@igxjs/node-components 1.0.15 → 1.0.17

package/components/assets/template.html

@@ -2,7 +2,7 @@
 <html lang="en">
   <head>
     <title>Sign in IBM Garage</title>
-    <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no,viewport-fit=cover,minimum-scale=1,maximum-scale=1,user-scalable=no">
+    <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no,viewport-fit=cover,minimum-scale=1,maximum-scale=2">
     <meta name="robots" content="noindex, nofollow" />
     <style>
       :root {
@@ -94,9 +94,14 @@
         localStorage.setItem('{{SESSION_EXPIRY_KEY}}', '{{SESSION_EXPIRY_VALUE}}');
       }
 
+      /**
+       * Note: You can also request full user informlation by using ajax request or loading server side page.
+       */
+
       // Fall back to simple navigation
       location.href = '{{SSO_SUCCESS_URL}}';
-    } catch (e) {
+    }
+    catch (e) {
       console.error('Redirect failed:', e);
       success = false;
     }

package/components/http-handlers.js

@@ -161,12 +161,13 @@ export const httpHelper = {
    * @returns {string} Formatted string
    */
   format (str, ...args) {
+    let result = str;
     const matched = str.match(/{\d}/ig);
     matched.forEach((element, index) => {
       if(args.length > index)
-        str = str.replace(element, args[index]);
+        result = result.replace(element, args[index]);
     });
-    return str;
+    return result;
   },
 
   /**
@@ -209,4 +210,4 @@ export const httpHelper = {
  */
 export const httpError = (code, message, error, data) => {
   return new CustomError(code, message, error, data);
-};
+};

package/components/jwt.js

@@ -9,31 +9,31 @@ import { jwtDecrypt, EncryptJWT } from 'jose';
 export class JwtManager {
   /** @type {string} JWE algorithm */
   algorithm;
-  
+
   /** @type {string} Encryption method */
   encryption;
-  
+
   /** @type {number} Token expiration time */
   expirationTime;
-  
+
   /** @type {number} Clock tolerance in seconds */
   clockTolerance;
-  
+
   /** @type {string} Hash algorithm for secret derivation */
   secretHashAlgorithm;
-  
+
   /** @type {string|null} Optional JWT issuer claim */
   issuer;
-  
+
   /** @type {string|null} Optional JWT audience claim */
   audience;
-  
+
   /** @type {string|null} Optional JWT subject claim */
   subject;
   /**
    * Create a new JwtManager instance with configurable defaults
    * Constructor options use UPPERCASE naming convention with JWT_ prefix (e.g., JWT_ALGORITHM).
-   * 
+   *
    * @typedef {Object} JwtManagerOptions JwtManager configuration options
    * @property {string} [JWT_ALGORITHM='dir'] JWE algorithm (default: 'dir')
    * @property {string} [JWT_ENCRYPTION='A256GCM'] Encryption method (default: 'A256GCM')
@@ -59,7 +59,7 @@ export class JwtManager {
 
   /**
    * Encrypt method options (camelCase naming convention, uses instance defaults when not provided)
-   * 
+   *
    * @typedef {Object} JwtEncryptOptions Encryption method options
    * @property {string} [algorithm='dir'] JWE algorithm (overrides instance JWT_ALGORITHM)
    * @property {string} [encryption='A256GCM'] Encryption method (overrides instance JWT_ENCRYPTION)
@@ -71,7 +71,7 @@ export class JwtManager {
    */
   /**
    * Generate JWT token for user session
-   * 
+   *
    * @param {import('jose').JWTPayload} data User data payload
    * @param {string} secret Secret key or password for encryption
    * @param {JwtEncryptOptions} [options] Per-call configuration overrides (camelCase naming convention)
@@ -113,7 +113,7 @@ export class JwtManager {
 
   /**
    * Decrypt method options (camelCase naming convention, uses instance defaults when not provided)
-   * 
+   *
    * @typedef {Object} JwtDecryptOptions Decryption method options
    * @property {number} [clockTolerance=30] Clock tolerance in seconds (overrides instance JWT_CLOCK_TOLERANCE)
    * @property {string} [secretHashAlgorithm='SHA-256'] Hash algorithm for secret derivation (overrides instance JWT_SECRET_HASH_ALGORITHM)
@@ -123,7 +123,7 @@ export class JwtManager {
    **/
   /**
    * Decrypt JWT
-   * 
+   *
    * @param {string} token JWT token to decrypt
    * @param {string} secret Secret key or password for decryption
    * @param {JwtDecryptOptions} [options] Per-call configuration overrides (camelCase naming convention)

