npm - @sinequa/atomic-angular - Versions diffs - 1.5.2 → 1.5.5 - Mend

@sinequa/atomic-angular 1.5.2 → 1.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +28 -0
package/features/auth/i18n/de.json +3 -1
package/features/auth/i18n/en.json +3 -1
package/features/auth/i18n/fr.json +3 -1
package/fesm2022/sinequa-atomic-angular.mjs +464 -202
package/fesm2022/sinequa-atomic-angular.mjs.map +1 -1
package/index.d.ts +109 -24
package/package.json +1 -1

package/fesm2022/sinequa-atomic-angular.mjs CHANGED Viewed

@@ -1,16 +1,16 @@
 import * as i0 from '@angular/core';
-import { Injectable, inject, HostBinding, Component, Pipe, InjectionToken, computed, ChangeDetectorRef, DestroyRef, LOCALE_ID, Inject, Optional, input, output, signal, effect, assertInInjectionContext, runInInjectionContext, Injector, EventEmitter, Directive, viewChild, ElementRef, afterNextRender, untracked, linkedSignal, model, TemplateRef, HostListener, Renderer2, contentChildren, contentChild, booleanAttribute, resource, ChangeDetectionStrategy, ViewContainerRef, numberAttribute, viewChildren, afterRenderEffect, afterEveryRender } from '@angular/core';
+import { Injectable, inject, HostBinding, Component, Pipe, InjectionToken, computed, ChangeDetectorRef, DestroyRef, LOCALE_ID, Inject, Optional, input, output, signal, effect, assertInInjectionContext, runInInjectionContext, EnvironmentInjector, Injector, EventEmitter, Directive, viewChild, ElementRef, afterNextRender, untracked, linkedSignal, model, TemplateRef, HostListener, Renderer2, contentChildren, contentChild, booleanAttribute, resource, ChangeDetectionStrategy, ViewContainerRef, numberAttribute, viewChildren, afterRenderEffect, afterEveryRender } from '@angular/core';
 import { BehaviorSubject, Subscription, firstValueFrom, catchError, map, Subject, of, tap, EMPTY, throwError, filter, shareReplay, switchMap, from, fromEvent, debounceTime } from 'rxjs';
 import { TranslocoService, TranslocoPipe, provideTranslocoScope } from '@jsverse/transloco';
-import { DropdownComponent, DropdownContentComponent, InputComponent, ButtonComponent, cn, FaIconComponent, EllipsisIcon, ChevronRightIcon, MenuComponent, MenuContentComponent, MenuItemComponent, LinkComponent, BadgeComponent, DialogComponent, DialogHeaderComponent, DialogTitleComponent, DialogContentComponent, DialogFooterComponent, ListItemComponent, SquareCheckIcon, SquareMinusIcon, SquareIcon, SwitchComponent, SelectOptionDirective, DialogService, XMarkIcon, InboxIcon, SparklesIcon, FileOutputIcon, TabsComponent, TabsListComponent, TabComponent, SidebarMenuComponent, SidebarMenuItemComponent, SidebarMenuButtonComponent, TooltipDirective, FrownIcon, ChevronLeftIcon, ChevronsLeftIcon, ChevronsRightIcon, ArrowUpAzIcon, ArrowDownZaIcon, ArrowUpRightFromSquareIcon, ToggleRightIcon, ToggleLeftIcon, Separator, SheetCloseDirective, ArrowLeftIcon, SheetService, DateRangePickerDirective, DatepickerDirective, FilterIcon, FilterXIcon, IconButtonComponent, HighlighterIcon, TagsIcon, SpinnerIcon, MagnifyingGlassIcon, LoadingCircleIcon, CircleCheckIcon, PopoverComponent, BellIcon, TrashIcon, BarsIcon, CardComponent, CardHeaderComponent, CardContentComponent, CardFooterComponent, InputGroupInput, InputGroupComponent, InputGroupAddonComponent, EyeSlashIcon, EyeIcon, BookmarkIcon, PopoverContentComponent, UserIcon, FolderIcon, VerticalDividerComponent, CommentIcon, ThumbsUpIcon, ThumbsDownIcon, DropdownDirective, SearchIcon, TriangleAlertIcon, ListFilterIcon, BreakpointObserverService, TrashCanIcon, CircleXIcon, InfoCircleIcon, HorizontalDividerComponent, HistoryIcon, StarIcon, FlagEnglishIcon, FlagFrenchIcon, EditIcon, UndoIcon, SaveIcon, AvatarComponent, AvatarFallbackComponent, AvatarImageComponent } from '@sinequa/ui';
