@karpeleslab/klbfw 0.2.26 → 0.2.28

package/README.md

@@ -167,6 +167,43 @@ The upload module provides methods to manage active uploads:
 - `upload.retryItem(uploadId)`: Retry a failed upload
 - `upload.deleteItem(uploadId)`: Remove an upload from the queue or failed list
 
+## Authentication
+
+Browser apps don't need to do anything — `rest()`, `restSSE()`, and `uploadFile()` send the FW session token as `Authorization: Session <token>` and rely on `credentials: 'include'` for the session cookie. This is the default `sessionAuth` provider.
+
+Node.js apps cannot use session cookies. They opt in to OAuth2 Bearer auth from the separate `auth-node` entry point, which is intentionally not part of the main bundle (so browser bundlers never pull in `fs`/`https`/`os`).
+
+```javascript
+const klbfw = require('@karpeleslab/klbfw');
+const { AuthInfo, bearerAuth } = require('@karpeleslab/klbfw/auth-node');
+
+const info = new AuthInfo();
+await info.init();
+try {
+  await info.load();
+} catch (_) {
+  await info.login();   // Prints a URL the user has to open
+  await info.save();
+}
+
+klbfw.setAuth(bearerAuth(info));
+
+// rest()/uploadFile()/restSSE() now send Bearer tokens.
+// Expired access_tokens are renewed transparently via the refresh_token,
+// the refreshed token is written back to disk, and the failed call is
+// retried once.
+```
+
+### setAuth(provider) / getAuth() / sessionAuth
+
+`setAuth(provider)` swaps the active auth provider for all subsequent `rest()`, `restSSE()`, and `uploadFile()` calls. Pass `null` to restore the default `sessionAuth`.
+
+A provider is an object with three methods:
+
+- `applyToRequest(headers, fetchOptions)` — set Authorization header, credentials mode, etc.
+- `refreshIfNeeded()` — return a Promise that resolves once the token is fresh.
+- `handleExpiredError(error)` — return `Promise<true>` if the provider successfully refreshed and the call should be retried once.
+
 ## Query Parameter Methods
 
 ### GET

package/auth-node.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Node-only auth helpers for @karpeleslab/klbfw.
+ *
+ * Not exported from the main entry; require it directly from Node:
+ *
+ *     const { AuthInfo, bearerAuth } = require('@karpeleslab/klbfw/auth-node');
+ *     const klbfw = require('@karpeleslab/klbfw');
+ *
+ *     const info = new AuthInfo();
+ *     await info.init();
+ *     try { await info.load(); } catch (_) { await info.login(); await info.save(); }
+ *     klbfw.setAuth(bearerAuth(info));
+ */
+
+import { AuthProvider } from './index';
+
+/** Token payload returned by the OAuth2 token endpoint. */
+export interface AuthToken {
+  access_token: string;
+  refresh_token?: string;
+  token_type?: string;
+  expires_in?: number;
+  ClientID?: string;
+  [key: string]: any;
+}
+
+/** Constructor options for AuthInfo. */
+export interface AuthInfoOptions {
+  /** Profile name — used in the on-disk filename. Defaults to $SHELLS_PROFILE or 'default'. */
+  profile?: string;
+  /** OAuth2 client_id. */
+  clientId?: string;
+  /** API host (e.g. 'hub.atonline.com'). */
+  apiHost?: string;
+  /** API base path (e.g. '/_special/rest/'). */
+  apiBasePath?: string;
+}
+
+/**
+ * Holds an OAuth2 access/refresh token pair and persists it to
+ * ~/.config/atonline/auth-<profile>.json.
+ */
+export class AuthInfo {
+  constructor(options?: AuthInfoOptions);
+  token: AuthToken | null;
+  name: string;
+  clientId: string;
+  apiHost: string;
+  apiBasePath: string;
+  filepath: string | null;
+
+  /** Create the config dir and resolve the on-disk path. Call before load/save. */
+  init(): Promise<void>;
+  /** Load the persisted token. Throws if no token has been saved yet. */
+  load(): Promise<void>;
+  /** Persist the current token to disk (mode 0600). */
+  save(): Promise<void>;
+  /** Run the OAuth2 polltoken login flow. Prints a URL the user has to open. */
+  login(): Promise<void>;
+  /** Exchange the refresh_token for a fresh access_token. */
+  renewToken(): Promise<void>;
+}
+
+/**
+ * Build an auth provider from an AuthInfo instance. Pass the result to setAuth().
+ */
+export function bearerAuth(authInfo: AuthInfo): AuthProvider;