package/components/logger.js

@@ -2,20 +2,20 @@
  * Logger utility for node-components
  * Provides configurable logging with enable/disable functionality
  * Uses singleton pattern to manage logger instances per component
- * 
+ *
  * @example
  * import { Logger } from './logger.js';
- * 
+ *
  * // Recommended: Get logger instance (singleton pattern)
  * const logger = Logger.getInstance('ComponentName');
- * 
+ *
  * // With explicit enable/disable
  * const logger = Logger.getInstance('ComponentName', true);  // Always enabled
  * const logger = Logger.getInstance('ComponentName', false); // Always disabled
- * 
+ *
  * // Backward compatibility: Constructor still works
  * const logger = new Logger('ComponentName');
- * 
+ *
  * // Use logger
  * logger.info('Operation completed');
  * logger.error('Error occurred', error);
@@ -23,10 +23,10 @@
 export class Logger {
   /** @type {Map<string, Logger>} */
   static #instances = new Map();
-  
+
   /** @type {boolean} - Global flag to enable/disable colors */
   static #colorsEnabled = true;
-  
+
   /** ANSI color codes for different log levels */
   static #colors = {
     reset: '\x1b[0m',
@@ -35,7 +35,7 @@ export class Logger {
     yellow: '\x1b[33m',  // warn - yellow
     red: '\x1b[31m',     // error - red
   };
-  
+
   /** @type {boolean} */
   #enabled;
   /** @type {string} */
@@ -51,11 +51,11 @@ export class Logger {
    */
   static getInstance(componentName, enableLogging) {
     const key = `${componentName}:${enableLogging ?? 'default'}`;
-    
+
     if (!Logger.#instances.has(key)) {
       Logger.#instances.set(key, new Logger(componentName, enableLogging));
     }
-    
+
     return Logger.#instances.get(key);
   }
 
@@ -90,20 +90,20 @@ export class Logger {
     // Otherwise, default to enabled in development, disabled in production
     this.#enabled = enableLogging ?? (process.env.NODE_ENV !== 'production');
     this.#prefix = `[${componentName}]`;
-    
+
     // Determine if colors should be used:
     // - Colors are globally enabled
     // - Output is a terminal (TTY)
     // - NO_COLOR environment variable is not set
-    this.#useColors = Logger.#colorsEnabled && 
-                     process.stdout.isTTY && 
+    this.#useColors = Logger.#colorsEnabled &&
+                     process.stdout.isTTY &&
                      !process.env.NO_COLOR;
-    
+
     // Assign methods based on enabled flag to eliminate runtime checks
     // This improves performance by avoiding conditional checks on every log call
     if (this.#enabled) {
       const colors = Logger.#colors;
-      
+
       if (this.#useColors) {
         // Logging enabled with colors: colorize the prefix
         this.debug = (...args) => console.debug(colors.dim + this.#prefix + colors.reset, ...args);
@@ -128,4 +128,4 @@ export class Logger {
       this.log = () => {};
     }
   }
-}
+}

package/components/redis.js

@@ -100,4 +100,4 @@ export class RedisManager {
     await this.#client.quit();
     this.#logger.info('### REDIS DISCONNECTED ###');
   }
-}
+}

package/components/router.js

@@ -1,22 +1,22 @@
 /**
  * FlexRouter for expressjs
- * 
+ *
  * @example
  * import { Router } from 'express';
  * import { FlexRouter } from '../models/router.js';
  * import { authenticate } from '../middlewares/common.js';
- * 
+ *
  * export const publicRouter = Router();
  * export const privateRouter = Router();
- * 
+ *
  * publicRouter.get('/health', (req, res) => {
  *  res.send('OK');
  * });
- * 
+ *
  * privateRouter.get('/', (req, res) => {
  *  res.send('Hello World!');
  * });
- * 
+ *
  * export const routers = [
  *  new FlexRouter('/api/v1/protected', privateRouter, [authenticate]),
  *  new FlexRouter('/api/v1/public', healthRouter),

package/components/session.js

@@ -28,15 +28,15 @@ export const SessionMode = {
  * Session configuration options
  */
 export class SessionConfig {
-  /** 
+  /**
    * @type {string} Authentication mode for protected routes
    * - Supported values: SessionMode.SESSION | SessionMode.TOKEN
    * @default SessionMode.SESSION
    */
   SESSION_MODE;
-  /** 
+  /**
    * @type {string} Identity Provider microservice endpoint URL
-   * 
+   *
    * This is a fully customized, independent microservice that provides SSO authentication.
    * The endpoint serves multiple applications and provides the following APIs:
    * - GET /auth/providers - List supported identity providers
@@ -44,7 +44,7 @@ export class SessionConfig {
    * - POST /auth/verify - Verify JWT token validity
    * - GET /auth/callback/:idp - Validate authentication and return user data
    * - POST /auth/refresh - Refresh access tokens
-   * 
+   *
    * @example
    * SSO_ENDPOINT_URL: 'https://idp.example.com/open/api/v1'
    */
@@ -67,19 +67,19 @@ export class SessionConfig {
   SESSION_COOKIE_PATH;
   /** @type {string} Session secret */
   SESSION_SECRET;
-  /** 
-   * @type {string} 
+  /**
+   * @type {string}
    * @default 'ibmid:'
    */
   SESSION_PREFIX;
-  /** 
+  /**
    * @type {string} Session key
    * - In the `SessionMode.SESSION` mode, this is the key used to store the user in the session.
    * - In the `SessionMode.TOKEN` mode, this is the key of localStorage where the user is stored.
    * @default 'session_token'
    */
   SESSION_KEY;
-  /** 
+  /**
    * @type {string} Session expiry key
    * - In the `SessionMode.TOKEN` mode, this is the key of localStorage where the session expiry timestamp is stored.
    * @default 'session_expires_at'
@@ -141,26 +141,33 @@ export class SessionManager {
   #htmlTemplate = null;
 