+import { DropdownComponent, DropdownContentComponent, InputComponent, ButtonComponent, cn, FaIconComponent, EllipsisIcon, ChevronRightIcon, MenuComponent, MenuContentComponent, MenuItemComponent, LinkComponent, CardComponent, CardHeaderComponent, CardContentComponent, BadgeComponent, DialogComponent, DialogHeaderComponent, DialogTitleComponent, DialogContentComponent, DialogFooterComponent, ListItemComponent, SquareCheckIcon, SquareMinusIcon, SquareIcon, SwitchComponent, SelectOptionDirective, DialogService, XMarkIcon, InboxIcon, SparklesIcon, FileOutputIcon, TabsComponent, TabsListComponent, TabComponent, SidebarMenuComponent, SidebarMenuItemComponent, SidebarMenuButtonComponent, TooltipDirective, FrownIcon, ChevronLeftIcon, ChevronsLeftIcon, ChevronsRightIcon, ArrowUpAzIcon, ArrowDownZaIcon, ArrowUpRightFromSquareIcon, ToggleRightIcon, ToggleLeftIcon, Separator, SheetCloseDirective, ArrowLeftIcon, SheetService, DateRangePickerDirective, DatepickerDirective, FilterIcon, FilterXIcon, IconButtonComponent, HighlighterIcon, TagsIcon, SpinnerIcon, MagnifyingGlassIcon, LoadingCircleIcon, CircleCheckIcon, PopoverComponent, BellIcon, TrashIcon, BarsIcon, CardFooterComponent, InputGroupInput, InputGroupComponent, InputGroupAddonComponent, EyeSlashIcon, EyeIcon, BookmarkIcon, PopoverContentComponent, UserIcon, FolderIcon, VerticalDividerComponent, CommentIcon, ThumbsUpIcon, ThumbsDownIcon, DropdownDirective, SearchIcon, TriangleAlertIcon, ListFilterIcon, BreakpointObserverService, TrashCanIcon, CircleXIcon, InfoCircleIcon, HorizontalDividerComponent, HistoryIcon, StarIcon, FlagEnglishIcon, FlagFrenchIcon, EditIcon, UndoIcon, SaveIcon, AvatarComponent, AvatarFallbackComponent, AvatarImageComponent } from '@sinequa/ui';
 import highlightWords from 'highlight-words';
 import { ActivatedRoute, Router, NavigationEnd, RouterLink, RouterLinkActive, RouterModule } from '@angular/router';
 import { withDevtools } from '@angular-architects/ngrx-toolkit';
 import { signalStore, signalStoreFeature, withState, withMethods, patchState, getState, withComputed } from '@ngrx/signals';
-import { EngineType, fetchApp, extraColumns, sysLang, globalConfig, getQueryParamsFromUrl, clearSessionTokens, login, info, warn, error, setGlobalConfig, notify, addConcepts, queryParamsFromUrl, patchUserSettings, deleteUserSettings, fetchUserSettings, buildPathsAndLevels, escapeExpr, isAuthenticated, isExpired, debug, AuditEventType, fetchSuggest, isObject, Audit, getMetadata, bisect, isNotInputEvent, fetchSponsoredLinks, fetchQuery, translateAggregationToDateOptions, aggItemRegex, parseValueAndOperatorFromItem, fetchSuggestField, fetchSimilarDocuments, logout, fetchChangePassword, fetchSendPasswordResetEmail, expiresSoon, suggestionsToTreeAggregationNodes, labels, fetchLabels, guid, getRelativeDate, createUserProfile, deleteUserProfileProperty, patchUserProfile, isJsonable, addAuditAdditionalInfo, getToken, setToken, createHeaders } from '@sinequa/atomic';
+import { EngineType, fetchApp, extraColumns, sysLang, globalConfig, getQueryParamsFromUrl, clearSessionTokens, login, info, error, setGlobalConfig, initializeAppConfig, notify, addConcepts, queryParamsFromUrl, patchUserSettings, deleteUserSettings, fetchUserSettings, warn, buildPathsAndLevels, escapeExpr, isAuthenticated, isExpired, debug, AuditEventType, fetchSuggest, isObject, Audit, getMetadata, bisect, isNotInputEvent, fetchSponsoredLinks, fetchQuery, translateAggregationToDateOptions, aggItemRegex, parseValueAndOperatorFromItem, fetchSuggestField, fetchSimilarDocuments, logout, fetchChangePassword, fetchSendPasswordResetEmail, expiresSoon, suggestionsToTreeAggregationNodes, labels, fetchLabels, guid, getRelativeDate, createUserProfile, deleteUserProfileProperty, patchUserProfile, isJsonable, addAuditAdditionalInfo, getToken, setToken, createHeaders } from '@sinequa/atomic';
 import { takeUntilDestroyed, toObservable, toSignal } from '@angular/core/rxjs-interop';
