@jasperoosthoek/zustand-auth-registry 0.0.1 → 0.0.3

package/src/authStore.ts

@@ -2,43 +2,72 @@ import { create, StoreApi, UseBoundStore } from 'zustand';
 import { ValidatedAuthConfig, TokenData } from './authConfig';
 
 export type AuthState<U> = {
-  isAuthenticated: boolean;
+  isAuthenticated: boolean | null;  // null = not checked yet (cookie mode)
   user: U | null;
-  tokens: TokenData | null;
-  
-  // OAuth 2.0 methods
+  tokens: TokenData | null;  // null in cookie mode or when logged out
+
+  // Methods
   setTokens: (tokens: TokenData) => void;
+  setBearerToken: (token: string) => void;  // Convenience for simple Bearer token auth
+  setAuthenticated: (authenticated: boolean) => void;  // For cookie mode
   setUser: (user: U) => void;
   unsetUser: () => void;
   isTokenExpired: () => boolean;
-  
-  // Backward compatibility
-  token: string;
-  setToken: (token: string) => void;
 };
 
 export type AuthStore<U> = UseBoundStore<StoreApi<AuthState<U>>> & {
   config: ValidatedAuthConfig<U>;
 };
 
+// Methods that modify state (require CSRF protection)
+const CSRF_METHODS = ['post', 'put', 'patch', 'delete'];
+
+const setupCsrfInterceptor = <U>(config: ValidatedAuthConfig<U>): number | null => {
+  if (!config.cookieAuth?.csrf.enabled) {
+    return null;
+  }
+
+  const { headerName, getToken } = config.cookieAuth.csrf;
+
+  return config.axios.interceptors.request.use((requestConfig) => {
+    const method = requestConfig.method?.toLowerCase();
+    if (method && CSRF_METHODS.includes(method)) {
+      const csrfToken = getToken();
+      if (csrfToken) {
+        requestConfig.headers[headerName] = csrfToken;
+      }
+    }
+    return requestConfig;
+  });
+};
+
 export const createAuthStore = <U>(config: ValidatedAuthConfig<U>): AuthStore<U> => {
-  const { persistence } = config;
-  
+  const { persistence, cookieAuth } = config;
+
+  // Set up CSRF interceptor if enabled
+  setupCsrfInterceptor(config);
+
   const getStoredTokens = (): TokenData | null => {
+    // Cookie mode: No client-side tokens
+    if (cookieAuth?.enabled) {
+      return null;
+    }
+
+    // Token mode: Read from storage
     if (!persistence.enabled) return null;
     try {
       const accessToken = persistence.storage.getItem(persistence.tokenKey);
       if (!accessToken) return null;
-      
+
       const refreshToken = persistence.storage.getItem(persistence.refreshTokenKey);
       const expiryString = persistence.storage.getItem(persistence.expiryKey);
       const expiresAt = expiryString ? parseInt(expiryString, 10) : undefined;
-      
+
       return {
         accessToken,
         refreshToken: refreshToken || undefined,
         expiresAt: expiresAt && !isNaN(expiresAt) ? expiresAt : undefined,
-        tokenType: 'Bearer', // Default, will be updated on setTokens
+        tokenType: 'Bearer',
       };
     } catch {
       return null;
@@ -57,30 +86,37 @@ export const createAuthStore = <U>(config: ValidatedAuthConfig<U>): AuthStore<U>
 
   const initialTokens = getStoredTokens();
   const initialUser = getStoredUser();
-  const initialIsAuthenticated = !!initialTokens?.accessToken;
+
+  // Cookie mode: null (unknown until checkAuth)
+  // Token mode: true/false based on token presence
+  const initialIsAuthenticated = cookieAuth?.enabled
+    ? null
+    : !!initialTokens?.accessToken;
 
   const store = create<AuthState<U>>((set, get) => ({
     tokens: initialTokens,
     user: initialUser,
     isAuthenticated: initialIsAuthenticated,
 
-    // OAuth 2.0 methods
     setTokens: (tokens: TokenData) => {
-      const user = get().user;
-      const isAuthenticated = !!tokens.accessToken;
-      
-      set({ tokens, isAuthenticated, token: tokens.accessToken });
-      
+      set({ tokens, isAuthenticated: true });
+
+      // Cookie mode: No localStorage persistence for tokens
+      if (cookieAuth?.enabled) {
+        return;
+      }
+
+      // Token mode: Persist to storage
       if (persistence.enabled) {
         try {
           persistence.storage.setItem(persistence.tokenKey, tokens.accessToken);
-          
+
           if (tokens.refreshToken) {
             persistence.storage.setItem(persistence.refreshTokenKey, tokens.refreshToken);
           } else {
             persistence.storage.removeItem(persistence.refreshTokenKey);
           }
-          
+
           if (tokens.expiresAt) {
             persistence.storage.setItem(persistence.expiryKey, tokens.expiresAt.toString());
           } else {
@@ -92,12 +128,17 @@ export const createAuthStore = <U>(config: ValidatedAuthConfig<U>): AuthStore<U>
       }
     },
 
