@masterteam/gateway-auth 0.0.25 → 0.0.26

package/fesm2022/masterteam-gateway-auth.mjs

@@ -1,4 +1,4 @@
-import { firstValueFrom, EMPTY, of, defer, from, isObservable, map, tap as tap$1, catchError as catchError$1, throwError, switchMap as switchMap$1 } from 'rxjs';
+import { firstValueFrom, EMPTY, of, defer, from, isObservable, map, tap as tap$1, throwError, catchError as catchError$1, switchMap as switchMap$1 } from 'rxjs';
 import { HttpClient, HttpContextToken, HttpBackend, HttpResponse } from '@angular/common/http';
 import * as i0 from '@angular/core';
 import { InjectionToken, inject, Injectable, computed, input, ChangeDetectionStrategy, Component, signal, effect } from '@angular/core';
@@ -1435,25 +1435,64 @@ const normalizePath = (path) => {
     const withoutQuery = trimmed.split('?')[0] || '';
     return withoutQuery.startsWith('api/') ? withoutQuery.slice(4) : withoutQuery;
 };
-function resolveGatewayAuthPath(url, gatewayApiBaseUrl) {
+const getBasePath = (baseUrl) => {
+    if (!baseUrl) {
+        return '';
+    }
+    try {
+        return new URL(baseUrl).pathname;
+    }
+    catch {
+        return baseUrl.startsWith('/') ? baseUrl : '';
+    }
+};
+const stripBasePath = (path, baseUrl) => {
+    const basePath = getBasePath(baseUrl).replace(/^\/+/, '').replace(/\/+$/, '');
+    const normalizedPath = path.replace(/^\/+/, '');
+    if (basePath &&
+        (normalizedPath === basePath || normalizedPath.startsWith(`${basePath}/`))) {
+        return normalizedPath.slice(basePath.length).replace(/^\/+/, '');
+    }
+    return path;
+};
+const resolveRequestPath = (url, baseUrl) => {
+    let path = url;
     if (isAbsoluteUrl(url)) {
         try {
-            return normalizePath(new URL(url).pathname);
+            path = new URL(url).pathname;
         }
         catch {
-            return normalizePath(url);
+            path = url;
         }
     }
-    if (gatewayApiBaseUrl && url.startsWith(gatewayApiBaseUrl)) {
-        return normalizePath(url.slice(gatewayApiBaseUrl.length));
+    else if (baseUrl && url.startsWith(baseUrl)) {
+        path = url.slice(baseUrl.length);
     }
-    return normalizePath(url);
+    return normalizePath(stripBasePath(path, baseUrl));
+};
+function resolveGatewayAuthPath(url, gatewayApiBaseUrl) {
+    return resolveRequestPath(url, gatewayApiBaseUrl);
 }
 function isGatewayAuthRequestUrl(url, gatewayApiBaseUrl) {
     const path = resolveGatewayAuthPath(url, gatewayApiBaseUrl).toLowerCase();
     return (GATEWAY_AUTH_ENDPOINT_PATHS.has(path) ||
         GATEWAY_AUTH_ENDPOINT_PREFIXES.some((prefix) => path.startsWith(prefix)));
 }
+const GATEWAY_APPLICATION_LAUNCH_PATH_PATTERN = /^applications\/[^/]+\/launch$/i;
+const isGatewayEndpointRequestUrl = (url, gatewayApiBaseUrl) => {
+    const path = resolveGatewayAuthPath(url, gatewayApiBaseUrl).toLowerCase();
+    return (path.startsWith('auth/') ||
+        GATEWAY_APPLICATION_LAUNCH_PATH_PATTERN.test(path));
+};
+const isApplicationContextRequestUrl = (url, applicationApiBaseUrl) => resolveRequestPath(url, applicationApiBaseUrl).toLowerCase() ===
+    GATEWAY_AUTH_ENDPOINTS.applicationContext;
+class GatewaySessionDeadError extends Error {
+    constructor() {
+        super('GATEWAY_SESSION_DEAD');
+    }
+}
+const isGatewaySessionDeadError = (error) => error instanceof GatewaySessionDeadError;
+const isUnauthorizedError = (error) => error?.status === 401;
 const getBrowserRefreshLock = () => {
     if (typeof navigator === 'undefined') {
         return null;
@@ -1637,22 +1676,31 @@ const executeRelaunch = (context, options) => {
                 },
             };
         }
-        let gatewayAccessToken = context.auth.token();
-        const gatewayAccessTokenExpiresAt = context.auth.accessTokenExpiresAt();
-        const gatewayAccessExpired = !gatewayAccessToken ||
-            isExpired(gatewayAccessTokenExpiresAt, context.refreshSkewMs);
-        if (gatewayAccessExpired) {
+        const ensureGatewayAccessToken = async (forceRefresh = false) => {
+            const gatewayAccessToken = context.auth.token();