package/auth-node.js

@@ -0,0 +1,255 @@
+'use strict';
+/**
+ * @fileoverview Node-only OAuth2 auth provider for KLB Frontend Framework
+ *
+ * This module is intentionally NOT re-exported from index.js. It pulls in
+ * Node built-ins (`fs`, `os`, `path`) which would break browser bundlers if
+ * they followed the main entry. Node applications opt in explicitly:
+ *
+ *     const klbfw = require('@karpeleslab/klbfw');
+ *     const { AuthInfo, bearerAuth } = require('@karpeleslab/klbfw/auth-node');
+ *
+ *     const info = new AuthInfo();
+ *     await info.init();
+ *     try { await info.load(); } catch (_) { await info.login(); await info.save(); }
+ *     klbfw.setAuth(bearerAuth(info));
+ *
+ *     // Subsequent rest()/uploadFile() calls now use the Bearer token,
+ *     // refresh the token automatically when the API reports it expired,
+ *     // and persist the refreshed token to disk.
+ */
+
+const fs = require('fs').promises;
+const path = require('path');
+const os = require('os');
+
+const DEFAULT_CLIENT_ID = 'oaap-p6rktp-uzaf-adle-djqw-g27ghobe';
+const DEFAULT_API_HOST = 'hub.atonline.com';
+const DEFAULT_API_BASE_PATH = '/_special/rest/';
+
+const sleep = (ms) => new Promise(resolve => setTimeout(resolve, ms));
+
+/**
+ * Holds an OAuth2 access/refresh token pair, persists it to
+ * ~/.config/atonline/auth-<profile>.json, and knows how to re-acquire one
+ * via the polltoken login flow.
+ */
+class AuthInfo {
+    constructor(options) {
+        options = options || {};
+        this.token = null;
+        this.name = options.profile || process.env.SHELLS_PROFILE || 'default';
+        this.clientId = options.clientId || DEFAULT_CLIENT_ID;
+        this.apiHost = options.apiHost || DEFAULT_API_HOST;
+        this.apiBasePath = options.apiBasePath || DEFAULT_API_BASE_PATH;
+        this.filepath = null;
+    }
+
+    async init() {
+        const configDir = path.join(os.homedir(), '.config', 'atonline');
+        await fs.mkdir(configDir, { recursive: true, mode: 0o700 });
+        this.filepath = path.join(configDir, `auth-${this.name}.json`);
+    }
+
+    async load() {
+        if (!this.filepath) {
+            throw new Error('AuthInfo.init() must be called before load()');
+        }
+        try {
+            const data = await fs.readFile(this.filepath, 'utf8');
+            this.token = JSON.parse(data);
+            this.token.ClientID = this.clientId;
+        } catch (error) {
+            if (error.code === 'ENOENT') {
+                throw new Error('No login information found');
+            }
+            throw error;
+        }
+    }
+
+    async save() {
+        if (!this.filepath) {
+            throw new Error('AuthInfo.init() must be called before save()');
+        }
+        if (!this.token) {
+            throw new Error('No token to save');
+        }
+        await fs.writeFile(this.filepath, JSON.stringify(this.token, null, 2), { mode: 0o600 });
+    }
+
+    /**
+     * Run the OAuth2 polltoken login flow. Prints an authorization URL the
+     * user has to open, then polls until the user completes the flow.
+     */
+    async login() {
+        const tokenCreate = await this._unauthRequest('POST', `OAuth2/App/${this.clientId}:token_create`, {});
+        const polltoken = tokenCreate.polltoken;
+        if (!polltoken) {
+            throw new Error('Failed to fetch polltoken');
+        }
+
+        const tokuri = encodeURIComponent(`polltoken:${polltoken}`);
+        let fulluri = `https://${this.apiHost}/_rest/OAuth2:auth?response_type=code&client_id=${this.clientId}&redirect_uri=${tokuri}&scope=profile`;
+        if (tokenCreate.xox) {
+            fulluri = tokenCreate.xox;
+        }
+
+        console.log('Please open this URL in order to login:');
+        console.log(fulluri);
+
+        while (true) {
+            const pollResult = await this._unauthRequest('POST', `OAuth2/App/${this.clientId}:token_poll`, { polltoken });
+
+            if (!pollResult.response) {
+                await sleep(1000);
+                continue;
+            }
+
+            const code = pollResult.response.code;
+            if (!code) {
+                throw new Error('Invalid response from API, response not containing code');
+            }
+
+            const tokenResponse = await this._tokenExchange({
+                client_id: this.clientId,
+                grant_type: 'authorization_code',
+                code: code
+            });
+            this.token = tokenResponse;
+            this.token.ClientID = this.clientId;
+            return;
+        }
+    }
+
+    /**
+     * Exchange the refresh_token for a fresh access_token. Throws if the
+     * refresh fails — the caller should usually run login() again.
