@masterteam/gateway-auth 0.0.16 → 0.0.17

package/fesm2022/masterteam-gateway-auth.mjs

@@ -1,7 +1,7 @@
 import { HttpClient, HttpContextToken, HttpBackend } from '@angular/common/http';
 import * as i0 from '@angular/core';
 import { InjectionToken, inject, Injectable, computed, input, ChangeDetectionStrategy, Component, signal, effect } from '@angular/core';
-import { EMPTY, of, isObservable, from, firstValueFrom, map, tap as tap$1, shareReplay, finalize, switchMap, catchError as catchError$1, throwError } from 'rxjs';
+import { EMPTY, of, isObservable, from, firstValueFrom, map, tap as tap$1, shareReplay, finalize, catchError as catchError$1, throwError, switchMap } from 'rxjs';
 import { Action, Selector, State, Store, select } from '@ngxs/store';
 import { Router, ActivatedRoute } from '@angular/router';
 import { ModalService } from '@masterteam/components/modal';
@@ -28,9 +28,12 @@ const GATEWAY_AUTH_ENDPOINTS = {
     resendMfa: 'auth/2fa/resend',
     refresh: 'auth/refresh',
     logout: 'auth/logout',
+    meApplications: 'auth/me/applications',
+    applicationContext: 'public/application-context',
     ssoProviders: 'auth/sso/providers',
     ssoExchange: 'auth/sso/exchange',
     ssoTokenExchange: 'auth/sso/token-exchange',
+    applicationLaunch: (applicationCode) => `applications/${encodeURIComponent(applicationCode)}/launch`,
     nafathStart: (providerKey) => `auth/sso/nafath/${encodeURIComponent(providerKey)}/start`,
     nafathStatus: (providerKey) => `auth/sso/nafath/${encodeURIComponent(providerKey)}/status`,
     ssoStart: (providerKey) => `auth/sso/${encodeURIComponent(providerKey)}/start`,
@@ -58,6 +61,11 @@ function resolveAccessTokenRefreshSkewMs(skewMs) {
         ? skewMs
         : GATEWAY_AUTH_ACCESS_TOKEN_REFRESH_SKEW_MS;
 }
+function resolveApplicationCodeOption(applicationCode) {
+    const value = typeof applicationCode === 'function' ? applicationCode() : applicationCode;
+    const normalized = value?.trim();
+    return normalized ? normalized : null;
+}
 function resolveGatewayDeviceToken(deviceToken) {
     const configuredToken = typeof deviceToken === 'function' ? deviceToken() : deviceToken;
     const normalizedConfiguredToken = configuredToken?.trim();
@@ -310,6 +318,53 @@ class SetRateLimit {
 class ClearRateLimit {
     static type = '[Auth] Clear Rate Limit';
 }
+class LoadApplications {
+    static type = '[Auth] Load Applications';
+}
+class SetApplications {
+    applications;
+    static type = '[Auth] Set Applications';
+    constructor(applications) {
+        this.applications = applications;
+    }
+}
+class LaunchApplication {
+    applicationCode;
+    returnUrl;
+    navigate;
+    static type = '[Auth] Launch Application';
+    constructor(applicationCode, returnUrl, navigate = false) {
+        this.applicationCode = applicationCode;
+        this.returnUrl = returnUrl;
+        this.navigate = navigate;
+    }
+}
+class SetAppSession {
+    session;
+    static type = '[Auth] Set App Session';
+    constructor(session) {
+        this.session = session;
+    }
+}
+class UpdateAppTokens {
+    applicationCode;
+    tokens;
+    static type = '[Auth] Update App Tokens';
+    constructor(applicationCode, tokens) {
+        this.applicationCode = applicationCode;
+        this.tokens = tokens;
+    }
+}
+class ClearAppSession {
+    applicationCode;
+    static type = '[Auth] Clear App Session';
+    constructor(applicationCode) {
+        this.applicationCode = applicationCode;
+    }
+}
+class ClearAllAppSessions {
+    static type = '[Auth] Clear All App Sessions';
+}
 
 const GATEWAY_AUTH_OPTIONS = new InjectionToken('GATEWAY_AUTH_OPTIONS', {
     factory: () => ({
@@ -321,6 +376,7 @@ const GATEWAY_AUTH_OPTIONS = new InjectionToken('GATEWAY_AUTH_OPTIONS', {
         ssoCallbackPath: '/auth/sso/callback',
         defaultAuthenticatedRoute: '/',
         preserveSsoProvidersOnLogout: true,
+        autoLaunchApplicationOnLogin: false,
         loginPage: {
             imageBasePath: '/Settings/login-image/',
             translationPrefix: 'login',
@@ -378,6 +434,10 @@ const AUTH_STATE_DEFAULTS = {
     pendingMfa: null,
     ssoProviders: [],
     rateLimit: null,
+    applications: [],
+    applicationsLoading: false,
+    appSessions: {},
+    appLaunchLoading: {},
 };
 function pruneRateLimit(rateLimit) {
     if (!rateLimit) {
@@ -389,6 +449,22 @@ function pruneRateLimit(rateLimit) {
     }
     return rateLimit;
 }
+function pruneAppSessions(appSessions) {
+    if (!appSessions || typeof appSessions !== 'object') {
+        return {};
+    }
+    const pruned = {};
+    for (const [code, session] of Object.entries(appSessions)) {
+        if (!session || typeof session !== 'object') {
