npm - @bunbase-ae/js - Versions diffs - 2.5.1-next.164.09c2dd0 → 2.5.2-next.168.7184e15 - Mend

@bunbase-ae/js 2.5.1-next.164.09c2dd0 → 2.5.2-next.168.7184e15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/src/realtime.ts +123 -8

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bunbase-ae/js",
-  "version": "2.5.1-next.164.09c2dd0",
+  "version": "2.5.2-next.168.7184e15",
   "type": "module",
   "description": "TypeScript/JavaScript SDK for BunBase",
   "license": "UNLICENSED",

package/src/realtime.ts CHANGED Viewed

@@ -19,6 +19,21 @@ import type { BunBaseRecord, RealtimeCallback, RealtimeEvent, UnsubscribeFn } fr
 const INITIAL_RECONNECT_MS = 500;
 const MAX_RECONNECT_MS = 30_000;
+// Close codes emitted by the server for "no credentials / bad credentials"
+// classes of failure. The SDK treats repeated instances of either as a signal
+// that reconnecting is pointless until the caller sets an access token.
+const WS_CLOSE_AUTH_TIMEOUT = 4001;
+const WS_CLOSE_SUBSCRIBE_UNAUTHENTICATED = 4003;
+// Bail-out threshold: after this many 4001|4003 closes within the window
+// below — none of them followed by a successful subscribe ack — the SDK
+// enters the "unauthenticated" sleeping state and stops reconnecting until
+// the caller provides a token.
+const UNAUTH_BAIL_CLOSES = 5;
+const UNAUTH_BAIL_WINDOW_MS = 60_000;
+export type ConnectionState = "connecting" | "connected" | "disconnected" | "unauthenticated";
 // Internal message shapes from the server.
 interface ServerChangeMessage<T = BunBaseRecord> {
   type: "change";
@@ -82,6 +97,22 @@ export class RealtimeClient {
   private subscriptionsListeners = new Set<(channels: string[]) => void>();
   private presenceListeners = new Set<(channel: string, users: string[]) => void>();
+  // Unauthenticated-loop bailout: timestamps of recent 4001/4003 closes that
+  // were not followed by a successful subscribe ack. Trimmed to the last
+  // UNAUTH_BAIL_WINDOW_MS on each push. When >= UNAUTH_BAIL_CLOSES, the SDK
+  // enters the "unauthenticated" sleeping state.
+  private unauthCloseTimestamps: number[] = [];
+  // Set by the "ack" handler on any subscribe ack — proves the current
+  // connection is not stuck in the auth-reject loop. Cleared on reconnect.
+  private sawSuccessfulSubscribe = false;
+  // Public surface for consumers to inspect why reconnect stopped. Distinct
+  // from `connected` so applications can distinguish "offline, retrying"
+  // from "logged out, waiting for a token".
+  connectionState: ConnectionState = "disconnected";
+  // One-time warning flag: don't spam the error callback for every close in
+  // the bail-out loop. Reset when a token arrives via setTokens().
+  private warnedUnauth = false;
   // Called when the server pushes an auth event indicating session state change.
   // Receives null to indicate the session is no longer valid.
   onAuthChange?: (user: null) => void;
@@ -89,6 +120,11 @@ export class RealtimeClient {
   // Called when a presence response arrives: (channel, userIds[]).
   onPresence?: (channel: string, users: string[]) => void;
+  // Called with a human-readable message when the SDK stops trying to
+  // reconnect (e.g., repeated auth rejections without a token). The SDK emits
+  // this once per entry into the unauthenticated state.
+  onError?: (message: string) => void;
   constructor(
     private wsUrl: string,
     private readonly http: HttpClient,
@@ -97,9 +133,23 @@ export class RealtimeClient {
     // Covers: login while connected, silent token refresh, logout.
     // On logout (accessToken = null) no explicit unauth is needed — the
     // server rejects further subscription events for the revoked session.
+    // On new token after an unauthenticated-loop bailout, reset state and
+    // reconnect immediately so the caller doesn't wait for the next backoff
+    // cycle to come out of sleep.
     this.http.onTokenChange(({ accessToken }) => {
-      if (this.connected && accessToken) {
-        this.send({ type: "auth", token: accessToken });
+      if (accessToken) {
+        const wasUnauth = this.connectionState === "unauthenticated";
+        if (wasUnauth) {
+          this.unauthCloseTimestamps = [];
+          this.warnedUnauth = false;
+          this.connectionState = "disconnected";
+          this.reconnectDelay = INITIAL_RECONNECT_MS;
+          if (this.channels.size > 0) this.connect();
+          return;
+        }
+        if (this.connected) {
+          this.send({ type: "auth", token: accessToken });
+        }
       }
     });
   }
@@ -133,7 +183,10 @@ export class RealtimeClient {
     // Send subscribe message if already connected.
     if (this.connected) {
       this.sendSubscribe(channel, this.channels.get(channel)?.options ?? {});