+     */
+    async renewToken() {
+        if (!this.token || !this.token.refresh_token) {
+            throw new Error('No refresh token is available and access token has expired');
+        }
+        const oldToken = this.token;
+        this.token = null;
+        try {
+            const response = await this._tokenExchange({
+                grant_type: 'refresh_token',
+                client_id: oldToken.ClientID || this.clientId,
+                refresh_token: oldToken.refresh_token
+            });
+            this.token = Object.assign({}, oldToken, response, {
+                ClientID: oldToken.ClientID || this.clientId
+            });
+            if (this.filepath) {
+                await this.save();
+            }
+        } catch (error) {
+            this.token = oldToken;
+            throw error;
+        }
+    }
+
+    // ---------------------------------------------------------------------
+    // Private helpers — these intentionally bypass the rest.js pipeline
+    // because they need to run *without* an active access_token.
+
+    _request(method, path, body, headers, isForm) {
+        const https = require('https');
+        return new Promise((resolve, reject) => {
+            const options = {
+                hostname: this.apiHost,
+                path: this.apiBasePath + path,
+                method: method,
+                headers: Object.assign({}, headers || {})
+            };
+
+            let payload = '';
+            if (body !== undefined && body !== null) {
+                payload = isForm ? body : JSON.stringify(body);
+                options.headers['Content-Length'] = Buffer.byteLength(payload);
+                if (!options.headers['Content-Type']) {
+                    options.headers['Content-Type'] = isForm
+                        ? 'application/x-www-form-urlencoded'
+                        : 'application/json';
+                }
+            }
+
+            const req = https.request(options, (res) => {
+                let data = '';
+                res.on('data', (chunk) => { data += chunk; });
+                res.on('end', () => {
+                    if (res.statusCode !== 200) {
+                        reject(new Error(`Invalid status code from server: ${res.statusCode}`));
+                        return;
+                    }
+                    try {
+                        resolve(JSON.parse(data));
+                    } catch (err) {
+                        reject(new Error(`Failed to parse response: ${err.message}`));
+                    }
+                });
+            });
+            req.on('error', reject);
+            if (payload) req.write(payload);
+            req.end();
+        });
+    }
+
+    async _unauthRequest(method, path, body) {
+        const response = await this._request(method, path, body, { 'Sec-Rest-Http': 'false' }, false);
+        if (response.result === 'error') {
+            throw new Error(response.error || 'API error');
+        }
+        return response.data || response;
+    }
+
+    async _tokenExchange(params) {
+        const { URLSearchParams } = require('url');
+        const form = new URLSearchParams(params).toString();
+        return this._request('POST', 'OAuth2:token', form, {
+            'Content-Type': 'application/x-www-form-urlencoded'
+        }, true);
+    }
+}
+
+/**
+ * Returns an auth provider that authenticates via the OAuth2 access_token
+ * carried by an AuthInfo instance. Plug it into klbfw via setAuth().
+ */
+const bearerAuth = (authInfo) => ({
+    name: 'bearer',
+    authInfo: authInfo,
+
+    applyToRequest(headers, _fetchOptions) {
+        if (authInfo.token && authInfo.token.access_token) {
+            headers['Authorization'] = 'Bearer ' + authInfo.token.access_token;
+        }
+        // Intentionally do NOT set credentials: 'include' — Node has no cookie jar.
+    },
+
+    refreshIfNeeded() {
+        // No proactive refresh — the API tells us when the token is gone.
+        return Promise.resolve();
+    },
+
+    async handleExpiredError(error) {
+        if (!isExpiredTokenError(error)) return false;
+        if (!authInfo.token || !authInfo.token.refresh_token) return false;
+        try {
+            await authInfo.renewToken();
+            return true;
+        } catch (_) {
+            return false;
+        }
+    }
+});
+
+const isExpiredTokenError = (error) => {
+    if (!error) return false;
+    if (error.token === 'error_login_required') return true;
+    if (error.token === 'invalid_request_token' && error.extra === 'token_expired') return true;
+    return false;
+};
+
+module.exports.AuthInfo = AuthInfo;
+module.exports.bearerAuth = bearerAuth;