+    setBearerToken: (token: string) => {
+      get().setTokens({ accessToken: token, tokenType: 'Bearer' });
+    },
+
+    setAuthenticated: (authenticated: boolean) => {
+      set({ isAuthenticated: authenticated });
+    },
+
     setUser: (user: U) => {
-      const tokens = get().tokens;
-      const isAuthenticated = !!tokens?.accessToken;
-      
-      set({ user, isAuthenticated });
-      
+      set({ user });
+
       if (persistence.enabled) {
         try {
           persistence.storage.setItem(persistence.userKey, JSON.stringify(user));
@@ -108,8 +149,8 @@ export const createAuthStore = <U>(config: ValidatedAuthConfig<U>): AuthStore<U>
     },
 
     unsetUser: () => {
-      set({ user: null, tokens: null, isAuthenticated: false, token: '' });
-      
+      set({ user: null, tokens: null, isAuthenticated: false });
+
       if (persistence.enabled) {
         try {
           persistence.storage.removeItem(persistence.tokenKey);
@@ -124,36 +165,9 @@ export const createAuthStore = <U>(config: ValidatedAuthConfig<U>): AuthStore<U>
 
     isTokenExpired: () => {
       const tokens = get().tokens;
-      if (!tokens?.expiresAt) return false; // No expiry info means no expiration
+      if (!tokens?.expiresAt) return false;
       return Date.now() >= tokens.expiresAt;
     },
-
-    // Backward compatibility - computed property
-    token: initialTokens?.accessToken || '',
-
-    setToken: (token: string) => {
-      const currentTokens = get().tokens;
-      const user = get().user;
-      const newTokens: TokenData = {
-        accessToken: token,
-        refreshToken: currentTokens?.refreshToken,
-        expiresAt: currentTokens?.expiresAt,
-        tokenType: currentTokens?.tokenType || 'Bearer', // Standard default
-        scope: currentTokens?.scope,
-      };
-      
-      const isAuthenticated = !!token;
-      set({ tokens: newTokens, token, isAuthenticated });
-      
-      // Handle persistence
-      if (persistence.enabled) {
-        try {
-          persistence.storage.setItem(persistence.tokenKey, token);
-        } catch (error) {
-          config.onError?.(error);
-        }
-      }
-    },
   }));
 
   return Object.assign(store, { config });

package/src/createAuthRegistry.ts

@@ -19,4 +19,4 @@ export function createAuthRegistry<AuthModels extends Record<string, any>>() {
   }
 