 import { DatePipe, DATE_PIPE_DEFAULT_TIMEZONE, DATE_PIPE_DEFAULT_OPTIONS, Location, NgTemplateOutlet, NgStyle, NgClass, NgComponentOutlet } from '@angular/common';
-import { HttpClient, HttpParams, httpResource, HttpResponse, HttpHeaders, HttpContextToken } from '@angular/common/http';
+import { HttpClient, HttpParams, httpResource, HttpResponse, HttpContextToken, HttpHeaders } from '@angular/common/http';
 import { Title, DomSanitizer } from '@angular/platform-browser';
 import { cva } from 'class-variance-authority';
 import * as i1 from '@angular/forms';
@@ -1525,100 +1525,174 @@ function withThemes(app, themes) {
 }
 /**
- * Signs in the user by checking the global configuration for authentication method and acting accordingly.
+ * Signs the user in according to the resolved {@link globalConfig.authMode}.
  *
- * This function first clears any existing session tokens to ensure a clean authentication state. It then checks the
- * global configuration to determine whether to use credentials-based authentication or Single Sign-On (SSO). If
- * credentials are used, it redirects the user to the login page. If SSO is enabled, it reloads the page to trigger
- * the SSO login process. If neither method is specified, it attempts a standard login and handles any errors that
- * may occur during the process.
- * @returns A promise resolving to a boolean indicating the success of the sign-in operation.
+ * The mode is expected to be resolved beforehand (by `initializeAppConfig`, awaited in
+ * `bootstrapApp`). This function clears any existing session, then:
+ * - `credentials` → redirect to the login form;
+ * - `sso` → reload the page so the browser/proxy performs the handshake;
+ * - `oauth` / `saml` → delegate to `login()`, which redirects to the provider;
+ * - `bearer` → delegate to `login()`;
+ * - `unknown` → `login()` tries SSO silently then resolves to credentials; on failure the login
+ *   form is shown.
+ *
+ * @returns A promise resolving to a boolean indicating whether the user is authenticated.
  */
 async function signIn() {
     assertInInjectionContext(signIn);
     const router = inject(Router);
     const lastUrlAfterNavigation = inject(NavigationService).urlAfterNavigation;
-    const { useCredentials, loginPath, useSSO } = globalConfig;
+    const { loginPath, authMode } = globalConfig;
     // Always clear authentication tokens first to clear any existing session
     clearSessionTokens();
-    // If credentials are used, redirect to the login page
-    if (useCredentials) {
+    // Credentials: show the login form.
+    if (authMode?.kind === "credentials") {
         router.navigate([loginPath], { queryParams: { returnUrl: lastUrlAfterNavigation } });
         return false; // prevent further execution
     }
-    // SSO is set to true when the browser handles authentication automatically
-    // If SSO is used, reload the page to trigger SSO login
-    if (useSSO) {
-        // reload the page to trigger SSO login
+    // SSO: the browser/proxy handles authentication — reload to trigger it.
+    if (authMode?.kind === "sso") {
         window.location.reload();
         return false; // prevent further execution
     }
-    // Otherwise, perform a standard login
+    // oauth / saml / bearer / unknown — let login() drive the handshake.
     try {
         const response = await login();
         if (response) {
             info("Response from login", response);
             return true;
         }
-        else {
-            warn("Response from login", response);
+        // Not authenticated. For provider redirects (oauth/saml) the page is already navigating away,
+        // so we don't touch the router. Otherwise (unknown resolved to credentials, or bearer failed)
+        // show the login form.
+        if (authMode?.kind !== "oauth" && authMode?.kind !== "saml") {
+            router.navigate([loginPath], { queryParams: { returnUrl: lastUrlAfterNavigation } });
         }
+        return false;
     }
     catch (err) {
         error("Error during login", err);
-        if (err.status === 401) {
+        // A 401 is recoverable: the user just needs to authenticate → show the login form.
+        if (err?.status === 401) {
             error("Unauthorized access - please check your credentials:", err?.errorMessage);
-            router.navigate([loginPath]);
+            router.navigate([loginPath], { queryParams: { returnUrl: lastUrlAfterNavigation } });
+            return false;
         }
-        throw err;
+        // Any other error (e.g. a misconfigured OAuth/SAML provider → 5xx) is fatal and not something
+        // the user can resolve from the login form. Stop here: navigate straight to the error page with
+        // the reason. We return false (instead of rethrowing) so the application does NOT initialize and
+        // fire further authenticated API calls (e.g. usersettings → 401).
+        const message = (err?.errorMessage ?? err?.message) || undefined;
+        router.navigate(["/error"], { queryParams: { message } });
+        return false;
     }
-    return false; // prevent further execution
 }
 /**
  * Bootstraps the application by ensuring the user is authenticated and initializing the application.
  *
- * This function first attempts to sign in the user using the provided `Router`. If authentication is successful,
- * it proceeds to initialize the application and create routes using the `applicationService`. Any errors during
- * authentication or initialization are logged to the console, but the returned promise always resolves.
+ * This function first attempts to sign in the user via `signIn()`. If authentication is successful,
+ * it initializes the application (stores and, optionally, dynamic routes) through `ApplicationService`
+ * and waits for the initialization to complete before resolving. Any errors during authentication or
+ * initialization are logged to the console, but the returned promise never rejects.
  *
- * @param Router - The application's router instance used for navigation and authentication.
- * @param applicationService - The service responsible for initializing the application and creating routes.
- * @returns A promise that resolves when the application is ready to be initialized, regardless of success or failure.
+ * Note: this function relies on Angular's injection context, so it must be called within one
+ * (e.g. from `provideAppInitializer`).
+ *
+ * @param options - Configuration options for the bootstrap process.
+ * @param options.createRoutes - Whether to create routes during initialization. Defaults to `true`.
+ * @returns A promise that resolves to `true` when the application has been fully initialized,
+ * or `false` when the user is not authenticated or an error occurred.
  */
-async function withBootstrapApp(applicationService, { createRoutes = true }) {
-    // This function is used to test if the application is ready to be initialized
-    // set the createRoutes flag in the global config
+async function bootstrapApp({ createRoutes = true } = {}) {
+    assertInInjectionContext(bootstrapApp);
+    // Capture the injector synchronously: Angular's injection context does not survive across an
+    // `await`, so after awaiting `initializeAppConfig()` we must re-enter it to inject services and
+    // run `signIn()` (which use `inject()` internally).
+    const injector = inject(EnvironmentInjector);
+    // set the createRoutes flag early so it is defined even when sign-in fails
+    // (ApplicationService.initialize() sets it again when it runs)
     setGlobalConfig({ createRoutes });
-    return new Promise(resolve => {
-        // Check if the user is authenticated
-        signIn()
-            .then(async (response) => {
-            if (response) {
-                info('User authenticated, initializing application...');
-                // Initialize the application.
-                // Awaited so the APP_INITIALIZER does not resolve (and bootstrap does not
-                // complete) until initialization is done. Otherwise routed components render
-                // and set their page title before `initialize()` runs `setGeneralApp()`, which
-                // would then overwrite the page title with the bare application name.
-                try {
-                    await applicationService.initialize(createRoutes);
-                    info(`Application initialized with routes: ${createRoutes} successfully.`);
-                }
-                catch (err) {
-                    error(`Error initializing application with routes: ${createRoutes}:`, err);
-                }
-            }
-            else {
-                info('User not authenticated, skipping application initialization.');
-            }
-            ;
-        })
-            .catch(err => {
-            error('Error while signing in:', err);
-        })
-            .finally(() => resolve());
-    });
+    // Resolve the authentication mode (queries the server pre-login when needed) BEFORE signing in.
