npm - @douvery/auth - Versions diffs - 0.3.3 → 0.4.0 - Mend

@douvery/auth 0.3.3 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/session/index.js ADDED Viewed

@@ -0,0 +1,311 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+// src/session/utils.ts
+var DEFAULT_FALLBACK_CACHE_TTL_MS = 3e4;
+var DEFAULT_FETCH_TIMEOUT_MS = 3e3;
+function computeHmac(message, secret) {
+  const { createHmac } = __require("crypto");
+  return createHmac("sha256", secret).update(message).digest("hex");
+}
+function parseJwtExp(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return void 0;
+    const payload = JSON.parse(
+      atob(parts[1].replace(/-/g, "+").replace(/_/g, "/"))
+    );
+    return typeof payload.exp === "number" ? payload.exp : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function computeCacheTTL(jwtExp, serverExpiresIn, fallbackTtlMs = DEFAULT_FALLBACK_CACHE_TTL_MS) {
+  if (serverExpiresIn && serverExpiresIn > 0) {
+    return Math.min(Math.max(serverExpiresIn * 0.9 * 1e3, 5e3), 3e5);
+  }
+  if (jwtExp) {
+    const remainingMs = jwtExp * 1e3 - Date.now();
+    if (remainingMs > 0) {
+      return Math.min(Math.max(remainingMs * 0.9, 5e3), 3e5);
+    }
+  }
+  return fallbackTtlMs;
+}
+async function fetchWithTimeout(url, options, timeoutMs = DEFAULT_FETCH_TIMEOUT_MS) {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...options, signal: controller.signal });
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+// src/session/resolver.ts
+var DEFAULTS = {
+  cookieMaxAge: 30 * 24 * 60 * 60,
+  // 30 days in seconds
+  secureCookies: true,
+  fetchTimeoutMs: 3e3,
+  refreshTimeoutMs: 8e3,
+  fallbackCacheTtlMs: 3e4,
+  debug: false
+};
+var NOOP_LOGGER = {
+  debug() {
+  },
+  warn() {
+  },
+  error() {
+  }
+};
+var CONSOLE_LOGGER = {
+  debug: (...args) => console.log("[Session]", ...args),
+  warn: (...args) => console.warn("[Session]", ...args),
+  error: (...args) => console.error("[Session]", ...args)
+};
+function createSessionResolver(config) {
+  const cfg = { ...DEFAULTS, ...config };
+  const log = cfg.logger ?? (cfg.debug ? CONSOLE_LOGGER : NOOP_LOGGER);
+  if (!cfg.sessionApiUrl) {
+    throw new Error(
+      "[Session] sessionApiUrl is required. Provide the auth server session API URL."
+    );
+  }
+  if (!cfg.cookieName) {
+    throw new Error(
+      "[Session] cookieName is required. Provide the cookie name for the session ID."
+    );
+  }
+  const tokenCache = /* @__PURE__ */ new WeakMap();
+  const pendingResolutions = /* @__PURE__ */ new WeakMap();
+  const pendingRefreshBySession = /* @__PURE__ */ new Map();
+  function getSessionId(cookies) {
+    return cookies.get(cfg.cookieName);
+  }
+  function hasSession(cookies) {
+    return !!getSessionId(cookies);
+  }
+  function setSessionCookie(sessionId, cookies) {
+    cookies.set(cfg.cookieName, sessionId, {
+      path: "/",
+      httpOnly: true,
+      secure: cfg.secureCookies,
+      sameSite: "lax",
+      maxAge: cfg.cookieMaxAge
+    });
+  }
+  function clearSessionCookie(cookies) {
+    cookies.set(cfg.cookieName, "", {
+      path: "/",
+      httpOnly: true,
+      secure: cfg.secureCookies,
+      sameSite: "lax",
+      maxAge: 0
+    });
+    tokenCache.delete(cookies);
+  }
+  function buildHeaders() {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (cfg.internalServiceName && cfg.internalServiceSecret) {
+      const timestamp = String(Date.now());
+      const message = `${timestamp}:${cfg.internalServiceName}`;
+      headers["X-Douvery-Internal-Service"] = cfg.internalServiceName;
+      headers["X-Douvery-Internal-Timestamp"] = timestamp;
+      headers["X-Douvery-Internal-Signature"] = computeHmac(
+        message,
+        cfg.internalServiceSecret
+      );
+    } else if (cfg.clientId && cfg.clientSecret) {
+      headers["X-Client-Id"] = cfg.clientId;
+      headers["X-Client-Secret"] = cfg.clientSecret;
+    }
+    return headers;
+  }
+  async function resolveSessionToken(sessionId, cookies) {
+    try {
+      const response = await fetchWithTimeout(
+        `${cfg.sessionApiUrl}/token`,
+        {
+          method: "POST",
+          headers: buildHeaders(),
+          body: JSON.stringify({ session_id: sessionId })
+        },
+        cfg.fetchTimeoutMs
+      );
+      if (!response.ok) {
+        if (response.status === 401 || response.status === 404) {
+          log.warn("Session expired or not found:", response.status);
+          clearSessionCookie(cookies);
+          return void 0;
+        }
+        const errorText = await response.text().catch(() => "");
+        log.error("Token resolution failed:", response.status, errorText);
+        return void 0;
+      }
+      const data = await response.json();
+      if (data.access_token) {
+        const jwtExp = parseJwtExp(data.access_token);
+        const ttl = computeCacheTTL(
+          jwtExp,
+          data.expires_in,
+          cfg.fallbackCacheTtlMs
+        );
+        tokenCache.set(cookies, {
+          token: data.access_token,
+          expiresAt: Date.now() + ttl,
+          jwtExp
+        });
+        return data.access_token;
+      }
+      return void 0;
+    } catch (error) {
+      if (error instanceof DOMException && error.name === "AbortError") {