+            const gatewayAccessTokenExpiresAt = context.auth.accessTokenExpiresAt();
+            const gatewayAccessExpired = !gatewayAccessToken ||
+                isExpired(gatewayAccessTokenExpiresAt, context.refreshSkewMs);
+            if (!forceRefresh && !gatewayAccessExpired && gatewayAccessToken) {
+                return gatewayAccessToken;
+            }
             const gatewayRefreshToken = context.auth.refreshToken();
             if (!gatewayRefreshToken ||
                 isExpired(context.auth.refreshTokenExpiresAt())) {
-                throw new Error('GATEWAY_SESSION_DEAD');
+                throw new GatewaySessionDeadError();
             }
-            await refreshAccessToken({ ...context, scope: 'gateway', applicationCode: undefined }, gatewayRefreshToken);
-            gatewayAccessToken = context.auth.token();
-            if (!gatewayAccessToken) {
-                throw new Error('GATEWAY_SESSION_DEAD');
+            try {
+                await refreshAccessToken({ ...context, scope: 'gateway', applicationCode: undefined }, gatewayRefreshToken);
             }
-        }
+            catch {
+                throw new GatewaySessionDeadError();
+            }
+            const refreshedGatewayAccessToken = context.auth.token();
+            if (!refreshedGatewayAccessToken) {
+                throw new GatewaySessionDeadError();
+            }
+            return refreshedGatewayAccessToken;
+        };
         const url = buildGatewayUrl(context.gatewayApiBaseUrl, GATEWAY_AUTH_ENDPOINTS.applicationLaunch(code));
         const params = {};
         const returnUrl = resolveRelaunchReturnUrl(options, code);
@@ -1662,7 +1710,7 @@ const executeRelaunch = (context, options) => {
         if (context.deviceToken) {
             params['deviceToken'] = context.deviceToken;
         }
-        return firstValueFrom(context.http
+        const requestLaunch = (gatewayAccessToken) => firstValueFrom(context.http
             .get(url, {
             params,
             headers: {
@@ -1686,6 +1734,25 @@ const executeRelaunch = (context, options) => {
             context.auth.setAppSession(session);
             return data.tokens;
         })));
+        const gatewayAccessToken = await ensureGatewayAccessToken();
+        try {
+            return await requestLaunch(gatewayAccessToken);
+        }
+        catch (error) {
+            if (!isUnauthorizedError(error)) {
+                throw error;
+            }
+            const refreshedGatewayAccessToken = await ensureGatewayAccessToken(true);
+            try {
+                return await requestLaunch(refreshedGatewayAccessToken);
+            }
+            catch (retryError) {
+                if (isUnauthorizedError(retryError)) {
+                    throw new GatewaySessionDeadError();
+                }
+                throw retryError;
+            }
+        }
     });
 };
 const relaunchApplication = (context, options) => {
@@ -1728,13 +1795,46 @@ const prepareRequest = (req, token, markRetried, baseUrl) => {
     return modifiedReq;
 };
 const urlMatchesBase = (url, baseUrl) => {
-    if (!baseUrl || !isAbsoluteUrl(url)) {
+    if (!baseUrl) {
         return false;
     }
-    return url.startsWith(normalizeBase(baseUrl));
+    const normalizedBase = normalizeBase(baseUrl);
+    if (isAbsoluteUrl(url) && isAbsoluteUrl(normalizedBase)) {
+        return url.startsWith(normalizedBase);
+    }
+    const basePath = getBasePath(baseUrl).replace(/^\/+/, '').replace(/\/+$/, '');
+    if (!basePath) {
+        return !isAbsoluteUrl(url) && url.startsWith(normalizedBase);
+    }
+    let path = url;
+    if (isAbsoluteUrl(url)) {
+        try {
+            path = new URL(url).pathname;
+        }
+        catch {
+            path = url;
+        }
+    }
+    path = path.split('?')[0].replace(/^\/+/, '');
+    return path === basePath || path.startsWith(`${basePath}/`);
 };
-const resolveRequestScope = (req, options, auth, gatewayApiBaseUrl) => {
-    // 1. Per-request override wins.
