@bravobit/bb-foundation 0.15.4 → 0.16.1

package/fesm2020/bravobit-bb-foundation-auth.mjs

@@ -0,0 +1,928 @@
+import * as i4 from '@angular/common/http';
+import { HttpContextToken, HttpContext, HttpErrorResponse, HTTP_INTERCEPTORS, HttpClientModule } from '@angular/common/http';
+import * as i0 from '@angular/core';
+import { Injectable, Optional, Directive, Input, APP_INITIALIZER, NgModule } from '@angular/core';
+import { shareReplay, map, tap, distinctUntilChanged, switchMap, catchError, filter, take, finalize } from 'rxjs/operators';
+import * as i6 from '@angular/platform-browser';
+import { makeStateKey } from '@angular/platform-browser';
+import { firstValueFrom, BehaviorSubject, of, throwError } from 'rxjs';
+import { Router } from '@angular/router';
+import * as i1 from '@bravobit/bb-foundation/storage';
+import * as i3 from '@bravobit/bb-foundation';
+import * as i7 from '@bravobit/bb-foundation/http';
+import { HttpError } from '@bravobit/bb-foundation/http';
+
+class AuthConfig {
+}
+
+const USE_AUTHORIZATION = new HttpContextToken(() => true);
+
+class JwtHelper {
+    constructor() {
+        this.baseDecodeUnicode = (value) => {
+            return decodeURIComponent(atob(value).replace(/(.)/g, (_, p) => {
+                let code = p.charCodeAt(0).toString(16).toUpperCase();
+                if (code.length < 2) {
+                    code = '0' + code;
+                }
+                return '%' + code;
+            }));
+        };
+        this.parse = (data) => {
+            return {
+                id: data['iss'] || null,
+                type: data['typ'] || null,
+                audience: data['aud'] || null,
+                issuer: data['iss'] || null,
+                subject: data['sub'] || null,
+                role: data['role'] || null,
+                notValidBefore: this.parseDate(data['nbf']),
+                expiresAt: this.parseDate(data['exp']),
+                issuedAt: this.parseDate(data['iat'])
+            };
+        };
+        this.parseDate = (epochInSeconds) => {
+            if (!epochInSeconds || epochInSeconds <= 0) {
+                return null;
+            }
+            return new Date(epochInSeconds * 1000);
+        };
+    }
+    decode(token) {
+        try {
+            if (token === null || token === undefined) {
+                return null;
+            }
+            const json = JSON.parse(this.urlDecode(token.split('.')[1]));
+            return this.parse(json);
+        }
+        catch {
+            return null;
+        }
+    }
+    urlDecode(token) {
+        const value = token || '';
+        let output = value
+            .replace(/-/g, '+')
+            .replace(/_/g, '/');
+        switch (output.length % 4) {
+            case 0:
+                break;
+            case 2:
+                output += '==';
+                break;
+            case 3:
+                output += '=';
+                break;
+            default:
+                throw 'Illegal base64url string!';
+        }
+        try {
+            return this.baseDecodeUnicode(output);
+        }
+        catch {
+            return atob(output);
+        }
+    }
+}
+
+class AuthMapper {
+    constructor() {
+        // Routes.
+        this.me = 'auth/me';
+        this.register = 'auth/register';
+        this.resendCode = 'auth/resend';
+        this.logout = 'auth/logout';
+        this.refresh = 'auth/refresh';
+        this.requestPassword = 'auth/reset';
+        this.resetPassword = 'auth/reset-password';
+    }
+    role(data) {
+        return (data && data.role) || null;
+    }
+    toRegister(data) {
+        // Retrieve the params.
+        const { token, refresh_token, user } = data;
+        // Map the data to the correct format.
+        return { accessToken: token, refreshToken: refresh_token, user: user };
+    }
+    toRefresh(data) {
+        // Retrieve the params.
+        const { token, refresh_token } = data;
+        // Map the data to the correct format.
+        return { accessToken: token, refreshToken: refresh_token };
+    }
+}
+AuthMapper.ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: AuthMapper, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+AuthMapper.ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: AuthMapper });
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: AuthMapper, decorators: [{
+            type: Injectable
+        }] });
+
+class AuthVerifyProvider {
+    constructor(_code, _verifyToken, _endpoint) {
+        this._code = _code;
+        this._verifyToken = _verifyToken;
+        this._endpoint = _endpoint;
+    }
+    async authenticate(httpClient) {
+        // Execute API call.