+        log.error("Token resolution timed out after", cfg.fetchTimeoutMs, "ms");
+        return void 0;
+      }
+      log.error("Network error resolving token:", error);
+      return void 0;
+    }
+  }
+  async function getAccessToken(cookies) {
+    const cached = tokenCache.get(cookies);
+    if (cached && cached.expiresAt > Date.now()) {
+      return cached.token;
+    }
+    const pending = pendingResolutions.get(cookies);
+    if (pending) {
+      return pending;
+    }
+    const sessionId = getSessionId(cookies);
+    if (!sessionId) {
+      return void 0;
+    }
+    const resolution = resolveSessionToken(sessionId, cookies);
+    pendingResolutions.set(cookies, resolution);
+    try {
+      const token = await resolution;
+      if (!token) {
+        return void 0;
+      }
+      if (cfg.debug) {
+        const exp = parseJwtExp(token);
+        if (exp && exp * 1e3 <= Date.now()) {
+          log.debug("Resolved JWT is expired \u2014 caller should handle refresh");
+        }
+      }
+      return token;
+    } finally {
+      pendingResolutions.delete(cookies);
+    }
+  }
+  function getAccessTokenSync(cookies) {
+    const cached = tokenCache.get(cookies);
+    if (cached && cached.expiresAt > Date.now()) {
+      return cached.token;
+    }
+    return void 0;
+  }
+  async function _doRefreshSession(cookies, sessionId) {
+    try {
+      const response = await fetchWithTimeout(
+        `${cfg.sessionApiUrl}/refresh`,
+        {
+          method: "POST",
+          headers: buildHeaders(),
+          body: JSON.stringify({ session_id: sessionId })
+        },
+        cfg.refreshTimeoutMs
+      );
+      if (!response.ok) {
+        if (response.status === 401 || response.status === 404) {
+          log.warn("Session expired during refresh:", response.status);
+          clearSessionCookie(cookies);
+          return "definitive_failure";
+        }
+        if (cfg.debug) {
+          const errorText = await response.text().catch(() => "");
+          log.warn("Refresh returned", response.status, errorText);
+        }
+        return "transient_failure";
+      }
+      tokenCache.delete(cookies);
+      log.debug("Tokens refreshed successfully via session");
+      return "success";
+    } catch (error) {
+      if (error instanceof DOMException && error.name === "AbortError") {
+        log.error(
+          "Refresh request timed out after",
+          cfg.refreshTimeoutMs,
+          "ms"
+        );
+        return "transient_failure";
+      }
+      log.error("Error refreshing session:", error);
+      return "transient_failure";
+    }
+  }
+  async function refreshSession(cookies) {
+    const sessionId = getSessionId(cookies);
+    if (!sessionId) {
+      return "definitive_failure";
+    }
+    const pendingRefresh = pendingRefreshBySession.get(sessionId);
+    if (pendingRefresh) {
+      log.debug("Refresh already in progress for session, joining...");
+      const result = await pendingRefresh;
+      if (result === "success") {
+        tokenCache.delete(cookies);
+      }
+      return result;
+    }
+    const refreshPromise = _doRefreshSession(cookies, sessionId);
+    pendingRefreshBySession.set(sessionId, refreshPromise);
+    try {
+      return await refreshPromise;
+    } finally {
+      pendingRefreshBySession.delete(sessionId);
+    }
+  }
+  async function destroySession(cookies) {
+    const sessionId = getSessionId(cookies);
+    if (sessionId) {
+      try {
+        await fetchWithTimeout(
+          `${cfg.sessionApiUrl}/destroy`,
+          {
+            method: "POST",
+            headers: buildHeaders(),
+            body: JSON.stringify({ session_id: sessionId })
+          },
+          cfg.fetchTimeoutMs
+        );
+        log.debug("Session destroyed on auth server");
+      } catch (error) {
+        log.error("Error destroying session:", error);
+      }
+    }
+    clearSessionCookie(cookies);
+  }
+  return {
+    getAccessToken,
+    getAccessTokenSync,
+    refreshSession,
+    destroySession,
+    setSessionCookie,
+    getSessionId,
+    hasSession,
+    clearSessionCookie
+  };
+}
+export { computeCacheTTL, createSessionResolver, fetchWithTimeout, parseJwtExp };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/session/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/session/utils.ts","../../src/session/resolver.ts"],"names":[],"mappings":";;;;;;;;AAMA,IAAM,6BAAA,GAAgC,GAAA;AAGtC,IAAM,wBAAA,GAA2B,GAAA;AAS1B,SAAS,WAAA,CAAY,SAAiB,MAAA,EAAwB;AAEnE,EAAA,MAAM,EAAE,UAAA,EAAW,GAAI,SAAA,CAAQ,QAAQ,CAAA;AACvC,EAAA,OAAO,UAAA,CAAW,UAAU,MAAM,CAAA,CAAE,OAAO,OAAO,CAAA,CAAE,OAAO,KAAK,CAAA;AAClE;AASO,SAAS,YAAY,KAAA,EAAmC;AAC7D,EAAA,IAAI;AACF,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA;AAC7B,IAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA,CAAA;AAE/B,IAAA,MAAM,UAAU,IAAA,CAAK,KAAA;AAAA,MACnB,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC;AAAA,KACrD;AACA,IAAA,OAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,GAAW,QAAQ,GAAA,GAAM,KAAA,CAAA;AAAA,EACzD,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AAaO,SAAS,eAAA,CACd,MAAA,EACA,eAAA,EACA,aAAA,GAAwB,6BAAA,EAChB;AACR,EAAA,IAAI,eAAA,IAAmB,kBAAkB,CAAA,EAAG;AAE1C,IAAA,OAAO,IAAA,CAAK,IAAI,IAAA,CAAK,GAAA,CAAI,kBAAkB,GAAA,GAAM,GAAA,