   /**
-   * Create a new session manager
-   * @param {SessionConfig} config Session configuration
-   * @throws {TypeError} If config is not an object
-   * @throws {Error} If required configuration fields are missing
+   * Validate config is an object
+   * @param {SessionConfig} config
+   * @throws {TypeError}
    */
-  constructor(config) {
-    // Validate config is an object
+  #validateConfigType(config) {
     if (!config || typeof config !== 'object') {
       throw new TypeError('SessionManager configuration must be an object');
     }
+  }
 
-    // Validate required fields based on SESSION_MODE
-    const mode = config.SESSION_MODE || SessionMode.SESSION;
-    
-    // SESSION_SECRET is always required for both modes
+  /**
+   * Validate required configuration fields
+   * @param {SessionConfig} config
+   * @throws {Error}
+   */
+  #validateRequiredFields(config) {
     if (!config.SESSION_SECRET) {
       throw new Error('SESSION_SECRET is required for SessionManager');
     }
+  }
 
-    // Validate SSO configuration if SSO endpoints are used
+  /**
+   * Validate SSO configuration
+   * @param {SessionConfig} config
+   * @throws {Error}
+   */
+  #validateSsoConfig(config) {
     if (config.SSO_ENDPOINT_URL) {
       if (!config.SSO_CLIENT_ID) {
         throw new Error('SSO_CLIENT_ID is required when SSO_ENDPOINT_URL is provided');
@@ -169,9 +176,15 @@ export class SessionManager {
         throw new Error('SSO_CLIENT_SECRET is required when SSO_ENDPOINT_URL is provided');
       }
     }
+  }
 
-    // Validate TOKEN mode specific requirements
-    if (mode === SessionMode.TOKEN) {
+  /**
+   * Validate TOKEN mode requirements
+   * @param {SessionConfig} config
+   * @throws {Error}
+   */
+  #validateTokenMode(config) {
+    if (config.SESSION_MODE === SessionMode.TOKEN) {
       if (!config.SSO_SUCCESS_URL) {
         throw new Error('SSO_SUCCESS_URL is required for TOKEN authentication mode');
       }
@@ -179,11 +192,16 @@ export class SessionManager {
         throw new Error('SSO_FAILURE_URL is required for TOKEN authentication mode');
       }
     }
+  }
 
-    this.#config = {
-      // Session Mode
+  /**
+   * Build configuration object
+   * @param {SessionConfig} config
+   * @returns {object}
+   */
+  #buildConfig(config) {
+    return {
       SESSION_MODE: config.SESSION_MODE || SessionMode.SESSION,
-      // Session - SESSION_AGE is now in seconds (default: 64800 = 18 hours)
       SESSION_AGE: config.SESSION_AGE || 64800,
       SESSION_COOKIE_PATH: config.SESSION_COOKIE_PATH || '/',
       SESSION_SECRET: config.SESSION_SECRET,
@@ -191,18 +209,13 @@ export class SessionManager {
       SESSION_KEY: config.SESSION_KEY || 'session_token',
       SESSION_EXPIRY_KEY: config.SESSION_EXPIRY_KEY || 'session_expires_at',
       TOKEN_STORAGE_TEMPLATE_PATH: config.TOKEN_STORAGE_TEMPLATE_PATH,
-
-      // Identity Provider
       SSO_ENDPOINT_URL: config.SSO_ENDPOINT_URL,
       SSO_CLIENT_ID: config.SSO_CLIENT_ID,
       SSO_CLIENT_SECRET: config.SSO_CLIENT_SECRET,
       SSO_SUCCESS_URL: config.SSO_SUCCESS_URL,
       SSO_FAILURE_URL: config.SSO_FAILURE_URL,
-      // Redis
       REDIS_URL: config.REDIS_URL,
       REDIS_CERT_PATH: config.REDIS_CERT_PATH,
-
-      // JWT Manager
       JWT_ALGORITHM: config.JWT_ALGORITHM || 'dir',
       JWT_ENCRYPTION: config.JWT_ENCRYPTION || 'A256GCM',
       JWT_CLOCK_TOLERANCE: config.JWT_CLOCK_TOLERANCE ?? 30,
@@ -213,6 +226,20 @@ export class SessionManager {
     };
   }
 