   return getAuthStore;
-}
+}

package/src/errors.ts

@@ -0,0 +1,104 @@
+/**
+ * Authentication error codes
+ */
+export enum AuthErrorCode {
+  INVALID_CREDENTIALS = 'INVALID_CREDENTIALS',
+  TOKEN_EXPIRED = 'TOKEN_EXPIRED',
+  TOKEN_INVALID = 'TOKEN_INVALID',
+  REFRESH_FAILED = 'REFRESH_FAILED',
+  NETWORK_ERROR = 'NETWORK_ERROR',
+  USER_NOT_FOUND = 'USER_NOT_FOUND',
+  UNAUTHORIZED = 'UNAUTHORIZED',
+  CSRF_TOKEN_MISSING = 'CSRF_TOKEN_MISSING',
+  FORBIDDEN = 'FORBIDDEN',
+  UNKNOWN = 'UNKNOWN',
+}
+
+/**
+ * Typed authentication error
+ */
+export class AuthError extends Error {
+  constructor(
+    public code: AuthErrorCode,
+    public originalError?: any,
+    message?: string
+  ) {
+    super(message || code);
+    this.name = 'AuthError';
+
+    // Maintain proper stack trace for where our error was thrown (only available on V8)
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, AuthError);
+    }
+  }
+
+  /**
+   * Convert error to JSON (excludes originalError in production)
+   */
+  toJSON() {
+    return {
+      code: this.code,
+      message: this.message,
+      name: this.name,
+    };
+  }
+
+  /**
+   * Check if error is an AuthError
+   */
+  static isAuthError(error: any): error is AuthError {
+    return error instanceof AuthError;
+  }
+}
+
+/**
+ * Create typed AuthError from any error
+ */
+export function createAuthError(error: any): AuthError {
+  if (AuthError.isAuthError(error)) {
+    return error;
+  }
+
+  // Axios error
+  if (error.response) {
+    const status = error.response.status;
+    const data = error.response.data;
+
+    switch (status) {
+      case 401:
+        // Check if it's an expired token
+        if (data?.detail?.toLowerCase().includes('expired') ||
+            data?.message?.toLowerCase().includes('expired')) {
+          return new AuthError(AuthErrorCode.TOKEN_EXPIRED, error, 'Token has expired');
+        }
+        if (data?.detail?.toLowerCase().includes('invalid') ||
+            data?.detail?.toLowerCase().includes('credentials')) {
+          return new AuthError(AuthErrorCode.INVALID_CREDENTIALS, error, 'Invalid credentials');
+        }
+        return new AuthError(AuthErrorCode.UNAUTHORIZED, error, 'Unauthorized');
+
+      case 403:
+        if (data?.detail?.toLowerCase().includes('csrf')) {
+          return new AuthError(AuthErrorCode.CSRF_TOKEN_MISSING, error, 'CSRF token missing or invalid');
+        }
+        return new AuthError(AuthErrorCode.FORBIDDEN, error, 'Access forbidden');
+
+      case 404:
+        if (data?.detail?.toLowerCase().includes('user')) {
+          return new AuthError(AuthErrorCode.USER_NOT_FOUND, error, 'User not found');
+        }
+        return new AuthError(AuthErrorCode.UNKNOWN, error, 'Resource not found');
+
+      default:
+        return new AuthError(AuthErrorCode.UNKNOWN, error, `HTTP ${status} error`);
+    }
+  }
+
+  // Network error (no response received)
+  if (error.request) {
+    return new AuthError(AuthErrorCode.NETWORK_ERROR, error, 'Network error - no response received');
+  }
+
+  // Other errors
+  return new AuthError(AuthErrorCode.UNKNOWN, error, error.message || 'Unknown error');
+}

package/src/index.ts

@@ -1,4 +1,5 @@
 export * from './authConfig';
 export * from './authStore';
 export * from './createAuthRegistry';
-export * from './useAuth';
+export * from './useAuth';
+export * from './errors';

package/src/useAuth.ts

@@ -1,151 +1,167 @@
 import { useEffect, useCallback } from 'react';
-import axios from 'axios';
 import { AuthStore } from './authStore';
-import { TokenData } from './authConfig';
+
+// Promise deduplication: prevents multiple concurrent checkAuth calls per store
+const pendingCheckAuth = new WeakMap<AuthStore<any>, Promise<boolean>>();
 
 export function useAuth<U>(store: AuthStore<U>) {
-  const { setTokens, setUser, unsetUser, tokens, user, isTokenExpired } = store();
+  const { setTokens, setAuthenticated, setUser, unsetUser, tokens, user, isAuthenticated, isTokenExpired } = store();
   const config = store.config;
 
-  // Backward compatibility
-  const { setToken, token } = store();
+  // Set axios Authorization header (token mode only)
+  // Note: CSRF is handled by interceptor in authStore.ts
+  const setAxiosAuth = useCallback((token?: string, tokenType?: string) => {
+    if (config.cookieAuth?.enabled) {
+      // Cookie mode: CSRF handled by interceptor, no Authorization header needed
+      return;
+    }
 
-  // OAuth 2.0 refresh token functionality
-  const refreshTokens = useCallback(async (): Promise<boolean> => {
-    if (!tokens?.refreshToken) {
-      return false;
+    // Token mode: Set Authorization header
+    if (token) {
+      config.axios.defaults.headers.common['Authorization'] = config.formatAuthHeader(token, tokenType);
+    } else {
+      delete config.axios.defaults.headers.common['Authorization'];
     }
+  }, [config]);
+
+  // Refresh tokens
+  const refresh = useCallback(async (): Promise<boolean> => {
+    if (!config.refreshUrl) return false;
 
     try {
-      const response = await config.axios.post(config.tokenUrl, {
-        grant_type: 'refresh_token',
+      // Cookie mode: Just call refresh endpoint, server handles cookie
+      if (config.cookieAuth?.enabled) {
+        const headers = getCsrfHeaders(config);
+        await config.axios.post(config.refreshUrl, {}, { headers });
+        return true;
+      }
+
+      // Token mode: Send refresh token, get new tokens
+      if (!tokens?.refreshToken) return false;
+
+      const response = await config.axios.post(config.refreshUrl, {
         refresh_token: tokens.refreshToken,
       });
 
       const newTokens = config.extractTokens(response.data);
       setTokens(newTokens);
       setAxiosAuth(newTokens.accessToken, newTokens.tokenType);
-      
-      config.onTokenRefresh?.(newTokens);
       return true;
     } catch (error) {
-      // Refresh failed, clear tokens
       unsetUser();
       setAxiosAuth();
       config.onError?.(error);
       return false;
     }
-  }, [tokens?.refreshToken, config, setTokens, unsetUser]);
+  }, [tokens, config, setTokens, unsetUser, setAxiosAuth]);
 