+            continue;
+        }
+        if (!session.accessToken || !session.refreshToken) {
+            continue;
+        }
+        pruned[code] = session;
+    }
+    return pruned;
+}
 function sanitizePersistedAuthState(obj) {
     return {
         ...AUTH_STATE_DEFAULTS,
@@ -402,6 +478,10 @@ function sanitizePersistedAuthState(obj) {
         pendingMfa: null,
         ssoProviders: [],
         rateLimit: pruneRateLimit(obj?.rateLimit ?? null),
+        applications: obj?.applications ?? [],
+        applicationsLoading: false,
+        appSessions: pruneAppSessions(obj?.appSessions ?? null),
+        appLaunchLoading: {},
     };
 }
 
@@ -465,6 +545,18 @@ let GatewayAuthState = class GatewayAuthState {
     static userDetails(state) {
         return state.user?.user || null;
     }
+    static applications(state) {
+        return state.applications;
+    }
+    static applicationsLoading(state) {
+        return state.applicationsLoading;
+    }
+    static appSessions(state) {
+        return state.appSessions;
+    }
+    static appLaunchLoading(state) {
+        return state.appLaunchLoading;
+    }
     login(ctx, action) {
         if (this.isRateLimitActive(ctx, 'login')) {
             return EMPTY;
@@ -475,10 +567,14 @@ let GatewayAuthState = class GatewayAuthState {
             pendingMfa: null,
             twoFactorRequired: false,
         });
+        const applicationCode = action.payload.applicationCode ??
+            resolveApplicationCodeOption(this.options.applicationCode) ??
+            undefined;
         return this.http
             .post(this.gatewayAuthMutationUrl(GATEWAY_AUTH_ENDPOINTS.login), {
             userName: action.payload.userName,
             password: action.payload.password,
+            applicationCode,
             isEncrypted: action.payload.isEncrypted ?? false,
             deviceToken: action.payload.deviceToken || this.deviceToken,
             recaptchaToken: action.payload.recaptchaToken,
@@ -637,6 +733,9 @@ let GatewayAuthState = class GatewayAuthState {
             refreshTokenExpiresAt: null,
             pendingMfa: null,
             twoFactorRequired: false,
+            applications: [],
+            appSessions: {},
+            appLaunchLoading: {},
         });
     }
     logout(ctx, action) {
@@ -710,6 +809,125 @@ let GatewayAuthState = class GatewayAuthState {
     clearRateLimit(ctx) {
         ctx.patchState({ rateLimit: null });
     }
+    loadApplications(ctx) {
+        ctx.patchState({ applicationsLoading: true });
+        return this.http
+            .get(this.gatewayUrl(GATEWAY_AUTH_ENDPOINTS.meApplications))
+            .pipe(tap((response) => {
+            ctx.patchState({
+                applications: response.data?.applications ?? [],
+                applicationsLoading: false,
+            });
+        }), catchError((error) => {
+            ctx.patchState({
+                applicationsLoading: false,
+                error: getGatewayErrorMessage(error, 'Failed to load applications'),
+            });
+            return of(null);
+        }));
+    }
+    setApplications(ctx, action) {
+        ctx.patchState({ applications: action.applications });
+    }
+    launchApplication(ctx, action) {
+        const code = action.applicationCode;
+        ctx.patchState({
+            appLaunchLoading: {
+                ...ctx.getState().appLaunchLoading,
+                [code]: true,
+            },
+        });
+        const params = {};
+        if (action.returnUrl) {
+            params['returnUrl'] = action.returnUrl;
+        }
+        const deviceToken = this.deviceToken;
+        if (deviceToken) {
+            params['deviceToken'] = deviceToken;
+        }
+        return this.http
+            .get(this.gatewayUrl(GATEWAY_AUTH_ENDPOINTS.applicationLaunch(code)), { params })
+            .pipe(tap((response) => {
+            const data = response.data;
+            if (!data || !hasGatewayTokens(data.tokens)) {
+                ctx.patchState({
+                    appLaunchLoading: this.removeLoadingFlag(ctx, code),
+                });
+                return;
+            }
+            const mapped = mapGatewayTokens(data.tokens);
+            const session = {
+                applicationCode: data.applicationCode,
+                applicationName: data.applicationName,
+                launchUrl: data.launchUrl,
+                accessToken: mapped.accessToken,
+                refreshToken: mapped.refreshToken,
+                accessTokenExpiresAt: mapped.accessTokenExpiresAt,
+                refreshTokenExpiresAt: mapped.refreshTokenExpiresAt,
+            };
+            ctx.patchState({
+                appSessions: {
