwtToken<CoSecJwtPayload>;\n public readonly refresh: JwtToken<JwtPayload>;\n\n /\n Creates a new JwtCompositeToken instance\n /\n constructor(\n public readonly token: CompositeToken,\n public readonly earlyPeriod: number = 0,\n ) {\n this.access = new JwtToken(token.accessToken, earlyPeriod);\n this.refresh = new JwtToken(token.refreshToken, earlyPeriod);\n }\n\n /\n Checks if the access token needs to be refreshed\n * @returns true if the access token is expired, false otherwise\n /\n get isRefreshNeeded(): boolean {\n return this.access.isExpired;\n }\n\n /\n Checks if the refresh token is still valid and can be used to refresh the access token\n * @returns true if the refresh token is not expired, false otherwise\n /\n get isRefreshable(): boolean {\n return !this.refresh.isExpired;\n }\n}\n\n/\n Serializer for JwtCompositeToken that handles conversion to and from JSON strings\n /\nexport class JwtCompositeTokenSerializer\n implements Serializer<string, JwtCompositeToken>, EarlyPeriodCapable {\n constructor(public readonly earlyPeriod: number = 0) {\n }\n\n /\n Deserializes a JSON string to a JwtCompositeToken\n * @param value The JSON string representation of a composite token\n * @returns A JwtCompositeToken instance\n /\n deserialize(value: string): JwtCompositeToken {\n const compositeToken = JSON.parse(value) as CompositeToken;\n return new JwtCompositeToken(compositeToken, this.earlyPeriod);\n }\n\n /\n Serializes a JwtCompositeToken to a JSON string\n * @param value The JwtCompositeToken to serialize\n * @returns A JSON string representation of the composite token\n /\n serialize(value: JwtCompositeToken): string {\n return JSON.stringify(value.token);\n }\n}\n\nexport const jwtCompositeTokenSerializer = new JwtCompositeTokenSerializer();\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { TokenStorage } from './tokenStorage';\nimport { CompositeToken, TokenRefresher } from './tokenRefresher';\nimport { JwtCompositeToken, RefreshTokenStatusCapable } from './jwtToken';\n\n/\n Manages JWT token refreshing operations and provides status information\n /\nexport class JwtTokenManager implements RefreshTokenStatusCapable {\n private refreshInProgress?: Promise<void>;\n\n /\n Creates a new JwtTokenManager instance\n * @param tokenStorage The storage used to persist tokens\n * @param tokenRefresher The refresher used to refresh expired tokens\n /\n constructor(\n public readonly tokenStorage: TokenStorage,\n public readonly tokenRefresher: TokenRefresher,\n ) {\n }\n\n /\n Gets the current JWT composite token from storage\n * @returns The current token or null if none exists\n /\n get currentToken(): JwtCompositeToken \| null {\n return this.tokenStorage.get();\n }\n\n /\n Refreshes the JWT token\n * @param currentToken Optional current token to refresh. If not provided, uses the stored token.\n * @returns Promise that resolves when refresh is complete\n * @throws Error if no token is found or refresh fails\n /\n async refresh(currentToken?: CompositeToken): Promise<void> {\n if (!currentToken) {\n const jwtToken = this.currentToken;\n if (!jwtToken) {\n throw new Error('No token found');\n }\n currentToken = jwtToken.token;\n }\n if (this.refreshInProgress) {\n return this.refreshInProgress;\n }\n\n this.refreshInProgress = this.tokenRefresher\n .refresh(currentToken)\n .then(newToken => {\n this.tokenStorage.setCompositeToken(newToken);\n })\n .catch(error => {\n this.tokenStorage.remove();\n throw error;\n })\n .finally(() => {\n this.refreshInProgress = undefined;\n });\n\n return this.refreshInProgress;\n }\n\n /\n Indicates if the current token needs to be refreshed\n * @returns true if the access token is expired and needs refresh, false otherwise\n /\n get isRefreshNeeded(): boolean {\n if (!this.currentToken) {\n return false;\n }\n return this.currentToken.isRefreshNeeded;\n }\n\n /\n Indicates if the current token can be refreshed\n * @returns true if the refresh token is still valid, false otherwise\n /\n get isRefreshable(): boolean {\n if (!this.currentToken) {\n return false;\n }\n return this.currentToken.isRefreshable;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport { TokenStorage } from './tokenStorage';\n\n/\n Configuration options for resource attribution\n /\nexport interface ResourceAttributionOptions {\n /\n The path parameter key used for tenant ID in URL templates\n /\n tenantId?: string;\n /\n The path parameter key used for owner ID in URL templates\n /\n ownerId?: string;\n /\n Storage mechanism for retrieving current authentication tokens\n /\n tokenStorage: TokenStorage;\n}\n\n/\n Name identifier for the ResourceAttributionRequestInterceptor\n /\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME =\n 'ResourceAttributionRequestInterceptor';\n/\n Order priority for the ResourceAttributionRequestInterceptor, set to maximum safe integer to ensure it runs last\n /\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER =\n Number.MAX_SAFE_INTEGER;\n\n/\n Request interceptor that automatically adds tenant and owner ID path parameters to requests\n * based on the current authentication token. This is useful for multi-tenant applications where\n * requests need to include tenant-specific information in the URL path.\n /\nexport class ResourceAttributionRequestInterceptor\n implements RequestInterceptor {\n readonly name = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME;\n readonly order = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER;\n private readonly tenantIdPathKey: string;\n private readonly ownerIdPathKey: string;\n private readonly tokenStorage: TokenStorage;\n\n /\n Creates a new ResourceAttributionRequestInterceptor\n * @param options - Configuration options for resource attribution including tenantId, ownerId and tokenStorage\n /\n constructor({\n tenantId = 'tenantId',\n ownerId = 'ownerId',\n tokenStorage,\n }: ResourceAttributionOptions) {\n this.tenantIdPathKey = tenantId;\n this.ownerIdPathKey = ownerId;\n this.tokenStorage = tokenStorage;\n }\n\n /\n Intercepts outgoing requests and automatically adds tenant and owner ID path parameters\n * if they are defined in the URL template but not provided in the request.\n * @param exchange - The fetch exchange containing the request information\n /\n intercept(exchange: FetchExchange): void {\n const currentToken = this.tokenStorage.get();\n if (!currentToken) {\n return;\n }\n const principal = currentToken.access.payload;\n if (!principal) {\n return;\n }\n if (!principal.tenantId && !principal.sub) {\n return;\n }\n\n // Extract path parameters from the URL template\n const extractedPathParams =\n exchange.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(\n exchange.request.url,\n );\n const tenantIdPathKey = this.tenantIdPathKey;\n const requestPathParams = exchange.ensureRequestUrlParams().path;\n const tenantId = principal.tenantId;\n\n // Add tenant ID to path parameters if it's part of the URL template and not already provided\n if (\n tenantId &&\n extractedPathParams.includes(tenantIdPathKey) &&\n !requestPathParams[tenantIdPathKey]\n ) {\n requestPathParams[tenantIdPathKey] = tenantId;\n }\n\n const ownerIdPathKey = this.ownerIdPathKey;\n const ownerId = principal.sub;\n\n // Add owner ID to path parameters if it's part of the URL template and not already provided\n if (\n ownerId &&\n extractedPathParams.includes(ownerIdPathKey) &&\n !requestPathParams[ownerIdPathKey]\n ) {\n requestPathParams[ownerIdPathKey] = ownerId;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Fetcher, ResultExtractors } from '@ahoo-wang/fetcher';\nimport { IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY } from './cosecRequestInterceptor';\n\n/\n Interface for access tokens.\n /\nexport interface AccessToken {\n accessToken: string;\n}\n\n/\n Interface for refresh tokens.\n /\nexport interface RefreshToken {\n refreshToken: string;\n}\n\n/\n Composite token interface that contains both access and refresh tokens.\n \n accessToken and refreshToken always appear in pairs, no need to split them.\n /\nexport interface CompositeToken extends AccessToken, RefreshToken {\n}\n\n/\n Interface for token refreshers.\n \n Provides a method to refresh tokens.\n /\nexport interface TokenRefresher {\n /\n Refresh the given token and return a new CompositeToken.\n \n @param token The token to refresh\n * @returns A Promise that resolves to a new CompositeToken\n /\n refresh(token: CompositeToken): Promise<CompositeToken>;\n}\n\nexport interface CoSecTokenRefresherOptions {\n fetcher: Fetcher;\n endpoint: string;\n}\n\n/\n CoSecTokenRefresher is a class that implements the TokenRefresher interface\n * for refreshing composite tokens through a configured endpoint.\n /\nexport class CoSecTokenRefresher implements TokenRefresher {\n /\n Creates a new instance of CoSecTokenRefresher.\n \n @param options The configuration options for the token refresher including fetcher and endpoint\n /\n constructor(public readonly options: CoSecTokenRefresherOptions) {\n }\n\n /\n Refresh the given token and return a new CompositeToken.\n \n @param token The token to refresh\n * @returns A Promise that resolves to a new CompositeToken\n /\n refresh(token: CompositeToken): Promise<CompositeToken> {\n // Send a POST request to the configured endpoint with the token as body\n // and extract the response as JSON to return a new CompositeToken\n\n return this.options.fetcher.post<CompositeToken>(\n this.options.endpoint,\n {\n body: token,\n },\n {\n resultExtractor: ResultExtractors.Json,\n attributes: new Map([[IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY, true]]),\n },\n );\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { JwtCompositeToken, JwtCompositeTokenSerializer } from './jwtToken';\nimport { CompositeToken } from './tokenRefresher';\nimport { EarlyPeriodCapable } from './jwts';\nimport {\n KeyStorage, KeyStorageOptions,\n} from '@ahoo-wang/fetcher-storage';\nimport { PartialBy } from '@ahoo-wang/fetcher';\nimport { BroadcastTypedEventBus, SerialTypedEventBus } from '@ahoo-wang/fetcher-eventbus';\n\nexport const DEFAULT_COSEC_TOKEN_KEY = 'cosec-token';\n\nexport interface TokenStorageOptions extends Omit<KeyStorageOptions<JwtCompositeToken>, 'serializer'>, PartialBy<EarlyPeriodCapable, 'earlyPeriod'> {\n\n}\n\n/\n Storage class for managing access and refresh tokens.\n */\nexport class TokenStorage\n extends KeyStorage<JwtCompositeToken>\n implements EarlyPeriodCapable {\n public readonly earlyPeriod: number;\n\n constructor(\n options: TokenStorageOptions = {\n key: DEFAULT_COSEC_TOKEN_KEY,\n eventBus: new BroadcastTypedEventBus(new SerialTypedEventBus(DEFAULT_COSEC_TOKEN_KEY)),\n },\n ) {\n super({\n serializer: new JwtCompositeTokenSerializer(options.earlyPeriod),\n ...options,\n });\n this.earlyPeriod = options.earlyPeriod ?? 0;\n }\n\n setCompositeToken(compositeToken: CompositeToken) {\n this.set(new JwtCompositeToken(compositeToken));\n }\n}\n"],"names":["_CoSecHeaders","CoSecHeaders","_ResponseCodes","ResponseCodes","AuthorizeResults","NanoIdGenerator","nanoid","idGenerator","COSEC_REQUEST_INTERCEPTOR_NAME","COSEC_REQUEST_INTERCEPTOR_ORDER","REQUEST_BODY_INTERCEPTOR_ORDER","IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY","CoSecRequestInterceptor","options","exchange","requestId","deviceId","requestHeaders","AUTHORIZATION_REQUEST_INTERCEPTOR_NAME","AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER","AuthorizationRequestInterceptor","currentToken","AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME","AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER","AuthorizationResponseInterceptor","response","error","DEFAULT_COSEC_DEVICE_ID_KEY","DeviceIdStorage","KeyStorage","BroadcastTypedEventBus","SerialTypedEventBus","parseJwtPayload","token","parts","base64","paddedBase64","jsonPayload","c","isTokenExpired","earlyPeriod","payload","expAt","JwtToken","JwtCompositeToken","JwtCompositeTokenSerializer","value","compositeToken","jwtCompositeTokenSerializer","JwtTokenManager","tokenStorage","tokenRefresher","jwtToken","newToken","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER","ResourceAttributionRequestInterceptor","tenantId","ownerId","principal","extractedPathParams","tenantIdPathKey","requestPathParams","ownerIdPathKey","CoSecTokenRefresher","ResultExtractors","DEFAULT_COSEC_TOKEN_KEY","TokenStorage"],"mappings":";;;;AAmBO,MAAMA,IAAN,MAAMA,EAAa;AAK1B;AAJEA,EAAgB,YAAY,mBAC5BA,EAAgB,SAAS,gBACzBA,EAAgB,gBAAgB,iBAChCA,EAAgB,aAAa;AAJxB,IAAMC,IAAND;AAOA,MAAME,IAAN,MAAMA,EAAc;AAE3B;AADEA,EAAgB,eAAe;AAD1B,IAAMC,IAAND;AAuCA,MAAME,IAAmB;AAAA,EAC9B,OAAO,EAAE,YAAY,IAAM,QAAQ,QAAA;AAAA,EACnC,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,eAAe,EAAE,YAAY,IAAO,QAAQ,gBAAA;AAAA,EAC5C,mBAAmB,EAAE,YAAY,IAAO,QAAQ,oBAAA;AAClD;AChDO,MAAMC,EAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMlD,aAAqB;AACnB,WAAOC,EAAA;AAAA,EACT;AACF;AAEO,MAAMC,IAAc,IAAIF,EAAA,GCLlBG,IAAiC,2BAMjCC,IACXC,IAAiC,KAEtBC,IAAqC;AAkB3C,MAAMC,EAAsD;AAAA;AAAA;AAAA;AAAA;AAAA,EASjE,YAAYC,GAA8B;AAR1C,SAAS,OAAOL,GAChB,KAAS,QAAQC,GAQf,KAAK,UAAUI;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBA,MAAM,UAAUC,GAAyB;AAEvC,UAAMC,IAAYR,EAAY,WAAA,GAGxBS,IAAW,KAAK,QAAQ,gBAAgB,YAAA,GAGxCC,IAAiBH,EAAS,qBAAA;AAGhC,IAAAG,EAAehB,EAAa,MAAM,IAAI,KAAK,QAAQ,OACnDgB,EAAehB,EAAa,SAAS,IAAIe,GACzCC,EAAehB,EAAa,UAAU,IAAIc;AAAA,EAC5C;AACF;ACjFO,MAAMG,IACX,mCACWC,IACXV,IAAkC;AAY7B,MAAMW,EAA8D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASzE,YAA6BP,GAA0C;AAA1C,SAAA,UAAAA,GAR7B,KAAS,OAAOK,GAChB,KAAS,QAAQC;AAAA,EAQjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