@codingfactory/socialkit-vue 0.1.0

package/src/services/auth.ts

@@ -0,0 +1,874 @@
+/**
+ * Configurable auth services and Axios auth-client wiring for
+ * SocialKit-powered frontends.
+ */
+
+import axios, { type AxiosInstance, type AxiosRequestConfig } from 'axios'
+import type { TokenStorage } from '../utils/tokenStorage.js'
+import { extractTokenFromResponse } from '../utils/tokenStorage.js'
+import type { User } from '../types/user.js'
+
+/** Configuration for creating an auth service. */
+export interface AuthServiceConfig {
+  /** Base URL for API requests (e.g. '/api' or 'https://api.example.com/api'). */
+  baseURL: string
+  /** Token storage instance for persisting auth tokens. */
+  tokenStorage: TokenStorage
+  /** Request timeout in milliseconds (default: 30000). */
+  timeout?: number
+}
+
+export interface ExtendedAuthServiceConfig extends AuthServiceConfig {
+  /** Optional existing Axios client to use instead of creating a dedicated one. */
+  client?: AxiosInstance
+  /** Storage key for the client device identifier used by login/2FA endpoints. */
+  deviceIdStorageKey?: string
+  /** Header name used for the device identifier (default: 'X-Device-Id'). */
+  deviceIdHeaderName?: string
+  /** How forgot-password payloads should be derived from user input. */
+  forgotPasswordIdentifierStrategy?: 'email-only' | 'email-or-username'
+}
+
+/** Registration data shape. */
+export interface RegisterData {
+  handle: string
+  name: string
+  email: string
+  password: string
+  password_confirmation: string
+}
+
+/** Password reset data shape. */
+export interface ResetPasswordData {
+  token: string
+  email: string
+  password: string
+  password_confirmation: string
+}
+
+/** Login response shape (user + optional token). */
+export interface LoginResponse {
+  user: User
+  token?: string
+}
+
+export interface AuthenticatedLoginResponse extends LoginResponse {
+  requires_2fa?: false
+  challenge_id?: never
+}
+
+export interface TwoFactorChallengeResponse {
+  requires_2fa: true
+  challenge_id: string
+}
+
+export interface AuthenticatedRegisterResponse extends LoginResponse {
+  requires_verification: false
+}
+
+export interface VerificationRequiredRegisterResponse {
+  requires_verification: true
+}
+
+export type AuthLoginResult = AuthenticatedLoginResponse | TwoFactorChallengeResponse
+export type RegisterResponse = AuthenticatedRegisterResponse | VerificationRequiredRegisterResponse
+
+/** Public auth service interface. */
+export interface AuthServiceInstance {
+  login(loginCredential: string, password: string, remember?: boolean): Promise<LoginResponse>
+  register(data: RegisterData): Promise<LoginResponse>
+  logout(): Promise<void>
+  getUser(): Promise<User>
+  forgotPassword(email: string): Promise<unknown>
+  resetPassword(data: ResetPasswordData): Promise<unknown>
+  hasToken(): boolean
+  clearToken(): void
+}
+
+export interface ExtendedAuthServiceInstance {
+  login(loginCredential: string, password: string, remember?: boolean): Promise<AuthLoginResult>
+  register(data: RegisterData): Promise<RegisterResponse>
+  verify2faChallenge(
+    challengeId: string,
+    code?: string,
+    recoveryCode?: string,
+    rememberDevice?: boolean,
+    rememberSession?: boolean
+  ): Promise<AuthenticatedLoginResponse>
+  logout(): Promise<void>
+  getUser(): Promise<User>
+  forgotPassword(identifier: string): Promise<unknown>
+  resetPassword(data: ResetPasswordData): Promise<unknown>
+  hasToken(): boolean
+  clearToken(): void
+}
+
+interface RetriableRequestConfig extends AxiosRequestConfig {
+  _retry?: boolean
+  _policyRetry?: boolean
+}
+
+interface MissingPolicy {
+  policy_id: string
+  version: number
+}
+
+export interface TokenAuthClientConfig {
+  /** Existing Axios client to configure. Defaults to the shared axios export. */
+  client?: AxiosInstance
+  /** Base URL for API requests. */
+  baseURL: string
+  /** Token storage instance providing auth state and refresh behavior. */
+  tokenStorage: TokenStorage
+  /** Request timeout in milliseconds (default: 30000). */
+  timeout?: number
+  /** Delay before queued auth teardown/redirect executes (default: 1500). */
+  authFailureRedirectDelayMs?: number