+                    ...ctx.getState().appSessions,
+                    [data.applicationCode]: session,
+                },
+                appLaunchLoading: this.removeLoadingFlag(ctx, code),
+            });
+            if (action.navigate && session.launchUrl) {
+                try {
+                    window.location.assign(session.launchUrl);
+                }
+                catch {
+                    // ignore navigation errors in non-browser env
+                }
+            }
+        }), catchError((error) => {
+            ctx.patchState({
+                appLaunchLoading: this.removeLoadingFlag(ctx, code),
+                error: getGatewayErrorMessage(error, 'Failed to launch application'),
+            });
+            return of(null);
+        }));
+    }
+    setAppSession(ctx, action) {
+        ctx.patchState({
+            appSessions: {
+                ...ctx.getState().appSessions,
+                [action.session.applicationCode]: action.session,
+            },
+        });
+    }
+    updateAppTokens(ctx, action) {
+        const existing = ctx.getState().appSessions[action.applicationCode];
+        if (!existing) {
+            return;
+        }
+        const mapped = mapGatewayTokens(action.tokens);
+        ctx.patchState({
+            appSessions: {
+                ...ctx.getState().appSessions,
+                [action.applicationCode]: {
+                    ...existing,
+                    accessToken: mapped.accessToken,
+                    refreshToken: mapped.refreshToken,
+                    accessTokenExpiresAt: mapped.accessTokenExpiresAt,
+                    refreshTokenExpiresAt: mapped.refreshTokenExpiresAt,
+                },
+            },
+        });
+    }
+    clearAppSession(ctx, action) {
+        const sessions = { ...ctx.getState().appSessions };
+        delete sessions[action.applicationCode];
+        ctx.patchState({ appSessions: sessions });
+    }
+    clearAllAppSessions(ctx) {
+        ctx.patchState({ appSessions: {}, applications: [] });
+    }
+    removeLoadingFlag(ctx, code) {
+        const next = { ...ctx.getState().appLaunchLoading };
+        delete next[code];
+        return next;
+    }
     isRateLimitActive(ctx, scope) {
         const lock = ctx.getState().rateLimit;
         if (!lock || lock.scope !== scope) {
@@ -773,13 +991,25 @@ let GatewayAuthState = class GatewayAuthState {
             error: null,
             pendingMfa: null,
             twoFactorRequired: false,
+            appSessions: {},
+            appLaunchLoading: {},
         });
-        return this.toObservable(this.options.afterLogin?.(session, ctx)).pipe(tap(() => {
+        return this.toObservable(this.options.afterLogin?.(session, ctx)).pipe(mergeMap(() => this.maybeAutoLaunchApplication(ctx)), tap(() => {
             this.router.navigateByUrl(this.resolveAuthenticatedRoute(), {
                 replaceUrl: true,
             });
         }));
     }
+    maybeAutoLaunchApplication(ctx) {
+        if (!this.options.autoLaunchApplicationOnLogin) {
+            return of(null);
+        }
+        const code = resolveApplicationCodeOption(this.options.applicationCode);
+        if (!code) {
+            return of(null);
+        }
+        return ctx.dispatch(new LaunchApplication(code));
+    }
     get deviceToken() {
         return resolveGatewayDeviceToken(this.options.deviceToken);
     }
@@ -874,6 +1104,27 @@ __decorate([
 __decorate([
     Action(ClearRateLimit)
 ], GatewayAuthState.prototype, "clearRateLimit", null);
+__decorate([
+    Action(LoadApplications)
+], GatewayAuthState.prototype, "loadApplications", null);
+__decorate([
+    Action(SetApplications)
+], GatewayAuthState.prototype, "setApplications", null);
+__decorate([
+    Action(LaunchApplication)
+], GatewayAuthState.prototype, "launchApplication", null);
+__decorate([
+    Action(SetAppSession)
+], GatewayAuthState.prototype, "setAppSession", null);
+__decorate([
+    Action(UpdateAppTokens)
+], GatewayAuthState.prototype, "updateAppTokens", null);
+__decorate([
+    Action(ClearAppSession)
+], GatewayAuthState.prototype, "clearAppSession", null);
+__decorate([
+    Action(ClearAllAppSessions)
+], GatewayAuthState.prototype, "clearAllAppSessions", null);
 __decorate([
     Selector()
 ], GatewayAuthState, "user", null);
@@ -922,6 +1173,18 @@ __decorate([
 __decorate([
     Selector()
 ], GatewayAuthState, "userDetails", null);
+__decorate([
+    Selector()
+], GatewayAuthState, "applications", null);
+__decorate([
+    Selector()
+], GatewayAuthState, "applicationsLoading", null);
+__decorate([
+    Selector()
+], GatewayAuthState, "appSessions", null);
+__decorate([
+    Selector()
+], GatewayAuthState, "appLaunchLoading", null);
