@djangocfg/api 2.1.333 → 2.1.334

package/dist/auth-server.mjs

@@ -113,6 +113,9 @@ var _apiKeyOverride = null;
 var _baseUrlOverride = null;
 var _withCredentials = true;
 var _onUnauthorized = null;
+var _refreshHandler = null;
+var _refreshInflight = null;
+var RETRY_MARKER = "X-Auth-Retry";
 var _client = null;
 function pushClientConfig() {
   if (!_client) return;
@@ -191,10 +194,53 @@ var auth = {
     pushClientConfig();
   },
   // ── 401 handler ───────────────────────────────────────────────────
+  /**
+   * Fired when the server returns 401 AND no refresh path recovers it
+   * (no refresh token, no refresh handler, refresh failed, or retry
+   * still 401). The app should clear local state and redirect to login.
+   *
+   * NOT fired for 401 that gets transparently recovered by the refresh
+   * handler — those are invisible to callers.
+   */
   onUnauthorized(cb) {
     _onUnauthorized = cb;
+  },
+  /**
+   * Register the refresh strategy. The handler receives the current
+   * refresh token and must call your refresh endpoint, returning
+   * `{ access, refresh? }` on success or `null` on failure.
+   *
+   * @example
+   *   auth.setRefreshHandler(async (refresh) => {
+   *     const { data } = await Auth.tokenRefreshCreate({ body: { refresh } });
+   *     return data ? { access: data.access, refresh: data.refresh } : null;
+   *   });
+   */
+  setRefreshHandler(fn) {
+    _refreshHandler = fn;
   }
 };
+async function tryRefresh() {
+  if (_refreshInflight) return _refreshInflight;
+  if (!_refreshHandler) return null;
+  const refresh = auth.getRefreshToken();
+  if (!refresh) return null;
+  _refreshInflight = (async () => {
+    try {
+      const result = await _refreshHandler(refresh);
+      if (!result?.access) return null;
+      auth.setToken(result.access);
+      if (result.refresh) auth.setRefreshToken(result.refresh);
+      return result.access;
+    } catch {
+      return null;
+    } finally {
+      _refreshInflight = null;
+    }
+  })();
+  return _refreshInflight;
+}
+__name(tryRefresh, "tryRefresh");
 function installAuthOnClient(client2) {
   if (_client) return;
   _client = client2;
@@ -211,14 +257,48 @@ function installAuthOnClient(client2) {
     if (apiKey) request.headers.set("X-API-Key", apiKey);
     return request;
   });
-  client2.interceptors.response.use((response) => {
-    if (response.status === 401 && _onUnauthorized) {
-      try {
-        _onUnauthorized(response);
-      } catch {
+  client2.interceptors.response.use(async (response, request) => {
+    if (response.status !== 401) return response;
+    if (request.headers.get(RETRY_MARKER)) {
+      if (_onUnauthorized) {
+        try {
+          _onUnauthorized(response);
+        } catch {
+        }
       }
+      return response;
+    }
+    const newToken = await tryRefresh();
+    if (!newToken) {
+      if (_onUnauthorized) {
+        try {
+          _onUnauthorized(response);
+        } catch {
+        }
+      }
+      return response;
+    }
+    const retry = request.clone();
+    retry.headers.set("Authorization", `Bearer ${newToken}`);
+    retry.headers.set(RETRY_MARKER, "1");
+    try {
+      const retried = await fetch(retry);
+      if (retried.status === 401 && _onUnauthorized) {
+        try {
+          _onUnauthorized(retried);
+        } catch {
+        }
+      }
+      return retried;
+    } catch {
+      if (_onUnauthorized) {
+        try {
+          _onUnauthorized(response);
+        } catch {
+        }
+      }
+      return response;
     }
-    return response;
   });
 }
 __name(installAuthOnClient, "installAuthOnClient");
@@ -369,6 +449,15 @@ var API = class {
   setApiKey(key) {
     auth.setApiKey(key);
   }
+  // ── 401 handling ────────────────────────────────────────────────────────
+  /** Fired only on terminal 401 (after refresh+retry path is exhausted). */
+  onUnauthorized(cb) {
+    auth.onUnauthorized(cb);
+  }
+  /** Provide a refresh strategy. See `auth.setRefreshHandler` for the contract. */
+  setRefreshHandler(fn) {
+    auth.setRefreshHandler(fn);
+  }
 };
 
 // src/_api/generated/_cfg_centrifugo/api.ts
@@ -423,6 +512,15 @@ var API2 = class {
   setApiKey(key) {
     auth.setApiKey(key);
   }
+  // ── 401 handling ────────────────────────────────────────────────────────
+  /** Fired only on terminal 401 (after refresh+retry path is exhausted). */
+  onUnauthorized(cb) {
+    auth.onUnauthorized(cb);
+  }
+  /** Provide a refresh strategy. See `auth.setRefreshHandler` for the contract. */
+  setRefreshHandler(fn) {
+    auth.setRefreshHandler(fn);
+  }
 };
 
 // src/_api/generated/_cfg_totp/api.ts
@@ -477,6 +575,15 @@ var API3 = class {
   setApiKey(key) {
     auth.setApiKey(key);
   }
+  // ── 401 handling ────────────────────────────────────────────────────────
+  /** Fired only on terminal 401 (after refresh+retry path is exhausted). */
+  onUnauthorized(cb) {
+    auth.onUnauthorized(cb);
+  }
+  /** Provide a refresh strategy. See `auth.setRefreshHandler` for the contract. */
+  setRefreshHandler(fn) {
+    auth.setRefreshHandler(fn);
+  }
 };
 
 // src/_api/generated/index.ts