+const resolveRequestScope = (req, options, auth, gatewayApiBaseUrl, applicationApiBaseUrl) => {
+    // 1. Public app context is deliberately unauthenticated app scope.
+    if (isApplicationContextRequestUrl(req.url, applicationApiBaseUrl)) {
+        return { scope: 'application', useGatewayBaseUrl: false };
+    }
+    // 2. Known Gateway endpoints must always use GatewaySession.
+    if (isGatewayEndpointRequestUrl(req.url, gatewayApiBaseUrl)) {
+        return {
+            scope: 'gateway',
+            useGatewayBaseUrl: !urlMatchesBase(req.url, gatewayApiBaseUrl),
+        };
+    }
+    // 3. Caller hint via request context.
+    if (options.shouldUseGatewayApiBaseUrl?.(req)) {
+        return { scope: 'gateway', useGatewayBaseUrl: true };
+    }
+    // 4. Per-request app override.
     const explicitCode = options.resolveApplicationCodeForRequest?.(req);
     if (explicitCode) {
         const session = auth.getAppSession(explicitCode);
@@ -1745,30 +1845,34 @@ const resolveRequestScope = (req, options, auth, gatewayApiBaseUrl) => {
             useGatewayBaseUrl: false,
         };
     }
-    // 2. Caller hint via request context.
-    if (options.shouldUseGatewayApiBaseUrl?.(req)) {
-        return { scope: 'gateway', useGatewayBaseUrl: true };
+    const defaultCode = resolveApplicationCodeOption(options.applicationCode) ??
+        auth.activeApplicationCode();
+    // 5. Requests targeting the configured app API use ApplicationAccess.
+    if (urlMatchesBase(req.url, applicationApiBaseUrl) && defaultCode) {
+        return {
+            scope: 'application',
+            applicationCode: defaultCode,
+            session: auth.getAppSession(defaultCode),
+            useGatewayBaseUrl: false,
+        };
     }
-    // 3. Absolute URL pointing at the Gateway base must use GatewaySession.
-    //    Covers /api/auth/*, /api/auth/me/applications, /api/applications/{code}/launch.
+    // 6. Absolute URL pointing at the Gateway base must use GatewaySession.
     if (urlMatchesBase(req.url, gatewayApiBaseUrl)) {
         return { scope: 'gateway', useGatewayBaseUrl: false };
     }
-    // 4. Otherwise treat as app scope when a session exists.
-    const defaultCode = resolveApplicationCodeOption(options.applicationCode) ??
-        auth.activeApplicationCode();
+    // 7. App shells with a configured/active app code should not send the
+    // GatewaySession to direct app APIs. The interceptor will launch the app
+    // if the ApplicationAccess pair is not available yet.
     if (defaultCode) {
         const session = auth.getAppSession(defaultCode);
-        if (session) {
-            return {
-                scope: 'application',
-                applicationCode: defaultCode,
-                session,
-                useGatewayBaseUrl: false,
-            };
-        }
+        return {
+            scope: 'application',
+            applicationCode: defaultCode,
+            session,
+            useGatewayBaseUrl: false,
+        };
     }
-    // 5. No app session known yet — fall back to GatewaySession.