+    // Doing it here — rather than as a separate, concurrent APP_INITIALIZER — guarantees that
+    // signIn() reads a fully resolved `authMode` and removes the long-standing bootstrap race.
+    // Crucially, this also sets `backendUrl` BEFORE any service/store is constructed, so those that
+    // derive their API URL from `globalConfig.backendUrl` (e.g. PrincipalStore) don't capture
+    // `undefined` (which produced requests to `/undefined/api/v1/...`).
+    try {
+        await initializeAppConfig();
+    }
+    catch (err) {
+        error('Error while initializing application config:', err);
+        // Pre-login failed (e.g. a 500 "app not found: 'mint_rnd-yoyo'" for a bad app name). This is
+        // fatal — backendUrl/authMode can't be resolved — so route to the error page with the reason
+        // instead of continuing to signIn() (which would otherwise fail with a less meaningful error).
+        const message = err?.errorMessage
+            ?? err?.message;
+        runInInjectionContext(injector, () => inject(Router).navigate(['/error'], { queryParams: { message } }));
+        return false;
+    }
+    // Inject ApplicationService AFTER initializeAppConfig (re-entering the injection context lost
+    // across the await), so its dependent services/stores are constructed with `backendUrl` set.
+    const applicationService = runInInjectionContext(injector, () => inject(ApplicationService));
+    let authenticated = false;
+    try {
+        // Re-enter the injection context lost across the await above.
+        authenticated = await runInInjectionContext(injector, () => signIn());
+    }
+    catch (err) {
+        error('Error while signing in:', err);
+        return false;
+    }
+    if (!authenticated) {
+        info('User not authenticated, skipping application initialization.');
+        return false;
+    }
+    info('User authenticated, initializing application...');
+    try {
+        await applicationService.initialize(createRoutes);
+        info(`Application initialized successfully (createRoutes: ${createRoutes}).`);
+        return true;
+    }
+    catch (err) {
+        error(`Error initializing application (createRoutes: ${createRoutes}):`, err);
+        // Authenticated, but the application failed to initialize (e.g. fetchApp/usersettings failed).
+        // Route to the error page with the failure reason instead of leaving a half-initialized app.
+        const message = err?.errorMessage
+            ?? err?.message;
+        runInInjectionContext(injector, () => inject(Router).navigate(['/error'], { queryParams: { message } }));
+        return false;
+    }
+}
+/**
+ * Bootstraps the application by ensuring the user is authenticated and initializing the application.
+ *
+ * @deprecated Use {@link bootstrapApp} instead, and let it inject `ApplicationService` itself.
+ *
+ * Migration — in your `app.config.ts`, replace:
+ * ```ts
+ * // ❌ Deprecated: eagerly injecting ApplicationService in the factory constructs it (and its
+ * //    dependent stores/services) BEFORE bootstrapApp resolves the config, so services that build
+ * //    their API URL from `globalConfig.backendUrl` capture `undefined` (→ `/undefined/api/v1/...`).
+ * provideAppInitializer(() => withBootstrapApp(inject(ApplicationService), { createRoutes: true })),
+ * ```
+ * with:
+ * ```ts
+ * // ✅ bootstrapApp injects ApplicationService internally, AFTER initializeAppConfig() has set
+ * //    `backendUrl` and resolved the auth mode.
+ * provideAppInitializer(() => bootstrapApp({ createRoutes: true })),
+ * ```
+ * (Remove the now-unused `inject` / `ApplicationService` imports.)
+ *
+ * @param applicationService - Ignored; kept for backward compatibility. `ApplicationService` is
+ * provided in root and injected internally by {@link bootstrapApp}, so the instance is the same.
+ * Passing `inject(ApplicationService)` here is discouraged — see the migration note above.
+ * @param options - Configuration options for the bootstrap process.
+ * @param options.createRoutes - Whether to create routes during initialization. Defaults to `true`.
+ * @returns A promise that resolves when the bootstrap process is complete, regardless of success or failure.
+ */
+async function withBootstrapApp(_applicationService, { createRoutes = true } = {}) {
+    await bootstrapApp({ createRoutes });
 }
 /**
@@ -3384,8 +3458,9 @@ class AppService {
      *
      * @remarks
      * This method constructs an HTTP GET request to fetch the application configuration
-     * using the `app` parameter from the global configuration. If the request fails,
-     * it logs the error to the console and returns an empty observable.
