@aifabrix/miso-client 3.1.1 → 3.2.0

package/dist/utils/data-client.js

@@ -3,135 +3,23 @@
  * DataClient - Browser-compatible HTTP client wrapper around MisoClient
  * Provides enhanced HTTP capabilities with ISO 27001 compliance, caching, retry, and more
  */
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DataClient = void 0;
 exports.dataClient = dataClient;
 const index_1 = require("../index");
-const data_client_types_1 = require("../types/data-client.types");
 const data_masker_1 = require("./data-masker");
-const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
-const token_utils_1 = require("./token-utils");
-/**
- * Check if running in browser environment
- */
-function isBrowser() {
-    return (typeof globalThis.window !== "undefined" &&
-        typeof globalThis.localStorage !== "undefined" &&
-        typeof globalThis.fetch !== "undefined");
-}
-/**
- * Get value from localStorage (browser only)
- */
-function getLocalStorage(key) {
-    if (!isBrowser())
-        return null;
-    try {
-        return globalThis.localStorage.getItem(key);
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Set value in localStorage (browser only)
- */
-function setLocalStorage(key, value) {
-    if (!isBrowser())
-        return;
-    try {
-        globalThis.localStorage.setItem(key, value);
-    }
-    catch {
-        // Ignore localStorage errors (SSR, private browsing, etc.)
-    }
-}
-/**
- * Remove value from localStorage (browser only)
- */
-function removeLocalStorage(key) {
-    if (!isBrowser())
-        return;
-    try {
-        globalThis.localStorage.removeItem(key);
-    }
-    catch {
-        // Ignore localStorage errors (SSR, private browsing, etc.)
-    }
-}
-/**
- * Extract userId from JWT token
- */
-function extractUserIdFromToken(token) {
-    try {
-        const decoded = jsonwebtoken_1.default.decode(token);
-        if (!decoded)
-            return null;
-        return (decoded.sub || decoded.userId || decoded.user_id || decoded.id);
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Calculate cache key from endpoint and options
- */
-function generateCacheKey(endpoint, options) {
-    const method = options?.method || "GET";
-    const body = options?.body ? JSON.stringify(options.body) : "";
-    return `data-client:${method}:${endpoint}:${body}`;
-}
-/**
- * Truncate large payloads before masking (performance optimization)
- */
-function truncatePayload(data, maxSize) {
-    const json = JSON.stringify(data);
-    if (json.length <= maxSize) {
-        return { data, truncated: false };
-    }
-    return {
-        data: { _message: "Payload truncated for performance", _size: json.length },
-        truncated: true,
-    };
-}
-/**
- * Calculate request/response sizes
- */
-function calculateSize(data) {
-    try {
-        return JSON.stringify(data).length;
-    }
-    catch {
-        return 0;
-    }
-}
-/**
- * Check if error is retryable
- */
-function isRetryableError(statusCode, _error) {
-    if (!statusCode)
-        return true; // Network errors are retryable
-    if (statusCode >= 500)
-        return true; // Server errors
-    if (statusCode === 408)
-        return true; // Timeout
-    if (statusCode === 429)
-        return true; // Rate limit
-    if (statusCode === 401 || statusCode === 403)
-        return false; // Auth errors
-    if (statusCode >= 400 && statusCode < 500)
-        return false; // Client errors
-    return false;
-}
-/**
- * Calculate exponential backoff delay
- */
-function calculateBackoffDelay(attempt, baseDelay, maxDelay) {
-    const delay = Math.min(baseDelay * Math.pow(2, attempt), maxDelay);
-    return delay + Math.random() * 1000; // Add jitter
-}
+const data_client_utils_1 = require("./data-client-utils");
+const data_client_cache_1 = require("./data-client-cache");
+const data_client_request_1 = require("./data-client-request");
+const data_client_auth_1 = require("./data-client-auth");
+const data_client_redirect_1 = require("./data-client-redirect");
+const browser_permission_service_1 = require("../services/browser-permission.service");
+const browser_role_service_1 = require("../services/browser-role.service");
+const cache_service_1 = require("../services/cache.service");
+const http_client_1 = require("../utils/http-client");
+const internal_http_client_1 = require("../utils/internal-http-client");
+const logger_service_1 = require("../services/logger.service");
+const redis_service_1 = require("../services/redis.service");
 class DataClient {
     constructor(config) {
         this.misoClient = null;
@@ -145,6 +33,8 @@ class DataClient {
             cacheHits: 0,
             cacheMisses: 0,
         };
+        this.permissionService = null;
+        this.roleService = null;
         this.config = {
             tokenKeys: ["token", "accessToken", "authToken"],
             loginUrl: "/login",
@@ -172,7 +62,7 @@ class DataClient {
         };
         // Security: Warn if clientSecret is provided in browser environment
         // This is a security risk as clientSecret should never be exposed in client-side code
-        if (isBrowser() && this.config.misoConfig?.clientSecret) {
+        if ((0, data_client_utils_1.isBrowser)() && this.config.misoConfig?.clientSecret) {
             console.warn("⚠️ SECURITY WARNING: clientSecret detected in browser environment. " +
                 "Client secrets should NEVER be exposed in client-side code. " +
                 "Use the client token pattern instead (clientToken + onClientTokenRefresh). " +
@@ -180,68 +70,79 @@ class DataClient {
         }
         // Initialize MisoClient if config provided
         if (this.config.misoConfig) {
-            this.misoClient = new index_1.MisoClient(this.config.misoConfig);
+            // Automatically bridge DataClient.getEnvironmentToken() to MisoClient
+            // This allows MisoClient's logger service to get client tokens automatically
+            // Users don't need to manually provide onClientTokenRefresh!
+            const misoConfigWithRefresh = {
+                ...this.config.misoConfig,
+                // Only auto-bridge if:
+                // 1. User hasn't provided onClientTokenRefresh (allow override)
+                // 2. We're in browser (server-side uses clientSecret)
+                // 3. No clientSecret provided (would use that instead)
+                onClientTokenRefresh: this.config.misoConfig.onClientTokenRefresh ||
+                    ((0, data_client_utils_1.isBrowser)() && !this.config.misoConfig.clientSecret
+                        ? async () => {
+                            const token = await this.getEnvironmentToken();
+                            if (!token) {
+                                throw new Error("Failed to get client token");
+                            }
+                            // Get expiration from localStorage (set by getEnvironmentToken)
+                            const expiresAtStr = (0, data_client_utils_1.getLocalStorage)("miso:client-token-expires-at");
+                            const expiresAt = expiresAtStr
+                                ? parseInt(expiresAtStr, 10)
+                                : Date.now() + 3600000; // Default 1 hour
+                            const expiresIn = Math.floor((expiresAt - Date.now()) / 1000);
+                            return {
+                                token,
+                                expiresIn: expiresIn > 0 ? expiresIn : 3600, // Default 1 hour if invalid
+                            };
+                        }
+                        : undefined),
+            };
+            this.misoClient = new index_1.MisoClient(misoConfigWithRefresh);
         }
         // Initialize DataMasker with config path if provided
         if (this.config.misoConfig?.sensitiveFieldsConfig) {
             data_masker_1.DataMasker.setConfigPath(this.config.misoConfig.sensitiveFieldsConfig);
         }
+        // Initialize browser-compatible permission and role services
+        // These services need HttpClient and CacheService, so they're initialized after MisoClient
+        if (this.misoClient && this.config.misoConfig) {
+            // Create InternalHttpClient first (base HTTP functionality)
+            const internalClient = new internal_http_client_1.InternalHttpClient(this.config.misoConfig);
+            // Create Redis service (will be undefined for browser, but needed for LoggerService)
+            const redis = new redis_service_1.RedisService(this.config.misoConfig.redis);
+            // Create LoggerService with InternalHttpClient (needs httpClient.request() and httpClient.config)
+            const logger = new logger_service_1.LoggerService(internalClient, redis);
+            // Create HttpClient that wraps InternalHttpClient with logger
+            const httpClient = new http_client_1.HttpClient(this.config.misoConfig, logger);
+            // Update LoggerService to use the new HttpClient (for logging)
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            logger.httpClient = httpClient;
+            // Create CacheService without Redis (in-memory only for browser)
+            const cacheService = new cache_service_1.CacheService(undefined);
+            // Create browser-compatible services
+            this.permissionService = new browser_permission_service_1.BrowserPermissionService(httpClient, cacheService);
+            this.roleService = new browser_role_service_1.BrowserRoleService(httpClient, cacheService);
+        }
     }
     /**
      * Get authentication token from localStorage
      */
     getToken() {
-        if (!isBrowser())
-            return null;
-        const keys = this.config.tokenKeys || ["token", "accessToken", "authToken"];
-        for (const key of keys) {
-            const token = getLocalStorage(key);
-            if (token)
-                return token;
-        }
-        return null;
+        return (0, data_client_auth_1.getToken)(this.config.tokenKeys);
     }
     /**
      * Check if client token is available (from localStorage cache or config)
      */
     hasClientToken() {
-        if (!isBrowser()) {
-            // Server-side: check if misoClient config has clientSecret
-            if (this.misoClient && this.config.misoConfig?.clientSecret) {
-                return true;
-            }
-            return false;
-        }
-        // Browser-side: check localStorage cache
-        const cachedToken = getLocalStorage("miso:client-token");
-        if (cachedToken) {
-            const expiresAtStr = getLocalStorage("miso:client-token-expires-at");
-            if (expiresAtStr) {
-                const expiresAt = parseInt(expiresAtStr, 10);
-                if (expiresAt > Date.now()) {
-                    return true; // Valid cached token
-                }
-            }
-        }
-        // Check config token
-        if (this.config.misoConfig?.clientToken) {
-            return true;
-        }
-        // Check if misoClient config has onClientTokenRefresh callback (browser pattern)
-        if (this.config.misoConfig?.onClientTokenRefresh) {
-            return true; // Has means to get client token
-        }
-        // Check if misoClient config has clientSecret (server-side fallback)
-        if (this.config.misoConfig?.clientSecret) {
-            return true;
-        }
-        return false;
+        return (0, data_client_auth_1.hasClientToken)(this.misoClient, this.config.misoConfig);
     }
     /**
      * Check if any authentication token is available (user token OR client token)
      */
     hasAnyToken() {
-        return this.getToken() !== null || this.hasClientToken();
+        return (0, data_client_auth_1.hasAnyToken)(this.config.tokenKeys, this.misoClient, this.config.misoConfig);
     }
     /**
      * Get client token for requests
@@ -249,31 +150,7 @@ class DataClient {
      * @returns Client token string or null if unavailable
      */
     async getClientToken() {
-        if (!isBrowser()) {
-            // Server-side: return null (client token handled by MisoClient)
-            return null;
-        }
-        // Check localStorage cache first
-        const cachedToken = getLocalStorage("miso:client-token");
-        const expiresAtStr = getLocalStorage("miso:client-token-expires-at");
-        if (cachedToken && expiresAtStr) {
-            const expiresAt = parseInt(expiresAtStr, 10);
-            if (expiresAt > Date.now()) {
-                return cachedToken; // Valid cached token
-            }
-        }
-        // Check config token
-        if (this.config.misoConfig?.clientToken) {
-            return this.config.misoConfig.clientToken;
-        }
-        // Try to get via getEnvironmentToken() (may throw if unavailable)
-        try {
-            return await this.getEnvironmentToken();
-        }
-        catch (error) {
-            console.warn("Failed to get client token:", error);
-            return null;
-        }
+        return (0, data_client_auth_1.getClientToken)(this.config.misoConfig, this.config.baseUrl, () => this.getEnvironmentToken());
     }
     /**
      * Build controller URL from configuration
@@ -281,19 +158,7 @@ class DataClient {
      * @returns Controller base URL or null if not configured
      */
     getControllerUrl() {
-        if (!this.config.misoConfig) {
-            return null;
-        }
-        // Browser: prefer controllerPublicUrl, fallback to controllerUrl
-        if (isBrowser()) {
-            return this.config.misoConfig.controllerPublicUrl ||
-                this.config.misoConfig.controllerUrl ||
-                null;
-        }
-        // Server: prefer controllerPrivateUrl, fallback to controllerUrl
-        return this.config.misoConfig.controllerPrivateUrl ||
-            this.config.misoConfig.controllerUrl ||
-            null;
+        return (0, data_client_auth_1.getControllerUrl)(this.config.misoConfig);
     }
     /**
      * Check if user is authenticated
@@ -307,71 +172,7 @@ class DataClient {
      * @param redirectUrl - Optional redirect URL to return to after login (defaults to current page URL)
      */
     async redirectToLogin(redirectUrl) {
-        if (!isBrowser())
-            return;
-        // Get redirect URL - use provided URL or current page URL
-        const currentUrl = globalThis.window.location.href;
-        const finalRedirectUrl = redirectUrl || currentUrl;
-        // Build controller URL
-        const controllerUrl = this.getControllerUrl();
-        if (!controllerUrl) {
-            // Fallback to static loginUrl if controller URL not configured
-            const loginUrl = this.config.loginUrl || "/login";
-            const fullUrl = /^https?:\/\//i.test(loginUrl)
-                ? loginUrl
-                : `${globalThis.window.location.origin}${loginUrl.startsWith("/") ? loginUrl : `/${loginUrl}`}`;
-            globalThis.window.location.href = fullUrl;
-            return;
-        }
-        try {
-            // Get client token
-            const clientToken = await this.getClientToken();
-            // Build login endpoint URL with query parameters
-            const loginEndpoint = `${controllerUrl}/api/v1/auth/login`;
-            const url = new URL(loginEndpoint);
-            url.searchParams.set("redirect", finalRedirectUrl);
-            // Build headers
-            const headers = {
-                "Content-Type": "application/json",
-            };
-            // Add x-client-token header if available
-            if (clientToken) {
-                headers["x-client-token"] = clientToken;
-            }
-            // Make fetch request
-            const response = await fetch(url.toString(), {
-                method: "GET",
-                headers,
-                credentials: "include", // Include cookies for CORS
-            });
-            if (!response.ok) {
-                throw new Error(`Login request failed: ${response.status} ${response.statusText}`);
-            }
-            const data = (await response.json());
-            // Extract loginUrl (support both nested and flat formats)
-            const loginUrl = data.data?.loginUrl || data.loginUrl;
-            if (loginUrl) {
-                // Redirect to the login URL returned by controller
-                globalThis.window.location.href = loginUrl;
-            }
-            else {
-                // Fallback if loginUrl not in response
-                const fallbackLoginUrl = this.config.loginUrl || "/login";
-                const fullUrl = /^https?:\/\//i.test(fallbackLoginUrl)
-                    ? fallbackLoginUrl
-                    : `${globalThis.window.location.origin}${fallbackLoginUrl.startsWith("/") ? fallbackLoginUrl : `/${fallbackLoginUrl}`}`;
-                globalThis.window.location.href = fullUrl;
-            }
-        }
-        catch (error) {
-            // On error, fallback to static loginUrl
-            console.error("Failed to get login URL from controller:", error);
-            const loginUrl = this.config.loginUrl || "/login";
-            const fullUrl = /^https?:\/\//i.test(loginUrl)
-                ? loginUrl
-                : `${globalThis.window.location.origin}${loginUrl.startsWith("/") ? loginUrl : `/${loginUrl}`}`;
-            globalThis.window.location.href = fullUrl;
-        }
+        return (0, data_client_redirect_1.redirectToLogin)(this.config, () => this.getClientToken(), redirectUrl);
     }
     /**
      * Logout user and redirect
@@ -379,70 +180,7 @@ class DataClient {
      * @param redirectUrl - Optional redirect URL after logout (defaults to logoutUrl or loginUrl)
      */
     async logout(redirectUrl) {
-        if (!isBrowser())
-            return;
-        const token = this.getToken();
-        // Build controller URL
-        const controllerUrl = this.getControllerUrl();
-        // Call logout API if controller URL available and token exists
-        if (controllerUrl && token) {
-            try {
-                // Get client token
-                const clientToken = await this.getClientToken();
-                // Build logout endpoint URL
-                const logoutEndpoint = `${controllerUrl}/api/v1/auth/logout`;
-                // Build headers
-                const headers = {
-                    "Content-Type": "application/json",
-                };
-                // Add x-client-token header if available
-                if (clientToken) {
-                    headers["x-client-token"] = clientToken;
-                }
-                // Make fetch request
-                const response = await fetch(logoutEndpoint, {
-                    method: "POST",
-                    headers,
-                    body: JSON.stringify({ token }),
-                    credentials: "include", // Include cookies for CORS
-                });
-                if (!response.ok) {
-                    // Log error but continue with cleanup (logout should always clear local state)
-                    const errorText = await response.text().catch(() => "Unknown error");
-                    console.error(`Logout API call failed: ${response.status} ${response.statusText}. ${errorText}`);
-                }
-            }
-            catch (error) {
-                // Log error but continue with cleanup (logout should always clear local state)
-                console.error("Logout API call failed:", error);
-            }
-        }
-        // Clear tokens from localStorage (always, even if API call failed)
-        const keys = this.config.tokenKeys || ["token", "accessToken", "authToken"];
-        keys.forEach(key => {
-            try {
-                const storage = globalThis.localStorage;
-                if (storage) {
-                    storage.removeItem(key);
-                }
-            }
-            catch (e) {
-                // Ignore localStorage errors (SSR, private browsing, etc.)
-            }
-        });
-        // Clear HTTP cache
-        this.clearCache();
-        // Determine redirect URL: redirectUrl param > logoutUrl config > loginUrl config > '/login'
-        const finalRedirectUrl = redirectUrl ||
-            this.config.logoutUrl ||
-            this.config.loginUrl ||
-            "/login";
-        // Construct full URL
-        const fullUrl = /^https?:\/\//i.test(finalRedirectUrl)
-            ? finalRedirectUrl
-            : `${globalThis.window.location.origin}${finalRedirectUrl.startsWith("/") ? finalRedirectUrl : `/${finalRedirectUrl}`}`;
-        // Redirect
-        globalThis.window.location.href = fullUrl;
+        return (0, data_client_auth_1.logout)(this.config, () => this.getToken(), () => this.getClientToken(), () => this.clearCache(), redirectUrl);
     }
     /**
      * Set interceptors
@@ -488,7 +226,7 @@ class DataClient {
      * Get request metrics
      */
     getMetrics() {
-        const responseTimes = this.metrics.responseTimes.sort((a, b) => a - b);
+        const responseTimes = (this.metrics.responseTimes || []).sort((a, b) => a - b);
         const len = responseTimes.length;
         return {
             totalRequests: this.metrics.totalRequests,
@@ -512,141 +250,21 @@ class DataClient {
                 : 0,
         };
     }
-    /**
-     * Check if endpoint should skip audit logging
-     */
-    shouldSkipAudit(endpoint) {
-        if (!this.config.audit?.enabled)
-            return true;
-        const skipEndpoints = this.config.audit.skipEndpoints || [];
-        return skipEndpoints.some((skip) => endpoint.includes(skip));
-    }
-    /**
-     * Log audit event (ISO 27001 compliance)
-     * Skips audit logging if no authentication token is available (user token OR client token)
-     */
-    async logAuditEvent(method, url, statusCode, duration, requestSize, responseSize, error, requestHeaders, responseHeaders, requestBody, responseBody) {
-        if (this.shouldSkipAudit(url) || !this.misoClient)
-            return;
-        // Skip audit logging if no authentication token is available
-        // This prevents 401 errors when attempting to audit log unauthenticated requests
-        if (!this.hasAnyToken()) {
-            // Silently skip audit logging for unauthenticated requests
-            // This is expected behavior and prevents 401 errors
-            return;
-        }
-        try {
-            const token = this.getToken();
-            const userId = token ? extractUserIdFromToken(token) : undefined;
-            const auditLevel = this.config.audit?.level || "standard";
-            // Build audit context based on level
-            const auditContext = {
-                method,
-                url,
-                statusCode,
-                duration,
-            };
-            if (userId) {
-                auditContext.userId = userId;
-            }
-            // Minimal level: only basic info
-            if (auditLevel === "minimal") {
-                await this.misoClient.log.audit(`http.request.${method.toLowerCase()}`, url, auditContext, { token: token || undefined });
-                return;
-            }
-            // Standard/Detailed/Full levels: include headers and bodies (masked)
-            const maxResponseSize = this.config.audit?.maxResponseSize || 10000;
-            const maxMaskingSize = this.config.audit?.maxMaskingSize || 50000;
-            // Truncate and mask request body
-            let maskedRequestBody = undefined;
-            if (requestBody !== undefined) {
-                const truncated = truncatePayload(requestBody, maxMaskingSize);
-                if (!truncated.truncated) {
-                    maskedRequestBody = data_masker_1.DataMasker.maskSensitiveData(truncated.data);
-                }
-                else {
-                    maskedRequestBody = truncated.data;
-                }
-            }
-            // Truncate and mask response body (for standard, detailed, full levels)
-            let maskedResponseBody = undefined;
-            if (responseBody !== undefined) {
-                const truncated = truncatePayload(responseBody, maxResponseSize);
-                if (!truncated.truncated) {
-                    maskedResponseBody = data_masker_1.DataMasker.maskSensitiveData(truncated.data);
-                }
-                else {
-                    maskedResponseBody = truncated.data;
-                }
-            }
-            // Mask headers
-            const maskedRequestHeaders = requestHeaders
-                ? data_masker_1.DataMasker.maskSensitiveData(requestHeaders)
-                : undefined;
-            const maskedResponseHeaders = responseHeaders
-                ? data_masker_1.DataMasker.maskSensitiveData(responseHeaders)
-                : undefined;
-            // Add to context based on level (standard, detailed, full all include headers/bodies)
-            if (maskedRequestHeaders)
-                auditContext.requestHeaders = maskedRequestHeaders;
-            if (maskedResponseHeaders)
-                auditContext.responseHeaders = maskedResponseHeaders;
-            if (maskedRequestBody !== undefined)
-                auditContext.requestBody = maskedRequestBody;
-            if (maskedResponseBody !== undefined)
-                auditContext.responseBody = maskedResponseBody;
-            // Add sizes for detailed/full levels
-            if (auditLevel === "detailed" || auditLevel === "full") {
-                if (requestSize !== undefined)
-                    auditContext.requestSize = requestSize;
-                if (responseSize !== undefined)
-                    auditContext.responseSize = responseSize;
-            }
-            if (error) {
-                const maskedError = data_masker_1.DataMasker.maskSensitiveData({
-                    message: error.message,
-                    name: error.name,
-                    stack: error.stack,
-                });
-                auditContext.error = maskedError;
-            }
-            await this.misoClient.log.audit(`http.request.${method.toLowerCase()}`, url, auditContext, { token: token || undefined });
-        }
-        catch (auditError) {
-            // Handle audit logging errors gracefully
-            // Don't fail main request if audit logging fails
-            const error = auditError;
-            const statusCode = error.statusCode || error.response?.status;
-            if (statusCode === 401) {
-                // User not authenticated - this is expected for unauthenticated requests
-                // Silently skip to avoid noise (we already check hasAnyToken() before attempting)
-                // This catch block handles edge cases where token becomes unavailable between check and audit call
-            }
-            else {
-                // Other errors - log warning but don't fail request
-                console.warn("Failed to log audit event:", auditError);
-            }
-        }
-    }
     /**
      * Make HTTP request with all features (caching, retry, deduplication, audit)
      */
     async request(method, endpoint, options) {
         const startTime = Date.now();
         const fullUrl = `${this.config.baseUrl}${endpoint}`;
-        const cacheKey = generateCacheKey(endpoint, options);
+        const cacheKey = (0, data_client_cache_1.getCacheKeyForRequest)(endpoint, options);
         const isGetRequest = method.toUpperCase() === "GET";
-        const cacheEnabled = (this.config.cache?.enabled !== false) &&
-            isGetRequest &&
-            (options?.cache?.enabled !== false);
+        const cacheEnabled = (0, data_client_cache_1.isCacheEnabled)(method, this.config.cache, options);
         // Check cache for GET requests
         if (cacheEnabled) {
-            const cached = this.cache.get(cacheKey);
-            if (cached && cached.expiresAt > Date.now()) {
-                this.metrics.cacheHits++;
-                return cached.data;
+            const cached = (0, data_client_cache_1.getCachedEntry)(this.cache, cacheKey, this.metrics);
+            if (cached !== null) {
+                return cached;
             }
-            this.metrics.cacheMisses++;
         }
         // Check for duplicate concurrent requests (only for GET requests)
         if (isGetRequest) {
@@ -656,7 +274,7 @@ class DataClient {
             }
         }
         // Create request promise
-        const requestPromise = this.executeRequest(method, fullUrl, endpoint, options, cacheKey, cacheEnabled, startTime);
+        const requestPromise = (0, data_client_request_1.executeHttpRequest)(method, fullUrl, endpoint, this.config, this.cache, cacheKey, cacheEnabled, startTime, this.misoClient, () => this.hasAnyToken(), () => this.getToken(), () => this.handleAuthError(), this.interceptors, this.metrics, options);
         // Store pending request (only for GET requests)
         if (isGetRequest) {
             this.pendingRequests.set(cacheKey, requestPromise);
@@ -672,221 +290,11 @@ class DataClient {
             }
         }
     }
-    /**
-     * Execute HTTP request with retry logic
-     */
-    async executeRequest(method, fullUrl, endpoint, options, cacheKey, cacheEnabled, startTime) {
-        const maxRetries = options?.retries !== undefined
-            ? options.retries
-            : this.config.retry?.maxRetries || 3;
-        const retryEnabled = this.config.retry?.enabled !== false;
-        let lastError;
-        for (let attempt = 0; attempt <= maxRetries; attempt++) {
-            try {
-                const response = await this.makeFetchRequest(method, fullUrl, options);
-                const duration = Date.now() - startTime;
-                // Update metrics
-                this.metrics.totalRequests++;
-                this.metrics.responseTimes.push(duration);
-                // Parse response
-                const data = await this.parseResponse(response);
-                // Cache successful GET responses
-                if (cacheEnabled && response.ok) {
-                    const ttl = options?.cache?.ttl || this.config.cache?.defaultTTL || 300;
-                    this.cache.set(cacheKey, {
-                        data,
-                        expiresAt: Date.now() + ttl * 1000,
-                        key: cacheKey,
-                    });
-                    // Enforce max cache size
-                    if (this.cache.size > (this.config.cache?.maxSize || 100)) {
-                        const firstKey = this.cache.keys().next().value;
-                        if (firstKey)
-                            this.cache.delete(firstKey);
-                    }
-                }
-                // Apply response interceptor
-                if (this.interceptors.onResponse) {
-                    return await this.interceptors.onResponse(response, data);
-                }
-                // Audit logging
-                if (!options?.skipAudit) {
-                    const requestSize = options?.body
-                        ? calculateSize(options.body)
-                        : undefined;
-                    const responseSize = calculateSize(data);
-                    await this.logAuditEvent(method, endpoint, response.status, duration, requestSize, responseSize, undefined, this.extractHeaders(options?.headers), this.extractHeaders(response.headers), options?.body, data);
-                }
-                // Handle error responses
-                if (!response.ok) {
-                    if (response.status === 401) {
-                        this.handleAuthError();
-                        throw new data_client_types_1.AuthenticationError("Authentication required", response);
-                    }
-                    throw new data_client_types_1.ApiError(`Request failed with status ${response.status}`, response.status, response);
-                }
-                return data;
-            }
-            catch (error) {
-                lastError = error;
-                const duration = Date.now() - startTime;
-                // Extract statusCode from error (handle AuthenticationError and ApiError)
-                const errorObj = error;
-                let statusCode = errorObj.statusCode;
-                // Explicitly check for AuthenticationError (401) - don't retry auth errors
-                if (errorObj.name === "AuthenticationError" || statusCode === 401) {
-                    statusCode = 401;
-                }
