npm - @optifye/dashboard-core - Versions diffs - 6.11.21 → 6.11.22 - Mend

@optifye/dashboard-core 6.11.21 → 6.11.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -2232,6 +2232,61 @@ var clearAuthSnapshot = () => {
   safeStorageRemoveItem(AUTH_SNAPSHOT_STORAGE_KEY);
 };
+// src/lib/auth/authAuditLog.ts
+var TAB_ID = typeof crypto !== "undefined" && crypto.randomUUID ? crypto.randomUUID().slice(0, 8) : Math.random().toString(36).slice(2, 10);
+var FLUSH_INTERVAL_MS = 3e4;
+var MAX_QUEUE_SIZE = 50;
+var queue = [];
+var flushTimer = null;
+var apiBaseUrl = "";
+var getAccessToken = null;
+var initAuthAuditLog = (baseUrl, tokenGetter) => {
+  apiBaseUrl = baseUrl;
+  getAccessToken = tokenGetter;
+  if (typeof window === "undefined") return;
+  if (!flushTimer) {
+    flushTimer = setInterval(flushAuthAuditLog, FLUSH_INTERVAL_MS);
+    window.addEventListener("visibilitychange", () => {
+      if (document.visibilityState === "hidden") {
+        void flushAuthAuditLog();
+      }
+    });
+  }
+};
+var logAuthEvent = (eventType, details = {}) => {
+  queue.push({
+    event_type: eventType,
+    tab_id: TAB_ID,
+    details: {
+      ...details,
+      ts: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  });
+  if (queue.length >= MAX_QUEUE_SIZE) {
+    void flushAuthAuditLog();
+  }
+};
+var flushAuthAuditLog = async () => {
+  if (queue.length === 0 || !apiBaseUrl || !getAccessToken) return;
+  const events = queue.splice(0, MAX_QUEUE_SIZE);
+  try {
+    const token = await getAccessToken();
+    if (!token) return;
+    const body = JSON.stringify({ events });
+    const url = `${apiBaseUrl}/api/auth/audit`;
+    await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${token}`
+      },
+      body,
+      keepalive: document.visibilityState === "hidden"
+    });
+  } catch {
+  }
+};
 // src/lib/auth/session.ts
 var DEFAULT_MIN_VALIDITY_MS = 6e4;
 var refreshPromises = /* @__PURE__ */ new WeakMap();
@@ -2241,6 +2296,24 @@ var isInvalidRefreshTokenError = (error) => {
   if (!message.includes("refresh token")) return false;
   return message.includes("invalid") || message.includes("not found") || message.includes("revoked");
 };
+var getSessionFromStorage = () => {
+  if (typeof window === "undefined") return null;
+  try {
+    for (let i = 0; i < localStorage.length; i++) {
+      const key = localStorage.key(i);
+      if (key?.startsWith("sb-") && key?.endsWith("-auth-token")) {
+        const raw = localStorage.getItem(key);
+        if (!raw) continue;
+        const parsed = JSON.parse(raw);
+        if (parsed?.access_token && parsed?.refresh_token && parsed?.expires_at) {
+          return parsed;
+        }
+      }
+    }
+  } catch {
+  }
+  return null;
+};
 var isSessionValid = (session, minValidityMs = 0) => {
   if (!session) return false;
   if (!session.expires_at) return true;
@@ -2297,6 +2370,18 @@ var refreshSessionSingleFlight = async (supabase) => {
     }
     const invalidRefreshToken = isInvalidRefreshTokenError(refreshError);
     if (invalidRefreshToken) {
+      const storedSession = getSessionFromStorage();
+      if (storedSession && isSessionValid(storedSession, 0)) {
+        console.log("[Auth] Recovered session from localStorage after invalid refresh token (another tab refreshed)");
+        try {
+          await supabase.auth.setSession({
+            access_token: storedSession.access_token,
+            refresh_token: storedSession.refresh_token
+          });
+        } catch {
+        }
+        return { session: storedSession, error: null, invalidRefreshToken: false };
+      }
       try {
         await supabase.auth.signOut({ scope: "local" });
       } catch (error) {
@@ -10379,6 +10464,15 @@ var AuthProvider = ({ children }) => {
   const [error, setError] = React142.useState(null);
   const [authStatus, setAuthStatus] = React142.useState("loading");
   const [showOnboarding, setShowOnboarding] = React142.useState(false);
+  const auditInitRef = React142.useRef(false);
+  if (!auditInitRef.current && typeof window !== "undefined") {
+    const backendUrl = process.env.NEXT_PUBLIC_BACKEND_URL || "http://localhost:8000";
+    initAuthAuditLog(backendUrl, async () => {
+      const { data: { session: s } } = await supabase.auth.getSession();
+      return s?.access_token ?? null;
+    });
+    auditInitRef.current = true;
+  }
   const isFetchingRef = React142.useRef(false);
   const lastProcessedSessionRef = React142.useRef(null);
   const hasAuthenticatedRef = React142.useRef(false);
@@ -10542,6 +10636,7 @@ var AuthProvider = ({ children }) => {
           resetRecoveryState();
           if (refreshResult.invalidRefreshToken) {
             console.warn("[AuthContext] Refresh token invalid, redirecting to login");