+     * using the `app` parameter from the global configuration. If the request fails, it logs the
+     * error and re-throws a normalized `Error` carrying the server's `errorMessage` when available
+     * (e.g. "app not found: '...'"), so callers can surface the reason on the error page.
      *
      * @example
      * ```typescript
@@ -3397,9 +3472,19 @@ class AppService {
     getApp(appName) {
         const app = appName || globalConfig.app;
         const params = new HttpParams().set('app', app || '');
-        return this.http.get(this.API_URL + '/app', { params }).pipe(catchError(error => {
-            console.error('AppService.getApp failure - error: ', error);
-            return EMPTY;
+        return this.http.get(this.API_URL + '/app', { params }).pipe(catchError((err) => {
+            console.error('AppService.getApp failure - error: ', err);
+            // Propagate the failure (previously swallowed with EMPTY, which hid the cause and surfaced a
+            // generic "no elements in sequence" downstream). Surface the Sinequa error-envelope message
+            // when present — e.g. a 500 with { errorMessage: "app not found: 'mint_rnd-yoyo'" } — so the
+            // bootstrap/login flow can route to the error page with the actual reason.
+            const e = err;
+            const message = e?.error?.errorMessage ??
+                e?.error?.message ??
+                e?.errorMessage ??
+                e?.message ??
+                'Failed to fetch application configuration';
+            return throwError(() => new Error(message));
         }));
     }
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.18", ngImport: i0, type: AppService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
@@ -3421,12 +3506,13 @@ function AuthGuard() {
     return async (_, state) => {
         const router = inject(Router);
         const principalStore = inject(PrincipalStore);
-        const { loginPath, useCredentials, useSSO } = globalConfig;
+        const { loginPath, authMode } = globalConfig;
         if (state.url.startsWith("/login"))
             return true;
         // If the user is not authenticated, navigate to the login page.
         // The login page handles every authentication method (credentials, OAuth, SAML).
-        if (!isAuthenticated() && !useSSO) {
+        // In SSO mode the browser/proxy carries the auth, so we let it through.
+        if (!isAuthenticated() && authMode?.kind !== "sso") {
             router.navigate([loginPath], { queryParams: { returnUrl: state.url } });
             return false;
         }
@@ -3452,7 +3538,7 @@ function AuthGuard() {
         // check if the password is expired and if the partition is editable
         // changing password is only possible when user use credentials to auhtenticate
         // only in credentials mode
-        if (useCredentials) {
+        if (authMode?.kind === "credentials") {
             const exp = passwordExpirationDate;
             const editable = !!editablePartition;
             if (editable && exp && isExpired(exp)) {
@@ -5278,101 +5364,160 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.18", ngImpo
         }], ctorParameters: () => [], propDecorators: { article: [{ type: i0.Input, args: [{ isSignal: true, alias: "article", required: true }] }], aggregation: [{ type: i0.Input, args: [{ isSignal: true, alias: "aggregation", required: true }] }], shadow: [{ type: i0.ViewChild, args: ["shadowRender", { ...{ read: ElementRef }, isSignal: true }] }], client: [{ type: i0.ViewChild, args: ["documentLocator", { ...{ read: ElementRef }, isSignal: true }] }] } });
 class ErrorComponent {
+    route = inject(ActivatedRoute);
     router = inject(Router);
-    reload() {
+    /**
+     * Human-readable error detail shown on the page, taken from the `message` query param.
+     * Callers navigating here can pass it, e.g. on an auth failure:
+     * `router.navigate(["error"], { queryParams: { message: err.message } })`.