EAAM,GAAK,CAAA,EAAG,GAAO,CAAA;AAAA,EACxE;AAEA,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,MAAM,WAAA,GAAc,MAAA,GAAS,GAAA,GAAO,IAAA,CAAK,GAAA,EAAI;AAC7C,IAAA,IAAI,cAAc,CAAA,EAAG;AACnB,MAAA,OAAO,IAAA,CAAK,IAAI,IAAA,CAAK,GAAA,CAAI,cAAc,GAAA,EAAK,GAAK,GAAG,GAAO,CAAA;AAAA,IAC7D;AAAA,EACF;AAEA,EAAA,OAAO,aAAA;AACT;AAWA,eAAsB,gBAAA,CACpB,GAAA,EACA,OAAA,EACA,SAAA,GAAoB,wBAAA,EACD;AACnB,EAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,EAAA,MAAM,YAAY,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,SAAS,CAAA;AAEhE,EAAA,IAAI;AACF,IAAA,OAAO,MAAM,MAAM,GAAA,EAAK,EAAE,GAAG,OAAA,EAAS,MAAA,EAAQ,UAAA,CAAW,MAAA,EAAQ,CAAA;AAAA,EACnE,CAAA,SAAE;AACA,IAAA,YAAA,CAAa,SAAS,CAAA;AAAA,EACxB;AACF;;;ACtDA,IAAM,QAAA,GAAW;AAAA,EACf,YAAA,EAAc,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,EAAA;AAAA;AAAA,EAC7B,aAAA,EAAe,IAAA;AAAA,EACf,cAAA,EAAgB,GAAA;AAAA,EAChB,gBAAA,EAAkB,GAAA;AAAA,EAClB,kBAAA,EAAoB,GAAA;AAAA,EACpB,KAAA,EAAO;AACT,CAAA;AAGA,IAAM,WAAA,GAA6B;AAAA,EACjC,KAAA,GAAQ;AAAA,EAAC,CAAA;AAAA,EACT,IAAA,GAAO;AAAA,EAAC,CAAA;AAAA,EACR,KAAA,GAAQ;AAAA,EAAC;AACX,CAAA;AAGA,IAAM,cAAA,GAAgC;AAAA,EACpC,OAAO,CAAA,GAAI,IAAA,KAAS,QAAQ,GAAA,CAAI,WAAA,EAAa,GAAG,IAAI,CAAA;AAAA,EACpD,MAAM,CAAA,GAAI,IAAA,KAAS,QAAQ,IAAA,CAAK,WAAA,EAAa,GAAG,IAAI,CAAA;AAAA,EACpD,OAAO,CAAA,GAAI,IAAA,KAAS,QAAQ,KAAA,CAAM,WAAA,EAAa,GAAG,IAAI;AACxD,CAAA;AA2CO,SAAS,sBACd,MAAA,EACiB;AAEjB,EAAA,MAAM,GAAA,GAAM,EAAE,GAAG,QAAA,EAAU,GAAG,MAAA,EAAO;AAGrC,EAAA,MAAM,GAAA,GACJ,GAAA,CAAI,MAAA,KAAW,GAAA,CAAI,QAAQ,cAAA,GAAiB,WAAA,CAAA;AAG9C,EAAA,IAAI,CAAC,IAAI,aAAA,EAAe;AACtB,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KAEF;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,IAAI,UAAA,EAAY;AACnB,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KAEF;AAAA,EACF;AAWA,EAAA,MAAM,UAAA,uBAAiB,OAAA,EAAmC;AAM1D,EAAA,MAAM,kBAAA,uBAAyB,OAAA,EAG7B;AAaF,EAAA,MAAM,uBAAA,uBAA8B,GAAA,EAAoC;AAMxE,EAAA,SAAS,aAAa,OAAA,EAA4C;AAChE,IAAA,OAAO,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,UAAU,CAAA;AAAA,EACnC;AAEA,EAAA,SAAS,WAAW,OAAA,EAAiC;AACnD,IAAA,OAAO,CAAC,CAAC,YAAA,CAAa,OAAO,CAAA;AAAA,EAC/B;AAEA,EAAA,SAAS,gBAAA,CAAiB,WAAmB,OAAA,EAA8B;AACzE,IAAA,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,UAAA,EAAY,SAAA,EAAW;AAAA,MACrC,IAAA,EAAM,GAAA;AAAA,MACN,QAAA,EAAU,IAAA;AAAA,MACV,QAAQ,GAAA,CAAI,aAAA;AAAA,MACZ,QAAA,EAAU,KAAA;AAAA,MACV,QAAQ,GAAA,CAAI;AAAA,KACb,CAAA;AAAA,EACH;AAEA,EAAA,SAAS,mBAAmB,OAAA,EAA8B;AACxD,IAAA,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,UAAA,EAAY,EAAA,EAAI;AAAA,MAC9B,IAAA,EAAM,GAAA;AAAA,MACN,QAAA,EAAU,IAAA;AAAA,MACV,QAAQ,GAAA,CAAI,aAAA;AAAA,MACZ,QAAA,EAAU,KAAA;AAAA,MACV,MAAA,EAAQ;AAAA,KACT,CAAA;AACD,IAAA,UAAA,CAAW,OAAO,OAAO,CAAA;AAAA,EAC3B;AAMA,EAAA,SAAS,YAAA,GAAuC;AAC9C,IAAA,MAAM,OAAA,GAAkC;AAAA,MACtC,cAAA,EAAgB;AAAA,KAClB;AAGA,IAAA,IAAI,GAAA,CAAI,mBAAA,IAAuB,GAAA,CAAI,qBAAA,EAAuB;AACxD,MAAA,MAAM,SAAA,GAAY,MAAA,CAAO,IAAA,CAAK,GAAA,EAAK,CAAA;AACnC,MAAA,MAAM,OAAA,GAAU,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,IAAI,mBAAmB,CAAA,CAAA;AACvD,MAAA,OAAA,CAAQ,4BAA4B,IAAI,GAAA,CAAI,mBAAA;AAC5C,MAAA,OAAA,CAAQ,8BAA8B,CAAA,GAAI,SAAA;AAC1C,MAAA,OAAA,CAAQ,8BAA8B,CAAA,GAAI,WAAA;AAAA,QACxC,OAAA;AAAA,QACA,GAAA,CAAI;AAAA,OACN;AAAA,IACF,CAAA,MAAA,IAES,GAAA,CAAI,QAAA,IAAY,GAAA,CAAI,YAAA,EAAc;AACzC,MAAA,OAAA,CAAQ,aAAa,IAAI,GAAA,CAAI,QAAA;AAC7B,MAAA,OAAA,CAAQ,iBAAiB,IAAI,GAAA,CAAI,YAAA;AAAA,IACnC;AAEA,IAAA,OAAO,OAAA;AAAA,EACT;AAMA,EAAA,eAAe,mBAAA,CACb,WACA,OAAA,EAC6B;AAC7B,IAAA,IAAI;AACF,MAAA,MAAM,WAAW,MAAM,gBAAA;AAAA,QACrB,CAAA,EAAG,IAAI,aAAa,CAAA,MAAA,CAAA;AAAA,QACpB;AAAA,UACE,MAAA,EAAQ,MAAA;AAAA,UACR,SAAS,YAAA,EAAa;AAAA,UACtB,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,UAAA,EAAY,WAAW;AAAA,SAChD;AAAA,QACA,GAAA,CAAI;AAAA,OACN;AAEA,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,IAAI,QAAA,CAAS,MAAA,KAAW,GAAA,IAAO,QAAA,CAAS,WAAW,GAAA,EAAK;AACtD,UAAA,GAAA,CAAI,IAAA,CAAK,+BAAA,EAAiC,QAAA,CAAS,MAAM,CAAA;AACzD,UAAA,kBAAA,CAAmB,OAAO,CAAA;AAC1B,UAAA,OAAO,KAAA,CAAA;AAAA,QACT;AAEA,QAAA,MAAM,YAAY,MAAM,QAAA,CAAS,MAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAA;AACtD,QAAA,GAAA,CAAI,KAAA,CAAM,0BAAA,EAA4B,QAAA,CAAS,MAAA,EAAQ,SAAS,CAAA;AAChE,QAAA,OAAO,KAAA,CAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAEjC,MAAA,IAAI,KAAK,YAAA,EAAc;AACrB,QAAA,MAAM,MAAA,GAAS,WAAA,CAAY,IAAA,CAAK,YAAY,CAAA;AAC5C,QAAA,MAAM,GAAA,GAAM,eAAA;AAAA,UACV,MAAA;AAAA,UACA,IAAA,CAAK,UAAA;AAAA,UACL,GAAA,CAAI;AAAA,SACN;AAEA,QAAA,UAAA,CAAW,IAAI,OAAA,EAAS;AAAA,UACtB,OAAO,IAAA,CAAK,YAAA;AAAA,UACZ,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAI,GAAA;AAAA,UACxB;AAAA,SACD,CAAA;AAED,QAAA,OAAO,IAAA,CAAK,YAAA;AAAA,MACd;AAEA,MAAA,OAAO,KAAA,CAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiB,YAAA,IAAgB,KAAA,CAAM,IAAA,KAAS,YAAA,EAAc;AAChE,QAAA,GAAA,CAAI,KAAA,CAAM,kCAAA,EAAoC,GAAA,CAAI,cAAA,EAAgB,IAAI,CAAA;AACtE,QAAA,OAAO,MAAA;AAAA,MACT;AACA,MAAA,GAAA,CAAI,KAAA,CAAM,kCAAkC,KAAK,CAAA;AACjD,MAAA,OAAO,MAAA;AAAA,IACT;AAAA,EACF;AAgBA,EAAA,eAAe,eACb,OAAA,EAC6B;AAE7B,IAAA,MAAM,MAAA,GAAS,UAAA,CAAW,GAAA,CAAI,OAAO,CAAA;AACrC,IAAA,IAAI,MAAA,IAAU,MAAA,CAAO,SAAA,GAAY,IAAA,CAAK,KAAI,EAAG;AAC3C,MAAA,OAAO,MAAA,CAAO,KAAA;AAAA,IAChB;AAGA,IAAA,MAAM,OAAA,GAAU,kBAAA,CAAmB,GAAA,CAAI,OAAO,CAAA;AAC9C,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,OAAO,OAAA;AAAA,IACT;AAGA,IAAA,MAAM,SAAA,GAAY,aAAa,OAAO,CAAA;AACtC,IAAA,IAAI,CAAC,SAAA,EAAW;AACd,MAAA,OAAO,MAAA;AAAA,IACT;AAGA,IAAA,MAAM,UAAA,GAAa,mBAAA,CAAoB,SAAA,EAAW,OAAO,CAAA;AACzD,IAAA,kBAAA,CAAmB,GAAA,CAAI,SAAS,UAAU,CAAA;AAE1C,IAAA,IAAI;AACF,MAAA,MAAM,QAAQ,MAAM,UAAA;AAEpB,MAAA,IAAI,CAAC,KAAA,EAAO;AACV,QAAA,OAAO,KAAA,CAAA;AAAA,MACT;AAGA,MAAA,IAAI,IAAI,KAAA,EAAO;AACb,QAAA,MAAM,GAAA,GAAM,YAAY,KAAK,CAAA;AAC7B,QAAA,IAAI,GAAA,IAAO,GAAA,GAAM,GAAA,IAAQ,IAAA,CAAK,KAAI,EAAG;AACnC,UAAA,GAAA,CAAI,MAAM,6DAAwD,CAAA;AAAA,QACpE;AAAA,MACF;AAEA,MAAA,OAAO,KAAA;AAAA,IACT,CAAA,SAAE;AACA,MAAA,kBAAA,CAAmB,OAAO,OAAO,CAAA;AAAA,IACnC;AAAA,EACF;AAMA,EAAA,SAAS,mBAAmB,OAAA,EAA4C;AACtE,IAAA,MAAM,MAAA,GAAS,UAAA,CAAW,GAAA,CAAI,OAAO,CAAA;AACrC,IAAA,IAAI,MAAA,IAAU,MAAA,CAAO,SAAA,GAAY,IAAA,CAAK,KAAI,EAAG;AAC3C,MAAA,OAAO,MAAA,CAAO,KAAA;AAAA,IAChB;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAOA,EAAA,eAAe,iBAAA,CACb,SACA,SAAA,EACwB;AACxB,IAAA,IAAI;AACF,MAAA,MAAM,WAAW,MAAM,gBAAA;AAAA,QACrB,CAAA,EAAG,IAAI,aAAa,CAAA,QAAA,CAAA;AAAA,QACpB;AAAA,UACE,MAAA,EAAQ,MAAA;AAAA,UACR,SAAS,YAAA,EAAa;AAAA,UACtB,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,UAAA,EAAY,WAAW;AAAA,SAChD;AAAA,QACA,GAAA,CAAI;AAAA,OACN;AAEA,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,IAAI,QAAA,CAAS,MAAA,KAAW,GAAA,IAAO,QAAA,CAAS,WAAW,GAAA,EAAK;AACtD,UAAA,GAAA,CAAI,IAAA,CAAK,iCAAA,EAAmC,QAAA,CAAS,MAAM,CAAA;AAC3D,UAAA,kBAAA,CAAmB,OAAO,CAAA;AAC1B,UAAA,OAAO,oBAAA;AAAA,QACT;AAEA,QAAA,IAAI,IAAI,KAAA,EAAO;AACb,UAAA,MAAM,YAAY,MAAM,QAAA,CAAS,MAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAA;AACtD,UAAA,GAAA,CAAI,IAAA,CAAK,kBAAA,EAAoB,QAAA,CAAS,MAAA,EAAQ,SAAS,CAAA;AAAA,QACzD;AACA,QAAA,OAAO,mBAAA;AAAA,MACT;AAGA,MAAA,UAAA,CAAW,OAAO,OAAO,CAAA;AACzB,MAAA,GAAA,CAAI,MAAM,2CAA2C,CAAA;AAErD,MAAA,OAAO,SAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiB,YAAA,IAAgB,KAAA,CAAM,IAAA,KAAS,YAAA,EAAc;AAChE,QAAA,GAAA,CAAI,KAAA;AAAA,UACF,iCAAA;AAAA,UACA,GAAA,CAAI,gBAAA;AAAA,UACJ;AAAA,SACF;AACA,QAAA,OAAO,mBAAA;AAAA,MACT;AACA,MAAA,GAAA,CAAI,KAAA,CAAM,6BAA6B,KAAK,CAAA;AAC5C,MAAA,OAAO,mBAAA;AAAA,IACT;AAAA,EACF;AAYA,EAAA,eAAe,eACb,OAAA,EACwB;AACxB,IAAA,MAAM,SAAA,GAAY,aAAa,OAAO,CAAA;AACtC,IAAA,IAAI,CAAC,SAAA,EAAW;AACd,MAAA,OAAO,oBAAA;AAAA,IACT;AAGA,IAAA,MAAM,cAAA,GAAiB,uBAAA,CAAwB,GAAA,CAAI,SAAS,CAAA;AAC5D,IAAA,IAAI,cAAA,EAAgB;AAClB,MAAA,GAAA,CAAI,MAAM,qDAAqD,CAAA;AAC/D,MAAA,MAAM,SAAS,MAAM,cAAA;AAIrB,MAAA,IAAI,WAAW,SAAA,EAAW;AACxB,QAAA,UAAA,CAAW,OAAO,OAAO,CAAA;AAAA,MAC3B;AAEA,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,cAAA,GAAiB,iBAAA,CAAkB,OAAA,EAAS,SAAS,CAAA;AAC3D,IAAA,uBAAA,CAAwB,GAAA,CAAI,WAAW,cAAc,CAAA;AAErD,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,cAAA;AAAA,IACf,CAAA,SAAE;AACA,MAAA,uBAAA,CAAwB,OAAO,SAAS,CAAA;AAAA,IAC1C;AAAA,EACF;AAMA,EAAA,eAAe,eAAe,OAAA,EAAuC;AACnE,IAAA,MAAM,SAAA,GAAY,aAAa,OAAO,CAAA;AAEtC,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,IAAI;AACF,QAAA,MAAM,gBAAA;AAAA,UACJ,CAAA,EAAG,IAAI,aAAa,CAAA,QAAA,CAAA;AAAA,UACpB;AAAA,YACE,MAAA,EAAQ,MAAA;AAAA,YACR,SAAS,YAAA,EAAa;AAAA,YACtB,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,UAAA,EAAY,WAAW;AAAA,WAChD;AAAA,UACA,GAAA,CAAI;AAAA,SACN;AACA,QAAA,GAAA,CAAI,MAAM,kCAAkC,CAAA;AAAA,MAC9C,SAAS,KAAA,EAAO;AACd,QAAA,GAAA,CAAI,KAAA,CAAM,6BAA6B,KAAK,CAAA;AAAA,MAE9C;AAAA,IACF;AAEA,IAAA,kBAAA,CAAmB,OAAO,CAAA;AAAA,EAC5B;AAMA,EAAA,OAAO;AAAA,IACL,cAAA;AAAA,IACA,kBAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,gBAAA;AAAA,IACA,YAAA;AAAA,IACA,UAAA;AAAA,IACA;AAAA,GACF;AACF","file":"index.js","sourcesContent":["/**\n * @douvery/auth - Session Utilities\n * Pure functions for JWT parsing, cache TTL computation, and fetch timeout\n */\n\n/** Default fallback cache TTL: 30 seconds */\nconst DEFAULT_FALLBACK_CACHE_TTL_MS = 30_000;\n\n/** Default fetch timeout: 3 seconds */\nconst DEFAULT_FETCH_TIMEOUT_MS = 3_000;\n\n/**\n * Compute HMAC-SHA256 hex digest (synchronous, Node.js crypto).\n * Used for internal service authentication headers.\n *\n * Note: Uses dynamic require to avoid bundler issues. This function\n * is only called in SSR context where Node.js crypto is available.\n */\nexport function computeHmac(message: string, secret: string): string {\n // eslint-disable-next-line @typescript-eslint/no-var-requires\n const { createHmac } = require(\"crypto\");\n return createHmac(\"sha256\", secret).update(message).digest(\"hex\");\n}\n\n/**\n * Extract `exp` claim from a JWT without full verification.\n * Returns the exp as Unix seconds, or undefined if parsing fails.\n *\n * This is a lightweight alternative to full JWT decoding when you\n * only need the expiration timestamp.\n */\nexport function parseJwtExp(token: string): number | undefined {\n try {\n const parts = token.split(\".\");\n if (parts.length !== 3) return undefined;\n\n const payload = JSON.parse(\n atob(parts[1].replace(/-/g, \"+\").replace(/_/g, \"/\")),\n );\n return typeof payload.exp === \"number\" ? payload.exp : undefined;\n } catch {\n return undefined;\n }\n}\n\n/**\n * Calculate cache TTL based on the JWT's `exp` claim.\n *\n * Strategy:\n * 1. If auth server provides `expires_in`, use 90% of that\n * 2. If JWT has `exp`, use 90% of remaining lifetime\n * 3. Fall back to `fallbackTtlMs`\n *\n * Result is clamped between 5s and 5min to prevent both\n * excessive polling and stale caches.