@aifabrix/builder 2.6.1 → 2.6.3

package/lib/cli.js

@@ -437,8 +437,12 @@ function setupCommands(program) {
     });
 
   // Secrets management commands
-  program
-    .command('secrets set <key> <value>')
+  const secretsCmd = program
+    .command('secrets')
+    .description('Manage secrets in secrets files');
+
+  secretsCmd
+    .command('set <key> <value>')
     .description('Set a secret value in secrets file')
     .option('--shared', 'Save to general secrets file (from config.yaml aifabrix-secrets) instead of user secrets')
     .action(async(key, value, options) => {

package/lib/config.js

@@ -226,13 +226,23 @@ async function setCurrentEnvironment(environment) {
  * @returns {boolean} True if token is expired
  */
 function isTokenExpired(expiresAt) {
-  if (!expiresAt) {
-    return true;
-  }
+  if (!expiresAt) return true;
   const expirationTime = new Date(expiresAt).getTime();
   const now = Date.now();
-  // Add 5 minute buffer to refresh before actual expiration
-  return now >= (expirationTime - 5 * 60 * 1000);
+  return now >= (expirationTime - 5 * 60 * 1000); // 5 minute buffer
+}
+
+/**
+ * Check if token should be refreshed proactively (within 15 minutes of expiry)
+ * Helps keep Keycloak sessions alive by refreshing before SSO Session Idle timeout (30 minutes)
+ * @param {string} expiresAt - ISO timestamp string
+ * @returns {boolean} True if token should be refreshed proactively
+ */
+function shouldRefreshToken(expiresAt) {
+  if (!expiresAt) return true;
+  const expirationTime = new Date(expiresAt).getTime();
+  const now = Date.now();
+  return now >= (expirationTime - 15 * 60 * 1000); // 15 minutes buffer
 }
 
 /**
@@ -242,9 +252,7 @@ function isTokenExpired(expiresAt) {
  */
 async function getDeviceToken(controllerUrl) {
   const config = await getConfig();
-  if (!config.device || !config.device[controllerUrl]) {
-    return null;
-  }
+  if (!config.device || !config.device[controllerUrl]) return null;
   const deviceToken = config.device[controllerUrl];
   return {
     controller: controllerUrl,
@@ -262,12 +270,8 @@ async function getDeviceToken(controllerUrl) {
  */
 async function getClientToken(environment, appName) {
   const config = await getConfig();
-  if (!config.environments || !config.environments[environment]) {
-    return null;
-  }
-  if (!config.environments[environment].clients || !config.environments[environment].clients[appName]) {
-    return null;
-  }
+  if (!config.environments || !config.environments[environment]) return null;
+  if (!config.environments[environment].clients || !config.environments[environment].clients[appName]) return null;
   return config.environments[environment].clients[appName];
 }
 
@@ -281,14 +285,8 @@ async function getClientToken(environment, appName) {
  */
 async function saveDeviceToken(controllerUrl, token, refreshToken, expiresAt) {
   const config = await getConfig();
-  if (!config.device) {
-    config.device = {};
-  }
-  config.device[controllerUrl] = {
-    token: token,
-    refreshToken: refreshToken,
-    expiresAt: expiresAt
-  };
+  if (!config.device) config.device = {};
+  config.device[controllerUrl] = { token, refreshToken, expiresAt };
   await saveConfig(config);
 }
 
@@ -303,20 +301,10 @@ async function saveDeviceToken(controllerUrl, token, refreshToken, expiresAt) {
  */
 async function saveClientToken(environment, appName, controllerUrl, token, expiresAt) {
   const config = await getConfig();
-  if (!config.environments) {
-    config.environments = {};
-  }
-  if (!config.environments[environment]) {
-    config.environments[environment] = { clients: {} };
-  }
-  if (!config.environments[environment].clients) {
-    config.environments[environment].clients = {};
-  }
-  config.environments[environment].clients[appName] = {
-    controller: controllerUrl,
-    token: token,
-    expiresAt: expiresAt
-  };
+  if (!config.environments) config.environments = {};
+  if (!config.environments[environment]) config.environments[environment] = { clients: {} };
+  if (!config.environments[environment].clients) config.environments[environment].clients = {};
+  config.environments[environment].clients[appName] = { controller: controllerUrl, token, expiresAt };
   await saveConfig(config);
 }
 