package/auth.js

@@ -0,0 +1,113 @@
+'use strict';
+/**
+ * @fileoverview Pluggable auth provider for KLB Frontend Framework
+ *
+ * The default `sessionAuth` provider preserves browser behavior: the FW
+ * session token is sent as an `Authorization: Session <token>` header and
+ * fetch requests use `credentials: 'include'` so the session cookie travels
+ * with each call.
+ *
+ * Node.js applications cannot use session cookies. They should require
+ * `@karpeleslab/klbfw/auth-node` and call `setAuth(bearerAuth(authInfo))`
+ * once at startup. All `rest()`, `restGet()`, `restSSE()` and `uploadFile()`
+ * calls then send a Bearer token instead.
+ *
+ * An auth provider implements:
+ *   - applyToRequest(headers, fetchOptions): mutate headers / fetch options
+ *   - refreshIfNeeded(): Promise resolving once the token is fresh
+ *   - handleExpiredError(error): Promise<boolean> — true to retry
+ */
+
+const fwWrapper = require('./fw-wrapper');
+
+const FIVE_MINUTES = 5 * 60 * 1000;
+
+/**
+ * Default auth provider — browser session cookie + FW.token.
+ * Behavior matches the pre-auth-abstraction inline logic.
+ */
+const sessionAuth = {
+    name: 'session',
+
+    applyToRequest(headers, fetchOptions) {
+        const token = fwWrapper.getToken();
+        if (token !== '') {
+            headers['Authorization'] = 'Session ' + token;
+        }
+        fetchOptions.credentials = 'include';
+    },
+
+    refreshIfNeeded() {
+        const tokenExp = fwWrapper.getTokenExp();
+
+        if (tokenExp === undefined) {
+            return Promise.resolve();
+        }
+
+        if (tokenExp - Date.now() > FIVE_MINUTES) {
+            return Promise.resolve();
+        }
+
+        // Lazy require to break circular load with internal.js
+        const internal = require('./internal');
+        const callUrl = internal.buildRestUrl('_special/token.json', true);
+
+        const headers = {};
+        const token = fwWrapper.getToken();
+        if (token !== '') {
+            headers['Authorization'] = 'Session ' + token;
+        }
+
+        return fetch(callUrl, {
+            method: 'GET',
+            credentials: 'include',
+            headers: headers
+        })
+        .then(response => {
+            if (!response.ok) {
+                fwWrapper.setToken(fwWrapper.getToken(), undefined);
+                return;
+            }
+
+            const contentType = response.headers.get('content-type');
+            if (!contentType || contentType.indexOf('application/json') === -1) {
+                fwWrapper.setToken(fwWrapper.getToken(), undefined);
+                return;
+            }
+
+            return response.json();
+        })
+        .then(json => {
+            if (json && json.token && json.token_exp) {
+                fwWrapper.setToken(json.token, json.token_exp);
+            } else {
+                fwWrapper.setToken(fwWrapper.getToken(), undefined);
+            }
+        })
+        .catch(() => {
+            fwWrapper.setToken(fwWrapper.getToken(), undefined);
+        });
+    },
+
+    handleExpiredError(_error) {
+        // Browser sessions can't silently re-authenticate.
+        return Promise.resolve(false);
+    }
+};
+
+let currentAuth = sessionAuth;
+
+/**
+ * Replaces the active auth provider for all subsequent rest()/upload calls.
+ * Pass null/undefined to restore the default sessionAuth.
+ */
+const setAuth = (auth) => {
+    currentAuth = auth || sessionAuth;
+};
+
+/** Returns the current active auth provider. */
+const getAuth = () => currentAuth;
+
+module.exports.sessionAuth = sessionAuth;
+module.exports.setAuth = setAuth;
+module.exports.getAuth = getAuth;

package/index.d.ts

@@ -61,6 +61,25 @@ interface RestResponse<T = any> {
   [key: string]: any;
 }
 
+/**
+ * Context object for REST API calls.
+ * Keys are single characters representing different context dimensions.
+ */
+interface Context {
+  /** Branch identifier */
+  b?: string;
+  /** Currency code (e.g., 'USD', 'EUR') */
+  c?: string;
+  /** Group identifier */
+  g?: string;
+  /** Language/locale code (e.g., 'en-US', 'ja-JP') */
+  l?: string;
+  /** Timezone identifier (e.g., 'Asia/Tokyo', 'America/New_York') */
+  t?: string;
+  /** User identifier */
+  u?: string;
+}
+
 /** REST API error object (thrown on promise rejection) */
 interface RestError {
   /** Always 'error' for error responses */
@@ -172,7 +191,7 @@ interface Price extends PriceValue {
   tax_rate?: number;
 }
 