+            logAuthEvent("forced_logout", { reason: "invalid_refresh_token", trigger: "fetchSession" });
             setAuthStatus("failed");
             clearSessionState();
             await handleAuthRequired(supabase, "session_expired");
@@ -10641,6 +10736,7 @@ var AuthProvider = ({ children }) => {
   const signOut = React142.useCallback(async () => {
     try {
       console.log("[AuthContext] Signing out");
+      logAuthEvent("sign_out_initiated", { trigger: "user_action" });
       setAuthStatus("loading");
       resetRecoveryState();
       clearAuthSnapshot();
@@ -10665,6 +10761,22 @@ var AuthProvider = ({ children }) => {
       return;
     }
     const monitorTokenExpiry = async () => {
+      const storedSession = getSessionFromStorage();
+      if (storedSession && isSessionValid(storedSession, 5 * 60 * 1e3)) {
+        if (storedSession.access_token !== session.access_token) {
+          console.log("[AuthContext] Adopting session refreshed by another tab");
+          logAuthEvent("cross_tab_refresh_adopted", { source: "monitorTokenExpiry" });
+          setTrackedSession(storedSession);
+          try {
+            await supabase.auth.setSession({
+              access_token: storedSession.access_token,
+              refresh_token: storedSession.refresh_token
+            });
+          } catch {
+          }
+        }
+        return;
+      }
       const expiresAt = session.expires_at;
       if (!expiresAt) {
         console.warn("[AuthContext] Session has no expiry time");
@@ -10677,13 +10789,16 @@ var AuthProvider = ({ children }) => {
       console.log(`[AuthContext] Token expires in ${minutesUntilExpiry} minutes`);
       if (minutesUntilExpiry < 5 && timeUntilExpiry > 0) {
         console.warn("[AuthContext] Token expiring soon, attempting refresh...");
+        logAuthEvent("token_refresh_started", { reason: "expiring_soon", minutesUntilExpiry });
         const refreshResult = await refreshSessionSingleFlight(supabase);
         if (isSessionValid(refreshResult.session, 0)) {
           setTrackedSession(refreshResult.session);
+          logAuthEvent("token_refresh_succeeded", { expiresAt: refreshResult.session?.expires_at });
           console.log("[AuthContext] Token refreshed successfully");
           return;
         }
         if (refreshResult.invalidRefreshToken) {
+          logAuthEvent("token_refresh_failed", { reason: "invalid_refresh_token", trigger: "proactive" });
           clearAuthSnapshot();
           resetRecoveryState();
           console.error("[AuthContext] Refresh token invalid during proactive refresh");
@@ -10692,13 +10807,16 @@ var AuthProvider = ({ children }) => {
       }
       if (timeUntilExpiry <= 0) {
         console.warn("[AuthContext] Token has expired, attempting refresh...");
+        logAuthEvent("token_refresh_started", { reason: "expired", minutesUntilExpiry });
         const refreshResult = await refreshSessionSingleFlight(supabase);
         if (isSessionValid(refreshResult.session, 0)) {
           setTrackedSession(refreshResult.session);
+          logAuthEvent("token_refresh_succeeded", { expiresAt: refreshResult.session?.expires_at });
           console.log("[AuthContext] Token refreshed after expiry");
           return;
         }
         if (refreshResult.invalidRefreshToken) {
+          logAuthEvent("token_refresh_failed", { reason: "invalid_refresh_token", trigger: "expired" });
           clearAuthSnapshot();
           resetRecoveryState();
           console.error("[AuthContext] Refresh token invalid after expiry");
@@ -10750,6 +10868,29 @@ var AuthProvider = ({ children }) => {
     window.addEventListener("rbac:refresh-scope", handleScopeRefresh);
     return () => window.removeEventListener("rbac:refresh-scope", handleScopeRefresh);
   }, [fetchSession, session]);
+  React142.useEffect(() => {
+    if (typeof window === "undefined") return;
+    const handleStorageChange = (e) => {
+      if (!e.key?.startsWith("sb-") || !e.key?.endsWith("-auth-token")) return;
+      if (!e.newValue || !session) return;
+      try {
+        const stored = JSON.parse(e.newValue);
+        if (stored?.access_token && stored?.refresh_token && stored?.expires_at && stored.access_token !== session.access_token) {
+          console.log("[AuthContext] Cross-tab token update detected, syncing session");
+          logAuthEvent("cross_tab_refresh_adopted", { source: "storage_event" });
+          setTrackedSession(stored);
+          supabase.auth.setSession({
+            access_token: stored.access_token,
+            refresh_token: stored.refresh_token
+          }).catch(() => {
+          });
+        }
+      } catch {
+      }
+    };
+    window.addEventListener("storage", handleStorageChange);
+    return () => window.removeEventListener("storage", handleStorageChange);
+  }, [session, setTrackedSession, supabase]);
   React142.useEffect(() => {
     if (typeof window === "undefined" || authStatus !== "recovering") {
       return;
@@ -10841,6 +10982,7 @@ var AuthProvider = ({ children }) => {
       }
       if (event === "SIGNED_OUT") {
         console.log("[AuthContext] User signed out");
+        logAuthEvent("signed_out", { trigger: "auth_state_change" });
         resetRecoveryState();
         clearAuthSnapshot();
         clearSessionState();
@@ -11117,7 +11259,7 @@ function useSessionTracking(options = {}) {
   const trackerRef = React142.useRef(null);
   const isTrackingRef = React142.useRef(false);
   const initRef = React142.useRef(false);
-  const getAccessToken = React142.useCallback(async () => {
+  const getAccessToken2 = React142.useCallback(async () => {
     return session?.access_token || null;
   }, [session?.access_token]);
   React142.useEffect(() => {
@@ -11125,14 +11267,14 @@ function useSessionTracking(options = {}) {
       return;
     }
     initRef.current = true;
-    const apiBaseUrl = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
-    if (!apiBaseUrl) {
+    const apiBaseUrl2 = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
+    if (!apiBaseUrl2) {
       console.warn("[useSessionTracking] No API base URL configured, session tracking disabled");
       return;
     }
     const tracker = createSessionTracker({
-      apiBaseUrl,
-      getAccessToken,
+      apiBaseUrl: apiBaseUrl2,
+      getAccessToken: getAccessToken2,
       onSessionStart: (sessionId) => {
         isTrackingRef.current = true;
         onSessionStart?.(sessionId);
@@ -11153,7 +11295,7 @@ function useSessionTracking(options = {}) {
       initRef.current = false;
       isTrackingRef.current = false;
     };
-  }, [enabled, isAuthenticated, user?.id, session?.access_token, config?.apiBaseUrl, getAccessToken, onSessionStart, onSessionEnd, user]);
+  }, [enabled, isAuthenticated, user?.id, session?.access_token, config?.apiBaseUrl, getAccessToken2, onSessionStart, onSessionEnd, user]);
   React142.useEffect(() => {
     if (!isAuthenticated && trackerRef.current && isTrackingRef.current) {
       trackerRef.current.endSession("logout");
@@ -19734,9 +19876,9 @@ function useUserUsage(userId, options = {}) {
   const [data, setData] = React142.useState(null);
   const [isLoading, setIsLoading] = React142.useState(true);
   const [error, setError] = React142.useState(null);
-  const apiBaseUrl = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
+  const apiBaseUrl2 = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
   const fetchData = React142.useCallback(async () => {
-    if (!userId || !apiBaseUrl || !session?.access_token) {
+    if (!userId || !apiBaseUrl2 || !session?.access_token) {
       setIsLoading(false);
       return;
     }
@@ -19746,7 +19888,7 @@ function useUserUsage(userId, options = {}) {
       const params = new URLSearchParams();
       if (startDate) params.append("start_date", startDate);
       if (endDate) params.append("end_date", endDate);
-      const url = `${apiBaseUrl}/api/usage/user/${userId}${params.toString() ? `?${params}` : ""}`;
+      const url = `${apiBaseUrl2}/api/usage/user/${userId}${params.toString() ? `?${params}` : ""}`;
       const response = await fetch(url, {
         headers: {
           "Authorization": `Bearer ${session.access_token}`
@@ -19764,7 +19906,7 @@ function useUserUsage(userId, options = {}) {
     } finally {
       setIsLoading(false);
     }
-  }, [userId, apiBaseUrl, session?.access_token, startDate, endDate]);
+  }, [userId, apiBaseUrl2, session?.access_token, startDate, endDate]);
   React142.useEffect(() => {
     if (enabled) {
       fetchData();
@@ -19786,12 +19928,12 @@ function useCompanyUsersUsage(companyId, options = {}) {
   const [isLoading, setIsLoading] = React142.useState(true);
   const [isTodayLoading, setIsTodayLoading] = React142.useState(true);
   const [error, setError] = React142.useState(null);
-  const apiBaseUrl = config?.apiBaseUrl || process.env.NEXT_PUBLIC_BACKEND_URL || "";
+  const apiBaseUrl2 = config?.apiBaseUrl || process.env.NEXT_PUBLIC_BACKEND_URL || "";
   const userRole = user?.role || user?.role_level;
   const canAccess = userRole === "owner" || userRole === "optifye";
-  const isEnabled = enabled && canAccess && !!apiBaseUrl;
+  const isEnabled = enabled && canAccess && !!apiBaseUrl2;
   const fetchOwnerReport = React142.useCallback(async () => {
-    if (!apiBaseUrl || !session?.access_token || !canAccess || !isEnabled) {
+    if (!apiBaseUrl2 || !session?.access_token || !canAccess || !isEnabled) {
       setIsLoading(false);
       return;
     }
@@ -19806,7 +19948,7 @@ function useCompanyUsersUsage(companyId, options = {}) {
       if (startDate) params.append("start_date", startDate);
       if (endDate) params.append("end_date", endDate);
       if (roleFilter) params.append("role_filter", roleFilter);
-      const url = `${apiBaseUrl}/api/usage/owner-report${params.toString() ? `?${params}` : ""}`;
+      const url = `${apiBaseUrl2}/api/usage/owner-report${params.toString() ? `?${params}` : ""}`;
       const response = await fetch(url, {
         headers: {
           "Authorization": `Bearer ${session.access_token}`
@@ -19824,15 +19966,15 @@ function useCompanyUsersUsage(companyId, options = {}) {
     } finally {
       setIsLoading(false);
     }
-  }, [apiBaseUrl, session?.access_token, canAccess, isEnabled, startDate, endDate, roleFilter]);
+  }, [apiBaseUrl2, session?.access_token, canAccess, isEnabled, startDate, endDate, roleFilter]);
   const fetchTodayUsage = React142.useCallback(async () => {
-    if (!apiBaseUrl || !session?.access_token || !canAccess || !isEnabled) {
+    if (!apiBaseUrl2 || !session?.access_token || !canAccess || !isEnabled) {
       setIsTodayLoading(false);
       return;
     }
     setIsTodayLoading(true);
     try {
-      const url = `${apiBaseUrl}/api/usage/today`;
+      const url = `${apiBaseUrl2}/api/usage/today`;
       const response = await fetch(url, {
         headers: {
           "Authorization": `Bearer ${session.access_token}`
@@ -19848,7 +19990,7 @@ function useCompanyUsersUsage(companyId, options = {}) {
     } finally {
       setIsTodayLoading(false);
     }
-  }, [apiBaseUrl, session?.access_token, canAccess, isEnabled]);
+  }, [apiBaseUrl2, session?.access_token, canAccess, isEnabled]);
   const fetchAll = React142.useCallback(async () => {
     await Promise.all([
       fetchOwnerReport(),
@@ -19918,9 +20060,9 @@ function useCompanyClipsCost() {
   const hasFetchedOnceRef = React142.useRef(false);
   const canViewClipsCost = user?.role_level === "owner" || user?.role_level === "optifye";
   const companyId = user?.properties?.company_id || user?.company_id || entityConfig.companyId;
-  const apiBaseUrl = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
+  const apiBaseUrl2 = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
   const fetchData = React142.useCallback(async () => {
-    if (!canViewClipsCost || !companyId || !supabase || !apiBaseUrl || !session?.access_token) {
+    if (!canViewClipsCost || !companyId || !supabase || !apiBaseUrl2 || !session?.access_token) {
       setIsLoading(false);
       setData(null);
       hasFetchedOnceRef.current = false;
@@ -19932,7 +20074,7 @@ function useCompanyClipsCost() {
     setError(null);
     try {
       const [statsResponse, linesResult] = await Promise.all([
-        fetch(`${apiBaseUrl}/api/classification/company-stats?company_id=${encodeURIComponent(companyId)}`, {
+        fetch(`${apiBaseUrl2}/api/classification/company-stats?company_id=${encodeURIComponent(companyId)}`, {
           headers: {
             "Authorization": `Bearer ${session.access_token}`
           }
@@ -19967,7 +20109,7 @@ function useCompanyClipsCost() {
       hasFetchedOnceRef.current = true;
       setIsLoading(false);
     }
-  }, [canViewClipsCost, companyId, supabase, apiBaseUrl, session?.access_token]);
+  }, [canViewClipsCost, companyId, supabase, apiBaseUrl2, session?.access_token]);
   React142.useEffect(() => {
     fetchData();
   }, [fetchData]);
@@ -23503,11 +23645,11 @@ function createRenderStep(runNextFrame) {
      */
     schedule: (callback, keepAlive = false, immediate = false) => {
       const addToCurrentFrame = immediate && isProcessing;
-      const queue = addToCurrentFrame ? thisFrame : nextFrame;
+      const queue2 = addToCurrentFrame ? thisFrame : nextFrame;
       if (keepAlive)
         toKeepAlive.add(callback);
-      if (!queue.has(callback))
-        queue.add(callback);
+      if (!queue2.has(callback))
+        queue2.add(callback);
       return callback;
     },
     /**
@@ -53956,7 +54098,7 @@ var AwardNotificationManager = () => {
   const supabase = useSupabase();
   const { user } = useAuth();
   const router$1 = router.useRouter();
-  const [queue, setQueue] = React142.useState([]);
+  const [queue2, setQueue] = React142.useState([]);
   const [activeNotification, setActiveNotification] = React142.useState(null);
   const lastUserIdRef = React142.useRef(null);
   React142.useEffect(() => {
@@ -53977,10 +54119,10 @@ var AwardNotificationManager = () => {
     loadNotifications();
   }, [user, supabase]);
   React142.useEffect(() => {
-    if (!activeNotification && queue.length > 0) {
-      setActiveNotification(queue[0]);
+    if (!activeNotification && queue2.length > 0) {
+      setActiveNotification(queue2[0]);
     }
-  }, [queue, activeNotification]);
+  }, [queue2, activeNotification]);
   const dismissActive = async () => {