,UAAUL,GAAwC;AAEtD,QAAIO,IAAe,KAAK,QAAQ,aAAa;AAE7C,UAAMJ,IAAiBH,EAAS,qBAAA;AAGhC,IAAI,CAACO,KAAgBJ,EAAehB,EAAa,aAAa,MAM5D,CAACa,EAAS,WAAW,IAAIH,CAAkC,KAC3DU,EAAa,mBACbA,EAAa,iBAEb,MAAM,KAAK,QAAQ,aAAa,QAAA,GAIlCA,IAAe,KAAK,QAAQ,aAAa,cAGrCA,MACFJ,EAAehB,EAAa,aAAa,IACvC,UAAUoB,EAAa,OAAO,KAAK;AAAA,EAEzC;AACF;ACxEO,MAAMC,IACX,oCAMWC,IACX,OAAO,mBAAmB;AAYrB,MAAMC,EAAgE;AAAA;AAAA;AAAA;AAAA;AAAA,EAS3E,YAAYX,GAA0C;AARtD,SAAS,OAAOS,GAChB,KAAS,QAAQC,GAQf,KAAK,UAAUV;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAUC,GAAwC;AACtD,UAAMW,IAAWX,EAAS;AAE1B,QAAKW,KAKDA,EAAS,WAAWtB,EAAc,gBAIjC,KAAK,QAAQ,aAAa;AAG/B,UAAI;AACF,cAAM,KAAK,QAAQ,aAAa,QAAA,GAEhC,MAAMW,EAAS,QAAQ,aAAa,SAASA,CAAQ;AAAA,MACvD,SAASY,GAAO;AAEd,mBAAK,QAAQ,aAAa,aAAa,OAAA,GACjCA;AAAA,MACR;AAAA,EACF;AACF;AC/DO,MAAMC,IAA8B;AASpC,MAAMC,UAAwBC,EAAmB;AAAA,EACtD,YAAYhB,IAAkC;AAAA,IAC5C,KAAKc;AAAA,IACL,UAAU,IAAIG,EAAuB,IAAIC,EAAoBJ,CAA2B,CAAC;AAAA,EAAA,GACxF;AACD,UAAMd,CAAO;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,mBAA2B;AACzB,WAAON,EAAY,WAAA;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,cAAsB;AAEpB,QAAIS,IAAW,KAAK,IAAA;AACpB,WAAKA,MAEHA,IAAW,KAAK,iBAAA,GAChB,KAAK,IAAIA,CAAQ,IAGZA;AAAA,EACT;AACF;AC6BO,SAASgB,EAAsCC,GAAyB;AAC7E,MAAI;AACF,QAAI,OAAOA,KAAU;AACnB,aAAO;AAET,UAAMC,IAAQD,EAAM,MAAM,GAAG;AAC7B,QAAIC,EAAM,WAAW;AACnB,aAAO;AAIT,UAAMC,IADYD,EAAM,CAAC,EACA,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,GAGvDE,IAAeD,EAAO;AAAA,MAC1BA,EAAO,UAAW,IAAKA,EAAO,SAAS,KAAM;AAAA,MAC7C;AAAA,IAAA,GAGIE,IAAc;AAAA,MAClB,KAAKD,CAAY,EACd,MAAM,EAAE,EACR,IAAI,SAASE,GAAG;AACf,eAAO,OAAO,OAAOA,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE;AAAA,MAC7D,CAAC,EACA,KAAK,EAAE;AAAA,IAAA;AAEZ,WAAO,KAAK,MAAMD,CAAW;AAAA,EAC/B,SAASX,GAAO;AAEd,mBAAQ,MAAM,6BAA6BA,CAAK,GACzC;AAAA,EACT;AACF;AAyBO,SAASa,EACdN,GACAO,IAAsB,GACb;AACT,QAAMC,IAAU,OAAOR,KAAU,WAAWD,EAAgBC,CAAK,IAAIA;AACrE,MAAI,CAACQ;AACH,WAAO;AAGT,QAAMC,IAAQD,EAAQ;AACtB,SAAKC,IAIO,KAAK,IAAA,IAAQ,MACZA,IAAQF,IAJZ;AAKX;AC7HO,MAAMG,EACmB;AAAA;AAAA;AAAA;AAAA,EAM9B,YACkBV,GACAO,IAAsB,GACtC;AAFgB,SAAA,QAAAP,GACA,KAAA,cAAAO,GAEhB,KAAK,UAAUR,EAAyBC,CAAK;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,YAAqB;AACvB,WAAK,KAAK,UAGHM,EAAe,KAAK,SAAS,KAAK,WAAW,IAF3C;AAAA,EAGX;AACF;AAkBO,MAAMK,EAC8C;AAAA;AAAA;AAAA;AAAA,EAOzD,YACkBX,GACAO,IAAsB,GACtC;AAFgB,SAAA,QAAAP,GACA,KAAA,cAAAO,GAEhB,KAAK,SAAS,IAAIG,EAASV,EAAM,aAAaO,CAAW,GACzD,KAAK,UAAU,IAAIG,EAASV,EAAM,cAAcO,CAAW;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,kBAA2B;AAC7B,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,gBAAyB;AAC3B,WAAO,CAAC,KAAK,QAAQ;AAAA,EACvB;AACF;AAKO,MAAMK,EAC0D;AAAA,EACrE,YAA4BL,IAAsB,GAAG;AAAzB,SAAA,cAAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAYM,GAAkC;AAC5C,UAAMC,IAAiB,KAAK,MAAMD,CAAK;AACvC,WAAO,IAAIF,EAAkBG,GAAgB,KAAK,WAAW;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,UAAUD,GAAkC;AAC1C,WAAO,KAAK,UAAUA,EAAM,KAAK;AAAA,EACnC;AACF;AAEO,MAAME,IAA8B,IAAIH,EAAA;AC1HxC,MAAMI,EAAqD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQhE,YACkBC,GACAC,GAChB;AAFgB,SAAA,eAAAD,GACA,KAAA,iBAAAC;AAAA,EAElB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,eAAyC;AAC3C,WAAO,KAAK,aAAa,IAAA;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,QAAQ9B,GAA8C;AAC1D,QAAI,CAACA,GAAc;AACjB,YAAM+B,IAAW,KAAK;AACtB,UAAI,CAACA;AACH,cAAM,IAAI,MAAM,gBAAgB;AAElC,MAAA/B,IAAe+B,EAAS;AAAA,IAC1B;AACA,WAAI,KAAK,oBACA,KAAK,qBAGd,KAAK,oBAAoB,KAAK,eAC3B,QAAQ/B,CAAY,EACpB,KAAK,CAAAgC,MAAY;AAChB,WAAK,aAAa,kBAAkBA,CAAQ;AAAA,IAC9C,CAAC,EACA,MAAM,CAAA3B,MAAS;AACd,iBAAK,aAAa,OAAA,GACZA;AAAA,IACR,CAAC,EACA,QAAQ,MAAM;AACb,WAAK,oBAAoB;AAAA,IAC3B,CAAC,GAEI,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,kBAA2B;AAC7B,WAAK,KAAK,eAGH,KAAK,aAAa,kBAFhB;AAAA,EAGX;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,gBAAyB;AAC3B,WAAK,KAAK,eAGH,KAAK,aAAa,gBAFhB;AAAA,EAGX;AACF;AC5DO,MAAM4B,IACX,yCAIWC,IACX,OAAO;AAOF,MAAMC,EACmB;AAAA;AAAA;AAAA;AAAA;AAAA,EAW9B,YAAY;AAAA,IACE,UAAAC,IAAW;AAAA,IACX,SAAAC,IAAU;AAAA,IACV,cAAAR;AAAA,EAAA,GAC6B;AAd3C,SAAS,OAAOI,GAChB,KAAS,QAAQC,GAcf,KAAK,kBAAkBE,GACvB,KAAK,iBAAiBC,GACtB,KAAK,eAAeR;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,UAAUpC,GAA+B;AACvC,UAAMO,IAAe,KAAK,aAAa,IAAA;AACvC,QAAI,CAACA;AACH;AAEF,UAAMsC,IAAYtC,EAAa,OAAO;AAItC,QAHI,CAACsC,KAGD,CAACA,EAAU,YAAY,CAACA,EAAU;AACpC;AAIF,UAAMC,IACJ9C,EAAS,QAAQ,WAAW,oBAAoB;AAAA,MAC9CA,EAAS,QAAQ;AAAA,IAAA,GAEf+C,IAAkB,KAAK,iBACvBC,IAAoBhD,EAAS,uBAAA,EAAyB,MACtD2C,IAAWE,EAAU;AAG3B,IACEF,KACAG,EAAoB,SAASC,CAAe,KAC5C,CAACC,EAAkBD,CAAe,MAElCC,EAAkBD,CAAe,IAAIJ;AAGvC,UAAMM,IAAiB,KAAK,gBACtBL,IAAUC,EAAU;AAG1B,IACED,KACAE,EAAoB,SAASG,CAAc,KAC3C,CAACD,EAAkBC,CAAc,MAEjCD,EAAkBC,CAAc,IAAIL;AAAA,EAExC;AACF;AC1DO,MAAMM,EAA8C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMzD,YAA4BnD,GAAqC;AAArC,SAAA,UAAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,QAAQoB,GAAgD;AAItD,WAAO,KAAK,QAAQ,QAAQ;AAAA,MAC1B,KAAK,QAAQ;AAAA,MACb;AAAA,QACE,MAAMA;AAAA,MAAA;AAAA,MAER;AAAA,QACE,iBAAiBgC,EAAiB;AAAA,QAClC,gCAAgB,IAAI,CAAC,CAACtD,GAAoC,EAAI,CAAC,CAAC;AAAA,MAAA;AAAA,IAClE;AAAA,EAEJ;AACF;ACtEO,MAAMuD,IAA0B;AAShC,MAAMC,UACHtC,EACsB;AAAA,EAG9B,YACEhB,IAA+B;AAAA,IAC7B,KAAKqD;AAAA,IACL,UAAU,IAAIpC,EAAuB,IAAIC,EAAoBmC,CAAuB,CAAC;AAAA,EAAA,GAEvF;AACA,UAAM;AAAA,MACJ,YAAY,IAAIrB,EAA4BhC,EAAQ,WAAW;AAAA,MAC/D,GAAGA;AAAA,IAAA,CACJ,GACD,KAAK,cAAcA,EAAQ,eAAe;AAAA,EAC5C;AAAA,EAEA,kBAAkBkC,GAAgC;AAChD,SAAK,IAAI,IAAIH,EAAkBG,CAAc,CAAC;AAAA,EAChD;AACF;"}

package/dist/index.umd.js CHANGED Viewed

@@ -1,2 +1,2 @@
-(function(r,a){typeof exports=="object"&&typeof module<"u"?a(exports,require("@ahoo-wang/fetcher"),require("nanoid"),require("@ahoo-wang/fetcher-storage")):typeof define=="function"&&define.amd?define(["exports","@ahoo-wang/fetcher","nanoid","@ahoo-wang/fetcher-storage"],a):(r=typeof globalThis<"u"?globalThis:r||self,a(r.FetcherCoSec={},r.Fetcher,r.nanoid,r.FetcherStorage))})(this,(function(r,a,q,R){"use strict";const c=class c{};c.DEVICE_ID="CoSec-Device-Id",c.APP_ID="CoSec-App-Id",c.AUTHORIZATION="Authorization",c.REQUEST_ID="CoSec-Request-Id";let i=c;const N=class N{};N.UNAUTHORIZED=401;let h=N;const b={ALLOW:{authorized:!0,reason:"Allow"},EXPLICIT_DENY:{authorized:!1,reason:"Explicit Deny"},IMPLICIT_DENY:{authorized:!1,reason:"Implicit Deny"},TOKEN_EXPIRED:{authorized:!1,reason:"Token Expired"},TOO_MANY_REQUESTS:{authorized:!1,reason:"Too Many Requests"}};class p{generateId(){return q.nanoid()}}const u=new p,A="CoSecRequestInterceptor",I=a.REQUEST_BODY_INTERCEPTOR_ORDER+1e3,d="Ignore-Refresh-Token";class K{constructor(e){this.name=A,this.order=I,this.options=e}async intercept(e){const t=u.generateId(),s=this.options.deviceIdStorage.getOrCreate(),o=e.ensureRequestHeaders();o[i.APP_ID]=this.options.appId,o[i.DEVICE_ID]=s,o[i.REQUEST_ID]=t}}const C="AuthorizationRequestInterceptor",g=I+1e3;class Q{constructor(e){this.options=e,this.name=C,this.order=g}async intercept(e){let t=this.options.tokenManager.currentToken;const s=e.ensureRequestHeaders();!t||s[i.AUTHORIZATION]||(!e.attributes.has(d)&&t.isRefreshNeeded&&t.isRefreshable&&await this.options.tokenManager.refresh(),t=this.options.tokenManager.currentToken,t&&(s[i.AUTHORIZATION]=`Bearer ${t.access.token}`))}}const P="AuthorizationResponseInterceptor",k=Number.MIN_SAFE_INTEGER+1e3;class H{constructor(e){this.name=P,this.order=k,this.options=e}async intercept(e){const t=e.response;if(t&&t.status===h.UNAUTHORIZED&&this.options.tokenManager.isRefreshable)try{await this.options.tokenManager.refresh(),await e.fetcher.interceptors.exchange(e)}catch(s){throw this.options.tokenManager.tokenStorage.remove(),s}}}const U="cosec-device-id";class J extends R.KeyStorage{constructor(e=U){super({key:e,serializer:new R.IdentitySerializer,storage:R.createListenableStorage()})}generateDeviceId(){return u.generateId()}getOrCreate(){let e=this.get();return e||(e=this.generateDeviceId(),this.set(e)),e}}function _(n){try{const e=n.split(".");if(e.length!==3)return null;const s=e[1].replace(/-/g,"+").replace(/_/g,"/"),o=s.padEnd(s.length+(4-s.length%4)%4,"="),T=decodeURIComponent(atob(o).split("").map(function(E){return"%"+("00"+E.charCodeAt(0).toString(16)).slice(-2)}).join(""));return JSON.parse(T)}catch(e){return console.error("Failed to parse JWT token",e),null}}function w(n,e=0){const t=typeof n=="string"?_(n):n;if(!t)return!0;const s=t.exp;return s?Date.now()/1e3>s-e:!1}class O{constructor(e,t=0){this.token=e,this.earlyPeriod=t,this.payload=_(e)}get isExpired(){return this.payload?w(this.payload,this.earlyPeriod):!0}}class l{constructor(e,t=0){this.token=e,this.earlyPeriod=t,this.access=new O(e.accessToken,t),this.refresh=new O(e.refreshToken,t)}get isRefreshNeeded(){return this.access.isExpired}get isRefreshable(){return!this.refresh.isExpired}}class f{constructor(e=0){this.earlyPeriod=e}deserialize(e){const t=JSON.parse(e);return new l(t,this.earlyPeriod)}serialize(e){return JSON.stringify(e.token)}}const v=new f;class Z{constructor(e,t){this.tokenStorage=e,this.tokenRefresher=t}get currentToken(){return this.tokenStorage.get()}async refresh(e){if(!e){const t=this.currentToken;if(!t)throw new Error("No token found");e=t.token}return this.refreshInProgress?this.refreshInProgress:(this.refreshInProgress=this.tokenRefresher.refresh(e).then(t=>{this.tokenStorage.setCompositeToken(t)}).catch(t=>{throw this.tokenStorage.remove(),t}).finally(()=>{this.refreshInProgress=void 0}),this.refreshInProgress)}get isRefreshNeeded(){return this.currentToken?this.currentToken.isRefreshNeeded:!1}get isRefreshable(){return this.currentToken?this.currentToken.isRefreshable:!1}}const D="ResourceAttributionRequestInterceptor",y=Number.MAX_SAFE_INTEGER;class F{constructor({tenantId:e="tenantId",ownerId:t="ownerId",tokenStorage:s}){this.name=D,this.order=y,this.tenantIdPathKey=e,this.ownerIdPathKey=t,this.tokenStorage=s}intercept(e){const t=this.tokenStorage.get();if(!t)return;const s=t.access.payload;if(!s||!s.tenantId&&!s.sub)return;const o=e.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(e.request.url),T=this.tenantIdPathKey,E=e.ensureRequestUrlParams().path,z=s.tenantId;z&&o.includes(T)&&!E[T]&&(E[T]=z);const S=this.ownerIdPathKey,M=s.sub;M&&o.includes(S)&&!E[S]&&(E[S]=M)}}class B{constructor(e){this.options=e}refresh(e){return this.options.fetcher.post(this.options.endpoint,{body:e},{resultExtractor:a.ResultExtractors.Json,attributes:new Map([[d,!0]])})}}const m="cosec-token";class L extends R.KeyStorage{constructor(e=m,t=0){super({key:e,storage:R.createListenableStorage(),serializer:new f(t)}),this.earlyPeriod=t}setCompositeToken(e){this.set(new l(e))}}r.AUTHORIZATION_REQUEST_INTERCEPTOR_NAME=C,r.AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER=g,r.AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME=P,r.AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER=k,r.AuthorizationRequestInterceptor=Q,r.AuthorizationResponseInterceptor=H,r.AuthorizeResults=b,r.COSEC_REQUEST_INTERCEPTOR_NAME=A,r.COSEC_REQUEST_INTERCEPTOR_ORDER=I,r.CoSecHeaders=i,r.CoSecRequestInterceptor=K,r.CoSecTokenRefresher=B,r.DEFAULT_COSEC_DEVICE_ID_KEY=U,r.DEFAULT_COSEC_TOKEN_KEY=m,r.DeviceIdStorage=J,r.IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY=d,r.JwtCompositeToken=l,r.JwtCompositeTokenSerializer=f,r.JwtToken=O,r.JwtTokenManager=Z,r.NanoIdGenerator=p,r.RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME=D,r.RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER=y,r.ResourceAttributionRequestInterceptor=F,r.ResponseCodes=h,r.TokenStorage=L,r.idGenerator=u,r.isTokenExpired=w,r.jwtCompositeTokenSerializer=v,r.parseJwtPayload=_,Object.defineProperty(r,Symbol.toStringTag,{value:"Module"})}));