-declare function rest<T = any>(name: string, verb: string, params?: Record<string, any>, context?: Record<string, any>): Promise<RestResponse<T>>;
+declare function rest<T = any>(name: string, verb: string, params?: Record<string, any>, context?: Context): Promise<RestResponse<T>>;
 declare function rest_get<T = any>(name: string, params?: Record<string, any>): Promise<RestResponse<T>>; // Backward compatibility
 declare function restGet<T = any>(name: string, params?: Record<string, any>): Promise<RestResponse<T>>;
 
@@ -218,7 +237,7 @@ interface SSESource {
   close(): void;
 }
 
-declare function restSSE(name: string, method?: string, params?: Record<string, any>, context?: Record<string, any>): SSESource;
+declare function restSSE(name: string, method?: string, params?: Record<string, any>, context?: Context): SSESource;
 
 // Upload module types
 
@@ -266,7 +285,7 @@ interface UploadLegacyOptions {
 /** @deprecated Use uploadFile() instead */
 declare const upload: {
   init(path: string, params?: Record<string, any>, notify?: (status: any) => void): Promise<any> | ((files: any) => Promise<any>);
-  append(path: string, file: File | object, params?: Record<string, any>, context?: Record<string, any>): Promise<any>;
+  append(path: string, file: File | object, params?: Record<string, any>, context?: Context): Promise<any>;
   run(): void;
   getStatus(): { queue: any[]; running: any[]; failed: any[] };
   resume(): void;
@@ -284,7 +303,7 @@ declare function uploadFile(
   buffer: UploadFileInput,
   method?: string,
   params?: Record<string, any>,
-  context?: Record<string, any>,
+  context?: Context,
   options?: UploadFileOptions
 ): Promise<any>;
 
@@ -294,10 +313,45 @@ declare function uploadManyFiles(
   files: UploadFileInput[],
   method?: string,
   params?: Record<string, any>,
-  context?: Record<string, any>,
+  context?: Context,
   options?: UploadManyFilesOptions
 ): Promise<any[]>;
 
+// Auth provider types
+
+/**
+ * Pluggable auth provider interface used by rest(), restSSE(), and uploadFile().
+ *
+ * The default `sessionAuth` uses browser session cookies + FW.token. Node
+ * applications should require '@karpeleslab/klbfw/auth-node' and call
+ * `setAuth(bearerAuth(authInfo))` once at startup to switch to OAuth2 Bearer.
+ */
+interface AuthProvider {
+  /** Optional human-readable name (e.g. 'session', 'bearer'). */
+  name?: string;
+  /**
+   * Mutate `headers` and `fetchOptions` to carry credentials. The default
+   * provider sets `Authorization: Session <token>` and credentials: 'include';
+   * a Bearer provider sets `Authorization: Bearer <access_token>` only.
+   */
+  applyToRequest(headers: Record<string, string>, fetchOptions: Record<string, any>): void;
+  /** Resolves once the credential is fresh enough to use. */
+  refreshIfNeeded(): Promise<void>;
+  /**
+   * Called when a request rejects with an API error. Return true if the
+   * provider successfully refreshed the credential and the caller should
+   * retry the request once.
+   */
+  handleExpiredError(error: any): Promise<boolean> | boolean;
+}
+
+/** Replace the active auth provider. Pass null/undefined to restore the default. */
+declare function setAuth(provider: AuthProvider | null | undefined): void;
+/** Get the active auth provider. */
+declare function getAuth(): AuthProvider;
+/** Default auth provider — browser session cookie + FW.token. */
+declare const sessionAuth: AuthProvider;
+
 // Utility types
 declare function getI18N(key: string, args?: Record<string, any>): string;
 declare function trimPrefix(path: string): string;
@@ -332,8 +386,13 @@ export {
   upload,
   uploadFile,
   uploadManyFiles,
+  setAuth,
+  getAuth,
+  sessionAuth,
+  AuthProvider,
   getI18N,
   trimPrefix,
+  Context,
   RestPaging,
   RestResponse,
   RestError,

package/index.js

@@ -13,6 +13,7 @@ const uploadMany = require('./upload-many');
 const uploadLegacy = require('./upload-legacy');
 const util = require('./util');
 const cookies = require('./cookies');
+const auth = require('./auth');
 