+        const data$ = await httpClient.post(this._endpoint, {
+            token: this._code,
+            verify_token: this._verifyToken
+        });
+        const { token, refresh_token, user } = await firstValueFrom(data$);
+        // Map the data to the correct format.
+        return { accessToken: token, refreshToken: refresh_token, user: user };
+    }
+}
+
+class AuthEmailProvider {
+    constructor(_email, _password, _endpoint) {
+        this._email = _email;
+        this._password = _password;
+        this._endpoint = _endpoint;
+    }
+    async authenticate(httpClient) {
+        // Execute API call.
+        const data$ = await httpClient.post(this._endpoint, {
+            email: this._email,
+            password: this._password
+        });
+        const { token, refresh_token, user, provider, verify_token } = await firstValueFrom(data$);
+        // Map the data to the correct format.
+        return {
+            accessToken: token,
+            refreshToken: refresh_token,
+            user: user,
+            provider: provider,
+            verifyToken: verify_token
+        };
+    }
+}
+
+class AuthSession {
+    constructor(options) {
+        // Readonly data.
+        this._jwt = new JwtHelper();
+        // Token strings.
+        this._accessTokenString = null;
+        this._refreshTokenString = null;
+        // Token payloads.
+        this._accessTokenPayload = null;
+        this._refreshTokenPayload = null;
+        // Private user data.
+        this._user$ = new BehaviorSubject(null);
+        // Public user data.
+        this.user = this._user$.pipe(shareReplay(1));
+        this.generateKey = (applicationId, key) => {
+            return [applicationId, key].join('_');
+        };
+        this.isTokenValid = (token) => {
+            if (!token) {
+                return false;
+            }
+            return token?.expiresAt?.getTime() > Date.now();
+        };
+        const applicationId = options?.id ?? 'ng';
+        // Setting up the readonly storage keys.
+        this._accessTokenStorageKey = this.generateKey(applicationId, 'au_act');
+        this._refreshTokenStorageKey = this.generateKey(applicationId, 'au_rft');
+        this._userStorageKey = this.generateKey(applicationId, 'au_usr');
+        // Setting up the storage.
+        this._storage = options?.storage ?? null;
+        // Init methods.
+        this.restoreFromStorage();
+    }
+    get accessToken() {
+        return this.isTokenValid(this._accessTokenPayload)
+            ? this._accessTokenString
+            : null;
+    }
+    get refreshToken() {
+        return this.isTokenValid(this.refreshTokenPayload)
+            ? this._refreshTokenString
+            : null;
+    }
+    get accessTokenPayload() {
+        return this._accessTokenPayload ?? null;
+    }
+    get refreshTokenPayload() {
+        return this._refreshTokenPayload ?? null;
+    }
+    authenticated() {
+        return this.isTokenValid(this._accessTokenPayload) || this.isTokenValid(this._refreshTokenPayload);
+    }
+    setTokens(accessToken, refreshToken) {
+        this.setAccessToken(accessToken);
+        this.setRefreshToken(refreshToken);
+        this.syncTokensInStorage();
+    }
+    setUser(user) {
+        this._user$.next(user ?? null);
+        this.syncUserInStorage();
+    }
+    clear() {
+        this.setTokens(null, null);
+        this.setUser(null);
+    }
+    restoreFromStorage() {
+        if (!this._storage) {
+            return;
+        }
+        // Set the access token.
+        const accessToken = this._storage.get(this._accessTokenStorageKey);
+        this.setAccessToken(accessToken);
+        // Set the refresh token.
+        const refreshToken = this._storage.get(this._refreshTokenStorageKey);
+        this.setRefreshToken(refreshToken);
+        // Set the user if we have any correct token payloads.
+        if (this._accessTokenPayload || this._refreshTokenPayload) {
+            const user = this._storage.get(this._userStorageKey);
+            this._user$.next(user ?? null); // Note: just settings here instead of setUser() because of syncing to the storage.
+        }
+    }
+    syncTokensInStorage() {
+        if (!this._storage) {
+            return;
+        }
+        // Set the access token if completely valid.
+        if (!!this.accessToken) {
+            this._storage.set(this._accessTokenStorageKey, this._accessTokenString, {
+                expires: this._accessTokenPayload?.expiresAt
+            });
+        }
+        else {
+            this._storage.remove(this._accessTokenStorageKey);
+        }
+        // Set the refresh token if completely valid.