+(function(t,a){typeof exports=="object"&&typeof module<"u"?a(exports,require("@ahoo-wang/fetcher"),require("nanoid"),require("@ahoo-wang/fetcher-storage"),require("@ahoo-wang/fetcher-eventbus")):typeof define=="function"&&define.amd?define(["exports","@ahoo-wang/fetcher","nanoid","@ahoo-wang/fetcher-storage","@ahoo-wang/fetcher-eventbus"],a):(t=typeof globalThis<"u"?globalThis:t||self,a(t.FetcherCoSec={},t.Fetcher,t.nanoid,t.FetcherStorage,t.FetcherEventBus))})(this,(function(t,a,v,C,R){"use strict";const c=class c{};c.DEVICE_ID="CoSec-Device-Id",c.APP_ID="CoSec-App-Id",c.AUTHORIZATION="Authorization",c.REQUEST_ID="CoSec-Request-Id";let i=c;const p=class p{};p.UNAUTHORIZED=401;let h=p;const B={ALLOW:{authorized:!0,reason:"Allow"},EXPLICIT_DENY:{authorized:!1,reason:"Explicit Deny"},IMPLICIT_DENY:{authorized:!1,reason:"Implicit Deny"},TOKEN_EXPIRED:{authorized:!1,reason:"Token Expired"},TOO_MANY_REQUESTS:{authorized:!1,reason:"Too Many Requests"}};class P{generateId(){return v.nanoid()}}const u=new P,g="CoSecRequestInterceptor",I=a.REQUEST_BODY_INTERCEPTOR_ORDER+1e3,d="Ignore-Refresh-Token";class K{constructor(e){this.name=g,this.order=I,this.options=e}async intercept(e){const r=u.generateId(),s=this.options.deviceIdStorage.getOrCreate(),o=e.ensureRequestHeaders();o[i.APP_ID]=this.options.appId,o[i.DEVICE_ID]=s,o[i.REQUEST_ID]=r}}const k="AuthorizationRequestInterceptor",U=I+1e3;class b{constructor(e){this.options=e,this.name=k,this.order=U}async intercept(e){let r=this.options.tokenManager.currentToken;const s=e.ensureRequestHeaders();!r||s[i.AUTHORIZATION]||(!e.attributes.has(d)&&r.isRefreshNeeded&&r.isRefreshable&&await this.options.tokenManager.refresh(),r=this.options.tokenManager.currentToken,r&&(s[i.AUTHORIZATION]=`Bearer ${r.access.token}`))}}const w="AuthorizationResponseInterceptor",y=Number.MIN_SAFE_INTEGER+1e3;class Q{constructor(e){this.name=w,this.order=y,this.options=e}async intercept(e){const r=e.response;if(r&&r.status===h.UNAUTHORIZED&&this.options.tokenManager.isRefreshable)try{await this.options.tokenManager.refresh(),await e.fetcher.interceptors.exchange(e)}catch(s){throw this.options.tokenManager.tokenStorage.remove(),s}}}const _="cosec-device-id";class H extends C.KeyStorage{constructor(e={key:_,eventBus:new R.BroadcastTypedEventBus(new R.SerialTypedEventBus(_))}){super(e)}generateDeviceId(){return u.generateId()}getOrCreate(){let e=this.get();return e||(e=this.generateDeviceId(),this.set(e)),e}}function O(n){try{if(typeof n!="string")return null;const e=n.split(".");if(e.length!==3)return null;const s=e[1].replace(/-/g,"+").replace(/_/g,"/"),o=s.padEnd(s.length+(4-s.length%4)%4,"="),T=decodeURIComponent(atob(o).split("").map(function(E){return"%"+("00"+E.charCodeAt(0).toString(16)).slice(-2)}).join(""));return JSON.parse(T)}catch(e){return console.error("Failed to parse JWT token",e),null}}function D(n,e=0){const r=typeof n=="string"?O(n):n;if(!r)return!0;const s=r.exp;return s?Date.now()/1e3>s-e:!1}class l{constructor(e,r=0){this.token=e,this.earlyPeriod=r,this.payload=O(e)}get isExpired(){return this.payload?D(this.payload,this.earlyPeriod):!0}}class f{constructor(e,r=0){this.token=e,this.earlyPeriod=r,this.access=new l(e.accessToken,r),this.refresh=new l(e.refreshToken,r)}get isRefreshNeeded(){return this.access.isExpired}get isRefreshable(){return!this.refresh.isExpired}}class S{constructor(e=0){this.earlyPeriod=e}deserialize(e){const r=JSON.parse(e);return new f(r,this.earlyPeriod)}serialize(e){return JSON.stringify(e.token)}}const J=new S;class F{constructor(e,r){this.tokenStorage=e,this.tokenRefresher=r}get currentToken(){return this.tokenStorage.get()}async refresh(e){if(!e){const r=this.currentToken;if(!r)throw new Error("No token found");e=r.token}return this.refreshInProgress?this.refreshInProgress:(this.refreshInProgress=this.tokenRefresher.refresh(e).then(r=>{this.tokenStorage.setCompositeToken(r)}).catch(r=>{throw this.tokenStorage.remove(),r}).finally(()=>{this.refreshInProgress=void 0}),this.refreshInProgress)}get isRefreshNeeded(){return this.currentToken?this.currentToken.isRefreshNeeded:!1}get isRefreshable(){return this.currentToken?this.currentToken.isRefreshable:!1}}const m="ResourceAttributionRequestInterceptor",q=Number.MAX_SAFE_INTEGER;class Z{constructor({tenantId:e="tenantId",ownerId:r="ownerId",tokenStorage:s}){this.name=m,this.order=q,this.tenantIdPathKey=e,this.ownerIdPathKey=r,this.tokenStorage=s}intercept(e){const r=this.tokenStorage.get();if(!r)return;const s=r.access.payload;if(!s||!s.tenantId&&!s.sub)return;const o=e.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(e.request.url),T=this.tenantIdPathKey,E=e.ensureRequestUrlParams().path,M=s.tenantId;M&&o.includes(T)&&!E[T]&&(E[T]=M);const A=this.ownerIdPathKey,z=s.sub;z&&o.includes(A)&&!E[A]&&(E[A]=z)}}class Y{constructor(e){this.options=e}refresh(e){return this.options.fetcher.post(this.options.endpoint,{body:e},{resultExtractor:a.ResultExtractors.Json,attributes:new Map([[d,!0]])})}}const N="cosec-token";class G extends C.KeyStorage{constructor(e={key:N,eventBus:new R.BroadcastTypedEventBus(new R.SerialTypedEventBus(N))}){super({serializer:new S(e.earlyPeriod),...e}),this.earlyPeriod=e.earlyPeriod??0}setCompositeToken(e){this.set(new f(e))}}t.AUTHORIZATION_REQUEST_INTERCEPTOR_NAME=k,t.AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER=U,t.AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME=w,t.AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER=y,t.AuthorizationRequestInterceptor=b,t.AuthorizationResponseInterceptor=Q,t.AuthorizeResults=B,t.COSEC_REQUEST_INTERCEPTOR_NAME=g,t.COSEC_REQUEST_INTERCEPTOR_ORDER=I,t.CoSecHeaders=i,t.CoSecRequestInterceptor=K,t.CoSecTokenRefresher=Y,t.DEFAULT_COSEC_DEVICE_ID_KEY=_,t.DEFAULT_COSEC_TOKEN_KEY=N,t.DeviceIdStorage=H,t.IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY=d,t.JwtCompositeToken=f,t.JwtCompositeTokenSerializer=S,t.JwtToken=l,t.JwtTokenManager=F,t.NanoIdGenerator=P,t.RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME=m,t.RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER=q,t.ResourceAttributionRequestInterceptor=Z,t.ResponseCodes=h,t.TokenStorage=G,t.idGenerator=u,t.isTokenExpired=D,t.jwtCompositeTokenSerializer=J,t.parseJwtPayload=O,Object.defineProperty(t,Symbol.toStringTag,{value:"Module"})}));
 //# sourceMappingURL=index.umd.js.map

package/dist/index.umd.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.umd.js","sources":["../src/types.ts","../src/idGenerator.ts","../src/cosecRequestInterceptor.ts","../src/authorizationRequestInterceptor.ts","../src/authorizationResponseInterceptor.ts","../src/deviceIdStorage.ts","../src/jwts.ts","../src/jwtToken.ts","../src/jwtTokenManager.ts","../src/resourceAttributionRequestInterceptor.ts","../src/tokenRefresher.ts","../src/tokenStorage.ts"],"sourcesContent":["/\n Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { DeviceIdStorage } from './deviceIdStorage';\nimport { JwtTokenManager } from './jwtTokenManager';\n\n/\n CoSec HTTP headers enumeration.\n /\nexport class CoSecHeaders {\n static readonly DEVICE_ID = 'CoSec-Device-Id';\n static readonly APP_ID = 'CoSec-App-Id';\n static readonly AUTHORIZATION = 'Authorization';\n static readonly REQUEST_ID = 'CoSec-Request-Id';\n}\n\nexport class ResponseCodes {\n static readonly UNAUTHORIZED = 401;\n}\n\nexport interface AppIdCapable {\n /\n Application ID to be sent in the CoSec-App-Id header.\n /\n appId: string;\n}\n\nexport interface DeviceIdStorageCapable {\n deviceIdStorage: DeviceIdStorage;\n}\n\nexport interface JwtTokenManagerCapable {\n tokenManager: JwtTokenManager;\n}\n\n/\n CoSec options interface.\n /\nexport interface CoSecOptions\n extends AppIdCapable,\n DeviceIdStorageCapable,\n JwtTokenManagerCapable {\n}\n\n/\n Authorization result interface.\n /\nexport interface AuthorizeResult {\n authorized: boolean;\n reason: string;\n}\n\n/\n Authorization result constants.\n /\nexport const AuthorizeResults = {\n ALLOW: { authorized: true, reason: 'Allow' },\n EXPLICIT_DENY: { authorized: false, reason: 'Explicit Deny' },\n IMPLICIT_DENY: { authorized: false, reason: 'Implicit Deny' },\n TOKEN_EXPIRED: { authorized: false, reason: 'Token Expired' },\n TOO_MANY_REQUESTS: { authorized: false, reason: 'Too Many Requests' },\n};\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { nanoid } from 'nanoid';\n\nexport interface IdGenerator {\n generateId(): string;\n}\n\n/\n Nano ID implementation of IdGenerator.\n * Generates unique request IDs using Nano ID.\n /\nexport class NanoIdGenerator implements IdGenerator {\n /\n Generate a unique request ID.\n \n @returns A unique request ID\n /\n generateId(): string {\n return nanoid();\n }\n}\n\nexport const idGenerator = new NanoIdGenerator();\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n FetchExchange,\n REQUEST_BODY_INTERCEPTOR_ORDER,\n type RequestInterceptor,\n} from '@ahoo-wang/fetcher';\nimport { AppIdCapable, CoSecHeaders, DeviceIdStorageCapable } from './types';\nimport { idGenerator } from './idGenerator';\n\nexport interface CoSecRequestOptions\n extends AppIdCapable,\n DeviceIdStorageCapable {\n}\n\n/\n The name of the CoSecRequestInterceptor.\n /\nexport const COSEC_REQUEST_INTERCEPTOR_NAME = 'CoSecRequestInterceptor';\n\n/\n The order of the CoSecRequestInterceptor.\n * Set to REQUEST_BODY_INTERCEPTOR_ORDER + 1000 to ensure it runs after RequestBodyInterceptor.\n /\nexport const COSEC_REQUEST_INTERCEPTOR_ORDER =\n REQUEST_BODY_INTERCEPTOR_ORDER + 1000;\n\nexport const IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY = 'Ignore-Refresh-Token';\n\n/\n Interceptor that automatically adds CoSec authentication headers to requests.\n \n This interceptor adds the following headers to each request:\n * - CoSec-Device-Id: Device identifier (stored in localStorage or generated)\n * - CoSec-App-Id: Application identifier\n * - CoSec-Request-Id: Unique request identifier for each request\n \n @remarks\n * This interceptor runs after RequestBodyInterceptor but before FetchInterceptor.\n * The order is set to COSEC_REQUEST_INTERCEPTOR_ORDER to ensure it runs after\n * request body processing but before the actual HTTP request is made. This positioning\n * allows for proper authentication header addition after all request body transformations\n * are complete, ensuring that the final request is properly authenticated before\n * being sent over the network.\n /\nexport class CoSecRequestInterceptor implements RequestInterceptor {\n readonly name = COSEC_REQUEST_INTERCEPTOR_NAME;\n readonly order = COSEC_REQUEST_INTERCEPTOR_ORDER;\n private options: CoSecRequestOptions;\n\n /\n Creates a new CoSecRequestInterceptor instance.\n * @param options - The CoSec configuration options including appId, deviceIdStorage, and tokenManager\n /\n constructor(options: CoSecRequestOptions) {\n this.options = options;\n }\n\n /\n Intercept requests to add CoSec authentication headers.\n \n This method adds the following headers to each request:\n * - CoSec-App-Id: The application identifier from the CoSec options\n * - CoSec-Device-Id: A unique device identifier, either retrieved from storage or generated\n * - CoSec-Request-Id: A unique identifier for this specific request\n \n @param exchange - The fetch exchange containing the request to process\n \n @remarks\n * This method runs after RequestBodyInterceptor but before FetchInterceptor.\n * It ensures that authentication headers are added to the request after all\n * body processing is complete. The positioning allows for proper authentication\n * header addition after all request body transformations are finished, ensuring\n * that the final request is properly authenticated before being sent over the network.\n * This execution order prevents authentication headers from being overwritten by\n * subsequent request processing interceptors.\n \n The method also handles token refreshing when the current token is expired but still refreshable.\n * It will attempt to refresh the token before adding the Authorization header to the request.\n /\n async intercept(exchange: FetchExchange) {\n // Generate a unique request ID for this request\n const requestId = idGenerator.generateId();\n\n // Get or create a device ID\n const deviceId = this.options.deviceIdStorage.getOrCreate();\n\n // Ensure request headers object exists\n const requestHeaders = exchange.ensureRequestHeaders();\n\n // Add CoSec headers to the request\n requestHeaders[CoSecHeaders.APP_ID] = this.options.appId;\n requestHeaders[CoSecHeaders.DEVICE_ID] = deviceId;\n requestHeaders[CoSecHeaders.REQUEST_ID] = requestId;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport {\n COSEC_REQUEST_INTERCEPTOR_ORDER,\n IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,\n} from './cosecRequestInterceptor';\nimport { CoSecHeaders, JwtTokenManagerCapable } from './types';\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport interface AuthorizationInterceptorOptions\n extends JwtTokenManagerCapable {\n}\n\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_NAME =\n 'AuthorizationRequestInterceptor';\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER =\n COSEC_REQUEST_INTERCEPTOR_ORDER + 1000;\n\n/\n Request interceptor that automatically adds Authorization header to requests.\n \n This interceptor handles JWT token management by:\n * 1. Adding Authorization header with Bearer token if not already present\n * 2. Refreshing tokens when needed and possible\n * 3. Skipping refresh when explicitly requested via attributes\n \n The interceptor runs after CoSecRequestInterceptor but before FetchInterceptor in the chain.\n /\nexport class AuthorizationRequestInterceptor implements RequestInterceptor {\n readonly name = AUTHORIZATION_REQUEST_INTERCEPTOR_NAME;\n readonly order = AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER;\n\n /\n Creates an AuthorizationRequestInterceptor instance.\n \n @param options - Configuration options containing the token manager\n /\n constructor(private readonly options: AuthorizationInterceptorOptions) {\n }\n\n /\n Intercepts the request exchange to add authorization headers.\n \n This method performs the following operations:\n * 1. Checks if a token exists and if Authorization header is already set\n * 2. Refreshes the token if needed, possible, and not explicitly ignored\n * 3. Adds the Authorization header with Bearer token if a token is available\n \n @param exchange - The fetch exchange containing request information\n * @returns Promise that resolves when the interception is complete\n /\n async intercept(exchange: FetchExchange): Promise<void> {\n // Get the current token from token manager\n let currentToken = this.options.tokenManager.currentToken;\n\n const requestHeaders = exchange.ensureRequestHeaders();\n\n // Skip if no token exists or Authorization header is already set\n if (!currentToken \|\| requestHeaders[CoSecHeaders.AUTHORIZATION]) {\n return;\n }\n\n // Refresh token if needed and refreshable\n if (\n !exchange.attributes.has(IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY) &&\n currentToken.isRefreshNeeded &&\n currentToken.isRefreshable\n ) {\n await this.options.tokenManager.refresh();\n }\n\n // Get the current token again (might have been refreshed)\n currentToken = this.options.tokenManager.currentToken;\n\n // Add Authorization header if we have a token\n if (currentToken) {\n requestHeaders[CoSecHeaders.AUTHORIZATION] =\n `Bearer ${currentToken.access.token}`;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { ResponseCodes } from './types';\nimport { FetchExchange, type ResponseInterceptor } from '@ahoo-wang/fetcher';\nimport { AuthorizationInterceptorOptions } from './authorizationRequestInterceptor';\n\n/\n The name of the AuthorizationResponseInterceptor.