+  /** Paths considered auth pages; queued redirects will not re-target them. */
+  authPagePaths?: string[]
+  /** Build the redirect target when auth teardown occurs. */
+  buildLoginRedirectUrl?: () => string
+  /** Called when auth teardown actually executes. */
+  onAuthInvalidated?: () => void
+  /** Called for response errors that should surface globally. */
+  onResponseError?: (error: unknown) => void
+  /** Suppress global error reporting for specific responses. */
+  shouldSuppressResponseError?: (error: unknown) => boolean
+}
+
+export interface ConfiguredTokenAuthClient {
+  client: AxiosInstance
+  setValidatingAuth(value: boolean): void
+}
+
+const DEFAULT_DEVICE_ID_STORAGE_KEY = 'socialkit_device_id'
+const DEFAULT_DEVICE_ID_HEADER_NAME = 'X-Device-Id'
+const DEFAULT_AUTH_FAILURE_REDIRECT_DELAY_MS = 1500
+const DEFAULT_AUTH_PAGE_PATHS = ['/login', '/register']
+const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null
+}
+
+function deriveRole(roles: string[]): 'admin' | 'moderator' | 'user' {
+  if (roles.includes('admin') || roles.includes('super-admin')) {
+    return 'admin'
+  }
+
+  if (roles.includes('moderator')) {
+    return 'moderator'
+  }
+
+  return 'user'
+}
+
+function normalizeUserPayload(raw: Record<string, unknown>): User {
+  const rawRoles = raw.roles
+  const roles = Array.isArray(rawRoles)
+    ? rawRoles.filter((value): value is string => typeof value === 'string')
+    : []
+
+  const id = typeof raw.id === 'string' ? raw.id : ''
+  const name = typeof raw.name === 'string' ? raw.name : ''
+  const email = typeof raw.email === 'string' ? raw.email : ''
+  const avatarValue = isRecord(raw.avatar) ? raw.avatar : null
+  const avatarUrl = typeof avatarValue?.url === 'string' ? avatarValue.url : null
+
+  return {
+    ...raw,
+    id,
+    name,
+    email,
+    role: deriveRole(roles),
+    avatar: avatarValue,
+    avatar_url: avatarUrl
+  }
+}
+
+function createConfiguredClient(baseURL: string, timeout: number, client?: AxiosInstance): AxiosInstance {
+  if (client) {
+    client.defaults.baseURL = baseURL
+    client.defaults.timeout = timeout
+    client.defaults.headers.common.Accept = 'application/json'
+    client.defaults.headers.common['Content-Type'] = 'application/json'
+    client.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest'
+    client.defaults.withCredentials = false
+    return client
+  }
+
+  return axios.create({
+    baseURL,
+    timeout,
+    headers: {
+      Accept: 'application/json',
+      'Content-Type': 'application/json',
+      'X-Requested-With': 'XMLHttpRequest'
+    },
+    withCredentials: false
+  })
+}
+
+function isUuid(value: string): boolean {
+  return UUID_PATTERN.test(value)
+}
+
+function generateDeviceIdWithCrypto(): string {
+  const bytes = new Uint8Array(16)
+  globalThis.crypto.getRandomValues(bytes)
+
+  const byteSix = bytes[6] ?? 0
+  const byteEight = bytes[8] ?? 0
+  bytes[6] = (byteSix & 0x0f) | 0x40
+  bytes[8] = (byteEight & 0x3f) | 0x80
+
+  const hex = [...bytes].map((byte) => byte.toString(16).padStart(2, '0')).join('')
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`
+}
+
+function generateDeviceId(): string {
+  if (typeof globalThis.crypto?.randomUUID === 'function') {
+    return globalThis.crypto.randomUUID().toLowerCase()
+  }
+
+  if (typeof globalThis.crypto?.getRandomValues === 'function') {
+    return generateDeviceIdWithCrypto()
+  }
+
+  return `${Date.now().toString(16).padStart(12, '0')}-fallback-device-id`
+}
+
+function createDeviceIdentifierHeadersProvider(
+  storageKey = DEFAULT_DEVICE_ID_STORAGE_KEY,
+  headerName = DEFAULT_DEVICE_ID_HEADER_NAME
+): () => Record<string, string> {
+  let cachedDeviceId: string | null = null
+
+  function getStoredDeviceId(): string | null {
+    try {
+      const storedValue = localStorage.getItem(storageKey)
+      if (storedValue && isUuid(storedValue)) {
+        return storedValue.toLowerCase()
+      }
+    } catch {
+      return null
+    }
+
+    return null
+  }
+
+  function persistDeviceId(deviceId: string): void {
+    try {
+      localStorage.setItem(storageKey, deviceId)
+    } catch {
+      // Ignore storage failures; request-level usage still works for this session.