-    } else {
+    } else if (this.connectionState !== "unauthenticated") {
+      // Don't thrash when we've already decided reconnecting is pointless;
+      // stay in sleep until setTokens() wakes us up. The channel is still
+      // tracked and will be re-sent on the next successful connect.
       this.connect();
     }
@@ -227,6 +280,7 @@ export class RealtimeClient {
     this.ws?.close();
     this.ws = null;
     this.connected = false;
+    this.connectionState = "disconnected";
   }
   // ─── Internal ──────────────────────────────────────────────────────────────
@@ -261,19 +315,28 @@ export class RealtimeClient {
     }
     this.intentionalClose = false;
+    this.connectionState = "connecting";
+    this.sawSuccessfulSubscribe = false;
     this.ws = new WebSocket(`${this.wsUrl}/realtime`);
     this.ws.onopen = () => {
       this.connected = true;
+      this.connectionState = "connected";
       this.reconnectDelay = INITIAL_RECONNECT_MS;
       // Notify connection listeners and clear them (one-shot per connect).
       for (const cb of this.connectListeners) cb();
       this.connectListeners.clear();
-      // Authenticate if token available.
+      // Authenticate if token available; otherwise send an explicit anonymous
+      // auth so the server clears its auth-timeout timer instead of closing
+      // this socket with 4001 after 10 s. Layer 2 of the #309 fix.
       const token = this.http.getAccessToken();
-      if (token) this.send({ type: "auth", token });
+      if (token) {
+        this.send({ type: "auth", token });
+      } else {
+        this.send({ type: "auth", anonymous: true });
+      }
       // Re-subscribe all active channels (handles reconnect case).
       for (const [channel, state] of this.channels) {
@@ -295,6 +358,15 @@ export class RealtimeClient {
         return;
       }
+      // A subscribe ack proves we can actually hold a subscription on this
+      // connection — reset the unauth-bailout state. (Auth-event acks flow
+      // through the "auth" branch below and carry no `channel` field.)
+      if (msg.type === "ack" && (msg as { channel?: string }).channel) {
+        this.sawSuccessfulSubscribe = true;
+        this.unauthCloseTimestamps = [];
+        return;
+      }
       if (msg.type === "subscriptions") {
         const { channels } = msg as ServerSubscriptionsMessage;
         for (const cb of this.subscriptionsListeners) cb(channels);
@@ -345,12 +417,55 @@ export class RealtimeClient {
       for (const cb of state.callbacks) cb(realtimeEvent);
     };
-    this.ws.onclose = () => {
+    this.ws.onclose = (ev: CloseEvent) => {
       this.connected = false;
       this.ws = null;
-      if (!this.intentionalClose && this.channels.size > 0) {
-        this.scheduleReconnect();
+      if (this.intentionalClose || this.channels.size === 0) {
+        this.connectionState = "disconnected";
+        return;
       }
+      // Unauthenticated-loop bailout: count 4001|4003 closes against the
+      // rolling window only when the connection never got a subscribe ack.
+      // An older server that still emits 4001 (before Layer 1 shipped) or
+      // something exotic (proxy stripping the auth frame) counts the same as
+      // 4003 — both mean "this socket never held a valid subscription."
+      const isAuthFail =
+        ev.code === WS_CLOSE_AUTH_TIMEOUT || ev.code === WS_CLOSE_SUBSCRIBE_UNAUTHENTICATED;
+      if (isAuthFail && !this.sawSuccessfulSubscribe) {
+        const now = Date.now();
+        this.unauthCloseTimestamps = this.unauthCloseTimestamps.filter(
+          (t) => now - t < UNAUTH_BAIL_WINDOW_MS,
+        );
+        this.unauthCloseTimestamps.push(now);
+        if (
+          this.unauthCloseTimestamps.length >= UNAUTH_BAIL_CLOSES &&
+          this.http.getAccessToken() === null
+        ) {
+          this.connectionState = "unauthenticated";
+          if (!this.warnedUnauth) {
+            this.warnedUnauth = true;
+            this.onError?.(
+              "Realtime reconnect paused: server is rejecting anonymous subscriptions. " +
+                "Call setTokens() to resume.",
+            );
+          }
+          if (this.reconnectTimer !== null) {
+            clearTimeout(this.reconnectTimer);
+            this.reconnectTimer = null;
+          }
+          return;
+        }
+      } else if (!isAuthFail) {
+        // A non-auth close means whatever the socket was doing, it wasn't
+        // stuck in the auth-reject loop — clear the counter so a later
+        // genuine outage doesn't trip the bailout.
+        this.unauthCloseTimestamps = [];
+      }
+      this.connectionState = "disconnected";
+      this.scheduleReconnect();
     };
     this.ws.onerror = () => {