\n */\nexport function computeCacheTTL(\n jwtExp: number | undefined,\n serverExpiresIn?: number,\n fallbackTtlMs: number = DEFAULT_FALLBACK_CACHE_TTL_MS,\n): number {\n if (serverExpiresIn && serverExpiresIn > 0) {\n // Auth server told us exactly how long the token lives (in seconds)\n return Math.min(Math.max(serverExpiresIn * 0.9 * 1000, 5_000), 300_000);\n }\n\n if (jwtExp) {\n const remainingMs = jwtExp * 1000 - Date.now();\n if (remainingMs > 0) {\n return Math.min(Math.max(remainingMs * 0.9, 5_000), 300_000);\n }\n }\n\n return fallbackTtlMs;\n}\n\n/**\n * Fetch wrapper with AbortController timeout.\n * Prevents SSR from hanging if the auth server is unresponsive.\n *\n * @param url - The URL to fetch\n * @param options - Standard fetch RequestInit options\n * @param timeoutMs - Timeout in milliseconds (default: 3000)\n * @throws DOMException with name 'AbortError' on timeout\n */\nexport async function fetchWithTimeout(\n url: string,\n options: RequestInit,\n timeoutMs: number = DEFAULT_FETCH_TIMEOUT_MS,\n): Promise<Response> {\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), timeoutMs);\n\n try {\n return await fetch(url, { ...options, signal: controller.signal });\n } finally {\n clearTimeout(timeoutId);\n }\n}\n","/**\n * @douvery/auth - Session Resolver\n * Factory for creating framework-agnostic opaque session resolvers.\n *\n * Architecture:\n * ┌─────────┐ session_id cookie ┌──────────────┐ JWT ┌──────────────┐\n * │ Browser │ ──────────────────▶ │ SSR App │ ─────────▶ │ Resource │\n * │ │ │ │ │ Server │\n * └─────────┘ └──────┬───────┘ │ (GraphQL) │\n * │ └──────────────┘\n * │ POST /api/session/token\n * ▼\n * ┌──────────────┐\n * │ Auth Server │\n * │ (Redis) │\n * └──────────────┘\n *\n * Security:\n * - Browser only sees opaque session_id (256-bit random, base64url)\n * - JWT access_token lives only in Redis + server memory\n * - IdP UI auth: X-Douvery-Internal-Service + HMAC signature (internal trust)\n * - Consumer app auth: X-Client-Id + X-Client-Secret headers (OAuth per-client)\n * - Per-request WeakMap cache prevents duplicate network calls\n * - Cross-request Map<string> dedup prevents refresh token reuse detection\n */\n\nimport type {\n SessionResolverConfig,\n CookieAdapter,\n RefreshResult,\n SessionLogger,\n SessionResolver,\n} from \"./types\";\nimport {\n parseJwtExp,\n computeCacheTTL,\n fetchWithTimeout,\n computeHmac,\n} from \"./utils\";\n\n// ============================================================================\n// Defaults & internal helpers\n// ============================================================================\n\nconst DEFAULTS = {\n cookieMaxAge: 30 * 24 * 60 * 60, // 30 days in seconds\n secureCookies: true,\n fetchTimeoutMs: 3_000,\n refreshTimeoutMs: 8_000,\n fallbackCacheTtlMs: 30_000,\n debug: false,\n} as const;\n\n/** Noop logger for when debug is off */\nconst NOOP_LOGGER: SessionLogger = {\n debug() {},\n warn() {},\n error() {},\n};\n\n/** Console-based logger with [Session] prefix */\nconst CONSOLE_LOGGER: SessionLogger = {\n debug: (...args) => console.log(\"[Session]\", ...args),\n warn: (...args) => console.warn(\"[Session]\", ...args),\n error: (...args) => console.error(\"[Session]\", ...args),\n};\n\n/** Token cache entry */\ninterface CacheEntry {\n token: string;\n expiresAt: number;\n jwtExp?: number;\n}\n\n// ============================================================================\n// Factory\n// ============================================================================\n\n/**\n * Create a session resolver instance.\n *\n * Returns a {@link SessionResolver} with internal state (caches, dedup maps)\n * scoped to this resolver instance. Multiple resolvers can coexist\n * (e.g., for different auth servers or cookie names).\n *\n * @example\n * ```typescript\n * // IdP UI (like accounts.google.com — internal service, NOT an OAuth client)\n * const resolver = createSessionResolver({\n * sessionApiUrl: 'http://localhost:9924/api/session',\n * internalServiceName: 'auth-web',\n * internalServiceSecret: process.env.INTERNAL_SERVICE_SECRET,\n * cookieName: 'my-session',\n * debug: process.env.NODE_ENV === 'development',\n * });\n *\n * // Consumer app (OAuth client — douvery-web, center, mobile)\n * const resolver = createSessionResolver({\n * sessionApiUrl: 'http://localhost:9924/api/session',\n * clientId: process.env.OAUTH_CLIENT_ID,\n * clientSecret: process.env.OAUTH_CLIENT_SECRET,\n * cookieName: 'my-session',\n * });\n *\n * // In a request handler:\n * const token = await resolver.getAccessToken(cookieAdapter);\n * ```\n */\nexport function createSessionResolver(\n config: SessionResolverConfig,\n): SessionResolver {\n // Merge defaults\n const cfg = { ...DEFAULTS, ...config };\n\n // Configure logger\n const log: SessionLogger =\n cfg.logger ?? (cfg.debug ? CONSOLE_LOGGER : NOOP_LOGGER);\n\n // Validate required config\n if (!cfg.sessionApiUrl) {\n throw new Error(\n \"[Session] sessionApiUrl is required. \" +\n \"Provide the auth server session API URL.\",\n );\n }\n\n if (!cfg.cookieName) {\n throw new Error(\n \"[Session] cookieName is required. \" +\n \"Provide the cookie name for the session ID.\",\n );\n }\n\n // ============================================================================\n // Internal state (scoped to this resolver instance)\n // ============================================================================\n\n /**\n * Per-request token cache. WeakMap keyed by CookieAdapter object reference.