+    }
+  }
+
+  function getOrCreateDeviceId(): string {
+    if (cachedDeviceId && isUuid(cachedDeviceId)) {
+      return cachedDeviceId
+    }
+
+    const storedDeviceId = getStoredDeviceId()
+    if (storedDeviceId) {
+      cachedDeviceId = storedDeviceId
+      return storedDeviceId
+    }
+
+    const generatedDeviceId = generateDeviceId()
+    if (!isUuid(generatedDeviceId)) {
+      return ''
+    }
+
+    const normalizedDeviceId = generatedDeviceId.toLowerCase()
+    cachedDeviceId = normalizedDeviceId
+    persistDeviceId(normalizedDeviceId)
+    return normalizedDeviceId
+  }
+
+  return (): Record<string, string> => {
+    const deviceId = getOrCreateDeviceId()
+    if (deviceId === '') {
+      return {}
+    }
+
+    return {
+      [headerName]: deviceId
+    }
+  }
+}
+
+function buildForgotPasswordPayload(
+  identifier: string,
+  strategy: 'email-only' | 'email-or-username'
+): Record<string, string> {
+  if (strategy === 'email-only') {
+    return { email: identifier.trim() }
+  }
+
+  const trimmedIdentifier = identifier.trim()
+  const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/
+
+  if (emailPattern.test(trimmedIdentifier)) {
+    return { email: trimmedIdentifier }
+  }
+
+  return { username: trimmedIdentifier.replace(/^@+/, '') }
+}
+
+function withAuthorizationHeader(config: RetriableRequestConfig, token: string): RetriableRequestConfig {
+  return {
+    ...config,
+    headers: {
+      ...(config.headers as Record<string, string> | undefined),
+      Authorization: `Bearer ${token}`
+    }
+  }
+}
+
+function parseMissingPolicies(payload: unknown): MissingPolicy[] {
+  if (!isRecord(payload)) {
+    return []
+  }
+
+  const errors = payload.errors
+  if (!isRecord(errors)) {
+    return []
+  }
+
+  const missing = errors.missing
+  if (!Array.isArray(missing)) {
+    return []
+  }
+
+  const parsed: MissingPolicy[] = []
+
+  for (const item of missing) {
+    if (!isRecord(item)) {
+      continue
+    }
+
+    const policyId = item.policy_id
+    const version = item.version
+    if (typeof policyId !== 'string') {
+      continue
+    }
+
+    const parsedVersion = typeof version === 'number'
+      ? version
+      : typeof version === 'string'
+        ? Number.parseInt(version, 10)
+        : Number.NaN
+
+    if (!Number.isInteger(parsedVersion)) {
+      continue
+    }
+
+    parsed.push({
+      policy_id: policyId,
+      version: parsedVersion
+    })
+  }
+
+  return parsed
+}
+
+function dedupeMissingPolicies(policies: MissingPolicy[]): MissingPolicy[] {
+  const deduped = new Map<string, MissingPolicy>()
+
+  for (const policy of policies) {
+    const existing = deduped.get(policy.policy_id)
+    if (!existing || policy.version > existing.version) {
+      deduped.set(policy.policy_id, policy)
+    }
+  }
+
+  return [...deduped.values()]
+}
+
+function isPoliciesPendingErrorPayload(payload: unknown): boolean {
+  return isRecord(payload) && payload.code === 'POLICIES_PENDING'
+}
+
+function isPolicyAcceptRequest(url: unknown): boolean {
+  return typeof url === 'string' && url.includes('/v1/policy/accept')
+}
+
+/**
+ * Create a configured auth service instance.
+ *
+ * This is the conservative base service used by shared auth-store code.