 GatewayAuthState = __decorate([
     State({
         name: 'auth',
@@ -930,7 +1193,7 @@ GatewayAuthState = __decorate([
 ], GatewayAuthState);
 i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.8", ngImport: i0, type: GatewayAuthState, decorators: [{
             type: Injectable
-        }], propDecorators: { login: [], verifyMfa: [], resendMfa: [], loadSsoProviders: [], startSso: [], exchangeSsoCode: [], loginSuccess: [], loginFailure: [], logout: [], updateUserData: [], updateTokens: [], clearError: [], clearPendingMfa: [], setRateLimit: [], clearRateLimit: [] } });
+        }], propDecorators: { login: [], verifyMfa: [], resendMfa: [], loadSsoProviders: [], startSso: [], exchangeSsoCode: [], loginSuccess: [], loginFailure: [], logout: [], updateUserData: [], updateTokens: [], clearError: [], clearPendingMfa: [], setRateLimit: [], clearRateLimit: [], loadApplications: [], setApplications: [], launchApplication: [], setAppSession: [], updateAppTokens: [], clearAppSession: [], clearAllAppSessions: [] } });
 
 class GatewayAuthFacade {
     store = inject(Store);
@@ -950,6 +1213,10 @@ class GatewayAuthFacade {
     rateLimit = select(GatewayAuthState.rateLimit);
     isAdmin = select(GatewayAuthState.isAdmin);
     userDetails = select(GatewayAuthState.userDetails);
+    applications = select(GatewayAuthState.applications);
+    applicationsLoading = select(GatewayAuthState.applicationsLoading);
+    appSessions = select(GatewayAuthState.appSessions);
+    appLaunchLoading = select(GatewayAuthState.appLaunchLoading);
     hasError = computed(() => this.error() !== null, ...(ngDevMode ? [{ debugName: "hasError" }] : /* istanbul ignore next */ []));
     isReady = computed(() => !this.loading() && this.error() === null, ...(ngDevMode ? [{ debugName: "isReady" }] : /* istanbul ignore next */ []));
     userDisplayName = computed(() => this.user()?.user?.displayName || '', ...(ngDevMode ? [{ debugName: "userDisplayName" }] : /* istanbul ignore next */ []));
@@ -993,6 +1260,34 @@ class GatewayAuthFacade {
     updateTokens(tokens) {
         this.store.dispatch(new UpdateTokens(tokens));
     }
+    loadApplications() {
+        this.store.dispatch(new LoadApplications());
+    }
+    setApplications(applications) {
+        this.store.dispatch(new SetApplications(applications));
+    }
+    launchApplication(applicationCode, returnUrl, navigate = false) {
+        this.store.dispatch(new LaunchApplication(applicationCode, returnUrl, navigate));
+    }
+    setAppSession(session) {
+        this.store.dispatch(new SetAppSession(session));
+    }
+    updateAppTokens(applicationCode, tokens) {
+        this.store.dispatch(new UpdateAppTokens(applicationCode, tokens));
+    }
+    clearAppSession(applicationCode) {
+        this.store.dispatch(new ClearAppSession(applicationCode));
+    }
+    clearAllAppSessions() {
+        this.store.dispatch(new ClearAllAppSessions());
+    }
+    getAppSession(applicationCode) {
+        return this.appSessions()?.[applicationCode] ?? null;
+    }
+    getAppToken(applicationCode) {
+        const session = this.getAppSession(applicationCode);
+        return session?.accessToken ?? null;
+    }
     clearError() {
         this.store.dispatch(new ClearError());
     }
@@ -1064,7 +1359,6 @@ function isGatewayAuthRequestUrl(url, gatewayApiBaseUrl) {
     return (GATEWAY_AUTH_ENDPOINT_PATHS.has(path) ||
         GATEWAY_AUTH_ENDPOINT_PREFIXES.some((prefix) => path.startsWith(prefix)));
 }
-let inflightRefresh$ = null;
 const getBrowserRefreshLock = () => {
     if (typeof navigator === 'undefined') {
         return null;
@@ -1072,12 +1366,12 @@ const getBrowserRefreshLock = () => {
     const locks = navigator.locks;
     return typeof locks?.request === 'function' ? locks : null;
 };
-const runWithRefreshLock = (operation) => {
+const runWithRefreshLock = (scopeKey, operation) => {
     const locks = getBrowserRefreshLock();
-    return locks
-        ? locks.request('masterteam-gateway-auth-refresh', operation)
-        : operation();
+    return locks ? locks.request(scopeKey, operation) : operation();
 };
+const GATEWAY_REFRESH_SCOPE = 'gateway';
+const inflightRefreshByScope = new Map();
 const getCurrentAuthTokens = (auth) => {
     const accessToken = auth.token();
     const refreshToken = auth.refreshToken();
@@ -1099,7 +1393,7 @@ const tokenHasUsableAccessToken = (tokens, refreshSkewMs) => !!tokens.accessToke
     !isExpired(resolveApiDateValue(tokens.accessTokenExpiresAt), refreshSkewMs);
 const tokenHasUsableRefreshToken = (tokens) => !!tokens.refreshToken &&
     !isExpired(resolveApiDateValue(tokens.refreshTokenExpiresAt));
-const getSynchronizedTokens = (auth, staleRefreshToken, refreshSkewMs) => {