+    // 8. No app context known yet - fall back to GatewaySession.
     return { scope: 'gateway', useGatewayBaseUrl: false };
 };
 const gatewayAuthInterceptor = (req, next) => {
@@ -1784,21 +1888,18 @@ const gatewayAuthInterceptor = (req, next) => {
     const refreshSkewMs = resolveAccessTokenRefreshSkewMs(options.accessTokenRefreshSkewMs);
     const isAuthRequest = isGatewayAuthRequestUrl(req.url, gatewayApiBaseUrl);
     const alreadyRetried = req.context.get(GATEWAY_AUTH_RETRY_CONTEXT);
-    const resolved = resolveRequestScope(req, options, auth, gatewayApiBaseUrl);
+    const resolved = resolveRequestScope(req, options, auth, gatewayApiBaseUrl, appApiBaseUrl);
     const baseUrl = resolved.useGatewayBaseUrl
         ? gatewayApiBaseUrl
         : appApiBaseUrl;
     const gatewayAccessToken = auth.token();
     const session = resolved.session ?? null;
-    const accessToken = resolved.scope === 'application' && session
-        ? session.accessToken
+    const accessToken = resolved.scope === 'application'
+        ? (session?.accessToken ?? null)
         : gatewayAccessToken;
-    // Reactive-only refresh: we never call /auth/refresh proactively. If the
-    // access token is genuinely expired the request goes out with the existing
-    // one, the backend will 401, and the catchError below refreshes once and
-    // retries. This avoids the post-login refresh cascade caused by short
-    // access-token TTLs versus any skew.
-    const tokenToAttach = !isAuthRequest && accessToken ? accessToken : null;
+    const isApplicationContextRequest = isApplicationContextRequestUrl(req.url, appApiBaseUrl);
+    const shouldAttachAuth = !isAuthRequest && !isApplicationContextRequest;
+    const tokenToAttach = shouldAttachAuth && accessToken ? accessToken : null;
     const buildRefreshContext = (scopeOverride, appCodeOverride) => ({
         http,
         gatewayApiBaseUrl,
@@ -1808,18 +1909,74 @@ const gatewayAuthInterceptor = (req, next) => {
         scope: scopeOverride ?? resolved.scope,
         applicationCode: appCodeOverride ?? resolved.applicationCode,
     });
-    const initialAccessToken = accessToken;
-    return next(prepareRequest(req, tokenToAttach, false, baseUrl)).pipe(catchError$1((error) => {
-        if (error?.status !== 401 || isAuthRequest || alreadyRetried) {
+    const handleRelaunchError = (relaunchError) => {
+        if (isGatewaySessionDeadError(relaunchError)) {
+            auth.logout();
+        }
+        else if (resolved.applicationCode) {
+            auth.clearAppSession(resolved.applicationCode);
+        }
+        return throwError(() => relaunchError);
+    };
+    const relaunch$ = (clearAppSessionBeforeLaunch = true) => {
+        if (clearAppSessionBeforeLaunch && resolved.applicationCode) {
+            auth.clearAppSession(resolved.applicationCode);
+        }
+        return from(relaunchApplication(buildRefreshContext('application', resolved.applicationCode), options)).pipe(catchError$1(handleRelaunchError));
+    };
+    const resolveGatewayTokenBeforeRequest$ = () => {
+        const currentAccessToken = auth.token();
+        const currentAccessTokenExpiresAt = auth.accessTokenExpiresAt();
+        if (currentAccessToken &&
+            !isExpired(currentAccessTokenExpiresAt, refreshSkewMs)) {
+            return of(currentAccessToken);
+        }
+        const gatewayRefreshToken = auth.refreshToken();
+        if (!currentAccessToken && !gatewayRefreshToken) {
+            return of(null);
+        }
+        if (!gatewayRefreshToken || isExpired(auth.refreshTokenExpiresAt())) {
+            auth.logout();
+            return throwError(() => new GatewaySessionDeadError());
+        }
+        return refreshTokens$(buildRefreshContext('gateway', undefined), gatewayRefreshToken).pipe(map((tokens) => tokens.accessToken), catchError$1((refreshError) => {