+ */
+export function createAuthService(config: AuthServiceConfig): AuthServiceInstance {
+  const {
+    baseURL,
+    tokenStorage,
+    timeout = 30000
+  } = config
+
+  const client = createConfiguredClient(baseURL, timeout)
+
+  client.interceptors.request.use((reqConfig) => {
+    const url = reqConfig.url ?? ''
+
+    if (tokenStorage.shouldSkipAuth(url)) {
+      return reqConfig
+    }
+
+    const token = tokenStorage.getToken()
+    if (token) {
+      reqConfig.headers.Authorization = `Bearer ${token}`
+    }
+
+    return reqConfig
+  })
+
+  return {
+    async login(loginCredential: string, password: string, remember = false): Promise<LoginResponse> {
+      const response = await client.post('/v1/auth/login', {
+        login: loginCredential,
+        password,
+        remember
+      })
+
+      const responseData = response.data
+      const token = extractTokenFromResponse(responseData)
+
+      if (token) {
+        tokenStorage.setToken(token)
+      }
+
+      return responseData.data ?? responseData
+    },
+
+    async register(data: RegisterData): Promise<LoginResponse> {
+      const response = await client.post('/v1/auth/register', data)
+
+      const responseData = response.data
+      const token = extractTokenFromResponse(responseData)
+
+      if (token) {
+        tokenStorage.setToken(token)
+      }
+
+      return responseData.data ?? responseData
+    },
+
+    async logout(): Promise<void> {
+      try {
+        await client.post('/v1/auth/logout')
+      } catch {
+        // Even if the API call fails, we clear local state.
+      } finally {
+        tokenStorage.removeToken()
+      }
+    },
+
+    async getUser(): Promise<User> {
+      const response = await client.get('/v1/me', {
+        params: { _t: Date.now() },
+        headers: { 'Cache-Control': 'no-cache', Pragma: 'no-cache' }
+      })
+
+      const rawPayload = isRecord(response.data?.data)
+        ? response.data.data
+        : isRecord(response.data)
+          ? response.data
+          : {}
+
+      return normalizeUserPayload(rawPayload)
+    },
+
+    async forgotPassword(email: string): Promise<unknown> {
+      const response = await client.post('/v1/auth/forgot-password', { email })
+      return response.data
+    },
+
+    async resetPassword(data: ResetPasswordData): Promise<unknown> {
+      const response = await client.post('/v1/auth/reset-password', data)
+
+      const token = extractTokenFromResponse(response.data)
+      if (token) {
+        tokenStorage.setToken(token)
+      }
+
+      return response.data
+    },
+
+    hasToken(): boolean {
+      return tokenStorage.hasToken()
+    },
+
+    clearToken(): void {
+      tokenStorage.removeToken()
+    }
+  }
+}
+
+/**
+ * Create a richer auth workflow service for apps that use 2FA and device-id
+ * headers during login/verification flows.
+ */
+export function createExtendedAuthService(config: ExtendedAuthServiceConfig): ExtendedAuthServiceInstance {
+  const {
+    baseURL,
+    tokenStorage,
+    timeout = 30000,
+    client,
+    deviceIdStorageKey = DEFAULT_DEVICE_ID_STORAGE_KEY,
+    deviceIdHeaderName = DEFAULT_DEVICE_ID_HEADER_NAME,
+    forgotPasswordIdentifierStrategy = 'email-or-username'
+  } = config
+
+  const authClient = createConfiguredClient(baseURL, timeout, client)
+  const getDeviceIdentifierHeaders = createDeviceIdentifierHeadersProvider(
+    deviceIdStorageKey,
+    deviceIdHeaderName
+  )
+
+  return {
+    async login(loginCredential: string, password: string, remember = false): Promise<AuthLoginResult> {
+      const response = await authClient.post('/v1/auth/login', {
+        login: loginCredential,
+        password,
+        remember
+      }, {
+        headers: getDeviceIdentifierHeaders()
+      })
+
+      const responseData = response.data
+      const inner = responseData.data ?? responseData
+
+      if (inner.requires_2fa === true && typeof inner.challenge_id === 'string') {
+        return {
+          requires_2fa: true,
+          challenge_id: inner.challenge_id
+        }
+      }
+
+      const token = extractTokenFromResponse(responseData)
+      if (token) {
+        tokenStorage.setToken(token)
+      }
+
+      return inner as AuthenticatedLoginResponse
+    },
+
+    async register(data: RegisterData): Promise<RegisterResponse> {
+      const response = await authClient.post('/v1/auth/register', data)
+      const responseData = response.data
+      const token = extractTokenFromResponse(responseData)
+
+      if (token) {
+        tokenStorage.setToken(token)
+      }
+
+      const result = responseData.data ?? responseData
+
+      if (!token) {
+        return {
+          requires_verification: true
+        }
+      }
+
+      return {
+        ...result,
+        requires_verification: false
+      } as AuthenticatedRegisterResponse
+    },
+
+    async verify2faChallenge(
+      challengeId: string,
+      code?: string,
+      recoveryCode?: string,
+      rememberDevice = false,
+      rememberSession = false
+    ): Promise<AuthenticatedLoginResponse> {
+      const payload: Record<string, unknown> = {
+        challenge_id: challengeId,
+        remember_session: rememberSession
+      }
+
+      if (code) {
+        payload.code = code
+      }
+
+      if (recoveryCode) {
+        payload.recovery_code = recoveryCode
+      }
+
+      if (rememberDevice) {
+        payload.remember_device = true
+      }
+
+      const response = await authClient.post('/v1/auth/2fa/verify', payload, {
+        headers: getDeviceIdentifierHeaders()
+      })
+      const responseData = response.data
+      const token = extractTokenFromResponse(responseData)
+
+      if (token) {
+        tokenStorage.setToken(token)
+      }
+
+      return (responseData.data ?? responseData) as AuthenticatedLoginResponse
+    },
+
+    async logout(): Promise<void> {
+      try {
+        await authClient.post('/v1/auth/logout')
+      } catch {
+        // Even if the API call fails, we clear local state.
