@codingfactory/socialkit-vue 0.1.0

package/src/utils/tokenStorage.ts

@@ -0,0 +1,394 @@
+/**
+ * Token storage utility for SocialKit-powered frontends.
+ *
+ * Tokens are cached in memory and persisted to a configurable browser storage
+ * backend. Use `createTokenStorage()` to get a configured instance.
+ */
+
+import axios from 'axios'
+
+/** Configuration for creating a token storage instance. */
+export interface TokenStorageConfig {
+  /** Storage key for the token (default: 'auth_token'). */
+  storageKey?: string
+  /** API base URL used by the refresh client (default: '/api'). */
+  apiBaseUrl?: string
+  /** Endpoints to call when refreshing a token (default: ['/v1/auth/refresh-token']). */
+  refreshEndpoints?: string[]
+  /** Endpoints where the Authorization header should NOT be sent. */
+  anonymousEndpoints?: string[]
+  /** When true, persist in localStorage and share across tabs; otherwise sessionStorage. */
+  shareSessions?: boolean
+}
+
+/** Public token storage interface. */
+export interface TokenStorage {
+  getToken(): string | null
+  setToken(token: string): void
+  removeToken(): void
+  hasToken(): boolean
+  shouldSkipAuth(url: string | undefined): boolean
+  isRefreshTokenEndpoint(url: string | undefined): boolean
+  tryRefreshToken(): Promise<string | null>
+  wasTokenRotatedSince(requestAuthHeaderOrHeaders: unknown): boolean
+}
+
+const DEFAULT_STORAGE_KEY = 'auth_token'
+const DEFAULT_REFRESH_ENDPOINTS = ['/v1/auth/refresh-token']
+const DEFAULT_ANONYMOUS_ENDPOINTS = [
+  '/sanctum/csrf-cookie',
+  '/v1/auth/login',
+  '/v1/auth/register',
+  '/v1/auth/forgot-password',
+  '/v1/auth/reset-password'
+]
+
+interface StoragePair {
+  primary: Storage | null
+  secondary: Storage | null
+}
+
+function normalizeStoredToken(stored: string | null): string | undefined {
+  if (typeof stored === 'string' && stored.length > 0) {
+    return stored
+  }
+
+  return undefined
+}
+
+function getBrowserStorage(kind: 'local' | 'session'): Storage | null {
+  if (typeof window === 'undefined') {
+    return null
+  }
+
+  try {
+    return kind === 'local' ? window.localStorage : window.sessionStorage
+  } catch {
+    return null
+  }
+}
+
+function resolveStoragePair(shareSessions: boolean): StoragePair {
+  if (shareSessions) {
+    return {
+      primary: getBrowserStorage('local'),
+      secondary: getBrowserStorage('session')
+    }
+  }
+
+  return {
+    primary: getBrowserStorage('session'),
+    secondary: getBrowserStorage('local')
+  }
+}
+
+function readStorageToken(storage: Storage | null, storageKey: string): string | undefined {
+  if (storage === null) {
+    return undefined
+  }
+
+  try {
+    const stored = storage.getItem(storageKey)
+    return normalizeStoredToken(stored)
+  } catch {
+    return undefined
+  }
+}
+
+function writeStorageToken(storage: Storage | null, storageKey: string, token: string): void {
+  if (storage === null) {
+    return
+  }
+
+  try {
+    storage.setItem(storageKey, token)
+  } catch {
+    // Storage full or unavailable — token still works for this session via memory.
+  }
+}
+
+function removeStorageToken(storage: Storage | null, storageKey: string): void {
+  if (storage === null) {
+    return
+  }
+
+  try {
+    storage.removeItem(storageKey)
+  } catch {
+    // Storage unavailable — ignore.
+  }
+}
+
+function isObjectRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null
+}
+
+function extractAuthorizationHeaderValue(requestAuthHeaderOrHeaders: unknown): string | null {
+  if (typeof requestAuthHeaderOrHeaders === 'string') {
+    return requestAuthHeaderOrHeaders
+  }
+
+  if (!isObjectRecord(requestAuthHeaderOrHeaders)) {
+    return null
+  }
+
+  const maybeGet = requestAuthHeaderOrHeaders.get
+  if (typeof maybeGet === 'function') {
+    const uppercaseValue = maybeGet.call(requestAuthHeaderOrHeaders, 'Authorization')
+    if (typeof uppercaseValue === 'string' && uppercaseValue.length > 0) {
+      return uppercaseValue
+    }
+
+    const lowercaseValue = maybeGet.call(requestAuthHeaderOrHeaders, 'authorization')
+    if (typeof lowercaseValue === 'string' && lowercaseValue.length > 0) {
+      return lowercaseValue
+    }
+  }
+
+  const directUppercase = requestAuthHeaderOrHeaders.Authorization
+  if (typeof directUppercase === 'string' && directUppercase.length > 0) {
+    return directUppercase
+  }
+
+  const directLowercase = requestAuthHeaderOrHeaders.authorization
+  if (typeof directLowercase === 'string' && directLowercase.length > 0) {
+    return directLowercase
+  }
+
+  for (const [key, value] of Object.entries(requestAuthHeaderOrHeaders)) {
+    if (key.toLowerCase() !== 'authorization') {
+      continue
+    }
+
+    if (typeof value === 'string' && value.length > 0) {
+      return value
+    }
+  }
+
+  return null
+}
+
+/**
+ * Extract a token string from various API response shapes.
+ *
+ * Handles:
+ * - `{ token: string }`
+ * - `{ data: { token: string } }`
+ */
+export function extractTokenFromResponse(payload: unknown): string | undefined {
+  if (!payload || typeof payload !== 'object') {
+    return undefined
+  }
+
+  if ('token' in payload) {
+    const token = (payload as { token?: unknown }).token
+    if (typeof token === 'string' && token.length > 0) {
+      return token
+    }
+  }
+
+  if ('data' in payload) {
+    return extractTokenFromResponse((payload as { data?: unknown }).data)
+  }
+
+  return undefined
+}
+
+/** Create a configured token storage instance. */
+export function createTokenStorage(config: TokenStorageConfig = {}): TokenStorage {
+  const storageKey = config.storageKey ?? DEFAULT_STORAGE_KEY
+  const refreshEndpoints = config.refreshEndpoints ?? DEFAULT_REFRESH_ENDPOINTS
+  const anonymousEndpoints = config.anonymousEndpoints ?? DEFAULT_ANONYMOUS_ENDPOINTS
+  const apiBaseUrl = config.apiBaseUrl ?? '/api'
+  const shareSessions = config.shareSessions ?? false
+  const storagePair = resolveStoragePair(shareSessions)
+
+  let inMemoryToken: string | undefined
+  let refreshPromise: Promise<string | null> | null = null
+
+  function readPersistedToken(): string | undefined {
+    const primaryToken = readStorageToken(storagePair.primary, storageKey)
+    const secondaryToken = readStorageToken(storagePair.secondary, storageKey)
+
+    if (secondaryToken !== undefined) {
+      if (primaryToken === undefined) {
+        writeStorageToken(storagePair.primary, storageKey, secondaryToken)
+      }
+
+      removeStorageToken(storagePair.secondary, storageKey)
+    }
+
+    return primaryToken ?? secondaryToken
+  }
+
+  function persistToken(token: string): void {
+    writeStorageToken(storagePair.primary, storageKey, token)
+    removeStorageToken(storagePair.secondary, storageKey)
+  }
+
+  function clearPersistedTokens(): void {
+    removeStorageToken(getBrowserStorage('local'), storageKey)
+    removeStorageToken(getBrowserStorage('session'), storageKey)
+  }
+
+  function syncInMemoryTokenFromStorage(): void {
+    inMemoryToken = readPersistedToken()
+  }
+
+  inMemoryToken = readPersistedToken()
+