+const getSynchronizedGatewayTokens = (auth, staleRefreshToken, refreshSkewMs) => {
     const candidates = [
         getCurrentAuthTokens(auth),
         readPersistedGatewayAuthTokens(),
@@ -1108,7 +1402,7 @@ const getSynchronizedTokens = (auth, staleRefreshToken, refreshSkewMs) => {
         tokens.refreshToken !== staleRefreshToken &&
         tokenHasUsableAccessToken(tokens, refreshSkewMs)) ?? null);
 };
-const getLatestRefreshToken = (auth, fallbackRefreshToken) => {
+const getLatestGatewayRefreshToken = (auth, fallbackRefreshToken) => {
     const candidates = [
         getCurrentAuthTokens(auth),
         readPersistedGatewayAuthTokens(),
@@ -1118,33 +1412,95 @@ const getLatestRefreshToken = (auth, fallbackRefreshToken) => {
         tokenHasUsableRefreshToken(tokens));
     return latestTokens?.refreshToken ?? fallbackRefreshToken;
 };
-const executeRefresh = (http, gatewayApiBaseUrl, refreshToken, auth, deviceToken, refreshSkewMs) => runWithRefreshLock(async () => {
-    const synchronizedTokens = getSynchronizedTokens(auth, refreshToken, refreshSkewMs);
-    if (synchronizedTokens) {
-        auth.updateTokens(synchronizedTokens);
-        return synchronizedTokens;
-    }
-    const latestRefreshToken = getLatestRefreshToken(auth, refreshToken);
-    const url = buildGatewayUrl(gatewayApiBaseUrl, GATEWAY_AUTH_ENDPOINTS.refresh);
-    return firstValueFrom(http
-        .post(url, {
-        refreshToken: latestRefreshToken,
-        deviceToken,
-    })
-        .pipe(map((response) => response.data), map((tokens) => {
-        if (!tokens?.accessToken || !tokens.refreshToken) {
-            throw new Error('Invalid refresh response');
-        }
-        return tokens;
-    }), tap$1((tokens) => auth.updateTokens(tokens))));
+const sessionAsTokens = (session) => ({
+    accessToken: session.accessToken,
+    accessTokenExpiresAt: { actualValue: session.accessTokenExpiresAt ?? '' },
+    refreshToken: session.refreshToken,
+    refreshTokenExpiresAt: { actualValue: session.refreshTokenExpiresAt ?? '' },
 });
-const refreshTokens$ = (http, gatewayApiBaseUrl, refreshToken, auth, deviceToken, refreshSkewMs) => {
-    if (!inflightRefresh$) {
-        inflightRefresh$ = from(executeRefresh(http, gatewayApiBaseUrl, refreshToken, auth, deviceToken, refreshSkewMs)).pipe(shareReplay({ bufferSize: 1, refCount: true }), finalize(() => {
-            inflightRefresh$ = null;
-        }));
+const getSynchronizedAppTokens = (auth, applicationCode, staleRefreshToken, refreshSkewMs) => {
+    const session = auth.getAppSession(applicationCode);
+    if (!session) {
+        return null;
     }
-    return inflightRefresh$;
+    const tokens = sessionAsTokens(session);
+    if (tokens.refreshToken !== staleRefreshToken &&
+        tokenHasUsableAccessToken(tokens, refreshSkewMs)) {
+        return tokens;
+    }
+    return null;
+};
+const getLatestAppRefreshToken = (auth, applicationCode, fallbackRefreshToken) => {
+    const session = auth.getAppSession(applicationCode);
+    if (!session) {
+        return fallbackRefreshToken;
+    }
+    if (session.refreshToken &&
+        session.refreshToken !== fallbackRefreshToken &&
+        !isExpired(session.refreshTokenExpiresAt)) {
+        return session.refreshToken;
+    }
+    return fallbackRefreshToken;
+};
+const executeRefresh = (context, refreshToken) => {
+    const { http, gatewayApiBaseUrl, auth, deviceToken, refreshSkewMs, scope, applicationCode, } = context;
+    const lockKey = scope === 'gateway'
+        ? 'masterteam-gateway-auth-refresh:gateway'
+        : `masterteam-gateway-auth-refresh:app:${applicationCode ?? ''}`;
+    return runWithRefreshLock(lockKey, async () => {
+        if (scope === 'gateway') {
+            const synchronizedTokens = getSynchronizedGatewayTokens(auth, refreshToken, refreshSkewMs);
+            if (synchronizedTokens) {
+                auth.updateTokens(synchronizedTokens);
+                return synchronizedTokens;
+            }
+        }
+        else if (applicationCode) {
+            const synchronizedTokens = getSynchronizedAppTokens(auth, applicationCode, refreshToken, refreshSkewMs);
+            if (synchronizedTokens) {
+                auth.updateAppTokens(applicationCode, synchronizedTokens);
+                return synchronizedTokens;
+            }
+        }
+        const latestRefreshToken = scope === 'gateway'
+            ? getLatestGatewayRefreshToken(auth, refreshToken)
+            : applicationCode
+                ? getLatestAppRefreshToken(auth, applicationCode, refreshToken)
+                : refreshToken;
+        const url = buildGatewayUrl(gatewayApiBaseUrl, GATEWAY_AUTH_ENDPOINTS.refresh);