@@ -468,6 +456,7 @@ const exportsObj = {
   getCurrentEnvironment,
   setCurrentEnvironment,
   isTokenExpired,
+  shouldRefreshToken,
   getDeviceToken,
   getClientToken,
   saveDeviceToken,

package/lib/utils/api.js

@@ -236,14 +236,30 @@ async function authenticatedApiCall(url, options = {}, token) {
       if (refreshedToken && refreshedToken.token) {
         // Retry request with new token
         headers['Authorization'] = `Bearer ${refreshedToken.token}`;
-        return makeApiCall(url, {
+        const retryResponse = await makeApiCall(url, {
           ...options,
           headers
         });
+        return retryResponse;
+      }
+
+      // Token refresh failed or no refresh token available
+      // Return a more helpful error message
+      if (!refreshedToken) {
+        return {
+          ...response,
+          error: 'Authentication failed: Token expired and refresh failed. Please login again using: aifabrix login',
+          formattedError: 'Authentication failed: Token expired and refresh failed. Please login again using: aifabrix login'
+        };
       }
     } catch (refreshError) {
-      // Refresh failed, return original 401 error
-      // This allows the caller to handle the authentication error
+      // Refresh failed, return original 401 error with additional context
+      const errorMessage = refreshError.message || String(refreshError);
+      return {
+        ...response,
+        error: `Authentication failed: ${errorMessage}. Please login again using: aifabrix login`,
+        formattedError: `Authentication failed: ${errorMessage}. Please login again using: aifabrix login`
+      };
     }
   }
 

package/lib/utils/token-manager.js

@@ -86,6 +86,17 @@ function isTokenExpired(expiresAt) {
   return config.isTokenExpired(expiresAt);
 }
 
+/**
+ * Check if token should be refreshed proactively
+ * Returns true if token is within 15 minutes of expiry
+ * This helps keep Keycloak sessions alive by refreshing before the SSO Session Idle timeout (30 minutes)
+ * @param {string} expiresAt - ISO timestamp string
+ * @returns {boolean} True if token should be refreshed proactively
+ */
+function shouldRefreshToken(expiresAt) {
+  return config.shouldRefreshToken(expiresAt);
+}
+
 /**
  * Refresh client token using credentials from secrets.local.yaml
  * Gets new token from API and saves it to config.yaml
@@ -184,7 +195,7 @@ async function getOrRefreshClientToken(environment, appName, controllerUrl) {
  * @param {string} controllerUrl - Controller URL
  * @param {string} refreshToken - Refresh token
  * @returns {Promise<{token: string, refreshToken: string, expiresAt: string}>} New token info
- * @throws {Error} If refresh fails
+ * @throws {Error} If refresh fails or refresh token is expired/invalid
  */
 async function refreshDeviceToken(controllerUrl, refreshToken) {
   if (!controllerUrl || typeof controllerUrl !== 'string') {
@@ -194,27 +205,41 @@ async function refreshDeviceToken(controllerUrl, refreshToken) {
     throw new Error('Refresh token is required');
   }
 
-  // Call API refresh endpoint
-  const tokenResponse = await apiRefreshDeviceToken(controllerUrl, refreshToken);
+  try {
+    // Call API refresh endpoint
+    const tokenResponse = await apiRefreshDeviceToken(controllerUrl, refreshToken);
 