+        if (!!this.refreshToken) {
+            this._storage.set(this._refreshTokenStorageKey, this._refreshTokenString, {
+                expires: this._refreshTokenPayload?.expiresAt
+            });
+        }
+        else {
+            this._storage.remove(this._refreshTokenStorageKey);
+        }
+    }
+    syncUserInStorage() {
+        if (!this._storage) {
+            return;
+        }
+        const user = this._user$.getValue();
+        if (!user) {
+            return this._storage.remove(this._userStorageKey);
+        }
+        const date = new Date();
+        date.setFullYear(date.getFullYear() + 1);
+        this._storage.set(this._userStorageKey, user, {
+            expires: new Date(date.getTime())
+        });
+    }
+    setAccessToken(value) {
+        this._accessTokenString = value ?? null;
+        this._accessTokenPayload = this._jwt.decode(this._accessTokenString);
+    }
+    setRefreshToken(value) {
+        this._refreshTokenString = value ?? null;
+        this._refreshTokenPayload = this._jwt.decode(this._refreshTokenString);
+    }
+}
+
+class Auth {
+    constructor(_storage, _mapper, _injector, _platform, _httpClient, _config, _state, _httpConfig) {
+        this._storage = _storage;
+        this._mapper = _mapper;
+        this._injector = _injector;
+        this._platform = _platform;
+        this._httpClient = _httpClient;
+        this._config = _config;
+        this._state = _state;
+        this._httpConfig = _httpConfig;
+        // Readonly data.
+        this._authStateKey = makeStateKey(`bbAuthStateKey`);
+        this._httpAlias = this._httpConfig?.defaultAlias ?? null;
+        this._refreshHandler = null;
+        // Starting the new session.
+        this.session = new AuthSession({
+            id: this._config?.applicationId,
+            storage: this._storage.select(["cookie" /* Cookie */, "local" /* Local */])
+        });
+        this.user = this.session.user;
+    }
+    initialize() {
+        return async () => {
+            // Check if the app should bootstrap the authentication.
+            const shouldBootstrap = this._config?.bootstrap ?? true;
+            if (!shouldBootstrap) {
+                return this.handleAutoRefreshing();
+            }
+            // Only retrieve from the server when we are actually authenticated.
+            if (!this.session.authenticated()) {
+                return;
+            }
+            // Get the key from the server state.
+            if (this._state && this._state?.hasKey(this._authStateKey)) {
+                const user = this._state?.get(this._authStateKey, null) ?? null;
+                return this.session.setUser(user);
+            }
+            // Try to fetch the user from the server.
+            const user$ = this.me();
+            const user = await firstValueFrom(user$, { defaultValue: null });
+            // Set the state if exists.
+            if (this._state) {
+                this._state?.set(this._authStateKey, user ?? null);
+            }
+            // Save the user in the storage and handle auto refreshing.
+            this.session.setUser(user);
+            this.handleAutoRefreshing();
+        };
+    }
+    me() {
+        const url = this.getUrl('auth/me');
+        return this._httpClient.get(url);
+    }
+    async signIn(provider, as) {
+        const { accessToken, refreshToken, user, ...result } = await provider.authenticate(this._httpClient);
+        // Check if the role matches.
+        if (as && !as.includes(this._mapper.role(user))) {
+            throw new Error('Invalid role.');
+        }
+        // Validate if the provider is one of the available
+        // providers then return the user object and the provider.
+        const apiProvider = result?.provider ?? null;
+        const apiVerifyToken = result?.verifyToken ?? null;
+        const availableProviders = ['email', 'sms', 'totp'];
+        if (availableProviders.includes(apiProvider)) {
+            return { user, provider: apiProvider, verifyToken: apiVerifyToken };
+        }
+        // Set the tokens in storage.
+        this.setTokens(accessToken, refreshToken);
+        // Set the user in storage.
+        this.session.setUser(user);
+        // Return the user.
+        return { user };
+    }
+    async signInWithEmail(email, password, as) {
+        const url = this.getUrl('auth/login');
+        return this.signIn(new AuthEmailProvider(email, password, url), as);
+    }
+    async signInWithVerifyCode(code, verifyToken) {
+        const url = this.getUrl('auth/verify');
+        return this.signIn(new AuthVerifyProvider(code, verifyToken, url));
+    }
+    async resendVerifyCode(verifyToken) {
+        const url = this.getUrl('auth/resend');
+        const result$ = this._httpClient.post(url, {
+            verify_token: verifyToken
+        });
+        return firstValueFrom(result$);
+    }
+    async register(data, options) {
+        // Execute API call.
+        const url = this.getUrl('auth/register');
+        const result$ = this._httpClient.post(url, data, options);
+        const result = await firstValueFrom(result$);
+        // Map to the correct response.
+        const { accessToken, refreshToken, user } = this._mapper.toRegister(result);
+        // Set the tokens in storage.
+        this.setTokens(accessToken, refreshToken);
+        // Set the user in storage.
+        this.session.setUser(user);
+        // Return the user.
+        return user;
+    }
+    logout() {
+        // If we don't have a refresh token just clear the session.
+        // Note: We do this because else we try to invalidate
+        // an "undefined" refresh token.
+        const refreshToken = this.session.refreshToken;
+        if (!refreshToken) {
+            return this.session.clear();
+        }
+        // We do have a refresh token, so try to
+        // invalidate it in the backend.
+        try {
+            const url = this.getUrl('auth/logout');
+            const observable$ = this._httpClient.get(url, {
+                headers: { Authorization: refreshToken }
+            });
+            firstValueFrom(observable$).then(_ => _);
+        }
+        catch {
+            // Do nothing because the tokens will be deleted anyways from the session.
+        }
+        // Delete the tokens from the session.
+        return this.session.clear();
+    }
+    refresh() {
+        // If the refresh token does
+        // not exist just return an observable of null.
+        const refreshToken = this.session.refreshToken;
+        if (!refreshToken) {
+            return of(null);
+        }
+        // Perform the refresh call.
+        const scheme = this._config?.scheme ?? 'Bearer';
+        const url = this.getUrl('auth/refresh');
+        const context = new HttpContext()
+            .set(USE_AUTHORIZATION, false);
+        return this._httpClient.get(url, {
+            headers: { Authorization: `${scheme} ${refreshToken}` },
+            context: context
+        }).pipe(map(data => this._mapper.toRefresh(data)), tap(({ accessToken, refreshToken }) => this.setTokens(accessToken, refreshToken)), map(({ accessToken }) => accessToken));
+    }
+    async requestPassword(email, extraParams = {}) {
+        const url = this.getUrl('auth/reset');
+        const observable$ = this._httpClient.post(url, { ...extraParams, email });
+        return firstValueFrom(observable$);
+    }
+    async resetPassword(token, newPassword, extraParams = {}) {
+        const url = this.getUrl('auth/reset-password');
+        const observable$ = this._httpClient.post(url, { ...extraParams, token, password: newPassword });
+        return firstValueFrom(observable$);
+    }
+    guard(type, redirectUrl) {
+        let newUrl = null;
+        // Get the correct new url.
+        switch (type) {
+            case 'authenticated':
+                newUrl = this._config?.loggedInUrl ?? null;
+                break;
+            case 'unauthenticated':
+                newUrl = this._config?.redirectUrl ?? null;
+                break;
+        }
+        // Append a redirect url if the user is deemed
+        // unauthenticated.
+        if (type === 'unauthenticated') {
+            const setRedirectOnFailedAuth = this._config?.setRedirectOnFailedAuth ?? true;
+            if (setRedirectOnFailedAuth && redirectUrl && newUrl) {
+                newUrl += `?redirectUrl=${redirectUrl}`;
+            }
+        }
+        // Parse the url if it exists.
+        if (this.router && newUrl) {
+            return this.router.parseUrl(newUrl);
+        }
+        // Return false if the user is not allowed.
+        return false;
+    }
+    clearAndRedirect() {
+        // 1. Delete the tokens from the session.
+        this.session.clear();
+        // 2. Compose the route url.
+        const redirectUrl = this._config?.redirectUrl ?? null;
+        // 3. Route back if the user provided a redirect url.
+        if (this.router && redirectUrl) {
+            this.router.navigate([redirectUrl]).then(_ => _);
+        }
+    }
+    setTokens(accessToken, refreshToken) {
+        // Set the tokens in our session.
+        this.session.setTokens(accessToken, refreshToken);
+        // We need to update the auto refresh of the refresh token.
+        this.handleAutoRefreshing();
+    }
+    handleAutoRefreshing() {
+        const shouldAutoRefresh = this._config?.autoRefresh ?? false;
+        if (!shouldAutoRefresh) {
+            return;
+        }
+        const expiresAt = this.session.refreshTokenPayload?.expiresAt ?? null;
+        if (expiresAt === null || !this._platform.isBrowser) {
+            return;
+        }
+        const differenceInMilliseconds = expiresAt.getTime() - Date.now();
+        const offsetInMilliseconds = 10000; // 10 seconds.