 // Framework wrapper exports
 module.exports.GET = internalFW.GET; // Use the function directly
@@ -52,6 +53,11 @@ module.exports.upload = uploadLegacy.upload;
 module.exports.uploadFile = upload.uploadFile;
 module.exports.uploadManyFiles = uploadMany.uploadManyFiles;
 
+// Auth provider exports — see auth-node.js for the Node-only Bearer provider.
+module.exports.setAuth = auth.setAuth;
+module.exports.getAuth = auth.getAuth;
+module.exports.sessionAuth = auth.sessionAuth;
+
 // Utility exports
 module.exports.getI18N = util.getI18N;
 module.exports.trimPrefix = util.trimPrefix;

package/internal.js

@@ -7,6 +7,7 @@
  */
 
 const fwWrapper = require('./fw-wrapper');
+const auth = require('./auth');
 
 /**
  * Pads a number with leading zeros
@@ -122,68 +123,12 @@ const checkSupport = () => {
 };
 
 /**
- * Checks if token needs refresh and refreshes if necessary
+ * Checks if token needs refresh and refreshes if necessary.
+ * Delegates to the active auth provider's `refreshIfNeeded` so Node-side
+ * Bearer flows can plug in their own renewal logic.
  * @returns {Promise<void>} Resolves when check/refresh is complete
  */
-const checkAndRefreshToken = () => {
-    const tokenExp = fwWrapper.getTokenExp();
-
-    // If token_exp is not defined, no refresh needed
-    if (tokenExp === undefined) {
-        return Promise.resolve();
-    }
-
-    const now = Date.now();
-    const fiveMinutes = 5 * 60 * 1000; // 5 minutes in milliseconds
-
-    // Check if token expires within 5 minutes
-    if (tokenExp - now <= fiveMinutes) {
-        // Need to refresh token
-        const callUrl = buildRestUrl('_special/token.json', true);
-        const headers = {};
-
-        if (fwWrapper.getToken() !== '') {
-            headers['Authorization'] = 'Session ' + fwWrapper.getToken();
-        }
-
-        return fetch(callUrl, {
-            method: 'GET',
-            credentials: 'include',
-            headers: headers
-        })
-        .then(response => {
-            if (!response.ok) {
-                // API returned an error, give up by setting token_exp to undefined
-                fwWrapper.setToken(fwWrapper.getToken(), undefined);
-                return;
-            }
-
-            const contentType = response.headers.get('content-type');
-            if (!contentType || contentType.indexOf('application/json') === -1) {
-                // Not JSON response, give up
-                fwWrapper.setToken(fwWrapper.getToken(), undefined);
-                return;
-            }
-
-            return response.json();
-        })
-        .then(json => {
-            if (json && json.token && json.token_exp) {
-                // Update token and token_exp
-                fwWrapper.setToken(json.token, json.token_exp);
-            } else {
-                // Invalid response, give up
-                fwWrapper.setToken(fwWrapper.getToken(), undefined);
-            }
-        })
-        .catch(() => {
-            // Error occurred, give up by setting token_exp to undefined
-            fwWrapper.setToken(fwWrapper.getToken(), undefined);
-        });
-    }
-
-    return Promise.resolve();
-};
+const checkAndRefreshToken = () => auth.getAuth().refreshIfNeeded();
 
 /**
  * Makes an internal REST API call
@@ -206,56 +151,30 @@ const internalRest = (name, verb, params, context) => {
     return checkAndRefreshToken().then(() => {
         const callUrl = buildRestUrl(name, true, context);
         const headers = {};
+        const fetchOptions = { method: verb, headers: headers };
 
-        if (fwWrapper.getToken() !== '') {
-            headers['Authorization'] = 'Session ' + fwWrapper.getToken();
-        }
+        // Active auth provider sets Authorization header and credentials mode.
+        auth.getAuth().applyToRequest(headers, fetchOptions);
 