+        return firstValueFrom(http
+            .post(url, {
+            refreshToken: latestRefreshToken,
+            deviceToken,
+        })
+            .pipe(map((response) => response.data), map((tokens) => {
+            if (!tokens?.accessToken || !tokens.refreshToken) {
+                throw new Error('Invalid refresh response');
+            }
+            return tokens;
+        }), tap$1((tokens) => {
+            if (scope === 'gateway') {
+                auth.updateTokens(tokens);
+            }
+            else if (applicationCode) {
+                auth.updateAppTokens(applicationCode, tokens);
+            }
+        })));
+    });
+};
+const refreshTokens$ = (context, refreshToken) => {
+    const scopeKey = context.scope === 'gateway'
+        ? GATEWAY_REFRESH_SCOPE
+        : `application:${context.applicationCode ?? ''}`;
+    const existing = inflightRefreshByScope.get(scopeKey);
+    if (existing) {
+        return existing;
+    }
+    const observable = from(executeRefresh(context, refreshToken)).pipe(shareReplay({ bufferSize: 1, refCount: true }), finalize(() => {
+        inflightRefreshByScope.delete(scopeKey);
+    }));
+    inflightRefreshByScope.set(scopeKey, observable);
+    return observable;
 };
 const prepareRequest = (req, token, markRetried, baseUrl) => {
     let modifiedReq = req;
@@ -1167,6 +1523,35 @@ const prepareRequest = (req, token, markRetried, baseUrl) => {
     }
     return modifiedReq;
 };
+const resolveRequestScope = (req, options, auth) => {
+    const useGatewayBaseUrl = options.shouldUseGatewayApiBaseUrl?.(req) ?? false;
+    const explicitCode = options.resolveApplicationCodeForRequest?.(req);
+    if (explicitCode) {
+        const session = auth.getAppSession(explicitCode);
+        return {
+            scope: 'application',
+            applicationCode: explicitCode,
+            session,
+            useGatewayBaseUrl,
+        };
+    }
+    if (useGatewayBaseUrl) {
+        return { scope: 'gateway', useGatewayBaseUrl: true };
+    }
+    const defaultCode = resolveApplicationCodeOption(options.applicationCode);
+    if (defaultCode) {
+        const session = auth.getAppSession(defaultCode);
+        if (session) {
+            return {
+                scope: 'application',
+                applicationCode: defaultCode,
+                session,
+                useGatewayBaseUrl,
+            };
+        }
+    }
+    return { scope: 'gateway', useGatewayBaseUrl };
+};
 const gatewayAuthInterceptor = (req, next) => {
     if (isAssetRequest(req.url)) {
         return next(req);
@@ -1176,41 +1561,86 @@ const gatewayAuthInterceptor = (req, next) => {
     const http = new HttpClient(inject(HttpBackend));
     const gatewayApiBaseUrl = options.getGatewayApiBaseUrl();
     const appApiBaseUrl = options.getApplicationApiBaseUrl?.();
-    const useGatewayBaseUrl = options.shouldUseGatewayApiBaseUrl?.(req) ?? false;
-    const baseUrl = useGatewayBaseUrl ? gatewayApiBaseUrl : appApiBaseUrl;
     const deviceToken = resolveGatewayDeviceToken(options.deviceToken);
     const refreshSkewMs = resolveAccessTokenRefreshSkewMs(options.accessTokenRefreshSkewMs);
-    const accessToken = auth.token();
-    const refreshToken = auth.refreshToken();
-    const accessTokenExpiresAt = auth.accessTokenExpiresAt();
-    const refreshTokenExpiresAt = auth.refreshTokenExpiresAt();
+    const isAuthRequest = isGatewayAuthRequestUrl(req.url, gatewayApiBaseUrl);
+    const alreadyRetried = req.context.get(GATEWAY_AUTH_RETRY_CONTEXT);
+    const resolved = resolveRequestScope(req, options, auth);
+    const baseUrl = resolved.useGatewayBaseUrl
+        ? gatewayApiBaseUrl
+        : appApiBaseUrl;
+    const gatewayAccessToken = auth.token();
+    const gatewayRefreshToken = auth.refreshToken();
+    const gatewayAccessTokenExpiresAt = auth.accessTokenExpiresAt();
+    const gatewayRefreshTokenExpiresAt = auth.refreshTokenExpiresAt();
+    const session = resolved.session ?? null;
+    const accessToken = resolved.scope === 'application' && session
+        ? session.accessToken
+        : gatewayAccessToken;
+    const accessTokenExpiresAt = resolved.scope === 'application' && session
+        ? session.accessTokenExpiresAt
+        : gatewayAccessTokenExpiresAt;
+    const refreshToken = resolved.scope === 'application' && session
+        ? session.refreshToken
+        : gatewayRefreshToken;
+    const refreshTokenExpiresAt = resolved.scope === 'application' && session
+        ? session.refreshTokenExpiresAt
+        : gatewayRefreshTokenExpiresAt;
     const accessTokenValid = !!accessToken && !isExpired(accessTokenExpiresAt, refreshSkewMs);
     const canRefresh = !!refreshToken && !isExpired(refreshTokenExpiresAt);