\n * Each SSR request should reuse the SAME adapter instance for all calls,\n * ensuring per-request caching without cross-request pollution.\n */\n const tokenCache = new WeakMap<CookieAdapter, CacheEntry>();\n\n /**\n * Pending resolution dedup. Prevents duplicate POST /token calls when\n * multiple routeLoaders in the same SSR request call getAccessToken().\n */\n const pendingResolutions = new WeakMap<\n CookieAdapter,\n Promise<string | undefined>\n >();\n\n /**\n * Cross-request refresh dedup keyed by session_id string.\n *\n * CRITICAL: Must be keyed by sessionId, NOT by CookieAdapter.\n * Concurrent SSR requests (e.g., SPA hover prefetch) get DIFFERENT\n * adapter objects even though they share the same session_id. Without\n * string-based dedup, concurrent refreshes would trigger refresh token\n * reuse detection and destroy the session.\n *\n * Cleanup: entries are deleted in the finally block of refreshSession().\n */\n const pendingRefreshBySession = new Map<string, Promise<RefreshResult>>();\n\n // ============================================================================\n // Cookie helpers\n // ============================================================================\n\n function getSessionId(cookies: CookieAdapter): string | undefined {\n return cookies.get(cfg.cookieName);\n }\n\n function hasSession(cookies: CookieAdapter): boolean {\n return !!getSessionId(cookies);\n }\n\n function setSessionCookie(sessionId: string, cookies: CookieAdapter): void {\n cookies.set(cfg.cookieName, sessionId, {\n path: \"/\",\n httpOnly: true,\n secure: cfg.secureCookies,\n sameSite: \"lax\",\n maxAge: cfg.cookieMaxAge,\n });\n }\n\n function clearSessionCookie(cookies: CookieAdapter): void {\n cookies.set(cfg.cookieName, \"\", {\n path: \"/\",\n httpOnly: true,\n secure: cfg.secureCookies,\n sameSite: \"lax\",\n maxAge: 0,\n });\n tokenCache.delete(cookies);\n }\n\n // ============================================================================\n // Internal: build headers for auth server requests\n // ============================================================================\n\n function buildHeaders(): Record<string, string> {\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/json\",\n };\n\n // Method 1: Internal service HMAC (IdP UI)\n if (cfg.internalServiceName && cfg.internalServiceSecret) {\n const timestamp = String(Date.now());\n const message = `${timestamp}:${cfg.internalServiceName}`;\n headers[\"X-Douvery-Internal-Service\"] = cfg.internalServiceName;\n headers[\"X-Douvery-Internal-Timestamp\"] = timestamp;\n headers[\"X-Douvery-Internal-Signature\"] = computeHmac(\n message,\n cfg.internalServiceSecret,\n );\n }\n // Method 2: Per-client OAuth credentials (consumer apps)\n else if (cfg.clientId && cfg.clientSecret) {\n headers[\"X-Client-Id\"] = cfg.clientId;\n headers[\"X-Client-Secret\"] = cfg.clientSecret;\n }\n\n return headers;\n }\n\n // ============================================================================\n // Internal: network resolution (session_id -> JWT)\n // ============================================================================\n\n async function resolveSessionToken(\n sessionId: string,\n cookies: CookieAdapter,\n ): Promise<string | undefined> {\n try {\n const response = await fetchWithTimeout(\n `${cfg.sessionApiUrl}/token`,\n {\n method: \"POST\",\n headers: buildHeaders(),\n body: JSON.stringify({ session_id: sessionId }),\n },\n cfg.fetchTimeoutMs,\n );\n\n if (!response.ok) {\n if (response.status === 401 || response.status === 404) {\n log.warn(\"Session expired or not found:\", response.status);\n clearSessionCookie(cookies);\n return undefined;\n }\n\n const errorText = await response.text().catch(() => \"\");\n log.error(\"Token resolution failed:\", response.status, errorText);\n return undefined;\n }\n\n const data = await response.json();\n\n if (data.access_token) {\n const jwtExp = parseJwtExp(data.access_token);\n const ttl = computeCacheTTL(\n jwtExp,\n data.expires_in,\n cfg.fallbackCacheTtlMs,\n );\n\n tokenCache.set(cookies, {\n token: data.access_token,\n expiresAt: Date.now() + ttl,\n jwtExp,\n });\n\n return data.access_token;\n }\n\n return undefined;\n } catch (error) {\n if (error instanceof DOMException && error.name === \"AbortError\") {\n log.error(\"Token resolution timed out after\", cfg.fetchTimeoutMs, \"ms\");\n return undefined;\n }\n log.error(\"Network error resolving token:\", error);\n return undefined;\n }\n }\n\n // ============================================================================\n // Token resolution (public)\n // ============================================================================\n\n /**\n * Resolve opaque session to JWT access_token (ASYNC).\n *\n * Uses per-request caching via WeakMap to avoid duplicate network calls.\n *\n * IMPORTANT: Returns the resolved JWT even if it's expired. The caller\n * (e.g., validateAndRefreshTokens) is responsible for checking expiry\n * and triggering refreshSession(). This avoids a race condition where\n * both this function and the caller would attempt concurrent refreshes.