     if (!activeNotification) return;
     if (!activeNotification.id.startsWith("mock-")) {

package/dist/index.mjs CHANGED Viewed

@@ -2203,6 +2203,61 @@ var clearAuthSnapshot = () => {
   safeStorageRemoveItem(AUTH_SNAPSHOT_STORAGE_KEY);
 };
+// src/lib/auth/authAuditLog.ts
+var TAB_ID = typeof crypto !== "undefined" && crypto.randomUUID ? crypto.randomUUID().slice(0, 8) : Math.random().toString(36).slice(2, 10);
+var FLUSH_INTERVAL_MS = 3e4;
+var MAX_QUEUE_SIZE = 50;
+var queue = [];
+var flushTimer = null;
+var apiBaseUrl = "";
+var getAccessToken = null;
+var initAuthAuditLog = (baseUrl, tokenGetter) => {
+  apiBaseUrl = baseUrl;
+  getAccessToken = tokenGetter;
+  if (typeof window === "undefined") return;
+  if (!flushTimer) {
+    flushTimer = setInterval(flushAuthAuditLog, FLUSH_INTERVAL_MS);
+    window.addEventListener("visibilitychange", () => {
+      if (document.visibilityState === "hidden") {
+        void flushAuthAuditLog();
+      }
+    });
+  }
+};
+var logAuthEvent = (eventType, details = {}) => {
+  queue.push({
+    event_type: eventType,
+    tab_id: TAB_ID,
+    details: {
+      ...details,
+      ts: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  });
+  if (queue.length >= MAX_QUEUE_SIZE) {
+    void flushAuthAuditLog();
+  }
+};
+var flushAuthAuditLog = async () => {
+  if (queue.length === 0 || !apiBaseUrl || !getAccessToken) return;
+  const events = queue.splice(0, MAX_QUEUE_SIZE);
+  try {
+    const token = await getAccessToken();
+    if (!token) return;
+    const body = JSON.stringify({ events });
+    const url = `${apiBaseUrl}/api/auth/audit`;
+    await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${token}`
+      },
+      body,
+      keepalive: document.visibilityState === "hidden"
+    });
+  } catch {
+  }
+};
 // src/lib/auth/session.ts
 var DEFAULT_MIN_VALIDITY_MS = 6e4;
 var refreshPromises = /* @__PURE__ */ new WeakMap();
@@ -2212,6 +2267,24 @@ var isInvalidRefreshTokenError = (error) => {
   if (!message.includes("refresh token")) return false;
   return message.includes("invalid") || message.includes("not found") || message.includes("revoked");
 };
+var getSessionFromStorage = () => {
+  if (typeof window === "undefined") return null;
+  try {
+    for (let i = 0; i < localStorage.length; i++) {
+      const key = localStorage.key(i);
+      if (key?.startsWith("sb-") && key?.endsWith("-auth-token")) {
+        const raw = localStorage.getItem(key);
+        if (!raw) continue;
+        const parsed = JSON.parse(raw);
+        if (parsed?.access_token && parsed?.refresh_token && parsed?.expires_at) {
+          return parsed;
+        }
+      }
+    }
+  } catch {
+  }
+  return null;
+};
 var isSessionValid = (session, minValidityMs = 0) => {
   if (!session) return false;
   if (!session.expires_at) return true;
@@ -2268,6 +2341,18 @@ var refreshSessionSingleFlight = async (supabase) => {
     }
     const invalidRefreshToken = isInvalidRefreshTokenError(refreshError);
     if (invalidRefreshToken) {
+      const storedSession = getSessionFromStorage();
+      if (storedSession && isSessionValid(storedSession, 0)) {
+        console.log("[Auth] Recovered session from localStorage after invalid refresh token (another tab refreshed)");
+        try {
+          await supabase.auth.setSession({
+            access_token: storedSession.access_token,
+            refresh_token: storedSession.refresh_token
+          });
+        } catch {
+        }
+        return { session: storedSession, error: null, invalidRefreshToken: false };
+      }
       try {
         await supabase.auth.signOut({ scope: "local" });
       } catch (error) {
@@ -10350,6 +10435,15 @@ var AuthProvider = ({ children }) => {
   const [error, setError] = useState(null);
   const [authStatus, setAuthStatus] = useState("loading");
   const [showOnboarding, setShowOnboarding] = useState(false);
+  const auditInitRef = useRef(false);
+  if (!auditInitRef.current && typeof window !== "undefined") {
+    const backendUrl = process.env.NEXT_PUBLIC_BACKEND_URL || "http://localhost:8000";
+    initAuthAuditLog(backendUrl, async () => {
+      const { data: { session: s } } = await supabase.auth.getSession();
+      return s?.access_token ?? null;
+    });
+    auditInitRef.current = true;
+  }
   const isFetchingRef = useRef(false);
   const lastProcessedSessionRef = useRef(null);
   const hasAuthenticatedRef = useRef(false);
@@ -10513,6 +10607,7 @@ var AuthProvider = ({ children }) => {
           resetRecoveryState();
           if (refreshResult.invalidRefreshToken) {
             console.warn("[AuthContext] Refresh token invalid, redirecting to login");
+            logAuthEvent("forced_logout", { reason: "invalid_refresh_token", trigger: "fetchSession" });
             setAuthStatus("failed");