+        // We want to start the refresh 10 seconds before it expires.
+        const actualTiming = differenceInMilliseconds - offsetInMilliseconds;
+        if (actualTiming <= 0) {
+            return;
+        }
+        // We need to cap the timings because if
+        // we get large numbers it might cause unwanted results.
+        const maxTiming = 1000 * 60 * 60 * 24; // 24 hours.
+        const cappedTiming = Math.max(1, Math.min(actualTiming, maxTiming));
+        try {
+            if (this._refreshHandler !== null) {
+                clearTimeout?.(this._refreshHandler);
+                this._refreshHandler = null;
+            }
+            this._refreshHandler = setTimeout?.(() => this.autoRefresh(), cappedTiming);
+        }
+        catch {
+            // Just ignore it.
+        }
+    }
+    async autoRefresh() {
+        try {
+            // We just need to wait for it to refresh.
+            const refresh$ = this.refresh();
+            await firstValueFrom(refresh$);
+        }
+        catch {
+            // Something went wrong refreshing, we need to clear.
+            this.clearAndRedirect();
+        }
+    }
+    get router() {
+        return this._injector.get(Router);
+    }
+    getUrl(endpoint) {
+        return [this._httpAlias, endpoint]
+            .filter(item => !!item)
+            .join('/');
+    }
+}
+Auth.ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: Auth, deps: [{ token: i1.Storage }, { token: AuthMapper }, { token: i0.Injector }, { token: i3.Platform }, { token: i4.HttpClient }, { token: AuthConfig, optional: true }, { token: i6.TransferState, optional: true }, { token: i7.HttpConfig, optional: true }], target: i0.ɵɵFactoryTarget.Injectable });
+Auth.ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: Auth });
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: Auth, decorators: [{
+            type: Injectable
+        }], ctorParameters: function () { return [{ type: i1.Storage }, { type: AuthMapper }, { type: i0.Injector }, { type: i3.Platform }, { type: i4.HttpClient }, { type: AuthConfig, decorators: [{
+                    type: Optional
+                }] }, { type: i6.TransferState, decorators: [{
+                    type: Optional
+                }] }, { type: i7.HttpConfig, decorators: [{
+                    type: Optional
+                }] }]; } });
+
+class BbAuthenticated {
+    constructor(_auth, _template, _viewContainerRef) {
+        this._auth = _auth;
+        this._template = _template;
+        this._viewContainerRef = _viewContainerRef;
+    }
+    ngOnInit() {
+        this._subscription = this._auth.user.pipe(map(user => !!user), distinctUntilChanged()).subscribe(isAuthenticated => {
+            if (!isAuthenticated) {
+                return this._viewContainerRef.clear();
+            }
+            this._viewContainerRef.createEmbeddedView(this._template);
+        });
+    }
+    ngOnDestroy() {
+        this._subscription?.unsubscribe();
+    }
+}
+BbAuthenticated.ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbAuthenticated, deps: [{ token: Auth }, { token: i0.TemplateRef }, { token: i0.ViewContainerRef }], target: i0.ɵɵFactoryTarget.Directive });
+BbAuthenticated.ɵdir = i0.ɵɵngDeclareDirective({ minVersion: "12.0.0", version: "13.1.0", type: BbAuthenticated, selector: "[bbAuthenticated]", ngImport: i0 });
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbAuthenticated, decorators: [{
+            type: Directive,
+            args: [{
+                    selector: '[bbAuthenticated]'
+                }]
+        }], ctorParameters: function () { return [{ type: Auth }, { type: i0.TemplateRef }, { type: i0.ViewContainerRef }]; } });
+
+class BbRole {
+    constructor(_auth, _template, _viewContainerRef) {
+        this._auth = _auth;
+        this._template = _template;
+        this._viewContainerRef = _viewContainerRef;
+        this.getAllowedRoles = (value) => {
+            return Array.isArray(value) ? value : [value];
+        };
+    }
+    ngOnInit() {
+        this._subscription = this._auth.user.pipe(map(user => user?.role ?? null), distinctUntilChanged()).subscribe(role => {
+            const allowedRoles = this.getAllowedRoles(this.bbRole);
+            if (!allowedRoles.includes(role)) {
+                return this._viewContainerRef.clear();
+            }
+            this._viewContainerRef.createEmbeddedView(this._template);
+        });
+    }
+    ngOnDestroy() {
+        this._subscription?.unsubscribe();
+    }
+}
+BbRole.ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbRole, deps: [{ token: Auth }, { token: i0.TemplateRef }, { token: i0.ViewContainerRef }], target: i0.ɵɵFactoryTarget.Directive });
+BbRole.ɵdir = i0.ɵɵngDeclareDirective({ minVersion: "12.0.0", version: "13.1.0", type: BbRole, selector: "[bbRole]", inputs: { bbRole: "bbRole" }, ngImport: i0 });
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbRole, decorators: [{
+            type: Directive,
+            args: [{
+                    selector: '[bbRole]'
+                }]
+        }], ctorParameters: function () { return [{ type: Auth }, { type: i0.TemplateRef }, { type: i0.ViewContainerRef }]; }, propDecorators: { bbRole: [{
+                type: Input
+            }] } });
+
+class Permissions {
+    constructor(_auth, _config) {
+        this._auth = _auth;
+        this._config = _config;
+        // Data.