\n /\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME =\n 'AuthorizationResponseInterceptor';\n\n/\n The order of the AuthorizationResponseInterceptor.\n * Set to a high negative value to ensure it runs early in the interceptor chain.\n /\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER =\n Number.MIN_SAFE_INTEGER + 1000;\n\n/\n CoSecResponseInterceptor is responsible for handling unauthorized responses (401)\n * by attempting to refresh the authentication token and retrying the original request.\n \n This interceptor:\n * 1. Checks if the response status is 401 (UNAUTHORIZED)\n * 2. If so, and if there's a current token, attempts to refresh it\n * 3. On successful refresh, stores the new token and retries the original request\n * 4. On refresh failure, clears stored tokens and propagates the error\n /\nexport class AuthorizationResponseInterceptor implements ResponseInterceptor {\n readonly name = AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME;\n readonly order = AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER;\n private options: AuthorizationInterceptorOptions;\n\n /\n Creates a new AuthorizationResponseInterceptor instance.\n * @param options - The CoSec configuration options including token storage and refresher\n /\n constructor(options: AuthorizationInterceptorOptions) {\n this.options = options;\n }\n\n /\n Intercepts the response and handles unauthorized responses by refreshing tokens.\n * @param exchange - The fetch exchange containing request and response information\n /\n async intercept(exchange: FetchExchange): Promise<void> {\n const response = exchange.response;\n // If there's no response, nothing to intercept\n if (!response) {\n return;\n }\n\n // Only handle unauthorized responses (401)\n if (response.status !== ResponseCodes.UNAUTHORIZED) {\n return;\n }\n\n if (!this.options.tokenManager.isRefreshable) {\n return;\n }\n try {\n await this.options.tokenManager.refresh();\n // Retry the original request with the new token\n await exchange.fetcher.interceptors.exchange(exchange);\n } catch (error) {\n // If token refresh fails, clear stored tokens and re-throw the error\n this.options.tokenManager.tokenStorage.remove();\n throw error;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { idGenerator } from './idGenerator';\nimport {\n createListenableStorage,\n IdentitySerializer,\n KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_DEVICE_ID_KEY = 'cosec-device-id';\n\n/\n Storage class for managing device identifiers.\n /\nexport class DeviceIdStorage extends KeyStorage<string> {\n constructor(key: string = DEFAULT_COSEC_DEVICE_ID_KEY) {\n super({\n key,\n serializer: new IdentitySerializer<string>(),\n storage: createListenableStorage(),\n });\n }\n\n /\n Generate a new device ID.\n \n @returns A newly generated device ID\n /\n generateDeviceId(): string {\n return idGenerator.generateId();\n }\n\n /\n Get or create a device ID.\n \n @returns The existing device ID if available, otherwise a newly generated one\n /\n getOrCreate(): string {\n // Try to get existing device ID from storage\n let deviceId = this.get();\n if (!deviceId) {\n // Generate a new device ID and store it\n deviceId = this.generateDeviceId();\n this.set(deviceId);\n }\n\n return deviceId;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n/\n Interface representing a JWT payload as defined in RFC 7519.\n * Contains standard JWT claims as well as custom properties.\n /\nexport interface JwtPayload {\n /\n JWT ID - provides a unique identifier for the JWT.\n /\n jti?: string;\n /\n Subject - identifies the principal that is the subject of the JWT.\n /\n sub?: string;\n /\n Issuer - identifies the principal that issued the JWT.\n /\n iss?: string;\n /\n Audience - identifies the recipients that the JWT is intended for.\n * Can be a single string or an array of strings.\n /\n aud?: string \| string[];\n /\n Expiration Time - identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n exp?: number;\n /\n Not Before - identifies the time before which the JWT MUST NOT be accepted for processing.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n nbf?: number;\n /\n Issued At - identifies the time at which the JWT was issued.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n iat?: number;\n\n /\n Allows additional custom properties to be included in the payload.\n /\n [key: string]: any;\n}\n\n/\n Interface representing a JWT payload with CoSec-specific extensions.\n * Extends the standard JwtPayload interface with additional CoSec-specific properties.\n /\nexport interface CoSecJwtPayload extends JwtPayload {\n /\n Tenant identifier - identifies the tenant scope for the JWT.\n /\n tenantId?: string;\n /\n Policies - array of policy identifiers associated with the JWT.\n * These are security policies defined internally by Cosec.\n /\n policies?: string[];\n /\n Roles - array of role identifiers associated with the JWT.\n * Role IDs indicate what roles the token belongs to.\n /\n roles?: string[];\n /\n Attributes - custom key-value pairs providing additional information about the JWT.\n /\n attributes?: Record<string, any>;\n}\n\n/\n Parses a JWT token and extracts its payload.\n \n This function decodes the payload part of a JWT token, handling Base64URL decoding\n * and JSON parsing. It validates the token structure and returns null for invalid tokens.\n \n @param token - The JWT token string to parse\n * @returns The parsed JWT payload or null if parsing fails\n /\nexport function parseJwtPayload<T extends JwtPayload>(token: string): T \| null {\n try {\n const parts = token.split('.');\n if (parts.length !== 3) {\n return null;\n }\n\n const base64Url = parts[1];\n const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');\n\n // Add padding if needed\n const paddedBase64 = base64.padEnd(\n base64.length + ((4 - (base64.length % 4)) % 4),\n '=',\n );\n\n const jsonPayload = decodeURIComponent(\n atob(paddedBase64)\n .split('')\n .map(function(c) {\n return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);\n })\n .join(''),\n );\n return JSON.parse(jsonPayload) as T;\n } catch (error) {\n // Avoid exposing sensitive information in error logs\n console.error('Failed to parse JWT token', error);\n return null;\n }\n}\n\nexport interface EarlyPeriodCapable {\n /\n The time in seconds before actual expiration when the token should be considered expired (default: 0)\n /\n readonly earlyPeriod: number;\n}\n\n/\n Checks if a JWT token is expired based on its expiration time (exp claim).\n \n This function determines if a JWT token has expired by comparing its exp claim\n * with the current time. If the token is a string, it will be parsed first.\n * Tokens without an exp claim are considered not expired.\n \n The early period parameter allows for early token expiration, which is useful\n * for triggering token refresh before the token actually expires. This helps\n * avoid race conditions where a token expires between the time it is checked and\n * the time it is used.\n \n @param token - The JWT token to check, either as a string or as a JwtPayload object\n * @param earlyPeriod - The time in seconds before actual expiration when the token should be considered expired (default: 0)\n * @returns true if the token is expired (or will expire within the early period) or cannot be parsed, false otherwise\n /\nexport function isTokenExpired(\n token: string \| CoSecJwtPayload,\n earlyPeriod: number = 0,\n): boolean {\n const payload = typeof token === 'string' ? parseJwtPayload(token) : token;\n if (!payload) {\n return true;\n }\n\n const expAt = payload.exp;\n if (!expAt) {\n return false;\n }\n\n const now = Date.now() / 1000;\n return now > expAt - earlyPeriod;\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n CoSecJwtPayload,\n EarlyPeriodCapable,\n isTokenExpired,\n JwtPayload,\n parseJwtPayload,\n} from './jwts';\nimport { CompositeToken } from './tokenRefresher';\nimport { Serializer } from '@ahoo-wang/fetcher-storage';\n\n/\n Interface for JWT token with typed payload\n * @template Payload The type of the JWT payload\n /\nexport interface IJwtToken<Payload extends JwtPayload>\n extends EarlyPeriodCapable {\n readonly token: string;\n readonly payload: Payload \| null;\n\n isExpired: boolean;\n}\n\n/\n Class representing a JWT token with typed payload\n * @template Payload The type of the JWT payload\n /\nexport class JwtToken<Payload extends JwtPayload>\n implements IJwtToken<Payload> {\n public readonly payload: Payload \| null;\n\n /\n Creates a new JwtToken instance\n /\n constructor(\n public readonly token: string,\n public readonly earlyPeriod: number = 0,\n ) {\n this.payload = parseJwtPayload<Payload>(token);\n }\n\n /\n Checks if the token is expired\n * @returns true if the token is expired, false otherwise\n /\n get isExpired(): boolean {\n if (!this.payload) {\n return true;\n }\n return isTokenExpired(this.payload, this.earlyPeriod);\n }\n}\n\nexport interface RefreshTokenStatusCapable {\n /\n Checks if the access token needs to be refreshed\n * @returns true if the access token is expired, false otherwise\n /\n readonly isRefreshNeeded: boolean;\n /\n Checks if the refresh token is still valid and can be used to refresh the access token\n * @returns true if the refresh token is not expired, false otherwise\n /\n readonly isRefreshable: boolean;\n}\n\n/\n Class representing a composite token containing both access and refresh tokens\n /\nexport class JwtCompositeToken\n implements EarlyPeriodCapable, RefreshTokenStatusCapable {\n public readonly access: JwtToken<CoSecJwtPayload>;\n public readonly refresh: JwtToken<JwtPayload>;\n\n /\n Creates a new JwtCompositeToken instance\n /\n constructor(\n public readonly token: CompositeToken,\n public readonly earlyPeriod: number = 0,\n ) {\n this.access = new JwtToken(token.accessToken, earlyPeriod);\n this.refresh = new JwtToken(token.refreshToken, earlyPeriod);\n }\n\n /\n Checks if the access token needs to be refreshed\n * @returns true if the access token is expired, false otherwise\n /\n get isRefreshNeeded(): boolean {\n return this.access.isExpired;\n }\n\n /\n Checks if the refresh token is still valid and can be used to refresh the access token\n * @returns true if the refresh token is not expired, false otherwise\n /\n get isRefreshable(): boolean {\n return !this.refresh.isExpired;\n }\n}\n\n/\n Serializer for JwtCompositeToken that handles conversion to and from JSON strings\n /\nexport class JwtCompositeTokenSerializer\n implements Serializer<string, JwtCompositeToken>, EarlyPeriodCapable {\n constructor(public readonly earlyPeriod: number = 0) {\n }\n\n /\n Deserializes a JSON string to a JwtCompositeToken\n * @param value The JSON string representation of a composite token\n * @returns A JwtCompositeToken instance\n /\n deserialize(value: string): JwtCompositeToken {\n const compositeToken = JSON.parse(value) as CompositeToken;\n return new JwtCompositeToken(compositeToken, this.earlyPeriod);\n }\n\n /\n Serializes a JwtCompositeToken to a JSON string\n * @param value The JwtCompositeToken to serialize\n * @returns A JSON string representation of the composite token\n /\n serialize(value: JwtCompositeToken): string {\n return JSON.stringify(value.token);\n }\n}\n\nexport const jwtCompositeTokenSerializer = new JwtCompositeTokenSerializer();\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { TokenStorage } from './tokenStorage';\nimport { CompositeToken, TokenRefresher } from './tokenRefresher';\nimport { JwtCompositeToken, RefreshTokenStatusCapable } from './jwtToken';\n\n/\n Manages JWT token refreshing operations and provides status information\n /\nexport class JwtTokenManager implements RefreshTokenStatusCapable {\n private refreshInProgress?: Promise<void>;\n\n /\n Creates a new JwtTokenManager instance\n * @param tokenStorage The storage used to persist tokens\n * @param tokenRefresher The refresher used to refresh expired tokens\n /\n constructor(\n public readonly tokenStorage: TokenStorage,\n public readonly tokenRefresher: TokenRefresher,\n ) {\n }\n\n /\n Gets the current JWT composite token from storage\n * @returns The current token or null if none exists\n /\n get currentToken(): JwtCompositeToken \| null {\n return this.tokenStorage.get();\n }\n\n /\n Refreshes the JWT token\n * @param currentToken Optional current token to refresh. If not provided, uses the stored token.