+  /**
+   * Create a new session manager
+   * @param {SessionConfig} config Session configuration
+   * @throws {TypeError} If config is not an object
+   * @throws {Error} If required configuration fields are missing
+   */
+  constructor(config) {
+    this.#validateConfigType(config);
+    this.#validateRequiredFields(config);
+    this.#validateSsoConfig(config);
+    this.#validateTokenMode(config);
+    this.#config = this.#buildConfig(config);
+  }
+
   /**
    * Check if the email has a session refresh lock
    * @param {string} email Email address
@@ -272,7 +299,7 @@ export class SessionManager {
    * @private
    */
   #getTokenRedisKey(email, tid) {
-    return `${this.#config.SESSION_KEY}:t:${email}:${tid}`;
+    return `${this.#config.SESSION_KEY}:${email}:${tid}`;
   }
 
   /**
@@ -282,7 +309,7 @@ export class SessionManager {
    * @private
    */
   #getTokenRedisPattern(email) {
-    return `${this.#config.SESSION_KEY}:t:${email}:*`;
+    return `${this.#config.SESSION_KEY}:${email}:*`;
   }
 
   /**
@@ -311,12 +338,12 @@ export class SessionManager {
     });
     app.set('trust proxy', 1);
     const isOK = await this.#redisManager.connect(this.#config.REDIS_URL, this.#config.REDIS_CERT_PATH);
-    if (this.#config.SESSION_MODE === SessionMode.SESSION) {
+    if (this.getSessionMode() === SessionMode.SESSION) {
       app.use(this.#sessionHandler(isOK));
     }
 
     // Cache HTML template for TOKEN mode
-    if (this.#config.SESSION_MODE === SessionMode.TOKEN) {
+    if (this.getSessionMode() === SessionMode.TOKEN) {
       const templatePath = this.#config.TOKEN_STORAGE_TEMPLATE_PATH ||
         path.resolve(__dirname, 'assets', 'template.html');
       this.#htmlTemplate = fs.readFileSync(templatePath, 'utf8');
@@ -324,27 +351,37 @@ export class SessionManager {
     }
   }
 
+  /**
+   * Generate lightweight JWT token
+   * @param {string} email User email
+   * @param {string} tokenId Token ID
+   * @param {number} expirationTime Expiration time in seconds
+   * @returns {Promise<string>} Returns the generated JWT token
+   * @private
+   */
+  async #getLightweightToken(email, tokenId, expirationTime) {
+    return await this.#jwtManager.encrypt({ email, tid: tokenId }, this.#config.SSO_CLIENT_SECRET, { expirationTime });
+  }
+
   /**
    * Generate and store JWT token in Redis
    * - JWT payload contains only { email, tid } for minimal size
    * - Full user data is stored in Redis as single source of truth
-   * @param {object} user User object with email and attributes
+   * @param {string} tid Token ID
+   * @param {Record<string, any> & { email: string, tid: string }} user User object with email and attributes
    * @returns {Promise<string>} Returns the generated JWT token
    * @throws {Error} If JWT encryption fails
    * @throws {Error} If Redis storage fails
    * @private
    * @example
-   * const token = await this.#generateAndStoreToken({
+   * const token = await this.#generateAndStoreToken('tid', {
    *   email: 'user@example.com',
    *   attributes: { /* user data * / }
    * });
    */
-  async #generateAndStoreToken(user) {
-    // Generate unique token ID for this device/session
-    const tid = crypto.randomUUID();
-    // Create JWT token with only email and tid (minimal payload)
-    const payload = { email: user.email, tid };
-    const token = await this.#jwtManager.encrypt(payload, this.#config.SESSION_SECRET, { expirationTime: this.#config.SESSION_AGE });
+  async #generateAndStoreToken(tid, user) {
+    // Create JWT token with only email, tid and idp (minimal payload)
+    const token = await this.#getLightweightToken(user.email, tid, this.#config.SESSION_AGE);
 
     // Store user data in Redis with TTL
     const redisKey = this.#getTokenRedisKey(user.email, tid);
@@ -357,28 +394,28 @@ export class SessionManager {
   /**
    * Extract and validate user data from Authorization header (TOKEN mode only)
    * @param {string} authHeader Authorization header in format "Bearer {token}"
-   * @param {boolean} [fetchFromRedis=true] Whether to fetch full user data from Redis
-   *   - true: Returns { tid, user } with full user data from Redis (default)
+   * @param {boolean} [includeUserData=true] Whether to include full user data in response
+   *   - true: Returns { tid, user } with full user data (default)
    *   - false: Returns JWT payload only (lightweight validation)
-   * @returns {Promise<{ tid: string?, email: string?, user: object? } | object>}
-   *   - When fetchFromRedis=true: { tid: string, user: object }
-   *   - When fetchFromRedis=false: JWT payload object
+   * @returns {Promise<{ tid: string, user: { email: string, attributes: { expires_at: number, sub: string } } } & object>}
+   *   - When includeUserData=true: { tid: string, user: object }
+   *   - When includeUserData=false: JWT payload object
    * @throws {CustomError} UNAUTHORIZED (401) if:
    *   - Authorization header is missing or invalid format
    *   - Token decryption fails
    *   - Token payload is invalid (missing email/tid)
-   *   - Token not found in Redis (when fetchFromRedis=true)
+   *   - Token not found in Redis (when includeUserData=true)
    * @private
    */
-  async #getUserFromToken(authHeader, fetchFromRedis = true) {
+  async #getUserFromToken(authHeader, includeUserData = true) {
     if (!authHeader?.startsWith('Bearer ')) {
       throw new CustomError(httpCodes.UNAUTHORIZED, 'Missing or invalid authorization header');
     }
     const token = authHeader.substring(7); // Remove 'Bearer ' prefix
-    // Decrypt JWT token
-    const { payload } = await this.#jwtManager.decrypt(token, this.#config.SESSION_SECRET);
+    /** @type {{ payload: { email: string, tid: string } & import('jose').JWTPayload }} */
+    const { payload } = await this.#jwtManager.decrypt(token, this.#config.SSO_CLIENT_SECRET);
 
-    if (fetchFromRedis) {
+    if (includeUserData) {
       /** @type {{ email: string, tid: string }} Extract email and token ID */
       const { email, tid } = payload;
       if (!email || !tid) {
@@ -392,14 +429,15 @@ export class SessionManager {
       if (!userData) {
         throw new CustomError(httpCodes.UNAUTHORIZED, 'Token not found or expired');
       }
-      return { tid, user: JSON.parse(userData) };
+      return { tid, user: { ...JSON.parse(userData) } };
     }
-    return payload;
+    return { tid: payload.tid, user: { email: payload.email, attributes: { sub: payload.sub, expires_at: payload.exp ? payload.exp * 1000 : 0 } } };
   }
 
   /**
    * Get authenticated user data (works for both SESSION and TOKEN modes)
    * @param {import('@types/express').Request} req Express request object
+   * @param {boolean} [includeUserData=false] Whether to include full user data in response
    * @returns {Promise<object>} Full user data object
    * @throws {CustomError} If user is not authenticated
    * @public
@@ -415,9 +453,9 @@ export class SessionManager {
    *   }
    * });
    */
-  async getUser(req) {
-    if (this.#config.SESSION_MODE === SessionMode.TOKEN) {
-      const { user } = await this.#getUserFromToken(req.headers.authorization, true);
+  async getUser(req, includeUserData = false) {
+    if (this.getSessionMode() === SessionMode.TOKEN) {
+      const { user } = await this.#getUserFromToken(req.headers.authorization, includeUserData);
       return user;
     }
     // Session mode
@@ -451,7 +489,7 @@ export class SessionManager {
         return next(new CustomError(httpCodes.UNAUTHORIZED, 'Token expired'));
       }
 
-      return next(error instanceof CustomError ? error : 
+      return next(error instanceof CustomError ? error :
         new CustomError(httpCodes.UNAUTHORIZED, 'Token verification failed'));
     }
   }
@@ -484,17 +522,16 @@ export class SessionManager {
    * @param {import('@types/express').Request} req Request with Authorization header
    * @param {import('@types/express').Response} res Response object
    * @param {import('@types/express').NextFunction} next Next middleware function
-   * @param {(user: object) => object} initUser Function to initialize/transform user object
+   * @param {(user: object) => object & { email: string }} initUser Function to initialize/transform user object
    * @param {string} idpRefreshUrl Identity provider refresh endpoint URL
    * @throws {CustomError} If refresh lock is active or SSO refresh fails
    * @private
    * @example
    * // Response format:
-   * // { jwt: "new_jwt", user: {...}, expires_at: 64800, token_type: "Bearer" }
+   * // { jwt: "new_jwt", user: {...} }
    */
   async #refreshToken(req, res, next, initUser, idpRefreshUrl) {
     try {
-      /** @type {{ tid: string, user: { email: string, attributes: { idp: string, refresh_token: string }? } }} */
       const { tid, user } = await this.#getUserFromToken(req.headers.authorization, true);
 
       // Check refresh lock
@@ -505,12 +542,11 @@ export class SessionManager {
 
       // Call SSO refresh endpoint
       const response = await this.#idpRequest.post(idpRefreshUrl, {
-        user: {
-          email: user?.email,
-          attributes: {
-            idp: user?.attributes?.idp,
-            refresh_token: user?.attributes?.refresh_token
-          }
+        idp: user?.attributes?.idp,
+        refresh_token: user?.attributes?.refresh_token
+      }, {
+        headers: {
+          Authorization: req.headers.authorization
         }
       });
 
@@ -530,16 +566,12 @@ export class SessionManager {
       const newUser = initUser(newPayload.user);
 