\n */\n async function getAccessToken(\n cookies: CookieAdapter,\n ): Promise<string | undefined> {\n // 1. Check resolved cache\n const cached = tokenCache.get(cookies);\n if (cached && cached.expiresAt > Date.now()) {\n return cached.token;\n }\n\n // 2. Dedup concurrent calls for the same request\n const pending = pendingResolutions.get(cookies);\n if (pending) {\n return pending;\n }\n\n // 3. Check for session cookie\n const sessionId = getSessionId(cookies);\n if (!sessionId) {\n return undefined;\n }\n\n // 4. Start async resolution\n const resolution = resolveSessionToken(sessionId, cookies);\n pendingResolutions.set(cookies, resolution);\n\n try {\n const token = await resolution;\n\n if (!token) {\n return undefined;\n }\n\n // Return even if expired — caller handles refresh\n if (cfg.debug) {\n const exp = parseJwtExp(token);\n if (exp && exp * 1000 <= Date.now()) {\n log.debug(\"Resolved JWT is expired — caller should handle refresh\");\n }\n }\n\n return token;\n } finally {\n pendingResolutions.delete(cookies);\n }\n }\n\n /**\n * Synchronous access to cached token (for sync header builders).\n * Returns cached value only — NO network call.\n */\n function getAccessTokenSync(cookies: CookieAdapter): string | undefined {\n const cached = tokenCache.get(cookies);\n if (cached && cached.expiresAt > Date.now()) {\n return cached.token;\n }\n return undefined;\n }\n\n // ============================================================================\n // Session lifecycle\n // ============================================================================\n\n /** Internal: actual refresh logic, called only once per session via dedup. */\n async function _doRefreshSession(\n cookies: CookieAdapter,\n sessionId: string,\n ): Promise<RefreshResult> {\n try {\n const response = await fetchWithTimeout(\n `${cfg.sessionApiUrl}/refresh`,\n {\n method: \"POST\",\n headers: buildHeaders(),\n body: JSON.stringify({ session_id: sessionId }),\n },\n cfg.refreshTimeoutMs,\n );\n\n if (!response.ok) {\n if (response.status === 401 || response.status === 404) {\n log.warn(\"Session expired during refresh:\", response.status);\n clearSessionCookie(cookies);\n return \"definitive_failure\";\n }\n\n if (cfg.debug) {\n const errorText = await response.text().catch(() => \"\");\n log.warn(\"Refresh returned\", response.status, errorText);\n }\n return \"transient_failure\";\n }\n\n // Invalidate token cache so next getAccessToken() fetches fresh JWT\n tokenCache.delete(cookies);\n log.debug(\"Tokens refreshed successfully via session\");\n\n return \"success\";\n } catch (error) {\n if (error instanceof DOMException && error.name === \"AbortError\") {\n log.error(\n \"Refresh request timed out after\",\n cfg.refreshTimeoutMs,\n \"ms\",\n );\n return \"transient_failure\";\n }\n log.error(\"Error refreshing session:\", error);\n return \"transient_failure\";\n }\n }\n\n /**\n * Refresh session tokens via auth server.\n * Triggers full token rotation (new access + new refresh token in Redis).\n *\n * Deduplicates concurrent refresh calls across ALL requests for the same\n * session. Multiple concurrent SSR requests (SPA hover/prefetch) share\n * the same session_id but have different CookieAdapter objects. Only one\n * actual POST /refresh fires per session — subsequent requests join the\n * same promise.\n */\n async function refreshSession(\n cookies: CookieAdapter,\n ): Promise<RefreshResult> {\n const sessionId = getSessionId(cookies);\n if (!sessionId) {\n return \"definitive_failure\";\n }\n\n // Dedup concurrent refresh calls across ALL requests for the same session\n const pendingRefresh = pendingRefreshBySession.get(sessionId);\n if (pendingRefresh) {\n log.debug(\"Refresh already in progress for session, joining...\");\n const result = await pendingRefresh;\n\n // Invalidate THIS request's token cache\n // (joining request may have stale cache from before the refresh)\n if (result === \"success\") {\n tokenCache.delete(cookies);\n }\n\n return result;\n }\n\n const refreshPromise = _doRefreshSession(cookies, sessionId);\n pendingRefreshBySession.set(sessionId, refreshPromise);\n\n try {\n return await refreshPromise;\n } finally {\n pendingRefreshBySession.delete(sessionId);\n }\n }\n\n /**\n * Destroy session on auth server and clear local cookie.\n * Used during logout.\n */\n async function destroySession(cookies: CookieAdapter): Promise<void> {\n const sessionId = getSessionId(cookies);\n\n if (sessionId) {\n try {\n await fetchWithTimeout(\n `${cfg.sessionApiUrl}/destroy`,\n {\n method: \"POST\",\n headers: buildHeaders(),\n body: JSON.stringify({ session_id: sessionId }),\n },\n cfg.fetchTimeoutMs,\n );\n log.debug(\"Session destroyed on auth server\");\n } catch (error) {\n log.error(\"Error destroying session:\", error);\n // Continue with local cleanup even if server call fails\n }\n }\n\n clearSessionCookie(cookies);\n }\n\n // ============================================================================\n // Public API\n // ============================================================================\n\n return {\n getAccessToken,\n getAccessTokenSync,\n refreshSession,\n destroySession,\n setSessionCookie,\n getSessionId,\n hasSession,\n clearSessionCookie,\n };\n}\n"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@douvery/auth",