+     */
+    message = (() => {
+        const value = this.route.snapshot.queryParams['message'];
+        return typeof value === 'string' && value.trim().length ? value : undefined;
+    })();
+    /** Navigate home and re-bootstrap the application (fresh authentication attempt). */
+    goHome() {
         this.router.navigate(['/']).then(() => window.location.reload());
     }
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.18", ngImport: i0, type: ErrorComponent, deps: [], target: i0.ɵɵFactoryTarget.Component });
-    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "20.3.18", type: ErrorComponent, isStandalone: true, selector: "error-component, ErrorComponent", ngImport: i0, template: `
-    <div class="bg-background text-foreground flex min-h-screen flex-col items-center justify-center">
-      <svg
-        class="mb-8 h-20 w-20 text-red-600"
-        xmlns="http://www.w3.org/2000/svg"
-        width="24"
-        height="24"
-        viewBox="0 0 24 24"
-        fill="none"
-        stroke="currentColor"
-        stroke-width="2"
-        stroke-linecap="round"
-        stroke-linejoin="round">
-        <path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3" />
-        <path d="M12 9v4" />
-        <path d="M12 17h.01" />
-      </svg>
-      <h1 class="mb-4 text-4xl font-bold">Oops! Something went wrong</h1>
-      <p class="text-muted-foreground mb-8 text-xl">We apologize for the inconvenience.</p>
-      <div class="flex space-x-4">
-        <button
-          (click)="reload()"
-          class="btn btn-outline rounded-lg border-neutral-300 text-neutral-700 transition hover:bg-neutral-200 hover:text-neutral-700">
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.0.0", version: "20.3.18", type: ErrorComponent, isStandalone: true, selector: "error-component, ErrorComponent", host: { classAttribute: "bg-background text-foreground grid min-h-dvh w-full place-content-center p-6" }, ngImport: i0, template: `
+    <Card
+      hover="no"
+      class="bg-background border-(--popover-border) w-full max-w-md rounded-3xl border shadow-2xl">
+      <CardHeader class="flex flex-col items-center gap-4 pt-8 text-center">
+        <span
+          class="bg-destructive/10 text-destructive inline-flex h-16 w-16 items-center justify-center rounded-full">
           <svg
-            class="mr-2 h-4 w-4"
             xmlns="http://www.w3.org/2000/svg"
-            width="24"
-            height="24"
+            class="h-8 w-8"
             viewBox="0 0 24 24"
             fill="none"
             stroke="currentColor"
             stroke-width="2"
             stroke-linecap="round"
-            stroke-linejoin="round">
-            <path d="M15 21v-8a1 1 0 0 0-1-1h-4a1 1 0 0 0-1 1v8" />
-            <path d="M3 10a2 2 0 0 1 .709-1.528l7-5.999a2 2 0 0 1 2.582 0l7 5.999A2 2 0 0 1 21 10v9a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2z" />
+            stroke-linejoin="round"
+            aria-hidden="true">
+            <path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3" />
+            <path d="M12 9v4" />
+            <path d="M12 17h.01" />
           </svg>
-          Go to Homepage
-        </button>
-      </div>
-    </div>
-  `, isInline: true });
+        </span>
+        <div class="grid gap-1.5">
+          <h1 class="text-2xl font-semibold tracking-tight">Something went wrong</h1>
+          <p class="text-muted-foreground text-sm">
+            We're sorry — the application ran into a problem and couldn't continue.
+          </p>
+        </div>
+      </CardHeader>
+      <CardContent class="grid gap-5 pb-8">
+        @if (message) {
+          <div class="border-border bg-muted/40 grid gap-1 rounded-lg border p-3 text-left">
+            <span class="text-muted-foreground text-[0.7rem] font-medium uppercase tracking-wider">
+              Details
+            </span>
+            <p class="text-foreground text-sm break-words" role="alert">{{ message }}</p>
+          </div>
+        }
+        <div class="flex justify-center">
+          <button variant="primary" (click)="goHome()">
+            <svg
+              xmlns="http://www.w3.org/2000/svg"
+              class="mr-2 h-4 w-4"
+              viewBox="0 0 24 24"
+              fill="none"
+              stroke="currentColor"
+              stroke-width="2"
+              stroke-linecap="round"
+              stroke-linejoin="round"
+              aria-hidden="true">
+              <path d="M15 21v-8a1 1 0 0 0-1-1h-4a1 1 0 0 0-1 1v8" />
+              <path d="M3 10a2 2 0 0 1 .709-1.528l7-5.999a2 2 0 0 1 2.582 0l7 5.999A2 2 0 0 1 21 10v9a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2z" />