+      } finally {
+        tokenStorage.removeToken()
+      }
+    },
+
+    async getUser(): Promise<User> {
+      const response = await authClient.get('/v1/me', {
+        params: { _t: Date.now() },
+        headers: { 'Cache-Control': 'no-cache', Pragma: 'no-cache' }
+      })
+
+      const rawPayload = isRecord(response.data?.data)
+        ? response.data.data
+        : isRecord(response.data)
+          ? response.data
+          : {}
+
+      return normalizeUserPayload(rawPayload)
+    },
+
+    async forgotPassword(identifier: string): Promise<unknown> {
+      const response = await authClient.post(
+        '/v1/auth/forgot-password',
+        buildForgotPasswordPayload(identifier, forgotPasswordIdentifierStrategy)
+      )
+
+      return response.data
+    },
+
+    async resetPassword(data: ResetPasswordData): Promise<unknown> {
+      const response = await authClient.post('/v1/auth/reset-password', data)
+
+      const token = extractTokenFromResponse(response.data)
+      if (token) {
+        tokenStorage.setToken(token)
+      }
+
+      return response.data
+    },
+
+    hasToken(): boolean {
+      return tokenStorage.hasToken()
+    },
+
+    clearToken(): void {
+      tokenStorage.removeToken()
+    }
+  }
+}
+
+/**
+ * Configure a shared Axios client with generic token-auth request/response
+ * interceptors while preserving the raw Axios surface for host apps.
+ */
+export function configureTokenAuthClient(config: TokenAuthClientConfig): ConfiguredTokenAuthClient {
+  const {
+    client = axios,
+    baseURL,
+    tokenStorage,
+    timeout = 30000,
+    authFailureRedirectDelayMs = DEFAULT_AUTH_FAILURE_REDIRECT_DELAY_MS,
+    authPagePaths = DEFAULT_AUTH_PAGE_PATHS,
+    buildLoginRedirectUrl,
+    onAuthInvalidated,
+    onResponseError,
+    shouldSuppressResponseError
+  } = config
+
+  client.defaults.baseURL = baseURL
+  client.defaults.timeout = timeout
+  client.defaults.headers.common.Accept = 'application/json'
+  client.defaults.headers.common['Content-Type'] = 'application/json'
+  client.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest'
+  client.defaults.withCredentials = false
+
+  let isValidatingAuth = false
+  let authFailureRedirectTimeoutId: number | null = null
+  let authFailureQueuedToken: string | null = null
+  let policyAcceptancePromise: Promise<boolean> | null = null
+
+  function cancelQueuedAuthFailureRedirect(): void {
+    if (authFailureRedirectTimeoutId === null) {
+      return
+    }
+
+    window.clearTimeout(authFailureRedirectTimeoutId)
+    authFailureRedirectTimeoutId = null
+    authFailureQueuedToken = null
+  }
+
+  function queueAuthFailureRedirect(): void {
+    if (authFailureRedirectTimeoutId !== null) {
+      return
+    }
+
+    authFailureQueuedToken = tokenStorage.getToken()
+
+    authFailureRedirectTimeoutId = window.setTimeout(() => {
+      authFailureRedirectTimeoutId = null
+      const queuedToken = authFailureQueuedToken
+      authFailureQueuedToken = null
+      const currentToken = tokenStorage.getToken()
+
+      if (
+        queuedToken !== null &&
+        currentToken !== null &&
+        currentToken !== queuedToken
+      ) {
+        return
+      }
+
+      onAuthInvalidated?.()
+      tokenStorage.removeToken()
+
+      const currentPath = window.location.pathname
+      if (authPagePaths.includes(currentPath)) {
+        return
+      }
+
+      const redirectUrl = buildLoginRedirectUrl?.() ?? '/login'
+      window.location.assign(redirectUrl)
+    }, authFailureRedirectDelayMs)
+  }
+
+  async function acceptMissingPolicies(missingPolicies: MissingPolicy[]): Promise<boolean> {