+        this._permissions = this._config?.permissions ?? {};
+        this._role$ = this._auth.user.pipe(map(user => user?.role ?? null), distinctUntilChanged());
+    }
+    has(value) {
+        const requiredPermissions = Array.isArray(value)
+            ? value
+            : [value];
+        return this._role$.pipe(map(role => {
+            if (role === null || role === undefined) {
+                return false;
+            }
+            for (const requiredPermission of requiredPermissions) {
+                const result = this.validatePermission(requiredPermission, role);
+                if (!result) {
+                    return false;
+                }
+            }
+            return true;
+        }));
+    }
+    validatePermission(type, role) {
+        const permission = this._permissions?.[type] ?? null;
+        if (!permission) {
+            console?.warn?.(`Permissions: Invalid permission requested "${type}".`);
+            return false;
+        }
+        if (permission?.length <= 0) {
+            console?.warn?.(`Permissions: No roles were set, please add some roles to this permission.`);
+            return false;
+        }
+        // If the permission includes a "*" we allow everyone.
+        if (permission.includes('*')) {
+            return true;
+        }
+        // Validate the role against the permissions.
+        return permission?.includes(role) ?? false;
+    }
+}
+Permissions.ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: Permissions, deps: [{ token: Auth }, { token: AuthConfig, optional: true }], target: i0.ɵɵFactoryTarget.Injectable });
+Permissions.ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: Permissions });
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: Permissions, decorators: [{
+            type: Injectable
+        }], ctorParameters: function () { return [{ type: Auth }, { type: AuthConfig, decorators: [{
+                    type: Optional
+                }] }]; } });
+
+class BbPermission {
+    constructor(_permissions, _templateRef, _viewContainerRef) {
+        this._permissions = _permissions;
+        this._templateRef = _templateRef;
+        this._viewContainerRef = _viewContainerRef;
+        // Data.
+        this._permission$ = new BehaviorSubject([]);
+        this._valid = false;
+        this._elseTemplateRef = null;
+        this._thenViewRef = null;
+        this._elseViewRef = null;
+        this.getAllowedPermissions = (value) => {
+            return Array.isArray(value) ? value : [value];
+        };
+        this.assertTemplate = (property, templateRef) => {
+            const isTemplateRefOrNull = !!(!templateRef || templateRef.createEmbeddedView);
+            if (!isTemplateRefOrNull) {
+                throw new Error(`${property} must be a TemplateRef.`);
+            }
+        };
+    }
+    set bbPermission(value) {
+        const permissions = this.getAllowedPermissions(value);
+        this._permission$.next(permissions);
+        this.updateView();
+    }
+    set bbPermissionElse(templateRef) {
+        this.assertTemplate('bbPermissionElse', templateRef);
+        this._elseTemplateRef = templateRef;
+        this.updateView();
+    }
+    ngOnInit() {
+        const check$ = this._permission$.pipe(switchMap(permissions => this._permissions.has(permissions)));
+        this._subscription = check$.subscribe(valid => {
+            this._valid = valid;
+            this.updateView();
+        });
+    }
+    ngOnDestroy() {
+        this._subscription?.unsubscribe();
+    }
+    updateView() {
+        if (this._valid) {
+            if (!this._thenViewRef) {
+                this._viewContainerRef.clear();
+                this._elseViewRef = null;
+                if (this._templateRef) {
+                    this._thenViewRef = this._viewContainerRef.createEmbeddedView(this._templateRef);
+                }
+            }
+        }
+        else {
+            if (!this._elseViewRef) {
+                this._viewContainerRef.clear();
+                this._thenViewRef = null;
+                if (this._elseTemplateRef) {
+                    this._elseViewRef = this._viewContainerRef.createEmbeddedView(this._elseTemplateRef);
+                }
+            }
+        }
+    }
+}
+BbPermission.ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbPermission, deps: [{ token: Permissions }, { token: i0.TemplateRef }, { token: i0.ViewContainerRef }], target: i0.ɵɵFactoryTarget.Directive });
+BbPermission.ɵdir = i0.ɵɵngDeclareDirective({ minVersion: "12.0.0", version: "13.1.0", type: BbPermission, selector: "[bbPermission]", inputs: { bbPermission: "bbPermission", bbPermissionElse: "bbPermissionElse" }, ngImport: i0 });
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbPermission, decorators: [{
+            type: Directive,
+            args: [{
+                    selector: '[bbPermission]'
+                }]
+        }], ctorParameters: function () { return [{ type: Permissions }, { type: i0.TemplateRef }, { type: i0.ViewContainerRef }]; }, propDecorators: { bbPermission: [{
+                type: Input
+            }], bbPermissionElse: [{
+                type: Input
+            }] } });
+
+class BbAnonymousGuard {
+    constructor(_auth) {
+        this._auth = _auth;
+    }
+    async canActivate(_, state) {
+        // Check if the user is authenticated.