-  const token = tokenResponse.access_token;
-  const newRefreshToken = tokenResponse.refresh_token || refreshToken; // Use new refresh token if provided, otherwise keep old one
-  const expiresIn = tokenResponse.expires_in || 3600;
-  const expiresAt = new Date(Date.now() + expiresIn * 1000).toISOString();
+    const token = tokenResponse.access_token;
+    const newRefreshToken = tokenResponse.refresh_token || refreshToken; // Use new refresh token if provided, otherwise keep old one
+    const expiresIn = tokenResponse.expires_in || 3600;
+    const expiresAt = new Date(Date.now() + expiresIn * 1000).toISOString();
 
-  // Save new token and refresh token to config
-  await config.saveDeviceToken(controllerUrl, token, newRefreshToken, expiresAt);
+    // Save new token and refresh token to config
+    await config.saveDeviceToken(controllerUrl, token, newRefreshToken, expiresAt);
 
-  return {
-    token,
-    refreshToken: newRefreshToken,
-    expiresAt
-  };
+    return {
+      token,
+      refreshToken: newRefreshToken,
+      expiresAt
+    };
+  } catch (error) {
+    // Check if error indicates refresh token expiry (case-insensitive)
+    const errorMessage = (error.message || String(error)).toLowerCase();
+    if (errorMessage.includes('expired') ||
+        errorMessage.includes('invalid') ||
+        errorMessage.includes('401') ||
+        errorMessage.includes('unauthorized')) {
+      throw new Error('Refresh token has expired. Please login again using: aifabrix login');
+    }
+    // Re-throw other errors as-is
+    throw error;
+  }
 }
 
 /**
  * Get or refresh device token for controller
- * Checks if token exists and is valid, refreshes if expired using refresh token
+ * Checks if token exists and is valid, refreshes proactively if within 15 minutes of expiry
+ * This helps keep Keycloak sessions alive by refreshing before the SSO Session Idle timeout (30 minutes)
  * @param {string} controllerUrl - Controller URL
  * @returns {Promise<{token: string, controller: string}|null>} Token and controller URL, or null if not available
  */
@@ -226,18 +251,23 @@ async function getOrRefreshDeviceToken(controllerUrl) {
     return null;
   }
 
-  // Check if token is expired
-  if (!isTokenExpired(tokenInfo.expiresAt)) {
-    // Token is valid
+  // Check if token should be refreshed proactively (within 15 minutes of expiry)
+  // This ensures we refresh before Keycloak's SSO Session Idle timeout (30 minutes)
+  const needsRefresh = shouldRefreshToken(tokenInfo.expiresAt);
+
+  if (!needsRefresh) {
+    // Token is valid and doesn't need refresh yet
     return {
       token: tokenInfo.token,
       controller: tokenInfo.controller
     };
   }
 
-  // Token is expired, try to refresh if refresh token exists
+  // Token needs refresh (expired or within 15 minutes of expiry)
+  // Try to refresh if refresh token exists
   if (!tokenInfo.refreshToken) {
     // No refresh token available
+    logger.warn('Access token expired and no refresh token available. Please login again using: aifabrix login');
     return null;
   }
 
@@ -248,8 +278,13 @@ async function getOrRefreshDeviceToken(controllerUrl) {
       controller: controllerUrl
     };
   } catch (error) {
-    // Refresh failed, return null
-    logger.warn(`Failed to refresh device token: ${error.message}`);
+    // Refresh failed - check if it's a refresh token expiry
+    const errorMessage = error.message || String(error);
+    if (errorMessage.includes('Refresh token has expired')) {
+      logger.warn(`Refresh token expired: ${errorMessage}`);
+    } else {
+      logger.warn(`Failed to refresh device token: ${errorMessage}`);
+    }
     return null;
   }
 }
@@ -370,6 +405,7 @@ module.exports = {
   getDeviceToken,
   getClientToken,
   isTokenExpired,
+  shouldRefreshToken,
   refreshClientToken,
   refreshDeviceToken,
   loadClientCredentials,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.6.1",
+  "version": "2.6.3",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {