@nauth-toolkit/client-angular 0.1.56 → 0.1.58

package/ng-package.json

@@ -1,12 +0,0 @@
-{
-  "$schema": "node_modules/ng-packagr/ng-package.schema.json",
-  "dest": "./dist",
-  "lib": {
-    "entryFile": "src/public-api.ts",
-    "flatModuleFile": "nauth-toolkit-client-angular"
-  },
-  "allowedNonPeerDependencies": [
-    "@nauth-toolkit/client"
-  ]
-}
-

package/src/lib/auth.interceptor.ts

@@ -1,194 +0,0 @@
-import { inject, PLATFORM_ID } from '@angular/core';
-import { isPlatformBrowser } from '@angular/common';
-import { HttpHandlerFn, HttpInterceptorFn, HttpRequest, HttpClient, HttpErrorResponse } from '@angular/common/http';
-import { Router } from '@angular/router';
-import { catchError, switchMap, throwError, filter, take, BehaviorSubject, from } from 'rxjs';
-import { NAUTH_CLIENT_CONFIG } from '../ngmodule/tokens';
-import { AuthService } from '../ngmodule/auth.service';
-
-/**
- * Refresh state management.
- * BehaviorSubject pattern is the industry-standard for token refresh.
- */
-let isRefreshing = false;
-const refreshTokenSubject = new BehaviorSubject<string | null>(null);
-
-/**
- * Track retried requests to prevent infinite loops.
- */
-const retriedRequests = new WeakSet<HttpRequest<unknown>>();
-
-/**
- * Get CSRF token from cookie.
- */
-function getCsrfToken(cookieName: string): string | null {
-  if (typeof document === 'undefined') return null;
-  const match = document.cookie.match(new RegExp(`(^| )${cookieName}=([^;]+)`));
-  return match ? decodeURIComponent(match[2]) : null;
-}
-
-/**
- * Angular HTTP interceptor for nauth-toolkit.
- *
- * Handles:
- * - Cookies mode: withCredentials + CSRF tokens + refresh via POST
- * - JSON mode: refresh via SDK, retry with new token
- */
-export const authInterceptor: HttpInterceptorFn = (req: HttpRequest<unknown>, next: HttpHandlerFn) => {
-  const config = inject(NAUTH_CLIENT_CONFIG);
-  const http = inject(HttpClient);
-  const authService = inject(AuthService);
-  const platformId = inject(PLATFORM_ID);
-  const router = inject(Router);
-  const isBrowser = isPlatformBrowser(platformId);
-
-  if (!isBrowser) {
-    return next(req);
-  }
-
-  const tokenDelivery = config.tokenDelivery;
-  const baseUrl = config.baseUrl;
-  const endpoints = config.endpoints ?? {};
-  const refreshPath = endpoints.refresh ?? '/refresh';
-  const loginPath = endpoints.login ?? '/login';
-  const signupPath = endpoints.signup ?? '/signup';
-  const socialExchangePath = endpoints.socialExchange ?? '/social/exchange';
-  const refreshUrl = `${baseUrl}${refreshPath}`;
-
-  const isAuthApiRequest = req.url.includes(baseUrl);
-  const isRefreshEndpoint = req.url.includes(refreshPath);
-  const isPublicEndpoint =
-    req.url.includes(loginPath) || req.url.includes(signupPath) || req.url.includes(socialExchangePath);
-
-  // Build request with credentials (cookies mode only)
-  let authReq = req;
-  if (tokenDelivery === 'cookies') {
-    authReq = authReq.clone({ withCredentials: true });
-
-    if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)) {
-      const csrfCookieName = config.csrf?.cookieName ?? 'nauth_csrf_token';
-      const csrfHeaderName = config.csrf?.headerName ?? 'x-csrf-token';
-      const csrfToken = getCsrfToken(csrfCookieName);
-      if (csrfToken) {
-        authReq = authReq.clone({ setHeaders: { [csrfHeaderName]: csrfToken } });
-      }
-    }
-  }
-
-  return next(authReq).pipe(
-    catchError((error: unknown) => {
-      const shouldHandle =
-        error instanceof HttpErrorResponse &&
-        error.status === 401 &&
-        isAuthApiRequest &&
-        !isRefreshEndpoint &&
-        !isPublicEndpoint &&
-        !retriedRequests.has(req);
-
-      if (!shouldHandle) {
-        return throwError(() => error);
-      }
-
-      if (config.debug) {
-        console.warn('[nauth-interceptor] 401 detected:', req.url);
-      }
-
-      if (!isRefreshing) {
-        isRefreshing = true;
-        refreshTokenSubject.next(null);
-
-        if (config.debug) {
-          console.warn('[nauth-interceptor] Starting refresh...');
-        }
-
-        // Refresh based on mode
-        const refresh$ =
-          tokenDelivery === 'cookies'
-            ? http.post<{ accessToken?: string }>(refreshUrl, {}, { withCredentials: true })
-            : from(authService.refresh());
-
-        return refresh$.pipe(
-          switchMap((response) => {
-            if (config.debug) {
-              console.warn('[nauth-interceptor] Refresh successful');
-            }
-            isRefreshing = false;
-
-            // Get new token (JSON mode) or signal success (cookies mode)
-            const newToken = 'accessToken' in response ? response.accessToken : 'success';
-            refreshTokenSubject.next(newToken ?? 'success');
-
-            // Build retry request
-            const retryReq = buildRetryRequest(authReq, tokenDelivery, newToken);
-            retriedRequests.add(retryReq);
-
-            if (config.debug) {
-              console.warn('[nauth-interceptor] Retrying:', req.url);
-            }
-            return next(retryReq);
-          }),
-          catchError((err) => {
-            if (config.debug) {
-              console.error('[nauth-interceptor] Refresh failed:', err);
-            }
-            isRefreshing = false;
-            refreshTokenSubject.next(null);
-
-            // Handle session expiration - redirect to configured URL
-            if (config.redirects?.sessionExpired) {
-              router.navigateByUrl(config.redirects.sessionExpired).catch((navError) => {
-                if (config.debug) {
-                  console.error('[nauth-interceptor] Navigation failed:', navError);
-                }
-              });
-            }
-
-            return throwError(() => err);
-          }),
-        );
-      } else {
-        // Wait for ongoing refresh
-        if (config.debug) {
-          console.warn('[nauth-interceptor] Waiting for refresh...');
-        }
-        return refreshTokenSubject.pipe(
-          filter((token): token is string => token !== null),
-          take(1),
-          switchMap((token) => {
-            if (config.debug) {
-              console.warn('[nauth-interceptor] Refresh done, retrying:', req.url);
-            }
-            const retryReq = buildRetryRequest(authReq, tokenDelivery, token);
-            retriedRequests.add(retryReq);
-            return next(retryReq);
-          }),
-        );
-      }
-    }),
-  );
-};
-
-/**
- * Build retry request with appropriate auth.
- */
-function buildRetryRequest(
-  originalReq: HttpRequest<unknown>,
-  tokenDelivery: string,
-  newToken?: string,
-): HttpRequest<unknown> {
-  if (tokenDelivery === 'json' && newToken && newToken !== 'success') {
-    return originalReq.clone({
-      setHeaders: { Authorization: `Bearer ${newToken}` },
-    });
-  }
-  return originalReq.clone();
-}
-
-/**
- * Class-based interceptor for NgModule compatibility.
- */
-export class AuthInterceptor {
-  intercept(req: HttpRequest<unknown>, next: HttpHandlerFn) {
-    return authInterceptor(req, next);
-  }
-}

package/src/lib/social-redirect-callback.guard.ts

@@ -1,87 +0,0 @@
-import { inject, PLATFORM_ID } from '@angular/core';
-import { isPlatformBrowser } from '@angular/common';
-import { type CanActivateFn } from '@angular/router';
-import { AuthService } from '../ngmodule/auth.service';
-import { NAUTH_CLIENT_CONFIG } from '../ngmodule/tokens';
-
-/**
- * Social redirect callback route guard.
- *
- * This guard supports the redirect-first social flow where the backend redirects
- * back to the frontend with:
- * - `appState` (always optional)
- * - `exchangeToken` (present for json/hybrid flows, and for cookie flows that return a challenge)
- * - `error` / `error_description` (provider errors)
- *
- * Behavior:
- * - If `exchangeToken` exists: exchanges it via backend and redirects to success or challenge routes.
- * - If no `exchangeToken`: treat as cookie-success path and redirect to success route.
- * - If `error` exists: redirects to oauthError route.
- *
- * @example
- * ```typescript
- * import { socialRedirectCallbackGuard } from '@nauth-toolkit/client/angular';
- *
- * export const routes: Routes = [
- *   { path: 'auth/callback', canActivate: [socialRedirectCallbackGuard], component: CallbackComponent },
- * ];
- * ```
- */
-export const socialRedirectCallbackGuard: CanActivateFn = async (): Promise<boolean> => {
-  const auth = inject(AuthService);
-  const config = inject(NAUTH_CLIENT_CONFIG);
-  const platformId = inject(PLATFORM_ID);
-  const isBrowser = isPlatformBrowser(platformId);
-
-  if (!isBrowser) {
-    return false;
-  }
-
-  const params = new URLSearchParams(window.location.search);
-  const error = params.get('error');
-  const exchangeToken = params.get('exchangeToken');
-
-  // Provider error: redirect to oauthError
-  if (error) {
-    const errorUrl = config.redirects?.oauthError || '/login';
-    window.location.replace(errorUrl);
-    return false;
-  }
-
-  // No exchangeToken: cookie success path; redirect to success.
-  //
-  // Note: we do not "activate" the callback route to avoid consumers needing to render a page.
-  if (!exchangeToken) {
-    // ============================================================================
-    // Cookies mode: hydrate user state before redirecting
-    // ============================================================================
-    // WHY: In cookie delivery, the OAuth callback completes via browser redirects, so the frontend
-    // does not receive a JSON AuthResponse to populate the SDK's cached `currentUser`.
-    //
-    // Without this, sync guards (`authGuard`) can immediately redirect to /login because
-    // `currentUser` is still null even though cookies were set successfully.
-    try {
-      await auth.getProfile();
-    } catch {
-      const errorUrl = config.redirects?.oauthError || '/login';
-      window.location.replace(errorUrl);
-      return false;
-    }
-    const successUrl = config.redirects?.success || '/';
-    window.location.replace(successUrl);
-    return false;
-  }
-
-  // Exchange token and route accordingly
-  const response = await auth.exchangeSocialRedirect(exchangeToken);
-  if (response.challengeName) {
-    const challengeBase = config.redirects?.challengeBase || '/auth/challenge';
-    const challengeRoute = response.challengeName.toLowerCase().replace(/_/g, '-');
-    window.location.replace(`${challengeBase}/${challengeRoute}`);
-    return false;
-  }
-
-  const successUrl = config.redirects?.success || '/';
-  window.location.replace(successUrl);
-  return false;
-};

package/src/ngmodule/auth.interceptor.class.ts

@@ -1,124 +0,0 @@
-import { Injectable, Inject } from '@angular/core';
-import {
-  HttpInterceptor,
-  HttpRequest,
-  HttpHandler,
-  HttpEvent,
-  HttpClient,
-  HttpErrorResponse,
-} from '@angular/common/http';
-import { Router } from '@angular/router';
-import { Observable, catchError, switchMap, throwError, filter, take, BehaviorSubject, from } from 'rxjs';
-import { NAUTH_CLIENT_CONFIG } from './tokens';
-import { AuthService } from './auth.service';
-import { NAuthClientConfig } from '@nauth-toolkit/client';
-
-/**
- * Refresh state management.
- */
-let isRefreshing = false;
-const refreshTokenSubject = new BehaviorSubject<string | null>(null);
-const retriedRequests = new WeakSet<HttpRequest<unknown>>();
-
-/**
- * Get CSRF token from cookie.
- */
-function getCsrfToken(cookieName: string): string | null {
-  if (typeof document === 'undefined') return null;
-  const match = document.cookie.match(new RegExp(`(^| )${cookieName}=([^;]+)`));
-  return match ? decodeURIComponent(match[2]) : null;
-}
-
-/**
- * Class-based HTTP interceptor for NgModule apps (Angular < 17).
- *
- * For standalone components (Angular 17+), use the functional `authInterceptor` instead.
- *
- * @example
- * ```typescript
- * // app.module.ts
- * import { HTTP_INTERCEPTORS } from '@angular/common/http';
- * import { AuthInterceptorClass } from '@nauth-toolkit/client-angular';
- *
- * @NgModule({
- *   providers: [
- *     { provide: HTTP_INTERCEPTORS, useClass: AuthInterceptorClass, multi: true }
- *   ]
- * })
- * ```
- */
-@Injectable()
-export class AuthInterceptorClass implements HttpInterceptor {
-  constructor(
-    @Inject(NAUTH_CLIENT_CONFIG) private readonly config: NAuthClientConfig,
-    private readonly http: HttpClient,
-    private readonly authService: AuthService,
-    private readonly router: Router,
-  ) {}
-
-  intercept(req: HttpRequest<unknown>, next: HttpHandler): Observable<HttpEvent<unknown>> {
-    const tokenDelivery = this.config.tokenDelivery;
-    const baseUrl = this.config.baseUrl;
-
-    // ============================================================================
-    // COOKIES MODE: withCredentials + CSRF token
-    // ============================================================================
-    if (tokenDelivery === 'cookies') {
-      let clonedReq = req.clone({ withCredentials: true });
-
-      // Add CSRF token header if it's a mutating request
-      if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)) {
-        const csrfToken = getCsrfToken(this.config.csrf?.cookieName || 'XSRF-TOKEN');
-        if (csrfToken) {
-          clonedReq = clonedReq.clone({
-            setHeaders: { [this.config.csrf?.headerName || 'X-XSRF-TOKEN']: csrfToken },
-          });
-        }
-      }
-
-      return next.handle(clonedReq).pipe(
-        catchError((error: HttpErrorResponse) => {
-          if (error.status === 401 && !retriedRequests.has(req)) {
-            retriedRequests.add(req);
-
-            if (!isRefreshing) {
-              isRefreshing = true;
-              refreshTokenSubject.next(null);
-
-              return from(
-                this.http
-                  .post<{ accessToken?: string }>(`${baseUrl}/refresh`, {}, { withCredentials: true })
-                  .toPromise(),
-              ).pipe(
-                switchMap(() => {
-                  isRefreshing = false;
-                  refreshTokenSubject.next('refreshed');
-                  return next.handle(clonedReq);
-                }),
-                catchError((refreshError) => {
-                  isRefreshing = false;
-                  this.authService.logout();
-                  this.router.navigate([this.config.redirects?.sessionExpired || '/login']);
-                  return throwError(() => refreshError);
-                }),
-              );
-            } else {
-              return refreshTokenSubject.pipe(
-                filter((token) => token !== null),
-                take(1),
-                switchMap(() => next.handle(clonedReq)),
-              );
-            }
-          }
-
-          return throwError(() => error);
-        }),
-      );
-    }
-
-    // ============================================================================
-    // JSON MODE: Delegate to SDK for token handling
-    // ============================================================================
-    return next.handle(req);
-  }
-}