             clearSessionState();
             await handleAuthRequired(supabase, "session_expired");
@@ -10612,6 +10707,7 @@ var AuthProvider = ({ children }) => {
   const signOut = useCallback(async () => {
     try {
       console.log("[AuthContext] Signing out");
+      logAuthEvent("sign_out_initiated", { trigger: "user_action" });
       setAuthStatus("loading");
       resetRecoveryState();
       clearAuthSnapshot();
@@ -10636,6 +10732,22 @@ var AuthProvider = ({ children }) => {
       return;
     }
     const monitorTokenExpiry = async () => {
+      const storedSession = getSessionFromStorage();
+      if (storedSession && isSessionValid(storedSession, 5 * 60 * 1e3)) {
+        if (storedSession.access_token !== session.access_token) {
+          console.log("[AuthContext] Adopting session refreshed by another tab");
+          logAuthEvent("cross_tab_refresh_adopted", { source: "monitorTokenExpiry" });
+          setTrackedSession(storedSession);
+          try {
+            await supabase.auth.setSession({
+              access_token: storedSession.access_token,
+              refresh_token: storedSession.refresh_token
+            });
+          } catch {
+          }
+        }
+        return;
+      }
       const expiresAt = session.expires_at;
       if (!expiresAt) {
         console.warn("[AuthContext] Session has no expiry time");
@@ -10648,13 +10760,16 @@ var AuthProvider = ({ children }) => {
       console.log(`[AuthContext] Token expires in ${minutesUntilExpiry} minutes`);
       if (minutesUntilExpiry < 5 && timeUntilExpiry > 0) {
         console.warn("[AuthContext] Token expiring soon, attempting refresh...");
+        logAuthEvent("token_refresh_started", { reason: "expiring_soon", minutesUntilExpiry });
         const refreshResult = await refreshSessionSingleFlight(supabase);
         if (isSessionValid(refreshResult.session, 0)) {
           setTrackedSession(refreshResult.session);
+          logAuthEvent("token_refresh_succeeded", { expiresAt: refreshResult.session?.expires_at });
           console.log("[AuthContext] Token refreshed successfully");
           return;
         }
         if (refreshResult.invalidRefreshToken) {
+          logAuthEvent("token_refresh_failed", { reason: "invalid_refresh_token", trigger: "proactive" });
           clearAuthSnapshot();
           resetRecoveryState();
           console.error("[AuthContext] Refresh token invalid during proactive refresh");
@@ -10663,13 +10778,16 @@ var AuthProvider = ({ children }) => {
       }
       if (timeUntilExpiry <= 0) {
         console.warn("[AuthContext] Token has expired, attempting refresh...");
+        logAuthEvent("token_refresh_started", { reason: "expired", minutesUntilExpiry });
         const refreshResult = await refreshSessionSingleFlight(supabase);
         if (isSessionValid(refreshResult.session, 0)) {
           setTrackedSession(refreshResult.session);
+          logAuthEvent("token_refresh_succeeded", { expiresAt: refreshResult.session?.expires_at });
           console.log("[AuthContext] Token refreshed after expiry");
           return;
         }
         if (refreshResult.invalidRefreshToken) {
+          logAuthEvent("token_refresh_failed", { reason: "invalid_refresh_token", trigger: "expired" });
           clearAuthSnapshot();
           resetRecoveryState();
           console.error("[AuthContext] Refresh token invalid after expiry");
@@ -10721,6 +10839,29 @@ var AuthProvider = ({ children }) => {
     window.addEventListener("rbac:refresh-scope", handleScopeRefresh);
     return () => window.removeEventListener("rbac:refresh-scope", handleScopeRefresh);
   }, [fetchSession, session]);
+  useEffect(() => {
+    if (typeof window === "undefined") return;
+    const handleStorageChange = (e) => {
+      if (!e.key?.startsWith("sb-") || !e.key?.endsWith("-auth-token")) return;
+      if (!e.newValue || !session) return;
+      try {
+        const stored = JSON.parse(e.newValue);
+        if (stored?.access_token && stored?.refresh_token && stored?.expires_at && stored.access_token !== session.access_token) {
+          console.log("[AuthContext] Cross-tab token update detected, syncing session");
+          logAuthEvent("cross_tab_refresh_adopted", { source: "storage_event" });
+          setTrackedSession(stored);
+          supabase.auth.setSession({
+            access_token: stored.access_token,
+            refresh_token: stored.refresh_token
+          }).catch(() => {
+          });
+        }
+      } catch {
+      }
+    };
+    window.addEventListener("storage", handleStorageChange);
+    return () => window.removeEventListener("storage", handleStorageChange);
+  }, [session, setTrackedSession, supabase]);
   useEffect(() => {