       // Generate new token
-      const newToken = await this.#generateAndStoreToken(newUser);
-
-      // Remove old token from Redis
-      const oldRedisKey = this.#getTokenRedisKey(user.email, tid);
-      await this.#redisManager.getClient().del(oldRedisKey);
+      const newToken = await this.#generateAndStoreToken(tid, newUser);
 
       this.#logger.debug('### TOKEN REFRESHED SUCCESSFULLY ###');
 
       // Return new token
-      return res.json({ jwt: newToken, user: newUser, expires_at: this.#config.SESSION_AGE, token_type: 'Bearer' });
+      return res.json({ jwt: newToken, user: newUser });
     } catch (error) {
       return next(httpHelper.handleAxiosError(error));
     }
@@ -557,23 +589,30 @@ export class SessionManager {
   async #refreshSession(req, res, next, initUser, idpRefreshUrl) {
     try {
       const { email, attributes } = req.user || { email: '', attributes: {} };
+      // Check refresh lock
       if (this.hasLock(email)) {
-        throw new CustomError(httpCodes.CONFLICT, 'User refresh is locked');
+        throw new CustomError(httpCodes.CONFLICT, 'Session refresh is locked');
       }
       this.lock(email);
+
+      /** @type {string} */
+      const token = await this.#getLightweightToken(email, req.sessionID, req.user.attributes.expires_at);
+
+      // Call SSO refresh endpoint
       const response = await this.#idpRequest.post(idpRefreshUrl, {
-        user: {
-          email,
-          attributes: {
-            idp: attributes?.idp,
-            refresh_token: attributes?.refresh_token
-          }
+        idp: attributes?.idp,
+        refresh_token: attributes?.refresh_token,
+      }, {
+        headers: {
+          Authorization: `Bearer ${token}`
         }
       });
       if (response.status === httpCodes.OK) {
+        /** @type {{ jwt: string }} */
         const { jwt } = response.data;
-        const payload = await this.#saveSession(req, jwt, initUser);
-        return res.json(payload);
+        const { payload } = await this.#jwtManager.decrypt(jwt, this.#config.SSO_CLIENT_SECRET);
+        const result = await this.#saveSession(req, payload, initUser);
+        return res.json(result);
       }
       throw new CustomError(response.status, response.statusText);
     } catch (error) {
@@ -610,7 +649,7 @@ export class SessionManager {
       if (isRedirect) {
         return res.redirect(this.#config.SSO_SUCCESS_URL);
       }
-      return res.json({ 
+      return res.json({
         message: 'All tokens logged out successfully',
         tokensRemoved: keys.length,
         redirect_url: this.#config.SSO_SUCCESS_URL
@@ -620,7 +659,7 @@ export class SessionManager {
       if (isRedirect) {
         return res.redirect(this.#config.SSO_FAILURE_URL);
       }
-      return res.status(httpCodes.SYSTEM_FAILURE).json({ 
+      return res.status(httpCodes.SYSTEM_FAILURE).json({
         error: 'Logout all failed',
         redirect_url: this.#config.SSO_FAILURE_URL
       });
@@ -643,8 +682,8 @@ export class SessionManager {
 
     try {
       // Extract Token ID and email from current token
-      const payload = await this.#getUserFromToken(req.headers.authorization, false);
-      const { email, tid } = payload;
+      const { tid, user } = await this.#getUserFromToken(req.headers.authorization, false);
+      const { email } = user;
 