-  // Auto-refresh and authentication setup
-  useEffect(() => {
-    // Handle current tokens
-    if (tokens?.accessToken) {
-      // Set axios headers immediately
-      setAxiosAuth(tokens.accessToken, tokens.tokenType);
+  // Check authentication (cookie mode) - with promise deduplication
+  const checkAuth = useCallback(async (): Promise<boolean> => {
+    const authCheckUrl = config.authCheckUrl;
+    if (!config.cookieAuth?.enabled || !authCheckUrl) {
+      return false;
+    }
 
-      // Check if token is expired or about to expire
-      if (isTokenExpired()) {
-        // Token is already expired, try to refresh
-        if (tokens.refreshToken && config.autoRefresh) {
-          refreshTokens();
-        } else {
-          unsetUser();
-        }
-        return;
-      }
+    // Return existing promise if check is already in progress
+    const pending = pendingCheckAuth.get(store);
+    if (pending) {
+      return pending;
+    }
 
-      // Set up auto-refresh timer if we have expiry info
-      if (tokens.expiresAt && tokens.refreshToken && config.autoRefresh) {
-        const timeUntilExpiry = tokens.expiresAt - Date.now();
-        const refreshTime = Math.max(timeUntilExpiry - config.refreshThreshold, 0);
+    const doCheck = async (): Promise<boolean> => {
+      try {
+        const headers = getCsrfHeaders(config);
+        const response = await config.axios.get(authCheckUrl, { headers });
 
-        const timer = setTimeout(() => {
-          refreshTokens();
-        }, refreshTime);
+        if (response.data.authenticated) {
+          setAuthenticated(true);
 
-        return () => clearTimeout(timer);
-      }
+          const extractedUser = config.extractUser?.(response.data);
+          if (extractedUser) {
+            setUser(extractedUser);
+          } else if (config.getUserUrl) {
+            await getCurrentUser();
+          }
 
-      // Try to get user info if missing
-      try {
-        if (!user && (config.userInfoUrl || config.getUserUrl)) {
-          getCurrentUser();
+          return true;
         }
+
+        setAuthenticated(false);
+        return false;
       } catch (error) {
-        if (axios.isAxiosError(error) && error.response?.status === 403) {
-          unsetUser();
-          setAxiosAuth();
-        }
+        setAuthenticated(false);
         config.onError?.(error);
+        return false;
+      } finally {
+        pendingCheckAuth.delete(store);
       }
-    }
-  }, [tokens, user, config.autoRefresh, config.refreshThreshold, config.userInfoUrl, config.getUserUrl, isTokenExpired, refreshTokens, unsetUser]);
+    };
 
-  const setAxiosAuth = (token?: string, tokenType?: string) => {
-    if (typeof token !== 'undefined' && token) {
-      config.axios.defaults.headers.common['Authorization'] = config.formatAuthHeader(token, tokenType);
-    } else {
-      delete config.axios.defaults.headers.common['Authorization'];
-    }
-  };
+    const promise = doCheck();
+    pendingCheckAuth.set(store, promise);
+    return promise;
+  }, [store, config, setAuthenticated, setUser]);
+
+  // Get current user
+  const getCurrentUser = useCallback(async () => {
+    if (!config.getUserUrl) return;
 
-  const login = async (
-    credentials: Record<string, string>,
-    callback?: () => void
-  ) => {
     try {
-      const res = await config.axios.post(config.tokenUrl, credentials);
-      const tokens = config.extractTokens(res.data);
-      setTokens(tokens);
-      setAxiosAuth(tokens.accessToken, tokens.tokenType);
-      
-      if (config.userInfoUrl || config.getUserUrl) {
-        await getCurrentUser();
-      }
-      
-      if (user) {
-        config.onLogin?.(user);
-      }
-      callback?.();
-    } catch (err) {
+      const res = await config.axios.get<U>(config.getUserUrl);
+      setUser(res.data);
+    } catch (error) {
       unsetUser();
       setAxiosAuth();
-      config.onError?.(err);
+      config.onError?.(error);
+      throw error;
     }
-  };
+  }, [config, setUser, unsetUser, setAxiosAuth]);
 