     if (typeof window === "undefined" || authStatus !== "recovering") {
       return;
@@ -10812,6 +10953,7 @@ var AuthProvider = ({ children }) => {
       }
       if (event === "SIGNED_OUT") {
         console.log("[AuthContext] User signed out");
+        logAuthEvent("signed_out", { trigger: "auth_state_change" });
         resetRecoveryState();
         clearAuthSnapshot();
         clearSessionState();
@@ -11088,7 +11230,7 @@ function useSessionTracking(options = {}) {
   const trackerRef = useRef(null);
   const isTrackingRef = useRef(false);
   const initRef = useRef(false);
-  const getAccessToken = useCallback(async () => {
+  const getAccessToken2 = useCallback(async () => {
     return session?.access_token || null;
   }, [session?.access_token]);
   useEffect(() => {
@@ -11096,14 +11238,14 @@ function useSessionTracking(options = {}) {
       return;
     }
     initRef.current = true;
-    const apiBaseUrl = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
-    if (!apiBaseUrl) {
+    const apiBaseUrl2 = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
+    if (!apiBaseUrl2) {
       console.warn("[useSessionTracking] No API base URL configured, session tracking disabled");
       return;
     }
     const tracker = createSessionTracker({
-      apiBaseUrl,
-      getAccessToken,
+      apiBaseUrl: apiBaseUrl2,
+      getAccessToken: getAccessToken2,
       onSessionStart: (sessionId) => {
         isTrackingRef.current = true;
         onSessionStart?.(sessionId);
@@ -11124,7 +11266,7 @@ function useSessionTracking(options = {}) {
       initRef.current = false;
       isTrackingRef.current = false;
     };
-  }, [enabled, isAuthenticated, user?.id, session?.access_token, config?.apiBaseUrl, getAccessToken, onSessionStart, onSessionEnd, user]);
+  }, [enabled, isAuthenticated, user?.id, session?.access_token, config?.apiBaseUrl, getAccessToken2, onSessionStart, onSessionEnd, user]);
   useEffect(() => {
     if (!isAuthenticated && trackerRef.current && isTrackingRef.current) {
       trackerRef.current.endSession("logout");
@@ -19705,9 +19847,9 @@ function useUserUsage(userId, options = {}) {
   const [data, setData] = useState(null);
   const [isLoading, setIsLoading] = useState(true);
   const [error, setError] = useState(null);
-  const apiBaseUrl = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
+  const apiBaseUrl2 = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
   const fetchData = useCallback(async () => {
-    if (!userId || !apiBaseUrl || !session?.access_token) {
+    if (!userId || !apiBaseUrl2 || !session?.access_token) {
       setIsLoading(false);
       return;
     }
@@ -19717,7 +19859,7 @@ function useUserUsage(userId, options = {}) {
       const params = new URLSearchParams();
       if (startDate) params.append("start_date", startDate);
       if (endDate) params.append("end_date", endDate);
-      const url = `${apiBaseUrl}/api/usage/user/${userId}${params.toString() ? `?${params}` : ""}`;
+      const url = `${apiBaseUrl2}/api/usage/user/${userId}${params.toString() ? `?${params}` : ""}`;
       const response = await fetch(url, {
         headers: {
           "Authorization": `Bearer ${session.access_token}`
@@ -19735,7 +19877,7 @@ function useUserUsage(userId, options = {}) {
     } finally {
       setIsLoading(false);
     }
-  }, [userId, apiBaseUrl, session?.access_token, startDate, endDate]);
+  }, [userId, apiBaseUrl2, session?.access_token, startDate, endDate]);
   useEffect(() => {
     if (enabled) {
       fetchData();
@@ -19757,12 +19899,12 @@ function useCompanyUsersUsage(companyId, options = {}) {
   const [isLoading, setIsLoading] = useState(true);
   const [isTodayLoading, setIsTodayLoading] = useState(true);
   const [error, setError] = useState(null);
-  const apiBaseUrl = config?.apiBaseUrl || process.env.NEXT_PUBLIC_BACKEND_URL || "";
+  const apiBaseUrl2 = config?.apiBaseUrl || process.env.NEXT_PUBLIC_BACKEND_URL || "";
   const userRole = user?.role || user?.role_level;
   const canAccess = userRole === "owner" || userRole === "optifye";
-  const isEnabled = enabled && canAccess && !!apiBaseUrl;
+  const isEnabled = enabled && canAccess && !!apiBaseUrl2;
   const fetchOwnerReport = useCallback(async () => {
-    if (!apiBaseUrl || !session?.access_token || !canAccess || !isEnabled) {
+    if (!apiBaseUrl2 || !session?.access_token || !canAccess || !isEnabled) {
       setIsLoading(false);
       return;
     }
@@ -19777,7 +19919,7 @@ function useCompanyUsersUsage(companyId, options = {}) {
       if (startDate) params.append("start_date", startDate);
       if (endDate) params.append("end_date", endDate);
       if (roleFilter) params.append("role_filter", roleFilter);
-      const url = `${apiBaseUrl}/api/usage/owner-report${params.toString() ? `?${params}` : ""}`;