\n * @returns Promise that resolves when refresh is complete\n * @throws Error if no token is found or refresh fails\n /\n async refresh(currentToken?: CompositeToken): Promise<void> {\n if (!currentToken) {\n const jwtToken = this.currentToken;\n if (!jwtToken) {\n throw new Error('No token found');\n }\n currentToken = jwtToken.token;\n }\n if (this.refreshInProgress) {\n return this.refreshInProgress;\n }\n\n this.refreshInProgress = this.tokenRefresher\n .refresh(currentToken)\n .then(newToken => {\n this.tokenStorage.setCompositeToken(newToken);\n })\n .catch(error => {\n this.tokenStorage.remove();\n throw error;\n })\n .finally(() => {\n this.refreshInProgress = undefined;\n });\n\n return this.refreshInProgress;\n }\n\n /\n Indicates if the current token needs to be refreshed\n * @returns true if the access token is expired and needs refresh, false otherwise\n /\n get isRefreshNeeded(): boolean {\n if (!this.currentToken) {\n return false;\n }\n return this.currentToken.isRefreshNeeded;\n }\n\n /\n Indicates if the current token can be refreshed\n * @returns true if the refresh token is still valid, false otherwise\n /\n get isRefreshable(): boolean {\n if (!this.currentToken) {\n return false;\n }\n return this.currentToken.isRefreshable;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport { TokenStorage } from './tokenStorage';\n\n/\n Configuration options for resource attribution\n /\nexport interface ResourceAttributionOptions {\n /\n The path parameter key used for tenant ID in URL templates\n /\n tenantId?: string;\n /\n The path parameter key used for owner ID in URL templates\n /\n ownerId?: string;\n /\n Storage mechanism for retrieving current authentication tokens\n /\n tokenStorage: TokenStorage;\n}\n\n/\n Name identifier for the ResourceAttributionRequestInterceptor\n /\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME =\n 'ResourceAttributionRequestInterceptor';\n/\n Order priority for the ResourceAttributionRequestInterceptor, set to maximum safe integer to ensure it runs last\n /\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER =\n Number.MAX_SAFE_INTEGER;\n\n/\n Request interceptor that automatically adds tenant and owner ID path parameters to requests\n * based on the current authentication token. This is useful for multi-tenant applications where\n * requests need to include tenant-specific information in the URL path.\n /\nexport class ResourceAttributionRequestInterceptor\n implements RequestInterceptor {\n readonly name = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME;\n readonly order = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER;\n private readonly tenantIdPathKey: string;\n private readonly ownerIdPathKey: string;\n private readonly tokenStorage: TokenStorage;\n\n /\n Creates a new ResourceAttributionRequestInterceptor\n * @param options - Configuration options for resource attribution including tenantId, ownerId and tokenStorage\n /\n constructor({\n tenantId = 'tenantId',\n ownerId = 'ownerId',\n tokenStorage,\n }: ResourceAttributionOptions) {\n this.tenantIdPathKey = tenantId;\n this.ownerIdPathKey = ownerId;\n this.tokenStorage = tokenStorage;\n }\n\n /\n Intercepts outgoing requests and automatically adds tenant and owner ID path parameters\n * if they are defined in the URL template but not provided in the request.\n * @param exchange - The fetch exchange containing the request information\n /\n intercept(exchange: FetchExchange): void {\n const currentToken = this.tokenStorage.get();\n if (!currentToken) {\n return;\n }\n const principal = currentToken.access.payload;\n if (!principal) {\n return;\n }\n if (!principal.tenantId && !principal.sub) {\n return;\n }\n\n // Extract path parameters from the URL template\n const extractedPathParams =\n exchange.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(\n exchange.request.url,\n );\n const tenantIdPathKey = this.tenantIdPathKey;\n const requestPathParams = exchange.ensureRequestUrlParams().path;\n const tenantId = principal.tenantId;\n\n // Add tenant ID to path parameters if it's part of the URL template and not already provided\n if (\n tenantId &&\n extractedPathParams.includes(tenantIdPathKey) &&\n !requestPathParams[tenantIdPathKey]\n ) {\n requestPathParams[tenantIdPathKey] = tenantId;\n }\n\n const ownerIdPathKey = this.ownerIdPathKey;\n const ownerId = principal.sub;\n\n // Add owner ID to path parameters if it's part of the URL template and not already provided\n if (\n ownerId &&\n extractedPathParams.includes(ownerIdPathKey) &&\n !requestPathParams[ownerIdPathKey]\n ) {\n requestPathParams[ownerIdPathKey] = ownerId;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Fetcher, ResultExtractors } from '@ahoo-wang/fetcher';\nimport { IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY } from './cosecRequestInterceptor';\n\n/\n Interface for access tokens.\n /\nexport interface AccessToken {\n accessToken: string;\n}\n\n/\n Interface for refresh tokens.\n /\nexport interface RefreshToken {\n refreshToken: string;\n}\n\n/\n Composite token interface that contains both access and refresh tokens.\n \n accessToken and refreshToken always appear in pairs, no need to split them.\n /\nexport interface CompositeToken extends AccessToken, RefreshToken {\n}\n\n/\n Interface for token refreshers.\n \n Provides a method to refresh tokens.\n /\nexport interface TokenRefresher {\n /\n Refresh the given token and return a new CompositeToken.\n \n @param token The token to refresh\n * @returns A Promise that resolves to a new CompositeToken\n /\n refresh(token: CompositeToken): Promise<CompositeToken>;\n}\n\nexport interface CoSecTokenRefresherOptions {\n fetcher: Fetcher;\n endpoint: string;\n}\n\n/\n CoSecTokenRefresher is a class that implements the TokenRefresher interface\n * for refreshing composite tokens through a configured endpoint.\n /\nexport class CoSecTokenRefresher implements TokenRefresher {\n /\n Creates a new instance of CoSecTokenRefresher.\n \n @param options The configuration options for the token refresher including fetcher and endpoint\n /\n constructor(public readonly options: CoSecTokenRefresherOptions) {\n }\n\n /\n Refresh the given token and return a new CompositeToken.\n \n @param token The token to refresh\n * @returns A Promise that resolves to a new CompositeToken\n /\n refresh(token: CompositeToken): Promise<CompositeToken> {\n // Send a POST request to the configured endpoint with the token as body\n // and extract the response as JSON to return a new CompositeToken\n\n return this.options.fetcher.post<CompositeToken>(\n this.options.endpoint,\n {\n body: token,\n },\n {\n resultExtractor: ResultExtractors.Json,\n attributes: new Map([[IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY, true]]),\n },\n );\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { JwtCompositeToken, JwtCompositeTokenSerializer } from './jwtToken';\nimport { CompositeToken } from './tokenRefresher';\nimport { EarlyPeriodCapable } from './jwts';\nimport {\n createListenableStorage,\n KeyStorage,\n} from '@ahoo-wang/fetcher-storage';\n\nexport const DEFAULT_COSEC_TOKEN_KEY = 'cosec-token';\n\n/\n Storage class for managing access and refresh tokens.\n */\nexport class TokenStorage\n extends KeyStorage<JwtCompositeToken>\n implements EarlyPeriodCapable {\n constructor(\n key: string = DEFAULT_COSEC_TOKEN_KEY,\n public readonly earlyPeriod: number = 0,\n ) {\n super({\n key,\n storage: createListenableStorage(),\n serializer: new JwtCompositeTokenSerializer(earlyPeriod),\n });\n }\n\n setCompositeToken(compositeToken: CompositeToken) {\n this.set(new JwtCompositeToken(compositeToken));\n }\n}\n"],"names":["_CoSecHeaders","CoSecHeaders","_ResponseCodes","ResponseCodes","AuthorizeResults","NanoIdGenerator","nanoid","idGenerator","COSEC_REQUEST_INTERCEPTOR_NAME","COSEC_REQUEST_INTERCEPTOR_ORDER","REQUEST_BODY_INTERCEPTOR_ORDER","IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY","CoSecRequestInterceptor","options","exchange","requestId","deviceId","requestHeaders","AUTHORIZATION_REQUEST_INTERCEPTOR_NAME","AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER","AuthorizationRequestInterceptor","currentToken","AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME","AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER","AuthorizationResponseInterceptor","response","error","DEFAULT_COSEC_DEVICE_ID_KEY","DeviceIdStorage","KeyStorage","key","IdentitySerializer","createListenableStorage","parseJwtPayload","token","parts","base64","paddedBase64","jsonPayload","c","isTokenExpired","earlyPeriod","payload","expAt","JwtToken","JwtCompositeToken","JwtCompositeTokenSerializer","value","compositeToken","jwtCompositeTokenSerializer","JwtTokenManager","tokenStorage","tokenRefresher","jwtToken","newToken","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER","ResourceAttributionRequestInterceptor","tenantId","ownerId","principal","extractedPathParams","tenantIdPathKey","requestPathParams","ownerIdPathKey","CoSecTokenRefresher","ResultExtractors","DEFAULT_COSEC_TOKEN_KEY","TokenStorage"],"mappings":"gaAmBO,MAAMA,EAAN,MAAMA,CAAa,CAK1B,EAJEA,EAAgB,UAAY,kBAC5BA,EAAgB,OAAS,eACzBA,EAAgB,cAAgB,gBAChCA,EAAgB,WAAa,mBAJxB,IAAMC,EAAND,EAOA,MAAME,EAAN,MAAMA,CAAc,CAE3B,EADEA,EAAgB,aAAe,IAD1B,IAAMC,EAAND,EAuCA,MAAME,EAAmB,CAC9B,MAAO,CAAE,WAAY,GAAM,OAAQ,OAAA,EACnC,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,kBAAmB,CAAE,WAAY,GAAO,OAAQ,mBAAA,CAClD,EChDO,MAAMC,CAAuC,CAMlD,YAAqB,CACnB,OAAOC,SAAA,CACT,CACF,CAEO,MAAMC,EAAc,IAAIF,ECLlBG,EAAiC,0BAMjCC,EACXC,EAAAA,+BAAiC,IAEtBC,EAAqC,uBAkB3C,MAAMC,CAAsD,CASjE,YAAYC,EAA8B,CAR1C,KAAS,KAAOL,EAChB,KAAS,MAAQC,EAQf,KAAK,QAAUI,CACjB,CAwBA,MAAM,UAAUC,EAAyB,CAEvC,MAAMC,EAAYR,EAAY,WAAA,EAGxBS,EAAW,KAAK,QAAQ,gBAAgB,YAAA,EAGxCC,EAAiBH,EAAS,qBAAA,EAGhCG,EAAehB,EAAa,MAAM,EAAI,KAAK,QAAQ,MACnDgB,EAAehB,EAAa,SAAS,EAAIe,EACzCC,EAAehB,EAAa,UAAU,EAAIc,CAC5C,CACF,CCjFO,MAAMG,EACX,kCACWC,EACXV,EAAkC,IAY7B,MAAMW,CAA8D,CASzE,YAA6BP,EAA0C,CAA1C,KAAA,QAAAA,EAR7B,KAAS,KAAOK,EAChB,KAAS,MAAQC,CAQjB,CAaA,MAAM,UAAUL,EAAwC,CAEtD,IAAIO,EAAe,KAAK,QAAQ,aAAa,aAE7C,MAAMJ,EAAiBH,EAAS,qBAAA,EAG5B,CAACO,GAAgBJ,EAAehB,EAAa,aAAa,IAM5D,CAACa,EAAS,WAAW,IAAIH,CAAkC,GAC3DU,EAAa,iBACbA,EAAa,eAEb,MAAM,KAAK,QAAQ,aAAa,QAAA,EAIlCA,EAAe,KAAK,QAAQ,aAAa,aAGrCA,IACFJ,EAAehB,EAAa,aAAa,EACvC,UAAUoB,EAAa,OAAO,KAAK,IAEzC,CACF,CCxEO,MAAMC,EACX,mCAMWC,EACX,OAAO,iBAAmB,IAYrB,MAAMC,CAAgE,CAS3E,YAAYX,EAA0C,CARtD,KAAS,KAAOS,EAChB,KAAS,MAAQC,EAQf,KAAK,QAAUV,CACjB,CAMA,MAAM,UAAUC,EAAwC,CACtD,MAAMW,EAAWX,EAAS,SAE1B,GAAKW,GAKDA,EAAS,SAAWtB,EAAc,cAIjC,KAAK,QAAQ,aAAa,cAG/B,GAAI,CACF,MAAM,KAAK,QAAQ,aAAa,QAAA,EAEhC,MAAMW,EAAS,QAAQ,aAAa,SAASA,CAAQ,CACvD,OAASY,EAAO,CAEd,WAAK,QAAQ,aAAa,aAAa,OAAA,EACjCA,CACR,CACF,CACF,CC9DO,MAAMC,EAA8B,kBAKpC,MAAMC,UAAwBC,EAAAA,UAAmB,CACtD,YAAYC,EAAcH,EAA6B,CACrD,MAAM,CACJ,IAAAG,EACA,WAAY,IAAIC,EAAAA,mBAChB,QAASC,EAAAA,wBAAA,CAAwB,CAClC,CACH,CAOA,kBAA2B,CACzB,OAAOzB,EAAY,WAAA,CACrB,CAOA,aAAsB,CAEpB,IAAIS,EAAW,KAAK,IAAA,EACpB,OAAKA,IAEHA,EAAW,KAAK,iBAAA,EAChB,KAAK,IAAIA,CAAQ,GAGZA,CACT,CACF,CC+BO,SAASiB,EAAsCC,EAAyB,CAC7E,GAAI,CACF,MAAMC,EAAQD,EAAM,MAAM,GAAG,EAC7B,GAAIC,EAAM,SAAW,EACnB,OAAO,KAIT,MAAMC,EADYD,EAAM,CAAC,EACA,QAAQ,KAAM,GAAG,EAAE,QAAQ,KAAM,GAAG,EAGvDE,EAAeD,EAAO,OAC1BA,EAAO,QAAW,EAAKA,EAAO,OAAS,GAAM,EAC7C,GAAA,EAGIE,EAAc,mBAClB,KAAKD,CAAY,EACd,MAAM,EAAE,EACR,IAAI,SAASE,EAAG,CACf,MAAO,KAAO,KAAOA,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE,CAC7D,CAAC,EACA,KAAK,EAAE,CAAA,EAEZ,OAAO,KAAK,MAAMD,CAAW,CAC/B,OAASZ,EAAO,CAEd,eAAQ,MAAM,4BAA6BA,CAAK,EACzC,IACT,CACF,CAyBO,SAASc,EACdN,EACAO,EAAsB,EACb,CACT,MAAMC,EAAU,OAAOR,GAAU,SAAWD,EAAgBC,CAAK,EAAIA,EACrE,GAAI,CAACQ,EACH,MAAO,GAGT,MAAMC,EAAQD,EAAQ,IACtB,OAAKC,EAIO,KAAK,IAAA,EAAQ,IACZA,EAAQF,EAJZ,EAKX,CC1HO,MAAMG,CACmB,CAM9B,YACkBV,EACAO,EAAsB,EACtC,CAFgB,KAAA,MAAAP,EACA,KAAA,YAAAO,EAEhB,KAAK,QAAUR,EAAyBC,CAAK,CAC/C,CAMA,IAAI,WAAqB,CACvB,OAAK,KAAK,QAGHM,EAAe,KAAK,QAAS,KAAK,WAAW,EAF3C,EAGX,CACF,CAkBO,MAAMK,CAC8C,CAOzD,YACkBX,EACAO,EAAsB,EACtC,CAFgB,KAAA,MAAAP,EACA,KAAA,YAAAO,EAEhB,KAAK,OAAS,IAAIG,EAASV,EAAM,YAAaO,CAAW,EACzD,KAAK,QAAU,IAAIG,EAASV,EAAM,aAAcO,CAAW,CAC7D,CAMA,IAAI,iBAA2B,CAC7B,OAAO,KAAK,OAAO,SACrB,CAMA,IAAI,eAAyB,CAC3B,MAAO,CAAC,KAAK,QAAQ,SACvB,CACF,CAKO,MAAMK,CAC0D,CACrE,YAA4BL,EAAsB,EAAG,CAAzB,KAAA,YAAAA,CAC5B,CAOA,YAAYM,EAAkC,CAC5C,MAAMC,EAAiB,KAAK,MAAMD,CAAK,EACvC,OAAO,IAAIF,EAAkBG,EAAgB,KAAK,WAAW,CAC/D,CAOA,UAAUD,EAAkC,CAC1C,OAAO,KAAK,UAAUA,EAAM,KAAK,CACnC,CACF,CAEO,MAAME,EAA8B,IAAIH,EC1HxC,MAAMI,CAAqD,CAQhE,YACkBC,EACAC,EAChB,CAFgB,KAAA,aAAAD,EACA,KAAA,eAAAC,CAElB,CAMA,IAAI,cAAyC,CAC3C,OAAO,KAAK,aAAa,IAAA,CAC3B,CAQA,MAAM,QAAQ/B,EAA8C,CAC1D,GAAI,CAACA,EAAc,CACjB,MAAMgC,EAAW,KAAK,aACtB,GAAI,CAACA,EACH,MAAM,IAAI,MAAM,gBAAgB,EAElChC,EAAegC,EAAS,KAC1B,CACA,OAAI,KAAK,kBACA,KAAK,mBAGd,KAAK,kBAAoB,KAAK,eAC3B,QAAQhC,CAAY,EACpB,KAAKiC,GAAY,CAChB,KAAK,aAAa,kBAAkBA,CAAQ,CAC9C,CAAC,EACA,MAAM5B,GAAS,CACd,WAAK,aAAa,OAAA,EACZA,CACR,CAAC,EACA,QAAQ,IAAM,CACb,KAAK,kBAAoB,MAC3B,CAAC,EAEI,KAAK,kBACd,CAMA,IAAI,iBAA2B,CAC7B,OAAK,KAAK,aAGH,KAAK,aAAa,gBAFhB,EAGX,CAMA,IAAI,eAAyB,CAC3B,OAAK,KAAK,aAGH,KAAK,aAAa,cAFhB,EAGX,CACF,CC5DO,MAAM6B,EACX,wCAIWC,EACX,OAAO,iBAOF,MAAMC,CACmB,CAW9B,YAAY,CACE,SAAAC,EAAW,WACX,QAAAC,EAAU,UACV,aAAAR,CAAA,EAC6B,CAd3C,KAAS,KAAOI,EAChB,KAAS,MAAQC,EAcf,KAAK,gBAAkBE,EACvB,KAAK,eAAiBC,EACtB,KAAK,aAAeR,CACtB,CAOA,UAAUrC,EAA+B,CACvC,MAAMO,EAAe,KAAK,aAAa,IAAA,EACvC,GAAI,CAACA,EACH,OAEF,MAAMuC,EAAYvC,EAAa,OAAO,QAItC,GAHI,CAACuC,GAGD,CAACA,EAAU,UAAY,CAACA,EAAU,IACpC,OAIF,MAAMC,EACJ/C,EAAS,QAAQ,WAAW,oBAAoB,kBAC9CA,EAAS,QAAQ,GAAA,EAEfgD,EAAkB,KAAK,gBACvBC,EAAoBjD,EAAS,uBAAA,EAAyB,KACtD4C,EAAWE,EAAU,SAIzBF,GACAG,EAAoB,SAASC,CAAe,GAC5C,CAACC,EAAkBD,CAAe,IAElCC,EAAkBD,CAAe,EAAIJ,GAGvC,MAAMM,EAAiB,KAAK,eACtBL,EAAUC,EAAU,IAIxBD,GACAE,EAAoB,SAASG,CAAc,GAC3C,CAACD,EAAkBC,CAAc,IAEjCD,EAAkBC,CAAc,EAAIL,EAExC,CACF,CC1DO,MAAMM,CAA8C,CAMzD,YAA4BpD,EAAqC,CAArC,KAAA,QAAAA,CAC5B,CAQA,QAAQqB,EAAgD,CAItD,OAAO,KAAK,QAAQ,QAAQ,KAC1B,KAAK,QAAQ,SACb,CACE,KAAMA,CAAA,EAER,CACE,gBAAiBgC,EAAAA,iBAAiB,KAClC,eAAgB,IAAI,CAAC,CAACvD,EAAoC,EAAI,CAAC,CAAC,CAAA,CAClE,CAEJ,CACF,CCvEO,MAAMwD,EAA0B,cAKhC,MAAMC,UACHvC,EAAAA,UACsB,CAC9B,YACEC,EAAcqC,EACE1B,EAAsB,EACtC,CACA,MAAM,CACJ,IAAAX,EACA,QAASE,EAAAA,wBAAA,EACT,WAAY,IAAIc,EAA4BL,CAAW,CAAA,CACxD,EANe,KAAA,YAAAA,CAOlB,CAEA,kBAAkBO,EAAgC,CAChD,KAAK,IAAI,IAAIH,EAAkBG,CAAc,CAAC,CAChD,CACF"}