-    const alreadyRetried = req.context.get(GATEWAY_AUTH_RETRY_CONTEXT);
-    const isAuthRequest = isGatewayAuthRequestUrl(req.url, gatewayApiBaseUrl);
     const tokenToAttach = !isAuthRequest && accessTokenValid ? accessToken : null;
-    if (!isAuthRequest && !accessTokenValid && canRefresh) {
-        return refreshTokens$(http, gatewayApiBaseUrl, refreshToken, auth, deviceToken, refreshSkewMs).pipe(switchMap((tokens) => next(prepareRequest(req, tokens.accessToken, true, baseUrl))), catchError$1((error) => {
-            auth.logout();
-            return throwError(() => error);
-        }));
+    const buildRefreshContext = (scopeOverride, appCodeOverride) => ({
+        http,
+        gatewayApiBaseUrl,
+        auth,
+        deviceToken,
+        refreshSkewMs,
+        scope: scopeOverride ?? resolved.scope,
+        applicationCode: appCodeOverride ?? resolved.applicationCode,
+    });
+    if (!isAuthRequest && !accessTokenValid && canRefresh && refreshToken) {
+        return refreshTokens$(buildRefreshContext(), refreshToken).pipe(catchError$1((refreshError) => {
+            if (resolved.scope === 'application' && resolved.applicationCode) {
+                auth.clearAppSession(resolved.applicationCode);
+            }
+            else {
+                auth.logout();
+            }
+            return throwError(() => refreshError);
+        }), switchMap((tokens) => next(prepareRequest(req, tokens.accessToken, true, baseUrl))));
     }
     return next(prepareRequest(req, tokenToAttach, false, baseUrl)).pipe(catchError$1((error) => {
-        if (error?.status === 401 && !isAuthRequest && !alreadyRetried) {
-            const latestRefreshToken = auth.refreshToken();
-            const latestRefreshTokenExpiresAt = auth.refreshTokenExpiresAt();
-            const canRefreshNow = !!latestRefreshToken && !isExpired(latestRefreshTokenExpiresAt);
-            if (canRefreshNow) {
-                return refreshTokens$(http, gatewayApiBaseUrl, latestRefreshToken, auth, deviceToken, refreshSkewMs).pipe(switchMap((tokens) => next(prepareRequest(req, tokens.accessToken, true, baseUrl))), catchError$1((refreshError) => {
-                    auth.logout();
-                    return throwError(() => refreshError);
-                }));
-            }
+        if (error?.status !== 401 || isAuthRequest || alreadyRetried) {
+            return throwError(() => error);
         }
-        if (error?.status === 401 && !isAuthRequest) {
-            auth.logout();
+        const latestAppSession = resolved.scope === 'application' && resolved.applicationCode
+            ? auth.getAppSession(resolved.applicationCode)
+            : null;
+        const latestRefreshToken = resolved.scope === 'application' && resolved.applicationCode
+            ? (latestAppSession?.refreshToken ?? null)
+            : auth.refreshToken();
+        const latestRefreshTokenExpiresAt = resolved.scope === 'application' && resolved.applicationCode
+            ? (latestAppSession?.refreshTokenExpiresAt ?? null)
+            : auth.refreshTokenExpiresAt();
+        const canRefreshNow = !!latestRefreshToken && !isExpired(latestRefreshTokenExpiresAt);
+        if (!canRefreshNow || !latestRefreshToken) {
+            if (resolved.scope === 'application' && resolved.applicationCode) {
+                auth.clearAppSession(resolved.applicationCode);
+            }
+            else {
+                auth.logout();
+            }
+            return throwError(() => error);
         }
-        return throwError(() => error);
+        return refreshTokens$(buildRefreshContext(), latestRefreshToken).pipe(catchError$1((refreshError) => {
+            if (resolved.scope === 'application' && resolved.applicationCode) {
+                auth.clearAppSession(resolved.applicationCode);
+            }
+            else {
+                auth.logout();
+            }
+            return throwError(() => refreshError);
+        }), switchMap((tokens) => next(prepareRequest(req, tokens.accessToken, true, baseUrl))));
     }));
 };
 
@@ -1415,9 +1845,11 @@ class GatewayLoginPage {
             return;
         }
         const { username, password } = this.loginForm.getRawValue();
+        const applicationCode = resolveApplicationCodeOption(this.options.applicationCode);
         this.authFacade.login({
             userName: username,
             password,
+            applicationCode: applicationCode ?? undefined,
             isEncrypted: false,
             deviceToken: resolveGatewayDeviceToken(this.options.deviceToken),
         });
@@ -1557,5 +1989,5 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.8", ngImpor
  * Generated bundle index. Do not edit.