       if (!email || !tid) {
         throw new CustomError(httpCodes.BAD_REQUEST, 'Invalid token payload');
@@ -659,7 +698,7 @@ export class SessionManager {
       if (isRedirect) {
         return res.redirect(this.#config.SSO_SUCCESS_URL);
       }
-      return res.json({ 
+      return res.json({
         message: 'Logout successful',
         redirect_url: this.#config.SSO_SUCCESS_URL
       });
@@ -669,7 +708,7 @@ export class SessionManager {
       if (isRedirect) {
         return res.redirect(this.#config.SSO_FAILURE_URL);
       }
-      return res.status(httpCodes.SYSTEM_FAILURE).json({ 
+      return res.status(httpCodes.SYSTEM_FAILURE).json({
         error: 'Logout failed',
         redirect_url: this.#config.SSO_FAILURE_URL
       });
@@ -749,9 +788,9 @@ export class SessionManager {
    * @returns {import('@types/express').RequestHandler} Returns express Request Handler
    */
   requireUser = () => {
-    return async (req, res, next) => {
+    return async (req, _res, next) => {
       try {
-        req.user = await this.getUser(req);
+        req.user = await this.getUser(req, true);
         return next();
       }
       catch (error) {
@@ -764,9 +803,9 @@ export class SessionManager {
    * Resource protection based on configured SESSION_MODE
    * - SESSION mode: Verifies user exists in session store and is authorized (checks req.session data)
    * - TOKEN mode: Validates JWT token from Authorization header (lightweight validation)
-   * 
+   *
    * Note: This method verifies authentication only. Use requireUser() after this to populate req.user.
-   * 
+   *
    * @param {string} [errorRedirectUrl=''] Redirect URL on authentication failure
    * @returns {import('@types/express').RequestHandler} Returns express Request Handler
    * @example
@@ -774,9 +813,9 @@ export class SessionManager {
    * app.get('/api/check', session.authenticate(), (req, res) => {
    *   res.json({ authenticated: true });
    * });
-   * 
+   *
    * // Option 2: Verify authentication AND load user data into req.user
-   * app.get('/api/profile', 
+   * app.get('/api/profile',
    *   session.authenticate(),   // Verifies session/token
    *   session.requireUser(),     // Loads user data into req.user
    *   (req, res) => {
@@ -786,7 +825,7 @@ export class SessionManager {
    */
   authenticate(errorRedirectUrl = '') {
     return async (req, res, next) => {
-      const mode = this.#config.SESSION_MODE || SessionMode.SESSION;
+      const mode = this.getSessionMode() || SessionMode.SESSION;
       if (mode === SessionMode.TOKEN) {
         return this.#verifyToken(req, res, next, errorRedirectUrl);
       }
@@ -819,13 +858,11 @@ export class SessionManager {
   /**
    * Save session
    * @param {import('@types/express').Request} request Request object
-   * @param {string} jwt JWT
+   * @param {import('jose').JWTPayload} payload JWT
    * @param {(user: object) => object} initUser Redirect URL
    * @returns {Promise<{ user: import('../models/types/user').UserModel, redirect_url: string }>} Promise
    */
-  #saveSession = async (request, jwt, initUser) => {
-    /** @type {{ payload: { user: import('../models/types/user').UserModel, redirect_url: string } }} */
-    const { payload } = await this.#jwtManager.decrypt(jwt, this.#config.SSO_CLIENT_SECRET);
+  #saveSession = async (request, payload, initUser) => {
     if (payload?.user) {
       this.#logger.debug('### CALLBACK USER ###');
       request.session[this.#getSessionKey()] = initUser(payload.user);
@@ -842,7 +879,7 @@ export class SessionManager {
     }
     throw new CustomError(httpCodes.BAD_REQUEST, 'Invalid JWT payload');
     };
-  
+
     /**
      * Render HTML template for token storage
      * @param {string} token JWT token
@@ -860,7 +897,7 @@ export class SessionManager {
         .replaceAll('{{SSO_SUCCESS_URL}}', sucessRedirectUrl)
         .replaceAll('{{SSO_FAILURE_URL}}', this.#config.SSO_FAILURE_URL);
     }
-  
+
     /**
      * SSO callback for successful login
      * @param {(user: object) => object} initUser Initialize user object function
@@ -872,30 +909,32 @@ export class SessionManager {
         if (!jwt) {
           return next(new CustomError(httpCodes.BAD_REQUEST, 'Missing `jwt` in query parameters'));
         }
-  
+
         try {
           // Decrypt JWT from Identity Adapter
           const { payload } = await this.#jwtManager.decrypt(jwt, this.#config.SSO_CLIENT_SECRET);
-          
+
           if (!payload?.user) {
             throw new CustomError(httpCodes.BAD_REQUEST, 'Invalid JWT payload');
           }
-  
-          /** @type {import('../index.js').SessionUser} */
-          const user = initUser(payload.user);
+
           /** @type {string} */
           const callbackRedirectUrl = payload.redirect_url || this.#config.SSO_SUCCESS_URL;
-  
+
           // Token mode: Generate token and return HTML page
-          if (this.#config.SESSION_MODE === SessionMode.TOKEN) {
-            const token = await this.#generateAndStoreToken(user);
+          if (this.getSessionMode() === SessionMode.TOKEN) {
+            /** @type {import('../index.js').SessionUser} */
+            const user = initUser(payload.user);
+            // Generate unique token ID for this device/session
+            const tid = crypto.randomUUID();
+            const token = await this.#generateAndStoreToken(tid, user);
             this.#logger.debug('### CALLBACK TOKEN GENERATED ###');
             const html = this.#renderTokenStorageHtml(token, user.attributes.expires_at, callbackRedirectUrl);
             return res.send(html);
           }
 