1	+ {"version":3,"file":"index.umd.js","sources":["../src/types.ts","../src/idGenerator.ts","../src/cosecRequestInterceptor.ts","../src/authorizationRequestInterceptor.ts","../src/authorizationResponseInterceptor.ts","../src/deviceIdStorage.ts","../src/jwts.ts","../src/jwtToken.ts","../src/jwtTokenManager.ts","../src/resourceAttributionRequestInterceptor.ts","../src/tokenRefresher.ts","../src/tokenStorage.ts"],"sourcesContent":["/\n Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { DeviceIdStorage } from './deviceIdStorage';\nimport { JwtTokenManager } from './jwtTokenManager';\n\n/\n CoSec HTTP headers enumeration.\n /\nexport class CoSecHeaders {\n static readonly DEVICE_ID = 'CoSec-Device-Id';\n static readonly APP_ID = 'CoSec-App-Id';\n static readonly AUTHORIZATION = 'Authorization';\n static readonly REQUEST_ID = 'CoSec-Request-Id';\n}\n\nexport class ResponseCodes {\n static readonly UNAUTHORIZED = 401;\n}\n\nexport interface AppIdCapable {\n /\n Application ID to be sent in the CoSec-App-Id header.\n /\n appId: string;\n}\n\nexport interface DeviceIdStorageCapable {\n deviceIdStorage: DeviceIdStorage;\n}\n\nexport interface JwtTokenManagerCapable {\n tokenManager: JwtTokenManager;\n}\n\n/\n CoSec options interface.\n /\nexport interface CoSecOptions\n extends AppIdCapable,\n DeviceIdStorageCapable,\n JwtTokenManagerCapable {\n}\n\n/\n Authorization result interface.\n /\nexport interface AuthorizeResult {\n authorized: boolean;\n reason: string;\n}\n\n/\n Authorization result constants.\n /\nexport const AuthorizeResults = {\n ALLOW: { authorized: true, reason: 'Allow' },\n EXPLICIT_DENY: { authorized: false, reason: 'Explicit Deny' },\n IMPLICIT_DENY: { authorized: false, reason: 'Implicit Deny' },\n TOKEN_EXPIRED: { authorized: false, reason: 'Token Expired' },\n TOO_MANY_REQUESTS: { authorized: false, reason: 'Too Many Requests' },\n};\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { nanoid } from 'nanoid';\n\nexport interface IdGenerator {\n generateId(): string;\n}\n\n/\n Nano ID implementation of IdGenerator.\n * Generates unique request IDs using Nano ID.\n /\nexport class NanoIdGenerator implements IdGenerator {\n /\n Generate a unique request ID.\n \n @returns A unique request ID\n /\n generateId(): string {\n return nanoid();\n }\n}\n\nexport const idGenerator = new NanoIdGenerator();\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n FetchExchange,\n REQUEST_BODY_INTERCEPTOR_ORDER,\n type RequestInterceptor,\n} from '@ahoo-wang/fetcher';\nimport { AppIdCapable, CoSecHeaders, DeviceIdStorageCapable } from './types';\nimport { idGenerator } from './idGenerator';\n\nexport interface CoSecRequestOptions\n extends AppIdCapable,\n DeviceIdStorageCapable {\n}\n\n/\n The name of the CoSecRequestInterceptor.\n /\nexport const COSEC_REQUEST_INTERCEPTOR_NAME = 'CoSecRequestInterceptor';\n\n/\n The order of the CoSecRequestInterceptor.\n * Set to REQUEST_BODY_INTERCEPTOR_ORDER + 1000 to ensure it runs after RequestBodyInterceptor.\n /\nexport const COSEC_REQUEST_INTERCEPTOR_ORDER =\n REQUEST_BODY_INTERCEPTOR_ORDER + 1000;\n\nexport const IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY = 'Ignore-Refresh-Token';\n\n/\n Interceptor that automatically adds CoSec authentication headers to requests.\n \n This interceptor adds the following headers to each request:\n * - CoSec-Device-Id: Device identifier (stored in localStorage or generated)\n * - CoSec-App-Id: Application identifier\n * - CoSec-Request-Id: Unique request identifier for each request\n \n @remarks\n * This interceptor runs after RequestBodyInterceptor but before FetchInterceptor.\n * The order is set to COSEC_REQUEST_INTERCEPTOR_ORDER to ensure it runs after\n * request body processing but before the actual HTTP request is made. This positioning\n * allows for proper authentication header addition after all request body transformations\n * are complete, ensuring that the final request is properly authenticated before\n * being sent over the network.\n /\nexport class CoSecRequestInterceptor implements RequestInterceptor {\n readonly name = COSEC_REQUEST_INTERCEPTOR_NAME;\n readonly order = COSEC_REQUEST_INTERCEPTOR_ORDER;\n private options: CoSecRequestOptions;\n\n /\n Creates a new CoSecRequestInterceptor instance.\n * @param options - The CoSec configuration options including appId, deviceIdStorage, and tokenManager\n /\n constructor(options: CoSecRequestOptions) {\n this.options = options;\n }\n\n /\n Intercept requests to add CoSec authentication headers.\n \n This method adds the following headers to each request:\n * - CoSec-App-Id: The application identifier from the CoSec options\n * - CoSec-Device-Id: A unique device identifier, either retrieved from storage or generated\n * - CoSec-Request-Id: A unique identifier for this specific request\n \n @param exchange - The fetch exchange containing the request to process\n \n @remarks\n * This method runs after RequestBodyInterceptor but before FetchInterceptor.\n * It ensures that authentication headers are added to the request after all\n * body processing is complete. The positioning allows for proper authentication\n * header addition after all request body transformations are finished, ensuring\n * that the final request is properly authenticated before being sent over the network.\n * This execution order prevents authentication headers from being overwritten by\n * subsequent request processing interceptors.\n \n The method also handles token refreshing when the current token is expired but still refreshable.\n * It will attempt to refresh the token before adding the Authorization header to the request.\n /\n async intercept(exchange: FetchExchange) {\n // Generate a unique request ID for this request\n const requestId = idGenerator.generateId();\n\n // Get or create a device ID\n const deviceId = this.options.deviceIdStorage.getOrCreate();\n\n // Ensure request headers object exists\n const requestHeaders = exchange.ensureRequestHeaders();\n\n // Add CoSec headers to the request\n requestHeaders[CoSecHeaders.APP_ID] = this.options.appId;\n requestHeaders[CoSecHeaders.DEVICE_ID] = deviceId;\n requestHeaders[CoSecHeaders.REQUEST_ID] = requestId;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport {\n COSEC_REQUEST_INTERCEPTOR_ORDER,\n IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY,\n} from './cosecRequestInterceptor';\nimport { CoSecHeaders, JwtTokenManagerCapable } from './types';\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport interface AuthorizationInterceptorOptions\n extends JwtTokenManagerCapable {\n}\n\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_NAME =\n 'AuthorizationRequestInterceptor';\nexport const AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER =\n COSEC_REQUEST_INTERCEPTOR_ORDER + 1000;\n\n/\n Request interceptor that automatically adds Authorization header to requests.\n \n This interceptor handles JWT token management by:\n * 1. Adding Authorization header with Bearer token if not already present\n * 2. Refreshing tokens when needed and possible\n * 3. Skipping refresh when explicitly requested via attributes\n \n The interceptor runs after CoSecRequestInterceptor but before FetchInterceptor in the chain.\n /\nexport class AuthorizationRequestInterceptor implements RequestInterceptor {\n readonly name = AUTHORIZATION_REQUEST_INTERCEPTOR_NAME;\n readonly order = AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER;\n\n /\n Creates an AuthorizationRequestInterceptor instance.\n \n @param options - Configuration options containing the token manager\n /\n constructor(private readonly options: AuthorizationInterceptorOptions) {\n }\n\n /\n Intercepts the request exchange to add authorization headers.\n \n This method performs the following operations:\n * 1. Checks if a token exists and if Authorization header is already set\n * 2. Refreshes the token if needed, possible, and not explicitly ignored\n * 3. Adds the Authorization header with Bearer token if a token is available\n \n @param exchange - The fetch exchange containing request information\n * @returns Promise that resolves when the interception is complete\n /\n async intercept(exchange: FetchExchange): Promise<void> {\n // Get the current token from token manager\n let currentToken = this.options.tokenManager.currentToken;\n\n const requestHeaders = exchange.ensureRequestHeaders();\n\n // Skip if no token exists or Authorization header is already set\n if (!currentToken \|\| requestHeaders[CoSecHeaders.AUTHORIZATION]) {\n return;\n }\n\n // Refresh token if needed and refreshable\n if (\n !exchange.attributes.has(IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY) &&\n currentToken.isRefreshNeeded &&\n currentToken.isRefreshable\n ) {\n await this.options.tokenManager.refresh();\n }\n\n // Get the current token again (might have been refreshed)\n currentToken = this.options.tokenManager.currentToken;\n\n // Add Authorization header if we have a token\n if (currentToken) {\n requestHeaders[CoSecHeaders.AUTHORIZATION] =\n `Bearer ${currentToken.access.token}`;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { ResponseCodes } from './types';\nimport { FetchExchange, type ResponseInterceptor } from '@ahoo-wang/fetcher';\nimport { AuthorizationInterceptorOptions } from './authorizationRequestInterceptor';\n\n/\n The name of the AuthorizationResponseInterceptor.\n /\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME =\n 'AuthorizationResponseInterceptor';\n\n/\n The order of the AuthorizationResponseInterceptor.\n * Set to a high negative value to ensure it runs early in the interceptor chain.\n /\nexport const AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER =\n Number.MIN_SAFE_INTEGER + 1000;\n\n/\n CoSecResponseInterceptor is responsible for handling unauthorized responses (401)\n * by attempting to refresh the authentication token and retrying the original request.\n \n This interceptor:\n * 1. Checks if the response status is 401 (UNAUTHORIZED)\n * 2. If so, and if there's a current token, attempts to refresh it\n * 3. On successful refresh, stores the new token and retries the original request\n * 4. On refresh failure, clears stored tokens and propagates the error\n /\nexport class AuthorizationResponseInterceptor implements ResponseInterceptor {\n readonly name = AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME;\n readonly order = AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER;\n private options: AuthorizationInterceptorOptions;\n\n /\n Creates a new AuthorizationResponseInterceptor instance.\n * @param options - The CoSec configuration options including token storage and refresher\n /\n constructor(options: AuthorizationInterceptorOptions) {\n this.options = options;\n }\n\n /\n Intercepts the response and handles unauthorized responses by refreshing tokens.\n * @param exchange - The fetch exchange containing request and response information\n /\n async intercept(exchange: FetchExchange): Promise<void> {\n const response = exchange.response;\n // If there's no response, nothing to intercept\n if (!response) {\n return;\n }\n\n // Only handle unauthorized responses (401)\n if (response.status !== ResponseCodes.UNAUTHORIZED) {\n return;\n }\n\n if (!this.options.tokenManager.isRefreshable) {\n return;\n }\n try {\n await this.options.tokenManager.refresh();\n // Retry the original request with the new token\n await exchange.fetcher.interceptors.exchange(exchange);\n } catch (error) {\n // If token refresh fails, clear stored tokens and re-throw the error\n this.options.tokenManager.tokenStorage.remove();\n throw error;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { idGenerator } from './idGenerator';\nimport {\n KeyStorage, KeyStorageOptions,\n} from '@ahoo-wang/fetcher-storage';\nimport { BroadcastTypedEventBus, SerialTypedEventBus } from '@ahoo-wang/fetcher-eventbus';\n\nexport const DEFAULT_COSEC_DEVICE_ID_KEY = 'cosec-device-id';\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport interface DeviceIdStorageOptions extends KeyStorageOptions<string> {\n}\n\n/\n Storage class for managing device identifiers.\n /\nexport class DeviceIdStorage extends KeyStorage<string> {\n constructor(options: DeviceIdStorageOptions = {\n key: DEFAULT_COSEC_DEVICE_ID_KEY,\n eventBus: new BroadcastTypedEventBus(new SerialTypedEventBus(DEFAULT_COSEC_DEVICE_ID_KEY)),\n }) {\n super(options);\n }\n\n /\n Generate a new device ID.\n \n @returns A newly generated device ID\n /\n generateDeviceId(): string {\n return idGenerator.generateId();\n }\n\n /\n Get or create a device ID.\n \n @returns The existing device ID if available, otherwise a newly generated one\n /\n getOrCreate(): string {\n // Try to get existing device ID from storage\n let deviceId = this.get();\n if (!deviceId) {\n // Generate a new device ID and store it\n deviceId = this.generateDeviceId();\n this.set(deviceId);\n }\n\n return deviceId;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n/\n Interface representing a JWT payload as defined in RFC 7519.\n * Contains standard JWT claims as well as custom properties.\n /\nexport interface JwtPayload {\n /\n JWT ID - provides a unique identifier for the JWT.\n /\n jti?: string;\n /\n Subject - identifies the principal that is the subject of the JWT.\n /\n sub?: string;\n /\n Issuer - identifies the principal that issued the JWT.\n /\n iss?: string;\n /\n Audience - identifies the recipients that the JWT is intended for.\n * Can be a single string or an array of strings.\n /\n aud?: string \| string[];\n /\n Expiration Time - identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n exp?: number;\n /\n Not Before - identifies the time before which the JWT MUST NOT be accepted for processing.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n nbf?: number;\n /\n Issued At - identifies the time at which the JWT was issued.