-  "version": "0.3.3",
+  "version": "0.4.0",
   "description": "OAuth 2.0/OIDC client for Douvery authentication",
   "type": "module",
   "main": "./dist/index.js",
@@ -11,6 +11,10 @@
       "import": "./dist/index.js",
       "types": "./dist/index.d.ts"
     },
+    "./session": {
+      "import": "./dist/session/index.js",
+      "types": "./dist/session/index.d.ts"
+    },
     "./react": {
       "import": "./dist/react/index.js",
       "types": "./dist/react/index.d.ts"
@@ -25,9 +29,10 @@
     "src/qwik"
   ],
   "scripts": {
-    "build": "npm run clean && tsup",
-    "dev": "tsup --watch",
-    "clean": "rm -rf dist"
+    "build": "npm run clean && node ./node_modules/tsup/dist/cli-default.js",
+    "dev": "node ./node_modules/tsup/dist/cli-default.js --watch",
+    "clean": "rm -rf dist",
+    "deploy:npm": "npm run build && npm publish --access public --tag latest"
   },
   "keywords": [
     "douvery",
@@ -42,11 +47,11 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/douvery/douvery-auth.git"
+    "url": "git+https://github.com/douvery/douvery-auth.git"
   },
   "peerDependencies": {
-    "react": ">=18.0.0",
-    "@builder.io/qwik": ">=1.0.0"
+    "@builder.io/qwik": ">=1.0.0",
+    "react": ">=18.0.0"
   },
   "peerDependenciesMeta": {
     "react": {
@@ -57,10 +62,11 @@
     }
   },
   "devDependencies": {
-    "tsup": "^8.0.0",
-    "typescript": "^5.4.0",
-    "react": "^18.2.0",
+    "@builder.io/qwik": "^1.9.0",
+    "@types/node": "^25.2.3",
     "@types/react": "^18.2.0",
-    "@builder.io/qwik": "^1.9.0"
+    "react": "^18.2.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0"
   }
 }

package/src/qwik/index.tsx CHANGED Viewed

@@ -121,7 +121,22 @@ export const DouveryAuthProvider = component$<DouveryAuthProviderProps>(
     // The QRL is invoked here, returning the full config (with customStorage).
     // noSerialize() wraps the client so Qwik doesn't try to serialize it.
     useVisibleTask$(async () => {
-      const config = await config$();
+      let config: DouveryAuthConfig | undefined;
+      try {
+        config = await config$();
+      } catch (err) {
+        error.value = err instanceof Error ? err : new Error(String(err));
+        return;
+      }
+      if (!config) {
+        error.value = new Error(
+          "[DouveryAuthProvider] config$() returned undefined. " +
+            "Check that the QRL correctly returns a DouveryAuthConfig object.",
+        );
+        return;
+      }
       const client = createDouveryAuth(config);
       clientRef.value = noSerialize(client);
@@ -436,4 +451,9 @@ export type {
   AddAccountOptions,
   RevokeTokenOptions,
   AuthUrl,
+  CookieAdapter,
+  CookieSetOptions,
 } from "@douvery/auth";
+// Session adapter for Qwik City
+export { createQwikSessionAdapter } from "./session";

package/src/qwik/session.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * @douvery/auth/qwik - Session Adapter
+ *
+ * Adapts Qwik City's Cookie interface to the generic CookieAdapter
+ * used by createSessionResolver().
+ *
+ * Memoized: returns the same adapter instance for the same Cookie object,
+ * ensuring the resolver's per-request WeakMap cache works correctly when
+ * multiple routeLoaders call getAccessToken() in the same SSR request.
+ */
+import type { CookieAdapter, CookieSetOptions } from "@douvery/auth";
+/**
+ * Qwik City Cookie-like interface.
+ * Duck-typed to avoid hard dependency on @builder.io/qwik-city.
+ */
+interface QwikCookieLike {
+  get(name: string): { value: string } | null;
+  set(
+    name: string,
+    value: string | number | Record<string, unknown>,
+    options?: Record<string, unknown>,
+  ): void;
+}
+/**
+ * Adapter cache ensures the SAME CookieAdapter instance is returned
+ * for the same Qwik Cookie object. This is critical because:
+ *
+ * 1. The resolver uses WeakMap<CookieAdapter> for per-request caching
+ * 2. Multiple routeLoaders in the same SSR request share the same Cookie
+ * 3. Each routeLoader calls createQwikSessionAdapter(cookie)
+ * 4. Without memoization, each call would create a different object
+ *    → WeakMap would fail to deduplicate → duplicate network calls
+ */
+const adapterCache = new WeakMap<object, CookieAdapter>();
+/**
+ * Create a CookieAdapter from a Qwik City Cookie object.
+ *
+ * @example
+ * ```typescript
+ * import { createQwikSessionAdapter } from '@douvery/auth/qwik';
+ * import { createSessionResolver } from '@douvery/auth/session';
+ *
+ * const resolver = createSessionResolver({ ... });
+ *
+ * export const useMyLoader = routeLoader$(async ({ cookie }) => {
+ *   const adapter = createQwikSessionAdapter(cookie);
+ *   const token = await resolver.getAccessToken(adapter);
+ * });
+ * ```
+ */
+export function createQwikSessionAdapter(
+  cookie: QwikCookieLike,
+): CookieAdapter {
+  let adapter = adapterCache.get(cookie);
+  if (adapter) return adapter;
+  adapter = {
+    get(name: string): string | undefined {
+      return cookie.get(name)?.value ?? undefined;
+    },
+    set(name: string, value: string, options: CookieSetOptions): void {
+      cookie.set(name, value, options as Record<string, unknown>);
+    },
+  };
+  adapterCache.set(cookie, adapter);
+  return adapter;
+}