-  const getCurrentUser = async () => {
-    const userUrl = config.userInfoUrl || config.getUserUrl;
-    if (!userUrl) return;
+  // Login
+  const login = async (credentials: Record<string, string>, callback?: () => void) => {
     try {
-      const res = await config.axios.get<U>(userUrl);
-      setUser(res.data);
-    } catch (err) {
+      const headers = config.cookieAuth?.enabled ? getCsrfHeaders(config) : {};
+      const res = await config.axios.post(config.loginUrl, credentials, { headers });
+
+      if (config.cookieAuth?.enabled) {
+        // Cookie mode: Server sets httpOnly cookie, just mark as authenticated
+        setAuthenticated(true);
+      } else {
+        // Token mode: Extract and store tokens
+        const newTokens = config.extractTokens(res.data);
+        setTokens(newTokens);
+        setAxiosAuth(newTokens.accessToken, newTokens.tokenType);
+      }
+
+      // Extract user from response
+      const extractedUser = config.extractUser?.(res.data);
+      if (extractedUser) {
+        setUser(extractedUser);
+        config.onLogin?.(extractedUser);
+      } else if (config.getUserUrl) {
+        await getCurrentUser();
+        const currentUser = store.getState().user;
+        if (currentUser) config.onLogin?.(currentUser);
+      }
+
+      callback?.();
+    } catch (error) {
       unsetUser();
       setAxiosAuth();
-      config.onError?.(err);
+      config.onError?.(error);
+      throw error;
     }
   };
 
+  // Logout
   const logout = async () => {
     try {
-      // If we have a revoke/logout URL, call it
-      const logoutUrl = config.revokeUrl || config.logoutUrl;
-      if (logoutUrl) {
-        if (config.revokeUrl && tokens?.refreshToken) {
-          // OAuth revoke
-          await config.axios.post(logoutUrl, {
-            token: tokens.refreshToken,
-            token_type_hint: 'refresh_token'
-          });
-        } else {
-          // Simple logout
-          await config.axios.post(logoutUrl);
-        }
+      if (config.logoutUrl) {
+        const headers = config.cookieAuth?.enabled ? getCsrfHeaders(config) : {};
+        await config.axios.post(config.logoutUrl, {}, { headers });
       }
-    } catch (err) {
-      config.onError?.(err);
+    } catch (error) {
+      config.onError?.(error);
     } finally {
       unsetUser();
       setAxiosAuth();
@@ -153,5 +169,57 @@ export function useAuth<U>(store: AuthStore<U>) {
     }
   };
 
-  return { login, getCurrentUser, logout, refreshTokens };
-}
+  // Auto-setup on mount
+  useEffect(() => {
+    // Cookie mode: Check authentication if not yet determined
+    if (config.cookieAuth?.enabled) {
+      if (isAuthenticated === null) {
+        checkAuth();
+      }
+      return;
+    }
+
+    // Token mode: Setup headers and auto-refresh
+    if (tokens?.accessToken) {
+      setAxiosAuth(tokens.accessToken, tokens.tokenType);
+
+      // Check if expired
+      if (isTokenExpired()) {
+        if (tokens.refreshToken && config.autoRefresh) {
+          refresh();
+        } else {
+          unsetUser();
+        }
+        return;
+      }
+
+      // Setup auto-refresh timer
+      if (tokens.expiresAt && tokens.refreshToken && config.autoRefresh) {
+        const timeUntilExpiry = tokens.expiresAt - Date.now();
+        const refreshTime = Math.max(timeUntilExpiry - config.refreshThreshold, 0);
+
+        const timer = setTimeout(refresh, refreshTime);
+        return () => clearTimeout(timer);
+      }
+
+      // Fetch user if missing
+      if (!user && config.getUserUrl) {
+        getCurrentUser().catch(() => {});
+      }
+    }
+  }, [tokens, user, isAuthenticated, config, isTokenExpired, refresh, checkAuth, getCurrentUser, setAxiosAuth, unsetUser]);
+
+  return { login, logout, refresh, checkAuth, getCurrentUser };
+}
+
+// Helper: Get CSRF headers if enabled (uses getToken from config)
+function getCsrfHeaders(config: any): Record<string, string> {
+  const headers: Record<string, string> = {};
+  if (config.cookieAuth?.csrf?.enabled) {
+    const csrfToken = config.cookieAuth.csrf.getToken();
+    if (csrfToken) {
+      headers[config.cookieAuth.csrf.headerName] = csrfToken;
+    }
+  }
+  return headers;
+}

package/dist/setupTests.d.ts

@@ -1 +0,0 @@
-import '@testing-library/react';