+      const url = `${apiBaseUrl2}/api/usage/owner-report${params.toString() ? `?${params}` : ""}`;
       const response = await fetch(url, {
         headers: {
           "Authorization": `Bearer ${session.access_token}`
@@ -19795,15 +19937,15 @@ function useCompanyUsersUsage(companyId, options = {}) {
     } finally {
       setIsLoading(false);
     }
-  }, [apiBaseUrl, session?.access_token, canAccess, isEnabled, startDate, endDate, roleFilter]);
+  }, [apiBaseUrl2, session?.access_token, canAccess, isEnabled, startDate, endDate, roleFilter]);
   const fetchTodayUsage = useCallback(async () => {
-    if (!apiBaseUrl || !session?.access_token || !canAccess || !isEnabled) {
+    if (!apiBaseUrl2 || !session?.access_token || !canAccess || !isEnabled) {
       setIsTodayLoading(false);
       return;
     }
     setIsTodayLoading(true);
     try {
-      const url = `${apiBaseUrl}/api/usage/today`;
+      const url = `${apiBaseUrl2}/api/usage/today`;
       const response = await fetch(url, {
         headers: {
           "Authorization": `Bearer ${session.access_token}`
@@ -19819,7 +19961,7 @@ function useCompanyUsersUsage(companyId, options = {}) {
     } finally {
       setIsTodayLoading(false);
     }
-  }, [apiBaseUrl, session?.access_token, canAccess, isEnabled]);
+  }, [apiBaseUrl2, session?.access_token, canAccess, isEnabled]);
   const fetchAll = useCallback(async () => {
     await Promise.all([
       fetchOwnerReport(),
@@ -19889,9 +20031,9 @@ function useCompanyClipsCost() {
   const hasFetchedOnceRef = useRef(false);
   const canViewClipsCost = user?.role_level === "owner" || user?.role_level === "optifye";
   const companyId = user?.properties?.company_id || user?.company_id || entityConfig.companyId;
-  const apiBaseUrl = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
+  const apiBaseUrl2 = config?.apiBaseUrl || process.env.NEXT_PUBLIC_API_BASE_URL || "";
   const fetchData = useCallback(async () => {
-    if (!canViewClipsCost || !companyId || !supabase || !apiBaseUrl || !session?.access_token) {
+    if (!canViewClipsCost || !companyId || !supabase || !apiBaseUrl2 || !session?.access_token) {
       setIsLoading(false);
       setData(null);
       hasFetchedOnceRef.current = false;
@@ -19903,7 +20045,7 @@ function useCompanyClipsCost() {
     setError(null);
     try {
       const [statsResponse, linesResult] = await Promise.all([
-        fetch(`${apiBaseUrl}/api/classification/company-stats?company_id=${encodeURIComponent(companyId)}`, {
+        fetch(`${apiBaseUrl2}/api/classification/company-stats?company_id=${encodeURIComponent(companyId)}`, {
           headers: {
             "Authorization": `Bearer ${session.access_token}`
           }
@@ -19938,7 +20080,7 @@ function useCompanyClipsCost() {
       hasFetchedOnceRef.current = true;
       setIsLoading(false);
     }
-  }, [canViewClipsCost, companyId, supabase, apiBaseUrl, session?.access_token]);
+  }, [canViewClipsCost, companyId, supabase, apiBaseUrl2, session?.access_token]);
   useEffect(() => {
     fetchData();
   }, [fetchData]);
@@ -23474,11 +23616,11 @@ function createRenderStep(runNextFrame) {
      */
     schedule: (callback, keepAlive = false, immediate = false) => {
       const addToCurrentFrame = immediate && isProcessing;
-      const queue = addToCurrentFrame ? thisFrame : nextFrame;
+      const queue2 = addToCurrentFrame ? thisFrame : nextFrame;
       if (keepAlive)
         toKeepAlive.add(callback);
-      if (!queue.has(callback))
-        queue.add(callback);
+      if (!queue2.has(callback))
+        queue2.add(callback);
       return callback;
     },
     /**
@@ -53927,7 +54069,7 @@ var AwardNotificationManager = () => {
   const supabase = useSupabase();
   const { user } = useAuth();
   const router = useRouter();
-  const [queue, setQueue] = useState([]);
+  const [queue2, setQueue] = useState([]);
   const [activeNotification, setActiveNotification] = useState(null);
   const lastUserIdRef = useRef(null);
   useEffect(() => {
@@ -53948,10 +54090,10 @@ var AwardNotificationManager = () => {
     loadNotifications();
   }, [user, supabase]);
   useEffect(() => {
-    if (!activeNotification && queue.length > 0) {
-      setActiveNotification(queue[0]);
+    if (!activeNotification && queue2.length > 0) {
+      setActiveNotification(queue2[0]);
     }
-  }, [queue, activeNotification]);
+  }, [queue2, activeNotification]);
   const dismissActive = async () => {
     if (!activeNotification) return;
     if (!activeNotification.id.startsWith("mock-")) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@optifye/dashboard-core",
-  "version": "6.11.21",
+  "version": "6.11.22",
   "description": "Reusable UI & logic for Optifye dashboard",
   "main": "dist/index.js",
   "module": "dist/index.mjs",