+  if (typeof window !== 'undefined') {
+    window.addEventListener('storage', (event: StorageEvent) => {
+      const localStorageRef = getBrowserStorage('local')
+      const sessionStorageRef = getBrowserStorage('session')
+
+      if (
+        event.storageArea &&
+        event.storageArea !== localStorageRef &&
+        event.storageArea !== sessionStorageRef
+      ) {
+        return
+      }
+
+      if (event.key === storageKey) {
+        inMemoryToken = normalizeStoredToken(event.newValue)
+
+        if (inMemoryToken === undefined) {
+          clearPersistedTokens()
+        }
+
+        return
+      }
+
+      if (event.key !== null) {
+        return
+      }
+
+      syncInMemoryTokenFromStorage()
+    })
+  }
+
+  const refreshClient = axios.create({
+    baseURL: apiBaseUrl,
+    timeout: 30000,
+    headers: {
+      'Content-Type': 'application/json',
+      Accept: 'application/json'
+    },
+    withCredentials: false
+  })
+
+  function getToken(): string | null {
+    if (inMemoryToken !== undefined) {
+      return inMemoryToken
+    }
+
+    const persistedToken = readPersistedToken()
+    if (persistedToken !== undefined) {
+      inMemoryToken = persistedToken
+      return persistedToken
+    }
+
+    return null
+  }
+
+  function setToken(token: string): void {
+    inMemoryToken = token
+    persistToken(token)
+  }
+
+  function removeToken(): void {
+    inMemoryToken = undefined
+    clearPersistedTokens()
+  }
+
+  function hasToken(): boolean {
+    return getToken() !== null
+  }
+
+  function shouldSkipAuth(url: string | undefined): boolean {
+    if (!url) {
+      return false
+    }
+
+    return anonymousEndpoints.some((endpoint) => url.includes(endpoint))
+  }
+
+  function isRefreshTokenEndpoint(url: string | undefined): boolean {
+    if (!url) {
+      return false
+    }
+
+    return refreshEndpoints.some((endpoint) => url.includes(endpoint))
+  }
+
+  async function requestTokenRefresh(): Promise<string | null> {
+    const existingToken = getToken()
+    if (!existingToken) {
+      return null
+    }
+
+    for (const endpoint of refreshEndpoints) {
+      try {
+        const response = await refreshClient.post(endpoint, {}, {
+          headers: {
+            Authorization: `Bearer ${existingToken}`
+          }
+        })
+
+        const refreshedToken = extractTokenFromResponse(response.data)
+        if (refreshedToken) {
+          setToken(refreshedToken)
+          return refreshedToken
+        }
+      } catch {
+        // Try the next known refresh endpoint.
+      }
+    }
+
+    const latestPersistedToken = readPersistedToken()
+    if (latestPersistedToken && latestPersistedToken !== existingToken) {
+      inMemoryToken = latestPersistedToken
+      return latestPersistedToken
+    }
+
+    return null
+  }
+
+  async function tryRefreshToken(): Promise<string | null> {
+    if (refreshPromise) {
+      return refreshPromise
+    }
+
+    refreshPromise = requestTokenRefresh()
+
+    try {
+      return await refreshPromise
+    } finally {
+      refreshPromise = null
+    }
+  }
+
+  function wasTokenRotatedSince(requestAuthHeaderOrHeaders: unknown): boolean {
+    const requestAuthHeader = extractAuthorizationHeaderValue(requestAuthHeaderOrHeaders)
+    if (requestAuthHeader === null || !requestAuthHeader.startsWith('Bearer ')) {
+      return false
+    }
+
+    const requestToken = requestAuthHeader.slice(7)
+    const currentToken = getToken()
+
+    return requestToken.length > 0 && currentToken !== null && currentToken !== requestToken
+  }
+
+  return {
+    getToken,
+    setToken,
+    removeToken,
+    hasToken,
+    shouldSkipAuth,
+    isRefreshTokenEndpoint,
+    tryRefreshToken,
+    wasTokenRotatedSince
+  }
+}