\n * Represented as NumericDate (seconds since Unix epoch).\n /\n iat?: number;\n\n /\n Allows additional custom properties to be included in the payload.\n /\n [key: string]: any;\n}\n\n/\n Interface representing a JWT payload with CoSec-specific extensions.\n * Extends the standard JwtPayload interface with additional CoSec-specific properties.\n /\nexport interface CoSecJwtPayload extends JwtPayload {\n /\n Tenant identifier - identifies the tenant scope for the JWT.\n /\n tenantId?: string;\n /\n Policies - array of policy identifiers associated with the JWT.\n * These are security policies defined internally by Cosec.\n /\n policies?: string[];\n /\n Roles - array of role identifiers associated with the JWT.\n * Role IDs indicate what roles the token belongs to.\n /\n roles?: string[];\n /\n Attributes - custom key-value pairs providing additional information about the JWT.\n /\n attributes?: Record<string, any>;\n}\n\n/\n Parses a JWT token and extracts its payload.\n \n This function decodes the payload part of a JWT token, handling Base64URL decoding\n * and JSON parsing. It validates the token structure and returns null for invalid tokens.\n \n @param token - The JWT token string to parse\n * @returns The parsed JWT payload or null if parsing fails\n /\nexport function parseJwtPayload<T extends JwtPayload>(token: string): T \| null {\n try {\n if (typeof token !== 'string') {\n return null;\n }\n const parts = token.split('.');\n if (parts.length !== 3) {\n return null;\n }\n\n const base64Url = parts[1];\n const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');\n\n // Add padding if needed\n const paddedBase64 = base64.padEnd(\n base64.length + ((4 - (base64.length % 4)) % 4),\n '=',\n );\n\n const jsonPayload = decodeURIComponent(\n atob(paddedBase64)\n .split('')\n .map(function(c) {\n return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);\n })\n .join(''),\n );\n return JSON.parse(jsonPayload) as T;\n } catch (error) {\n // Avoid exposing sensitive information in error logs\n console.error('Failed to parse JWT token', error);\n return null;\n }\n}\n\nexport interface EarlyPeriodCapable {\n /\n The time in seconds before actual expiration when the token should be considered expired (default: 0)\n /\n readonly earlyPeriod: number;\n}\n\n/\n Checks if a JWT token is expired based on its expiration time (exp claim).\n \n This function determines if a JWT token has expired by comparing its exp claim\n * with the current time. If the token is a string, it will be parsed first.\n * Tokens without an exp claim are considered not expired.\n \n The early period parameter allows for early token expiration, which is useful\n * for triggering token refresh before the token actually expires. This helps\n * avoid race conditions where a token expires between the time it is checked and\n * the time it is used.\n \n @param token - The JWT token to check, either as a string or as a JwtPayload object\n * @param earlyPeriod - The time in seconds before actual expiration when the token should be considered expired (default: 0)\n * @returns true if the token is expired (or will expire within the early period) or cannot be parsed, false otherwise\n /\nexport function isTokenExpired(\n token: string \| CoSecJwtPayload,\n earlyPeriod: number = 0,\n): boolean {\n const payload = typeof token === 'string' ? parseJwtPayload(token) : token;\n if (!payload) {\n return true;\n }\n\n const expAt = payload.exp;\n if (!expAt) {\n return false;\n }\n\n const now = Date.now() / 1000;\n return now > expAt - earlyPeriod;\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n CoSecJwtPayload,\n EarlyPeriodCapable,\n isTokenExpired,\n JwtPayload,\n parseJwtPayload,\n} from './jwts';\nimport { CompositeToken } from './tokenRefresher';\nimport { Serializer } from '@ahoo-wang/fetcher-storage';\n\n/\n Interface for JWT token with typed payload\n * @template Payload The type of the JWT payload\n /\nexport interface IJwtToken<Payload extends JwtPayload>\n extends EarlyPeriodCapable {\n readonly token: string;\n readonly payload: Payload \| null;\n\n isExpired: boolean;\n}\n\n/\n Class representing a JWT token with typed payload\n * @template Payload The type of the JWT payload\n /\nexport class JwtToken<Payload extends JwtPayload>\n implements IJwtToken<Payload> {\n public readonly payload: Payload \| null;\n\n /\n Creates a new JwtToken instance\n /\n constructor(\n public readonly token: string,\n public readonly earlyPeriod: number = 0,\n ) {\n this.payload = parseJwtPayload<Payload>(token);\n }\n\n /\n Checks if the token is expired\n * @returns true if the token is expired, false otherwise\n /\n get isExpired(): boolean {\n if (!this.payload) {\n return true;\n }\n return isTokenExpired(this.payload, this.earlyPeriod);\n }\n}\n\nexport interface RefreshTokenStatusCapable {\n /\n Checks if the access token needs to be refreshed\n * @returns true if the access token is expired, false otherwise\n /\n readonly isRefreshNeeded: boolean;\n /\n Checks if the refresh token is still valid and can be used to refresh the access token\n * @returns true if the refresh token is not expired, false otherwise\n /\n readonly isRefreshable: boolean;\n}\n\n/\n Class representing a composite token containing both access and refresh tokens\n /\nexport class JwtCompositeToken\n implements EarlyPeriodCapable, RefreshTokenStatusCapable {\n public readonly access: JwtToken<CoSecJwtPayload>;\n public readonly refresh: JwtToken<JwtPayload>;\n\n /\n Creates a new JwtCompositeToken instance\n /\n constructor(\n public readonly token: CompositeToken,\n public readonly earlyPeriod: number = 0,\n ) {\n this.access = new JwtToken(token.accessToken, earlyPeriod);\n this.refresh = new JwtToken(token.refreshToken, earlyPeriod);\n }\n\n /\n Checks if the access token needs to be refreshed\n * @returns true if the access token is expired, false otherwise\n /\n get isRefreshNeeded(): boolean {\n return this.access.isExpired;\n }\n\n /\n Checks if the refresh token is still valid and can be used to refresh the access token\n * @returns true if the refresh token is not expired, false otherwise\n /\n get isRefreshable(): boolean {\n return !this.refresh.isExpired;\n }\n}\n\n/\n Serializer for JwtCompositeToken that handles conversion to and from JSON strings\n /\nexport class JwtCompositeTokenSerializer\n implements Serializer<string, JwtCompositeToken>, EarlyPeriodCapable {\n constructor(public readonly earlyPeriod: number = 0) {\n }\n\n /\n Deserializes a JSON string to a JwtCompositeToken\n * @param value The JSON string representation of a composite token\n * @returns A JwtCompositeToken instance\n /\n deserialize(value: string): JwtCompositeToken {\n const compositeToken = JSON.parse(value) as CompositeToken;\n return new JwtCompositeToken(compositeToken, this.earlyPeriod);\n }\n\n /\n Serializes a JwtCompositeToken to a JSON string\n * @param value The JwtCompositeToken to serialize\n * @returns A JSON string representation of the composite token\n /\n serialize(value: JwtCompositeToken): string {\n return JSON.stringify(value.token);\n }\n}\n\nexport const jwtCompositeTokenSerializer = new JwtCompositeTokenSerializer();\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { TokenStorage } from './tokenStorage';\nimport { CompositeToken, TokenRefresher } from './tokenRefresher';\nimport { JwtCompositeToken, RefreshTokenStatusCapable } from './jwtToken';\n\n/\n Manages JWT token refreshing operations and provides status information\n /\nexport class JwtTokenManager implements RefreshTokenStatusCapable {\n private refreshInProgress?: Promise<void>;\n\n /\n Creates a new JwtTokenManager instance\n * @param tokenStorage The storage used to persist tokens\n * @param tokenRefresher The refresher used to refresh expired tokens\n /\n constructor(\n public readonly tokenStorage: TokenStorage,\n public readonly tokenRefresher: TokenRefresher,\n ) {\n }\n\n /\n Gets the current JWT composite token from storage\n * @returns The current token or null if none exists\n /\n get currentToken(): JwtCompositeToken \| null {\n return this.tokenStorage.get();\n }\n\n /\n Refreshes the JWT token\n * @param currentToken Optional current token to refresh. If not provided, uses the stored token.\n * @returns Promise that resolves when refresh is complete\n * @throws Error if no token is found or refresh fails\n /\n async refresh(currentToken?: CompositeToken): Promise<void> {\n if (!currentToken) {\n const jwtToken = this.currentToken;\n if (!jwtToken) {\n throw new Error('No token found');\n }\n currentToken = jwtToken.token;\n }\n if (this.refreshInProgress) {\n return this.refreshInProgress;\n }\n\n this.refreshInProgress = this.tokenRefresher\n .refresh(currentToken)\n .then(newToken => {\n this.tokenStorage.setCompositeToken(newToken);\n })\n .catch(error => {\n this.tokenStorage.remove();\n throw error;\n })\n .finally(() => {\n this.refreshInProgress = undefined;\n });\n\n return this.refreshInProgress;\n }\n\n /\n Indicates if the current token needs to be refreshed\n * @returns true if the access token is expired and needs refresh, false otherwise\n /\n get isRefreshNeeded(): boolean {\n if (!this.currentToken) {\n return false;\n }\n return this.currentToken.isRefreshNeeded;\n }\n\n /\n Indicates if the current token can be refreshed\n * @returns true if the refresh token is still valid, false otherwise\n /\n get isRefreshable(): boolean {\n if (!this.currentToken) {\n return false;\n }\n return this.currentToken.isRefreshable;\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { FetchExchange, RequestInterceptor } from '@ahoo-wang/fetcher';\nimport { TokenStorage } from './tokenStorage';\n\n/\n Configuration options for resource attribution\n /\nexport interface ResourceAttributionOptions {\n /\n The path parameter key used for tenant ID in URL templates\n /\n tenantId?: string;\n /\n The path parameter key used for owner ID in URL templates\n /\n ownerId?: string;\n /\n Storage mechanism for retrieving current authentication tokens\n /\n tokenStorage: TokenStorage;\n}\n\n/\n Name identifier for the ResourceAttributionRequestInterceptor\n /\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME =\n 'ResourceAttributionRequestInterceptor';\n/\n Order priority for the ResourceAttributionRequestInterceptor, set to maximum safe integer to ensure it runs last\n /\nexport const RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER =\n Number.MAX_SAFE_INTEGER;\n\n/\n Request interceptor that automatically adds tenant and owner ID path parameters to requests\n * based on the current authentication token. This is useful for multi-tenant applications where\n * requests need to include tenant-specific information in the URL path.\n /\nexport class ResourceAttributionRequestInterceptor\n implements RequestInterceptor {\n readonly name = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME;\n readonly order = RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER;\n private readonly tenantIdPathKey: string;\n private readonly ownerIdPathKey: string;\n private readonly tokenStorage: TokenStorage;\n\n /\n Creates a new ResourceAttributionRequestInterceptor\n * @param options - Configuration options for resource attribution including tenantId, ownerId and tokenStorage\n /\n constructor({\n tenantId = 'tenantId',\n ownerId = 'ownerId',\n tokenStorage,\n }: ResourceAttributionOptions) {\n this.tenantIdPathKey = tenantId;\n this.ownerIdPathKey = ownerId;\n this.tokenStorage = tokenStorage;\n }\n\n /\n Intercepts outgoing requests and automatically adds tenant and owner ID path parameters\n * if they are defined in the URL template but not provided in the request.\n * @param exchange - The fetch exchange containing the request information\n /\n intercept(exchange: FetchExchange): void {\n const currentToken = this.tokenStorage.get();\n if (!currentToken) {\n return;\n }\n const principal = currentToken.access.payload;\n if (!principal) {\n return;\n }\n if (!principal.tenantId && !principal.sub) {\n return;\n }\n\n // Extract path parameters from the URL template\n const extractedPathParams =\n exchange.fetcher.urlBuilder.urlTemplateResolver.extractPathParams(\n exchange.request.url,\n );\n const tenantIdPathKey = this.tenantIdPathKey;\n const requestPathParams = exchange.ensureRequestUrlParams().path;\n const tenantId = principal.tenantId;\n\n // Add tenant ID to path parameters if it's part of the URL template and not already provided\n if (\n tenantId &&\n extractedPathParams.includes(tenantIdPathKey) &&\n !requestPathParams[tenantIdPathKey]\n ) {\n requestPathParams[tenantIdPathKey] = tenantId;\n }\n\n const ownerIdPathKey = this.ownerIdPathKey;\n const ownerId = principal.sub;\n\n // Add owner ID to path parameters if it's part of the URL template and not already provided\n if (\n ownerId &&\n extractedPathParams.includes(ownerIdPathKey) &&\n !requestPathParams[ownerIdPathKey]\n ) {\n requestPathParams[ownerIdPathKey] = ownerId;\n }\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Fetcher, ResultExtractors } from '@ahoo-wang/fetcher';\nimport { IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY } from './cosecRequestInterceptor';\n\n/\n Interface for access tokens.\n /\nexport interface AccessToken {\n accessToken: string;\n}\n\n/\n Interface for refresh tokens.\n /\nexport interface RefreshToken {\n refreshToken: string;\n}\n\n/\n Composite token interface that contains both access and refresh tokens.\n \n accessToken and refreshToken always appear in pairs, no need to split them.