+            auth.logout();
+            return throwError(() => refreshError);
+        }));
+    };
+    const resolveAppTokenBeforeRequest$ = () => {
+        const code = resolved.applicationCode;
+        if (!code) {
+            return of(tokenToAttach);
+        }
+        const latestSession = auth.getAppSession(code);
+        if (latestSession?.accessToken &&
+            !isExpired(latestSession.accessTokenExpiresAt, refreshSkewMs)) {
+            return of(latestSession.accessToken);
+        }
+        if (!latestSession?.refreshToken ||
+            isExpired(latestSession.refreshTokenExpiresAt)) {
+            return relaunch$().pipe(map((tokens) => tokens.accessToken));
+        }
+        return refreshTokens$(buildRefreshContext('application', code), latestSession.refreshToken).pipe(map((tokens) => tokens.accessToken), catchError$1(() => relaunch$().pipe(map((tokens) => tokens.accessToken))));
+    };
+    const initialToken$ = !shouldAttachAuth
+        ? of(null)
+        : resolved.scope === 'application'
+            ? resolveAppTokenBeforeRequest$()
+            : resolveGatewayTokenBeforeRequest$();
+    return initialToken$.pipe(switchMap$1((requestAccessToken) => next(prepareRequest(req, requestAccessToken, false, baseUrl)).pipe(catchError$1((error) => {
+        if (error?.status !== 401 || !shouldAttachAuth || alreadyRetried) {
             return throwError(() => error);
         }
         // If a concurrent flow already rotated the token while this request was
-        // in flight, just retry with the freshest token — do NOT trigger another
+        // in flight, just retry with the freshest token - do NOT trigger another
         // refresh against the backend.
         const currentAccessToken = resolved.scope === 'application' && resolved.applicationCode
-            ? (auth.getAppSession(resolved.applicationCode)?.accessToken ?? null)
+            ? (auth.getAppSession(resolved.applicationCode)?.accessToken ??
+                null)
             : auth.token();
-        if (currentAccessToken && currentAccessToken !== initialAccessToken) {
+        if (currentAccessToken && currentAccessToken !== requestAccessToken) {
             return next(prepareRequest(req, currentAccessToken, true, baseUrl));
         }
         const isApp = resolved.scope === 'application' && !!resolved.applicationCode;
@@ -1833,21 +1990,6 @@ const gatewayAuthInterceptor = (req, next) => {
             ? (latestAppSession?.refreshTokenExpiresAt ?? null)
             : auth.refreshTokenExpiresAt();
         const canRefreshNow = !!latestRefreshToken && !isExpired(latestRefreshTokenExpiresAt);
-        // App-scope recovery: prefer app-refresh, fall back to silent re-launch
-        // (so direct Pplus calls keep working when only the app's refresh
-        // token expired but the Gateway session is still alive).
-        const relaunch$ = () => from(relaunchApplication(buildRefreshContext(), options)).pipe(catchError$1((relaunchError) => {
-            const gatewayDead = !auth.token() &&
-                (!auth.refreshToken() ||
-                    isExpired(auth.refreshTokenExpiresAt()));
-            if (gatewayDead) {
-                auth.logout();
-            }
-            else if (resolved.applicationCode) {
-                auth.clearAppSession(resolved.applicationCode);
-            }
-            return throwError(() => relaunchError);
-        }));
         const tokens$ = !canRefreshNow || !latestRefreshToken
             ? isApp
                 ? relaunch$()
@@ -1860,7 +2002,7 @@ const gatewayAuthInterceptor = (req, next) => {
                 return throwError(() => refreshError);
             }));
         return tokens$.pipe(switchMap$1((tokens) => next(prepareRequest(req, tokens.accessToken, true, baseUrl))));
-    }));
+    }))));
 };
 
 const CORRELATION_ID_HEADER = 'X-Correlation-ID';