+    const policiesToAccept = dedupeMissingPolicies(missingPolicies)
+    if (policiesToAccept.length === 0) {
+      return false
+    }
+
+    if (policyAcceptancePromise) {
+      return policyAcceptancePromise
+    }
+
+    policyAcceptancePromise = (async () => {
+      try {
+        for (const policy of policiesToAccept) {
+          await client.post('/v1/policy/accept', {
+            policy_id: policy.policy_id,
+            version: policy.version
+          })
+        }
+
+        return true
+      } catch {
+        return false
+      } finally {
+        policyAcceptancePromise = null
+      }
+    })()
+
+    return policyAcceptancePromise
+  }
+
+  client.interceptors.request.use((reqConfig) => {
+    const url = reqConfig.url ?? ''
+
+    if (tokenStorage.shouldSkipAuth(url)) {
+      return reqConfig
+    }
+
+    const token = tokenStorage.getToken()
+    if (token) {
+      reqConfig.headers.Authorization = `Bearer ${token}`
+    }
+
+    if (typeof FormData !== 'undefined' && reqConfig.data instanceof FormData) {
+      delete reqConfig.headers['Content-Type']
+      delete reqConfig.headers['content-type']
+    }
+
+    return reqConfig
+  })
+
+  client.interceptors.response.use(
+    (response) => {
+      cancelQueuedAuthFailureRedirect()
+      return response
+    },
+    async (error) => {
+      if (error.response?.status === 428) {
+        const originalRequest = error.config as RetriableRequestConfig | undefined
+        const requestUrl = originalRequest?.url
+        const responsePayload = error.response?.data
+        const missingPolicies = parseMissingPolicies(responsePayload)
+        const canAttemptPolicyAcceptance = Boolean(
+          originalRequest &&
+          !originalRequest._policyRetry &&
+          !isPolicyAcceptRequest(requestUrl) &&
+          isPoliciesPendingErrorPayload(responsePayload) &&
+          missingPolicies.length > 0
+        )
+
+        if (canAttemptPolicyAcceptance && originalRequest) {
+          originalRequest._policyRetry = true
+          const accepted = await acceptMissingPolicies(missingPolicies)
+
+          if (accepted) {
+            return client(originalRequest)
+          }
+        }
+      }
+
+      if (error.response?.status === 401) {
+        const originalRequest = error.config as RetriableRequestConfig | undefined
+        const requestUrl = originalRequest?.url
+        const canAttemptRefresh = Boolean(
+          originalRequest &&
+          !originalRequest._retry &&
+          !tokenStorage.shouldSkipAuth(requestUrl) &&
+          !tokenStorage.isRefreshTokenEndpoint(requestUrl)
+        )
+
+        if (canAttemptRefresh && originalRequest) {
+          originalRequest._retry = true
+          const refreshedToken = await tokenStorage.tryRefreshToken()
+
+          if (refreshedToken) {
+            cancelQueuedAuthFailureRedirect()
+            const retryConfig = withAuthorizationHeader(originalRequest, refreshedToken)
+            return client(retryConfig)
+          }
+        }
+
+        if (tokenStorage.wasTokenRotatedSince(originalRequest?.headers)) {
+          if (!shouldSuppressResponseError?.(error)) {
+            onResponseError?.(error)
+          }
+
+          return Promise.reject(error)
+        }
+
+        if (!isValidatingAuth) {
+          queueAuthFailureRedirect()
+        }
+      }
+
+      if (!shouldSuppressResponseError?.(error)) {
+        onResponseError?.(error)
+      }
+
+      return Promise.reject(error)
+    }
+  )
+
+  return {
+    client,
+    setValidatingAuth(value: boolean): void {
+      isValidatingAuth = value
+    }
+  }
+}