         // Handle GET requests
         if (verb === "GET") {
             if (params) {
-                // Check if params is a JSON string, or if it needs encoding
-                if (typeof params === "string") {
-                    return fetch(callUrl + "&_=" + encodeURIComponent(params), {
-                        method: verb,
-                        credentials: 'include',
-                        headers: headers
-                    });
-                } else {
-                    return fetch(callUrl + "&_=" + encodeURIComponent(JSON.stringify(params)), {
-                        method: verb,
-                        credentials: 'include',
-                        headers: headers
-                    });
-                }
+                const encoded = typeof params === "string" ? params : JSON.stringify(params);
+                return fetch(callUrl + "&_=" + encodeURIComponent(encoded), fetchOptions);
             }
-
-            return fetch(callUrl, {
-                method: verb,
-                credentials: 'include',
-                headers: headers
-            });
+            return fetch(callUrl, fetchOptions);
         }
 
         // Handle FormData
         if (typeof FormData !== "undefined" && (params instanceof FormData)) {
-            return fetch(callUrl, {
-                method: verb,
-                credentials: 'include',
-                body: params,
-                headers: headers
-            });
+            fetchOptions.body = params;
+            return fetch(callUrl, fetchOptions);
         }
 
         // Handle JSON requests
         headers['Content-Type'] = 'application/json; charset=utf-8';
-
-        return fetch(callUrl, {
-            method: verb,
-            credentials: 'include',
-            body: JSON.stringify(params),
-            headers: headers
-        });
+        fetchOptions.body = JSON.stringify(params);
+        return fetch(callUrl, fetchOptions);
     });
 };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@karpeleslab/klbfw",
-  "version": "0.2.26",
+  "version": "0.2.28",
   "description": "Frontend Framework",
   "main": "index.js",
   "types": "index.d.ts",
@@ -30,14 +30,14 @@
     "js-sha256": "^0.11.0"
   },
   "optionalDependencies": {
-    "node-fetch": "^2.7.0",
-    "@xmldom/xmldom": "~0.8.4"
+    "@xmldom/xmldom": "~0.8.4",
+    "node-fetch": "^2.7.0"
   },
   "devDependencies": {
-    "jest": "^29.7.0",
-    "jest-environment-jsdom": "^29.7.0",
-    "node-fetch": "^2.7.0",
-    "@xmldom/xmldom": "~0.8.4"
+    "@xmldom/xmldom": "~0.8.4",
+    "jest": "^30.3.0",
+    "jest-environment-jsdom": "^30.3.0",
+    "node-fetch": "^2.7.0"
   },
   "jest": {
     "testEnvironment": "jsdom",

package/rest.js

@@ -7,6 +7,7 @@
 
 const internal = require('./internal');
 const fwWrapper = require('./fw-wrapper');
+const auth = require('./auth');
 
 /**
  * Handles platform-specific API calls
@@ -80,15 +81,15 @@ const rest = (name, verb, params, context) => {
         return Promise.reject(new Error('Environment not supported'));
     }
 
-    return new Promise((resolve, reject) => {
+    const tryOnce = () => new Promise((resolve, reject) => {
         const handleSuccess = data => {
             internal.responseParse(data, resolve, reject);
         };
-        
+
         const handleError = data => {
             reject(data);
         };
-        
+
         const handleException = error => {
             console.error(error);
             // TODO: Add proper error logging
@@ -98,6 +99,13 @@ const rest = (name, verb, params, context) => {
             .then(handleSuccess, handleError)
             .catch(handleException);
     });
+
+    return tryOnce().catch(err =>
+        Promise.resolve(auth.getAuth().handleExpiredError(err)).then(retry => {
+            if (retry) return tryOnce();
+            throw err;
+        })
+    );
 };
 
 /**
@@ -300,19 +308,16 @@ const restSSE = (name, method, params, context) => {
         'Accept': 'text/event-stream, application/json'
     };
 
-    const token = fwWrapper.getToken();
-    if (token && token !== '') {
-        headers['Authorization'] = 'Session ' + token;
-    }
-
     // Build fetch options based on method
     const fetchOptions = {
         method: method,
-        credentials: 'include',
         headers: headers,
         signal: abortController.signal
     };
 
+    // Active auth provider sets Authorization header and credentials mode.
+    auth.getAuth().applyToRequest(headers, fetchOptions);
+
     if (method === 'GET') {
         // For GET requests, add params to URL
         if (params && Object.keys(params).length > 0) {