-                // Check if retryable - 401/403 errors should never retry
-                const isRetryable = statusCode !== 401 &&
-                    statusCode !== 403 &&
-                    retryEnabled &&
-                    attempt < maxRetries &&
-                    isRetryableError(statusCode, error);
-                if (!isRetryable) {
-                    this.metrics.totalFailures++;
-                    // Audit log error
-                    if (!options?.skipAudit) {
-                        await this.logAuditEvent(method, endpoint, error.statusCode || 0, duration, options?.body ? calculateSize(options.body) : undefined, undefined, error, this.extractHeaders(options?.headers), undefined, options?.body, undefined);
-                    }
-                    // Apply error interceptor
-                    if (this.interceptors.onError) {
-                        throw await this.interceptors.onError(error);
-                    }
-                    throw error;
-                }
-                // Calculate backoff delay
-                const baseDelay = this.config.retry?.baseDelay || 1000;
-                const maxDelay = this.config.retry?.maxDelay || 10000;
-                const delay = calculateBackoffDelay(attempt, baseDelay, maxDelay);
-                // Wait before retry
-                await new Promise((resolve) => setTimeout(resolve, delay));
-            }
-        }
-        // All retries exhausted
-        this.metrics.totalFailures++;
-        if (lastError) {
-            if (this.interceptors.onError) {
-                throw await this.interceptors.onError(lastError);
-            }
-            throw lastError;
-        }
-        throw new Error("Request failed after retries");
-    }
-    /**
-     * Make fetch request with timeout and authentication
-     */
-    async makeFetchRequest(method, url, options) {
-        // Build headers
-        const headers = new Headers(this.config.defaultHeaders);
-        if (options?.headers) {
-            if (options.headers instanceof Headers) {
-                options.headers.forEach((value, key) => headers.set(key, value));
-            }
-            else {
-                Object.entries(options.headers).forEach(([key, value]) => {
-                    headers.set(key, String(value));
-                });
-            }
-        }
-        // Add authentication
-        if (!options?.skipAuth) {
-            const token = this.getToken();
-            if (token) {
-                headers.set("Authorization", `Bearer ${token}`);
-            }
-            // Note: MisoClient client-token is handled server-side, not in browser
-        }
-        // Create abort controller for timeout
-        const timeout = options?.timeout || this.config.timeout || 30000;
-        const controller = new AbortController();
-        const timeoutId = setTimeout(() => controller.abort(), timeout);
-        // Merge signals
-        const signal = options?.signal
-            ? this.mergeSignals(controller.signal, options.signal)
-            : controller.signal;
-        try {
-            const response = await fetch(url, {
-                method,
-                headers,
-                body: options?.body,
-                signal,
-                ...options,
-            });
-            clearTimeout(timeoutId);
-            return response;
-        }
-        catch (error) {
-            clearTimeout(timeoutId);
-            if (error instanceof Error && error.name === "AbortError") {
-                throw new data_client_types_1.TimeoutError(`Request timeout after ${timeout}ms`, timeout);
-            }
-            throw new data_client_types_1.NetworkError(`Network error: ${error instanceof Error ? error.message : "Unknown error"}`, error instanceof Error ? error : undefined);
-        }
-    }
-    /**
-     * Merge AbortSignals
-     */
-    mergeSignals(signal1, signal2) {
-        const controller = new AbortController();
-        const abort = () => {
-            controller.abort();
-            signal1.removeEventListener("abort", abort);
-            signal2.removeEventListener("abort", abort);
-        };
-        if (signal1.aborted || signal2.aborted) {
-            controller.abort();
-            return controller.signal;
-        }
-        signal1.addEventListener("abort", abort);
-        signal2.addEventListener("abort", abort);
-        return controller.signal;
-    }
-    /**
-     * Parse response based on content type
-     */
-    async parseResponse(response) {
-        const contentType = response.headers.get("content-type") || "";
-        if (contentType.includes("application/json")) {
-            return (await response.json());
-        }
-        if (contentType.includes("text/")) {
-            return (await response.text());
-        }
-        return (await response.blob());
-    }
-    /**
-     * Extract headers from Headers object or Record
-     */
-    extractHeaders(headers) {
-        if (!headers)
-            return undefined;
-        if (headers instanceof Headers) {
-            const result = {};
-            headers.forEach((value, key) => {
-                result[key] = value;
-            });
-            return result;
-        }
-        if (Array.isArray(headers)) {
-            const result = {};
-            headers.forEach(([key, value]) => {
-                result[key] = String(value);
-            });
-            return result;
-        }
-        // Convert Record<string, string | readonly string[]> to Record<string, string>
-        const result = {};
-        Object.entries(headers).forEach(([key, value]) => {
-            result[key] = Array.isArray(value) ? value.join(", ") : String(value);
-        });
-        return result;
-    }
     /**
      * Handle authentication error
      */
     handleAuthError() {
-        if (isBrowser()) {
+        if ((0, data_client_utils_1.isBrowser)()) {
             // Fire and forget - redirect doesn't need to complete before throwing error
             this.redirectToLogin().catch((error) => {
                 console.error("Failed to redirect to login:", error);
@@ -968,6 +376,245 @@ class DataClient {
         });
         return this.request("DELETE", endpoint, finalOptions);