\n /\nexport interface CompositeToken extends AccessToken, RefreshToken {\n}\n\n/\n Interface for token refreshers.\n \n Provides a method to refresh tokens.\n /\nexport interface TokenRefresher {\n /\n Refresh the given token and return a new CompositeToken.\n \n @param token The token to refresh\n * @returns A Promise that resolves to a new CompositeToken\n /\n refresh(token: CompositeToken): Promise<CompositeToken>;\n}\n\nexport interface CoSecTokenRefresherOptions {\n fetcher: Fetcher;\n endpoint: string;\n}\n\n/\n CoSecTokenRefresher is a class that implements the TokenRefresher interface\n * for refreshing composite tokens through a configured endpoint.\n /\nexport class CoSecTokenRefresher implements TokenRefresher {\n /\n Creates a new instance of CoSecTokenRefresher.\n \n @param options The configuration options for the token refresher including fetcher and endpoint\n /\n constructor(public readonly options: CoSecTokenRefresherOptions) {\n }\n\n /\n Refresh the given token and return a new CompositeToken.\n \n @param token The token to refresh\n * @returns A Promise that resolves to a new CompositeToken\n /\n refresh(token: CompositeToken): Promise<CompositeToken> {\n // Send a POST request to the configured endpoint with the token as body\n // and extract the response as JSON to return a new CompositeToken\n\n return this.options.fetcher.post<CompositeToken>(\n this.options.endpoint,\n {\n body: token,\n },\n {\n resultExtractor: ResultExtractors.Json,\n attributes: new Map([[IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY, true]]),\n },\n );\n }\n}\n","/\n * Copyright [2021-present] [ahoo wang <ahoowang@qq.com> (https://github.com/Ahoo-Wang)].\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * http://www.apache.org/licenses/LICENSE-2.0\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { JwtCompositeToken, JwtCompositeTokenSerializer } from './jwtToken';\nimport { CompositeToken } from './tokenRefresher';\nimport { EarlyPeriodCapable } from './jwts';\nimport {\n KeyStorage, KeyStorageOptions,\n} from '@ahoo-wang/fetcher-storage';\nimport { PartialBy } from '@ahoo-wang/fetcher';\nimport { BroadcastTypedEventBus, SerialTypedEventBus } from '@ahoo-wang/fetcher-eventbus';\n\nexport const DEFAULT_COSEC_TOKEN_KEY = 'cosec-token';\n\nexport interface TokenStorageOptions extends Omit<KeyStorageOptions<JwtCompositeToken>, 'serializer'>, PartialBy<EarlyPeriodCapable, 'earlyPeriod'> {\n\n}\n\n/\n Storage class for managing access and refresh tokens.\n */\nexport class TokenStorage\n extends KeyStorage<JwtCompositeToken>\n implements EarlyPeriodCapable {\n public readonly earlyPeriod: number;\n\n constructor(\n options: TokenStorageOptions = {\n key: DEFAULT_COSEC_TOKEN_KEY,\n eventBus: new BroadcastTypedEventBus(new SerialTypedEventBus(DEFAULT_COSEC_TOKEN_KEY)),\n },\n ) {\n super({\n serializer: new JwtCompositeTokenSerializer(options.earlyPeriod),\n ...options,\n });\n this.earlyPeriod = options.earlyPeriod ?? 0;\n }\n\n setCompositeToken(compositeToken: CompositeToken) {\n this.set(new JwtCompositeToken(compositeToken));\n }\n}\n"],"names":["_CoSecHeaders","CoSecHeaders","_ResponseCodes","ResponseCodes","AuthorizeResults","NanoIdGenerator","nanoid","idGenerator","COSEC_REQUEST_INTERCEPTOR_NAME","COSEC_REQUEST_INTERCEPTOR_ORDER","REQUEST_BODY_INTERCEPTOR_ORDER","IGNORE_REFRESH_TOKEN_ATTRIBUTE_KEY","CoSecRequestInterceptor","options","exchange","requestId","deviceId","requestHeaders","AUTHORIZATION_REQUEST_INTERCEPTOR_NAME","AUTHORIZATION_REQUEST_INTERCEPTOR_ORDER","AuthorizationRequestInterceptor","currentToken","AUTHORIZATION_RESPONSE_INTERCEPTOR_NAME","AUTHORIZATION_RESPONSE_INTERCEPTOR_ORDER","AuthorizationResponseInterceptor","response","error","DEFAULT_COSEC_DEVICE_ID_KEY","DeviceIdStorage","KeyStorage","BroadcastTypedEventBus","SerialTypedEventBus","parseJwtPayload","token","parts","base64","paddedBase64","jsonPayload","c","isTokenExpired","earlyPeriod","payload","expAt","JwtToken","JwtCompositeToken","JwtCompositeTokenSerializer","value","compositeToken","jwtCompositeTokenSerializer","JwtTokenManager","tokenStorage","tokenRefresher","jwtToken","newToken","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_NAME","RESOURCE_ATTRIBUTION_REQUEST_INTERCEPTOR_ORDER","ResourceAttributionRequestInterceptor","tenantId","ownerId","principal","extractedPathParams","tenantIdPathKey","requestPathParams","ownerIdPathKey","CoSecTokenRefresher","ResultExtractors","DEFAULT_COSEC_TOKEN_KEY","TokenStorage"],"mappings":"yfAmBO,MAAMA,EAAN,MAAMA,CAAa,CAK1B,EAJEA,EAAgB,UAAY,kBAC5BA,EAAgB,OAAS,eACzBA,EAAgB,cAAgB,gBAChCA,EAAgB,WAAa,mBAJxB,IAAMC,EAAND,EAOA,MAAME,EAAN,MAAMA,CAAc,CAE3B,EADEA,EAAgB,aAAe,IAD1B,IAAMC,EAAND,EAuCA,MAAME,EAAmB,CAC9B,MAAO,CAAE,WAAY,GAAM,OAAQ,OAAA,EACnC,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,cAAe,CAAE,WAAY,GAAO,OAAQ,eAAA,EAC5C,kBAAmB,CAAE,WAAY,GAAO,OAAQ,mBAAA,CAClD,EChDO,MAAMC,CAAuC,CAMlD,YAAqB,CACnB,OAAOC,SAAA,CACT,CACF,CAEO,MAAMC,EAAc,IAAIF,ECLlBG,EAAiC,0BAMjCC,EACXC,EAAAA,+BAAiC,IAEtBC,EAAqC,uBAkB3C,MAAMC,CAAsD,CASjE,YAAYC,EAA8B,CAR1C,KAAS,KAAOL,EAChB,KAAS,MAAQC,EAQf,KAAK,QAAUI,CACjB,CAwBA,MAAM,UAAUC,EAAyB,CAEvC,MAAMC,EAAYR,EAAY,WAAA,EAGxBS,EAAW,KAAK,QAAQ,gBAAgB,YAAA,EAGxCC,EAAiBH,EAAS,qBAAA,EAGhCG,EAAehB,EAAa,MAAM,EAAI,KAAK,QAAQ,MACnDgB,EAAehB,EAAa,SAAS,EAAIe,EACzCC,EAAehB,EAAa,UAAU,EAAIc,CAC5C,CACF,CCjFO,MAAMG,EACX,kCACWC,EACXV,EAAkC,IAY7B,MAAMW,CAA8D,CASzE,YAA6BP,EAA0C,CAA1C,KAAA,QAAAA,EAR7B,KAAS,KAAOK,EAChB,KAAS,MAAQC,CAQjB,CAaA,MAAM,UAAUL,EAAwC,CAEtD,IAAIO,EAAe,KAAK,QAAQ,aAAa,aAE7C,MAAMJ,EAAiBH,EAAS,qBAAA,EAG5B,CAACO,GAAgBJ,EAAehB,EAAa,aAAa,IAM5D,CAACa,EAAS,WAAW,IAAIH,CAAkC,GAC3DU,EAAa,iBACbA,EAAa,eAEb,MAAM,KAAK,QAAQ,aAAa,QAAA,EAIlCA,EAAe,KAAK,QAAQ,aAAa,aAGrCA,IACFJ,EAAehB,EAAa,aAAa,EACvC,UAAUoB,EAAa,OAAO,KAAK,IAEzC,CACF,CCxEO,MAAMC,EACX,mCAMWC,EACX,OAAO,iBAAmB,IAYrB,MAAMC,CAAgE,CAS3E,YAAYX,EAA0C,CARtD,KAAS,KAAOS,EAChB,KAAS,MAAQC,EAQf,KAAK,QAAUV,CACjB,CAMA,MAAM,UAAUC,EAAwC,CACtD,MAAMW,EAAWX,EAAS,SAE1B,GAAKW,GAKDA,EAAS,SAAWtB,EAAc,cAIjC,KAAK,QAAQ,aAAa,cAG/B,GAAI,CACF,MAAM,KAAK,QAAQ,aAAa,QAAA,EAEhC,MAAMW,EAAS,QAAQ,aAAa,SAASA,CAAQ,CACvD,OAASY,EAAO,CAEd,WAAK,QAAQ,aAAa,aAAa,OAAA,EACjCA,CACR,CACF,CACF,CC/DO,MAAMC,EAA8B,kBASpC,MAAMC,UAAwBC,EAAAA,UAAmB,CACtD,YAAYhB,EAAkC,CAC5C,IAAKc,EACL,SAAU,IAAIG,EAAAA,uBAAuB,IAAIC,EAAAA,oBAAoBJ,CAA2B,CAAC,CAAA,EACxF,CACD,MAAMd,CAAO,CACf,CAOA,kBAA2B,CACzB,OAAON,EAAY,WAAA,CACrB,CAOA,aAAsB,CAEpB,IAAIS,EAAW,KAAK,IAAA,EACpB,OAAKA,IAEHA,EAAW,KAAK,iBAAA,EAChB,KAAK,IAAIA,CAAQ,GAGZA,CACT,CACF,CC6BO,SAASgB,EAAsCC,EAAyB,CAC7E,GAAI,CACF,GAAI,OAAOA,GAAU,SACnB,OAAO,KAET,MAAMC,EAAQD,EAAM,MAAM,GAAG,EAC7B,GAAIC,EAAM,SAAW,EACnB,OAAO,KAIT,MAAMC,EADYD,EAAM,CAAC,EACA,QAAQ,KAAM,GAAG,EAAE,QAAQ,KAAM,GAAG,EAGvDE,EAAeD,EAAO,OAC1BA,EAAO,QAAW,EAAKA,EAAO,OAAS,GAAM,EAC7C,GAAA,EAGIE,EAAc,mBAClB,KAAKD,CAAY,EACd,MAAM,EAAE,EACR,IAAI,SAASE,EAAG,CACf,MAAO,KAAO,KAAOA,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE,CAC7D,CAAC,EACA,KAAK,EAAE,CAAA,EAEZ,OAAO,KAAK,MAAMD,CAAW,CAC/B,OAASX,EAAO,CAEd,eAAQ,MAAM,4BAA6BA,CAAK,EACzC,IACT,CACF,CAyBO,SAASa,EACdN,EACAO,EAAsB,EACb,CACT,MAAMC,EAAU,OAAOR,GAAU,SAAWD,EAAgBC,CAAK,EAAIA,EACrE,GAAI,CAACQ,EACH,MAAO,GAGT,MAAMC,EAAQD,EAAQ,IACtB,OAAKC,EAIO,KAAK,IAAA,EAAQ,IACZA,EAAQF,EAJZ,EAKX,CC7HO,MAAMG,CACmB,CAM9B,YACkBV,EACAO,EAAsB,EACtC,CAFgB,KAAA,MAAAP,EACA,KAAA,YAAAO,EAEhB,KAAK,QAAUR,EAAyBC,CAAK,CAC/C,CAMA,IAAI,WAAqB,CACvB,OAAK,KAAK,QAGHM,EAAe,KAAK,QAAS,KAAK,WAAW,EAF3C,EAGX,CACF,CAkBO,MAAMK,CAC8C,CAOzD,YACkBX,EACAO,EAAsB,EACtC,CAFgB,KAAA,MAAAP,EACA,KAAA,YAAAO,EAEhB,KAAK,OAAS,IAAIG,EAASV,EAAM,YAAaO,CAAW,EACzD,KAAK,QAAU,IAAIG,EAASV,EAAM,aAAcO,CAAW,CAC7D,CAMA,IAAI,iBAA2B,CAC7B,OAAO,KAAK,OAAO,SACrB,CAMA,IAAI,eAAyB,CAC3B,MAAO,CAAC,KAAK,QAAQ,SACvB,CACF,CAKO,MAAMK,CAC0D,CACrE,YAA4BL,EAAsB,EAAG,CAAzB,KAAA,YAAAA,CAC5B,CAOA,YAAYM,EAAkC,CAC5C,MAAMC,EAAiB,KAAK,MAAMD,CAAK,EACvC,OAAO,IAAIF,EAAkBG,EAAgB,KAAK,WAAW,CAC/D,CAOA,UAAUD,EAAkC,CAC1C,OAAO,KAAK,UAAUA,EAAM,KAAK,CACnC,CACF,CAEO,MAAME,EAA8B,IAAIH,EC1HxC,MAAMI,CAAqD,CAQhE,YACkBC,EACAC,EAChB,CAFgB,KAAA,aAAAD,EACA,KAAA,eAAAC,CAElB,CAMA,IAAI,cAAyC,CAC3C,OAAO,KAAK,aAAa,IAAA,CAC3B,CAQA,MAAM,QAAQ9B,EAA8C,CAC1D,GAAI,CAACA,EAAc,CACjB,MAAM+B,EAAW,KAAK,aACtB,GAAI,CAACA,EACH,MAAM,IAAI,MAAM,gBAAgB,EAElC/B,EAAe+B,EAAS,KAC1B,CACA,OAAI,KAAK,kBACA,KAAK,mBAGd,KAAK,kBAAoB,KAAK,eAC3B,QAAQ/B,CAAY,EACpB,KAAKgC,GAAY,CAChB,KAAK,aAAa,kBAAkBA,CAAQ,CAC9C,CAAC,EACA,MAAM3B,GAAS,CACd,WAAK,aAAa,OAAA,EACZA,CACR,CAAC,EACA,QAAQ,IAAM,CACb,KAAK,kBAAoB,MAC3B,CAAC,EAEI,KAAK,kBACd,CAMA,IAAI,iBAA2B,CAC7B,OAAK,KAAK,aAGH,KAAK,aAAa,gBAFhB,EAGX,CAMA,IAAI,eAAyB,CAC3B,OAAK,KAAK,aAGH,KAAK,aAAa,cAFhB,EAGX,CACF,CC5DO,MAAM4B,EACX,wCAIWC,EACX,OAAO,iBAOF,MAAMC,CACmB,CAW9B,YAAY,CACE,SAAAC,EAAW,WACX,QAAAC,EAAU,UACV,aAAAR,CAAA,EAC6B,CAd3C,KAAS,KAAOI,EAChB,KAAS,MAAQC,EAcf,KAAK,gBAAkBE,EACvB,KAAK,eAAiBC,EACtB,KAAK,aAAeR,CACtB,CAOA,UAAUpC,EAA+B,CACvC,MAAMO,EAAe,KAAK,aAAa,IAAA,EACvC,GAAI,CAACA,EACH,OAEF,MAAMsC,EAAYtC,EAAa,OAAO,QAItC,GAHI,CAACsC,GAGD,CAACA,EAAU,UAAY,CAACA,EAAU,IACpC,OAIF,MAAMC,EACJ9C,EAAS,QAAQ,WAAW,oBAAoB,kBAC9CA,EAAS,QAAQ,GAAA,EAEf+C,EAAkB,KAAK,gBACvBC,EAAoBhD,EAAS,uBAAA,EAAyB,KACtD2C,EAAWE,EAAU,SAIzBF,GACAG,EAAoB,SAASC,CAAe,GAC5C,CAACC,EAAkBD,CAAe,IAElCC,EAAkBD,CAAe,EAAIJ,GAGvC,MAAMM,EAAiB,KAAK,eACtBL,EAAUC,EAAU,IAIxBD,GACAE,EAAoB,SAASG,CAAc,GAC3C,CAACD,EAAkBC,CAAc,IAEjCD,EAAkBC,CAAc,EAAIL,EAExC,CACF,CC1DO,MAAMM,CAA8C,CAMzD,YAA4BnD,EAAqC,CAArC,KAAA,QAAAA,CAC5B,CAQA,QAAQoB,EAAgD,CAItD,OAAO,KAAK,QAAQ,QAAQ,KAC1B,KAAK,QAAQ,SACb,CACE,KAAMA,CAAA,EAER,CACE,gBAAiBgC,EAAAA,iBAAiB,KAClC,eAAgB,IAAI,CAAC,CAACtD,EAAoC,EAAI,CAAC,CAAC,CAAA,CAClE,CAEJ,CACF,CCtEO,MAAMuD,EAA0B,cAShC,MAAMC,UACHtC,EAAAA,UACsB,CAG9B,YACEhB,EAA+B,CAC7B,IAAKqD,EACL,SAAU,IAAIpC,EAAAA,uBAAuB,IAAIC,EAAAA,oBAAoBmC,CAAuB,CAAC,CAAA,EAEvF,CACA,MAAM,CACJ,WAAY,IAAIrB,EAA4BhC,EAAQ,WAAW,EAC/D,GAAGA,CAAA,CACJ,EACD,KAAK,YAAcA,EAAQ,aAAe,CAC5C,CAEA,kBAAkBkC,EAAgC,CAChD,KAAK,IAAI,IAAIH,EAAkBG,CAAc,CAAC,CAChD,CACF"}

package/dist/jwts.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"jwts.d.ts","sourceRoot":"","sources":["../src/jwts.ts"],"names":[],"mappings":"AAYA;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED;;;GAGG;AACH,MAAM,WAAW,eAAgB,SAAQ,UAAU;IACjD;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAClC;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,GAAG,IAAI,~~CA8B7E~~;AAED,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,GAAG,eAAe,EAC/B,WAAW,GAAE,MAAU,GACtB,OAAO,CAaT"}
1	+ {"version":3,"file":"jwts.d.ts","sourceRoot":"","sources":["../src/jwts.ts"],"names":[],"mappings":"AAYA;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED;;;GAGG;AACH,MAAM,WAAW,eAAgB,SAAQ,UAAU;IACjD;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAClC;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,GAAG,IAAI,CAiC7E;AAED,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,GAAG,eAAe,EAC/B,WAAW,GAAE,MAAU,GACtB,OAAO,CAaT"}

package/dist/tokenStorage.d.ts CHANGED Viewed

@@ -1,14 +1,17 @@
 import { JwtCompositeToken } from './jwtToken';
 import { CompositeToken } from './tokenRefresher';
 import { EarlyPeriodCapable } from './jwts';
-import { KeyStorage } from '@ahoo-wang/fetcher-storage';
+import { KeyStorage, KeyStorageOptions } from '@ahoo-wang/fetcher-storage';
+import { PartialBy } from '@ahoo-wang/fetcher';
 export declare const DEFAULT_COSEC_TOKEN_KEY = "cosec-token";
+export interface TokenStorageOptions extends Omit<KeyStorageOptions<JwtCompositeToken>, 'serializer'>, PartialBy<EarlyPeriodCapable, 'earlyPeriod'> {
+}
 /**
  * Storage class for managing access and refresh tokens.
  */
 export declare class TokenStorage extends KeyStorage<JwtCompositeToken> implements EarlyPeriodCapable {
     readonly earlyPeriod: number;
-    constructor(key?: string, earlyPeriod?: number);
+    constructor(options?: TokenStorageOptions);
     setCompositeToken(compositeToken: CompositeToken): void;
 }
 //# sourceMappingURL=tokenStorage.d.ts.map

package/dist/tokenStorage.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tokenStorage.d.ts","sourceRoot":"","sources":["../src/tokenStorage.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,iBAAiB,EAA+B,MAAM,YAAY,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,QAAQ,CAAC;AAC5C,OAAO,~~EAEL~~,UAAU,~~EACX~~,MAAM,4BAA4B,CAAC;~~AAEpC~~,eAAO,MAAM,uBAAuB,gBAAgB,CAAC;AAErD;;GAEG;AACH,qBAAa,YACX,SAAQ,UAAU,CAAC,iBAAiB,CACpC,YAAW,kBAAkB;~~aAGX~~,WAAW,EAAE,MAAM;~~gBADnC~~,~~GAAG~~,GAAE,~~MAAgC,EACrB,WAAW,GAAE,MAAU~~;~~IASzC~~,iBAAiB,CAAC,cAAc,EAAE,cAAc;CAGjD"}
1	+ {"version":3,"file":"tokenStorage.d.ts","sourceRoot":"","sources":["../src/tokenStorage.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,iBAAiB,EAA+B,MAAM,YAAY,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,QAAQ,CAAC;AAC5C,OAAO,EACL,UAAU,EAAE,iBAAiB,EAC9B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAG/C,eAAO,MAAM,uBAAuB,gBAAgB,CAAC;AAErD,MAAM,WAAW,mBAAoB,SAAQ,IAAI,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,EAAE,YAAY,CAAC,EAAE,SAAS,CAAC,kBAAkB,EAAE,aAAa,CAAC;CAElJ;AAED;;GAEG;AACH,qBAAa,YACX,SAAQ,UAAU,CAAC,iBAAiB,CACpC,YAAW,kBAAkB;IAC7B,SAAgB,WAAW,EAAE,MAAM,CAAC;gBAGlC,OAAO,GAAE,mBAGR;IASH,iBAAiB,CAAC,cAAc,EAAE,cAAc;CAGjD"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ahoo-wang/fetcher-cosec",
-  "version": "2.8.8",
+  "version": "2.9.0",
   "description": "CoSec authentication integration for Fetcher HTTP client with enterprise-grade security features. Provides automatic token management, device ID persistence, and request tracking.",
   "keywords": [
     "fetch",
@@ -40,6 +40,7 @@
   ],
   "peerDependencies": {
     "@ahoo-wang/fetcher": "^2.3.4",
+    "@ahoo-wang/fetcher-eventbus": "^2.8.5",
     "@ahoo-wang/fetcher-storage": "^2.3.4"
   },
   "dependencies": {