           // Session mode: Save to session and redirect
-          await this.#saveSession(req, jwt, initUser);
+          await this.#saveSession(req, payload, initUser);
           return res.redirect(callbackRedirectUrl);
         }
         catch (error) {
@@ -939,11 +978,12 @@ export class SessionManager {
   refresh(initUser) {
     const idpRefreshUrl = '/auth/refresh'.concat('?client_id=').concat(this.#config.SSO_CLIENT_ID);
     return async (req, res, next) => {
-      const mode = this.#config.SESSION_MODE || SessionMode.SESSION;
+      const mode = this.getSessionMode() || SessionMode.SESSION;
 
       if (mode === SessionMode.TOKEN) {
         return this.#refreshToken(req, res, next, initUser, idpRefreshUrl);
-      } else {
+      }
+      else {
         return this.#refreshSession(req, res, next, initUser, idpRefreshUrl);
       }
     };
@@ -958,8 +998,8 @@ export class SessionManager {
       const { redirect = false, all = false } = req.query;
       const isRedirect = (redirect === 'true' || redirect === true);
       const logoutAll = (all === 'true' || all === true);
-      const mode = this.#config.SESSION_MODE || SessionMode.SESSION;
-      
+      const mode = this.getSessionMode() || SessionMode.SESSION;
+
       if (mode === SessionMode.TOKEN) {
         return this.#logoutToken(req, res, isRedirect, logoutAll);
       }
@@ -973,8 +1013,8 @@ export class SessionManager {
           if (isRedirect) {
             return res.redirect(this.#config.SSO_FAILURE_URL);
           }
-          return res.status(httpCodes.AUTHORIZATION_FAILED).send({ 
-            redirect_url: this.#config.SSO_FAILURE_URL 
+          return res.status(httpCodes.AUTHORIZATION_FAILED).send({
+            redirect_url: this.#config.SSO_FAILURE_URL
           });
         }
         if (isRedirect) {
@@ -985,4 +1025,11 @@ export class SessionManager {
     };
   }
 
+  /**
+   * Get session mode
+   * @returns {string} Session mode
+   */
+  getSessionMode() {
+    return this.#config.SESSION_MODE;
+  }
 }

package/index.d.ts

@@ -316,6 +316,7 @@ export class SessionManager {
   /**
    * Get authenticated user data (works for both SESSION and TOKEN modes)
    * @param req Express request object
+   * @param includeUserData Include user data in the response (default: false)
    * @returns Promise resolving to full user data object
    * @throws CustomError If user is not authenticated
    * @example
@@ -323,7 +324,7 @@ export class SessionManager {
    * // Use in custom middleware
    * app.use(async (req, res, next) => {
    *   try {
-   *     const user = await sessionManager.getUser(req);
+   *     const user = await sessionManager.getUser(req, true);
    *     req.customUser = user;
    *     next();
    *   } catch (error) {
@@ -332,7 +333,7 @@ export class SessionManager {
    * });
    * ```
    */
-  getUser(req: Request): Promise<SessionUser>;
+  getUser(req: Request, includeUserData: boolean?): Promise<SessionUser>;
 
   /**
    * Initialize the session configurations and middleware
@@ -439,6 +440,12 @@ export class SessionManager {
    * @returns Returns express Request Handler
    */
   logout(): RequestHandler;
+
+  /**
+   * Get the current session mode
+   * @returns Returns 'session' or 'token' based on configuration
+   */
+  getSessionMode(): string;
 }
 
 // Custom Error class

package/index.js

@@ -3,4 +3,4 @@ export { httpCodes, httpMessages, httpErrorHandler, httpNotFoundHandler, CustomE
 export { RedisManager } from './components/redis.js';
 export { FlexRouter } from './components/router.js';
 export { JwtManager } from './components/jwt.js';
-export { Logger } from './components/logger.js';
+export { Logger } from './components/logger.js';

package/package.json

@@ -1,32 +1,20 @@
 {
   "name": "@igxjs/node-components",
-  "version": "1.0.15",
+  "version": "1.0.17",
   "description": "Node components for igxjs",
   "main": "index.js",
   "type": "module",
   "scripts": {
-    "test": "mocha tests/**/*.test.js --timeout 5000"
+    "test": "mocha tests/**/*.test.js --timeout 5000",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix"
   },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/igxjs/node-components.git"
   },
   "keywords": [
-    "igxjs",
-    "express",
-    "session-management",
-    "jwt",
-    "jwe",
-    "redis",
-    "authentication",
-    "sso",
-    "oauth",
-    "middleware",
-    "node-components",
-    "session",
-    "token-auth",
-    "bearer-token",
-    "express-middleware"
+    "igxjs"
   ],
   "author": "Michael",
   "license": "Apache-2.0",
@@ -43,11 +31,14 @@
     "axios": "^1.13.6",
     "connect-redis": "^9.0.0",
     "express-session": "^1.19.0",
-    "jose": "^6.2.1",
+    "jose": "^6.2.2",
     "memorystore": "^1.6.7"
   },
   "devDependencies": {
+    "@eslint/js": "^10.0.1",
     "chai": "^6.2.2",
+    "eslint": "^10.1.0",
+    "globals": "^17.4.0",
     "mocha": "^12.0.0-beta-10",
     "sinon": "^21.0.3",
     "supertest": "^7.0.0"
@@ -68,7 +59,8 @@
     "README.md"
   ],
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "registry": "https://npm.pkg.github.com"
   },
   "types": "./index.d.ts"
 }