     }
+    // ==================== AUTHORIZATION METHODS ====================
+    /**
+     * Get user permissions (uses token from localStorage if not provided)
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns Array of permission strings
+     */
+    async getPermissions(token) {
+        if (!this.misoClient || !this.permissionService) {
+            return [];
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return [];
+        }
+        return this.permissionService.getPermissions(userToken);
+    }
+    /**
+     * Check if user has specific permission
+     * @param permission - Permission to check
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns True if user has the permission
+     */
+    async hasPermission(permission, token) {
+        if (!this.misoClient || !this.permissionService) {
+            return false;
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return false;
+        }
+        return this.permissionService.hasPermission(userToken, permission);
+    }
+    /**
+     * Check if user has any of the specified permissions
+     * @param permissions - Permissions to check
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns True if user has any of the permissions
+     */
+    async hasAnyPermission(permissions, token) {
+        if (!this.misoClient || !this.permissionService) {
+            return false;
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return false;
+        }
+        return this.permissionService.hasAnyPermission(userToken, permissions);
+    }
+    /**
+     * Check if user has all of the specified permissions
+     * @param permissions - Permissions to check
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns True if user has all of the permissions
+     */
+    async hasAllPermissions(permissions, token) {
+        if (!this.misoClient || !this.permissionService) {
+            return false;
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return false;
+        }
+        return this.permissionService.hasAllPermissions(userToken, permissions);
+    }
+    /**
+     * Force refresh permissions from controller (bypass cache)
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns Array of permission strings
+     */
+    async refreshPermissions(token) {
+        if (!this.misoClient || !this.permissionService) {
+            return [];
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return [];
+        }
+        return this.permissionService.refreshPermissions(userToken);
+    }
+    /**
+     * Clear cached permissions for a user
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     */
+    async clearPermissionsCache(token) {
+        if (!this.misoClient || !this.permissionService) {
+            return;
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return;
+        }
+        return this.permissionService.clearPermissionsCache(userToken);
+    }
+    /**
+     * Get user roles (uses token from localStorage if not provided)
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns Array of role strings
+     */
+    async getRoles(token) {
+        if (!this.misoClient || !this.roleService) {
+            return [];
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return [];
+        }
+        return this.roleService.getRoles(userToken);
+    }
+    /**
+     * Check if user has specific role
+     * @param role - Role to check
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns True if user has the role
+     */
+    async hasRole(role, token) {
+        if (!this.misoClient || !this.roleService) {
+            return false;
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return false;
+        }
+        return this.roleService.hasRole(userToken, role);
+    }
+    /**
+     * Check if user has any of the specified roles
+     * @param roles - Roles to check
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns True if user has any of the roles
+     */
+    async hasAnyRole(roles, token) {
+        if (!this.misoClient || !this.roleService) {
+            return false;
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return false;
+        }
+        return this.roleService.hasAnyRole(userToken, roles);
+    }
+    /**
+     * Check if user has all of the specified roles
+     * @param roles - Roles to check
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns True if user has all of the roles
+     */
+    async hasAllRoles(roles, token) {
+        if (!this.misoClient || !this.roleService) {
+            return false;
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return false;
+        }
+        return this.roleService.hasAllRoles(userToken, roles);
+    }
+    /**
+     * Force refresh roles from controller (bypass cache)
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns Array of role strings
+     */
+    async refreshRoles(token) {
+        if (!this.misoClient || !this.roleService) {
+            return [];
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return [];
+        }
+        return this.roleService.refreshRoles(userToken);
+    }
+    /**
+     * Clear cached roles for a user
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     */
+    async clearRolesCache(token) {
+        if (!this.misoClient || !this.roleService) {
+            return;
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return;
+        }
+        return this.roleService.clearRolesCache(userToken);
+    }
+    // ==================== AUTHENTICATION METHODS ====================
+    /**
+     * Validate token (uses localStorage token if not provided)
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns True if token is valid
+     */
+    async validateToken(token) {
+        if (!this.misoClient) {
+            return false;
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return false;
+        }
+        return this.misoClient.validateToken(userToken);
+    }
+    /**
+     * Get user info from token (uses localStorage token if not provided)
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns User info or null if not authenticated
+     */
+    async getUser(token) {
+        if (!this.misoClient) {
+            return null;
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return null;