  */
 
-export { AUTH_STATE_DEFAULTS, ClearError, ClearPendingMfa, ClearRateLimit, ExchangeSsoCode, GATEWAY_AUTH_ACCESS_TOKEN_REFRESH_SKEW_MS, GATEWAY_AUTH_DEVICE_TOKEN, GATEWAY_AUTH_DEVICE_TOKEN_STORAGE_KEY, GATEWAY_AUTH_ENDPOINTS, GATEWAY_AUTH_NGSW_BYPASS_PARAM, GATEWAY_AUTH_OPTIONS, GATEWAY_AUTH_RETRY_CONTEXT, GATEWAY_RATE_LIMIT_ERROR_CODE, GATEWAY_RATE_LIMIT_STATUS, GatewayAuthFacade, GatewayAuthState, GatewayLoginPage, GatewayMfa, GatewaySsoButtons, GatewaySsoCallback, GatewaySsoSession, LoadSsoProviders, Login, LoginFailure, LoginSuccess, Logout, ResendMfa, SetRateLimit, StartSso, UpdateTokens, UpdateUserData, VerifyMfa, buildGatewayUrl, buildSsoStartUrl, createSecureClientState, extractGatewayRateLimitInfo, gatewayAuthInterceptor, getGatewayErrorMessage, hasGatewayTokens, isExpired, isGatewayAuthRequestUrl, mapGatewayTokens, mapGatewayUser, normalizeGatewayBase, readPersistedGatewayAuthTokens, resolveAccessTokenRefreshSkewMs, resolveApiDateValue, resolveGatewayAuthPath, resolveGatewayDeviceToken, sanitizePersistedAuthState, withGatewayAuthNgswBypass };
+export { AUTH_STATE_DEFAULTS, ClearAllAppSessions, ClearAppSession, ClearError, ClearPendingMfa, ClearRateLimit, ExchangeSsoCode, GATEWAY_AUTH_ACCESS_TOKEN_REFRESH_SKEW_MS, GATEWAY_AUTH_DEVICE_TOKEN, GATEWAY_AUTH_DEVICE_TOKEN_STORAGE_KEY, GATEWAY_AUTH_ENDPOINTS, GATEWAY_AUTH_NGSW_BYPASS_PARAM, GATEWAY_AUTH_OPTIONS, GATEWAY_AUTH_RETRY_CONTEXT, GATEWAY_RATE_LIMIT_ERROR_CODE, GATEWAY_RATE_LIMIT_STATUS, GatewayAuthFacade, GatewayAuthState, GatewayLoginPage, GatewayMfa, GatewaySsoButtons, GatewaySsoCallback, GatewaySsoSession, LaunchApplication, LoadApplications, LoadSsoProviders, Login, LoginFailure, LoginSuccess, Logout, ResendMfa, SetAppSession, SetApplications, SetRateLimit, StartSso, UpdateAppTokens, UpdateTokens, UpdateUserData, VerifyMfa, buildGatewayUrl, buildSsoStartUrl, createSecureClientState, extractGatewayRateLimitInfo, gatewayAuthInterceptor, getGatewayErrorMessage, hasGatewayTokens, isExpired, isGatewayAuthRequestUrl, mapGatewayTokens, mapGatewayUser, normalizeGatewayBase, readPersistedGatewayAuthTokens, resolveAccessTokenRefreshSkewMs, resolveApiDateValue, resolveApplicationCodeOption, resolveGatewayAuthPath, resolveGatewayDeviceToken, sanitizePersistedAuthState, withGatewayAuthNgswBypass };
 //# sourceMappingURL=masterteam-gateway-auth.mjs.map