+        const isAuthenticated$ = await this._auth.user.pipe(map(user => !!user));
+        // If the user is not authenticated it can
+        // access the anonymous page.
+        const isAuthenticated = await firstValueFrom(isAuthenticated$, { defaultValue: null });
+        if (!isAuthenticated) {
+            return true;
+        }
+        // Return the user back to the authenticated page.
+        return this._auth.guard('authenticated', state.url);
+    }
+    canActivateChild(childRoute, state) {
+        return this.canActivate(childRoute, state);
+    }
+}
+BbAnonymousGuard.ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbAnonymousGuard, deps: [{ token: Auth }], target: i0.ɵɵFactoryTarget.Injectable });
+BbAnonymousGuard.ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbAnonymousGuard, providedIn: 'root' });
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbAnonymousGuard, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root'
+                }]
+        }], ctorParameters: function () { return [{ type: Auth }]; } });
+
+class BbAuthenticatedGuard {
+    constructor(_auth) {
+        this._auth = _auth;
+    }
+    async canActivate(_, state) {
+        // Check if the user is authenticated.
+        const isAuthenticated$ = await this._auth.user.pipe(map(user => !!user));
+        // If the user is authenticated it can
+        // access the authenticated page.
+        const isAuthenticated = await firstValueFrom(isAuthenticated$, { defaultValue: null });
+        if (isAuthenticated) {
+            return true;
+        }
+        // The user is not authorized to see that
+        // page so un-authorize him.
+        return this._auth.guard('unauthenticated', state.url);
+    }
+    canActivateChild(childRoute, state) {
+        return this.canActivate(childRoute, state);
+    }
+}
+BbAuthenticatedGuard.ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbAuthenticatedGuard, deps: [{ token: Auth }], target: i0.ɵɵFactoryTarget.Injectable });
+BbAuthenticatedGuard.ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbAuthenticatedGuard, providedIn: 'root' });
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: BbAuthenticatedGuard, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root'
+                }]
+        }], ctorParameters: function () { return [{ type: Auth }]; } });
+
+class AuthInterceptor {
+    constructor(_auth, _config) {
+        this._auth = _auth;
+        this._config = _config;
+        // Readonly data.
+        this._authHeaderString = 'Authorization';
+        // Data.
+        this.isRefreshing = false;
+        this.refreshingAccessToken$ = new BehaviorSubject(null);
+        this.getAccessToken = (request) => {
+            // Get the token based on header.
+            if (request.headers.has('Authorization')) {
+                return request.headers.get('Authorization');
+            }
+            // Return the default access token.
+            return this._auth.session.accessToken;
+        };
+        this.addAuthorizationHeader = (request, accessToken = null) => {
+            // Remove auth header when we do not have
+            // an access token.
+            if (!accessToken) {
+                return request.clone({
+                    headers: request.headers.delete(this._authHeaderString)
+                });
+            }
+            // Add the auth header to the request.
+            return request.clone({
+                setHeaders: { [this._authHeaderString]: this.getFullAuthorizationHeader(accessToken) }
+            });
+        };
+        this.getFullAuthorizationHeader = (token) => {
+            const authScheme = this._config?.scheme ?? 'Bearer';
+            return [authScheme, token].join(' ');
+        };
+    }
+    intercept(request, next) {
+        // 1. Check if the user wants to use the authorization for this request.