+        }
+        return this.misoClient.getUser(userToken);
+    }
+    /**
+     * Get user info from API endpoint (uses localStorage token if not provided)
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns User info or null if not authenticated
+     */
+    async getUserInfo(token) {
+        if (!this.misoClient) {
+            return null;
+        }
+        const userToken = token || this.getToken();
+        if (!userToken) {
+            return null;
+        }
+        return this.misoClient.getUserInfo(userToken);
+    }
+    /**
+     * Check if authenticated (alias for validateToken)
+     * @param token - Optional user authentication token (auto-retrieved from localStorage if not provided)
+     * @returns True if authenticated
+     */
+    async isAuthenticatedAsync(token) {
+        return this.validateToken(token);
+    }
     /**
      * Get environment token (browser-side)
      * Checks localStorage cache first, then calls backend endpoint if needed
@@ -977,93 +624,7 @@ class DataClient {
      * @throws Error if token fetch fails
      */
     async getEnvironmentToken() {
-        if (!isBrowser()) {
-            throw new Error("getEnvironmentToken() is only available in browser environment");
-        }
-        const cacheKey = "miso:client-token";
-        const expiresAtKey = "miso:client-token-expires-at";
-        // Check cache first
-        const cachedToken = getLocalStorage(cacheKey);
-        const expiresAtStr = getLocalStorage(expiresAtKey);
-        if (cachedToken && expiresAtStr) {
-            const expiresAt = parseInt(expiresAtStr, 10);
-            const now = Date.now();
-            // If token is still valid, return cached token
-            if (expiresAt > now) {
-                return cachedToken;
-            }
-            // Token expired, remove from cache
-            removeLocalStorage(cacheKey);
-            removeLocalStorage(expiresAtKey);
-        }
-        // Cache miss or expired - fetch from backend
-        const clientTokenUri = this.config.misoConfig?.clientTokenUri || "/api/v1/auth/client-token";
-        // Build full URL
-        const fullUrl = /^https?:\/\//i.test(clientTokenUri)
-            ? clientTokenUri
-            : `${this.config.baseUrl}${clientTokenUri}`;
-        try {
-            // Make request to backend endpoint
-            const response = await fetch(fullUrl, {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                },
-                credentials: "include", // Include cookies for CORS
-            });
-            if (!response.ok) {
-                const errorText = await response.text();
-                throw new Error(`Failed to get environment token: ${response.status} ${response.statusText}. ${errorText}`);
-            }
-            const data = (await response.json());
-            // Extract token from response (support both nested and flat formats)
-            const token = data.data?.token || data.token || data.accessToken || data.access_token;
-            if (!token || typeof token !== "string") {
-                throw new Error("Invalid response format: token not found in response");
-            }
-            // Calculate expiration time (default to 1 hour if not provided)
-            const expiresIn = data.data?.expiresIn || data.expiresIn || data.expires_in || 3600;
-            const expiresAt = Date.now() + expiresIn * 1000;
-            // Cache token
-            setLocalStorage(cacheKey, token);
-            setLocalStorage(expiresAtKey, expiresAt.toString());
-            // Log audit event if misoClient available
-            if (this.misoClient && !this.shouldSkipAudit(clientTokenUri)) {
-                try {
-                    await this.misoClient.log.audit("client.token.request.success", clientTokenUri, {
-                        method: "POST",
-                        url: clientTokenUri,
-                        statusCode: response.status,
-                        cached: false,
-                    }, {});
-                }
-                catch (auditError) {
-                    // Silently fail audit logging to avoid breaking requests
-                    console.warn("Failed to log audit event:", auditError);
-                }
-            }
-            return token;
-        }
-        catch (error) {
-            // Log audit event for error if misoClient available
-            if (this.misoClient && !this.shouldSkipAudit(clientTokenUri)) {
-                try {
-                    const errorMessage = error instanceof Error ? error.message : "Unknown error";
-                    await this.misoClient.log.audit("client.token.request.failed", clientTokenUri, {
-                        method: "POST",
-                        url: clientTokenUri,
-                        statusCode: 0,
-                        error: errorMessage,
-                        cached: false,
-                    }, {});
-                }
-                catch (auditError) {
-                    // Silently fail audit logging to avoid breaking requests
-                    console.warn("Failed to log audit event:", auditError);
-                }
-            }
-            throw error;
-        }
+        return (0, data_client_auth_1.getEnvironmentToken)(this.config, this.misoClient);
     }
     /**
      * Get client token information (browser-side)
@@ -1072,21 +633,7 @@ class DataClient {
      * @returns Client token info or null if token not available
      */
     getClientTokenInfo() {
-        if (!isBrowser()) {
-            return null;
-        }
-        // Try to get token from cache first
-        const cachedToken = getLocalStorage("miso:client-token");
-        if (cachedToken) {
-            return (0, token_utils_1.extractClientTokenInfo)(cachedToken);
-        }
-        // Try to get token from config (if provided)
-        const configToken = this.config.misoConfig?.clientToken;
-        if (configToken) {
-            return (0, token_utils_1.extractClientTokenInfo)(configToken);
-        }
-        // No token available
-        return null;
+        return (0, data_client_auth_1.getClientTokenInfo)(this.config.misoConfig);
     }
 }
 exports.DataClient = DataClient;