+        if (!request.context.get(USE_AUTHORIZATION)) {
+            return next.handle(request);
+        }
+        // 2. Compose the new request.
+        const accessToken = this.getAccessToken(request);
+        const newRequest = this.addAuthorizationHeader(request, accessToken);
+        // 3. Handle all errors.
+        return next.handle(newRequest).pipe(catchError(error => {
+            // Handle the HTTP401 error.
+            if ((error instanceof HttpErrorResponse || error instanceof HttpError) && error?.status === 401) {
+                return this.handle401Error(request, next);
+            }
+            // Just re-throw the parsed error.
+            return throwError(error);
+        }));
+    }
+    handle401Error(request, next) {
+        // If already refreshing wait for the refresh token to complete.
+        if (this.isRefreshing) {
+            return this.refreshingAccessToken$.pipe(filter(accessToken => accessToken !== null), take(1), switchMap(accessToken => next.handle(this.addAuthorizationHeader(request, accessToken))));
+        }
+        // Set the refreshing to true.
+        this.isRefreshing = true;
+        this.refreshingAccessToken$.next(null);
+        return this._auth.refresh().pipe(switchMap(newAccessToken => {
+            if (!newAccessToken) {
+                const error = new Error('No refresh token was available.');
+                return throwError(error);
+            }
+            this.refreshingAccessToken$.next(newAccessToken);
+            return next.handle(this.addAuthorizationHeader(request, newAccessToken));
+        }), catchError(() => this.logoutUser()), finalize(() => this.isRefreshing = false));
+    }
+    logoutUser() {
+        // Handle the refresh error.
+        this._auth.clearAndRedirect();
+        // Return null as data.
+        return of(null);
+    }
+}
+AuthInterceptor.ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: AuthInterceptor, deps: [{ token: Auth }, { token: AuthConfig, optional: true }], target: i0.ɵɵFactoryTarget.Injectable });
+AuthInterceptor.ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: AuthInterceptor });
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: AuthInterceptor, decorators: [{
+            type: Injectable
+        }], ctorParameters: function () { return [{ type: Auth }, { type: AuthConfig, decorators: [{
+                    type: Optional
+                }] }]; } });
+
+const DECLARATIONS_EXPORTS = [
+    BbAuthenticated,
+    BbRole,
+    BbPermission
+];
+class AuthModule {
+    static forRoot(config) {
+        return {
+            ngModule: AuthModule,
+            providers: [
+                Auth,
+                Permissions,
+                { provide: AuthConfig, useValue: config },
+                { provide: HTTP_INTERCEPTORS, useClass: AuthInterceptor, multi: true },
+                { useFactory: initializeAuth, provide: APP_INITIALIZER, deps: [Auth], multi: true }
+            ]
+        };
+    }
+}
+AuthModule.ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: AuthModule, deps: [], target: i0.ɵɵFactoryTarget.NgModule });
+AuthModule.ɵmod = i0.ɵɵngDeclareNgModule({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: AuthModule, declarations: [BbAuthenticated,
+        BbRole,
+        BbPermission], imports: [HttpClientModule], exports: [BbAuthenticated,
+        BbRole,
+        BbPermission] });
+AuthModule.ɵinj = i0.ɵɵngDeclareInjector({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: AuthModule, providers: [
+        { provide: AuthMapper, useClass: AuthMapper }
+    ], imports: [[HttpClientModule]] });
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "13.1.0", ngImport: i0, type: AuthModule, decorators: [{
+            type: NgModule,
+            args: [{
+                    imports: [HttpClientModule],
+                    declarations: [...DECLARATIONS_EXPORTS],
+                    exports: [...DECLARATIONS_EXPORTS],
+                    providers: [
+                        { provide: AuthMapper, useClass: AuthMapper }
+                    ]
+                }]
+        }] });
+function initializeAuth(auth) {
+    return auth.initialize();
+}
+
+/**
+ * Generated bundle index. Do not edit.
+ */
+
+export { Auth, AuthConfig, AuthEmailProvider, AuthMapper, AuthModule, AuthSession, AuthVerifyProvider, BbAnonymousGuard, BbAuthenticated, BbAuthenticatedGuard, BbPermission, BbRole, JwtHelper, Permissions, USE_AUTHORIZATION, initializeAuth };
+//# sourceMappingURL=bravobit-bb-foundation-auth.mjs.map