+            </svg>
+            Go to homepage
+          </button>
+        </div>
+      </CardContent>
+    </Card>
+  `, isInline: true, dependencies: [{ kind: "directive", type: ButtonComponent, selector: "button", inputs: ["class", "variant", "decoration", "scheme", "iconOnly", "size", "solid"] }, { kind: "directive", type: CardComponent, selector: ".card, card, Card", inputs: ["class", "variant", "hover"] }, { kind: "directive", type: CardHeaderComponent, selector: ".card-header, card-header, CardHeader, cardheader", inputs: ["class"] }, { kind: "directive", type: CardContentComponent, selector: ".card-content, card-content, CardContent, cardcontent", inputs: ["class"] }] });
 }
 i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.18", ngImport: i0, type: ErrorComponent, decorators: [{
             type: Component,
             args: [{
                     selector: 'error-component, ErrorComponent',
                     standalone: true,
-                    imports: [],
+                    imports: [
+                        ButtonComponent,
+                        CardComponent,
+                        CardHeaderComponent,
+                        CardContentComponent
+                    ],
+                    host: {
+                        class: 'bg-background text-foreground grid min-h-dvh w-full place-content-center p-6'
+                    },
                     template: `
-    <div class="bg-background text-foreground flex min-h-screen flex-col items-center justify-center">
-      <svg
-        class="mb-8 h-20 w-20 text-red-600"
-        xmlns="http://www.w3.org/2000/svg"
-        width="24"
-        height="24"
-        viewBox="0 0 24 24"
-        fill="none"
-        stroke="currentColor"
-        stroke-width="2"
-        stroke-linecap="round"
-        stroke-linejoin="round">
-        <path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3" />
-        <path d="M12 9v4" />
-        <path d="M12 17h.01" />
-      </svg>
-      <h1 class="mb-4 text-4xl font-bold">Oops! Something went wrong</h1>
-      <p class="text-muted-foreground mb-8 text-xl">We apologize for the inconvenience.</p>
-      <div class="flex space-x-4">
-        <button
-          (click)="reload()"
-          class="btn btn-outline rounded-lg border-neutral-300 text-neutral-700 transition hover:bg-neutral-200 hover:text-neutral-700">
+    <Card
+      hover="no"
+      class="bg-background border-(--popover-border) w-full max-w-md rounded-3xl border shadow-2xl">
+      <CardHeader class="flex flex-col items-center gap-4 pt-8 text-center">
+        <span
+          class="bg-destructive/10 text-destructive inline-flex h-16 w-16 items-center justify-center rounded-full">
           <svg
-            class="mr-2 h-4 w-4"
             xmlns="http://www.w3.org/2000/svg"
-            width="24"
-            height="24"
+            class="h-8 w-8"
             viewBox="0 0 24 24"
             fill="none"
             stroke="currentColor"
             stroke-width="2"
             stroke-linecap="round"
-            stroke-linejoin="round">
-            <path d="M15 21v-8a1 1 0 0 0-1-1h-4a1 1 0 0 0-1 1v8" />
-            <path d="M3 10a2 2 0 0 1 .709-1.528l7-5.999a2 2 0 0 1 2.582 0l7 5.999A2 2 0 0 1 21 10v9a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2z" />
+            stroke-linejoin="round"
+            aria-hidden="true">
+            <path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3" />
+            <path d="M12 9v4" />
+            <path d="M12 17h.01" />
           </svg>
-          Go to Homepage
-        </button>
-      </div>
-    </div>
+        </span>
+        <div class="grid gap-1.5">
+          <h1 class="text-2xl font-semibold tracking-tight">Something went wrong</h1>
+          <p class="text-muted-foreground text-sm">
+            We're sorry — the application ran into a problem and couldn't continue.
+          </p>
+        </div>
+      </CardHeader>
+      <CardContent class="grid gap-5 pb-8">
+        @if (message) {
+          <div class="border-border bg-muted/40 grid gap-1 rounded-lg border p-3 text-left">
+            <span class="text-muted-foreground text-[0.7rem] font-medium uppercase tracking-wider">
+              Details
+            </span>
+            <p class="text-foreground text-sm break-words" role="alert">{{ message }}</p>
+          </div>
+        }
+        <div class="flex justify-center">
+          <button variant="primary" (click)="goHome()">
+            <svg
+              xmlns="http://www.w3.org/2000/svg"
+              class="mr-2 h-4 w-4"
+              viewBox="0 0 24 24"
+              fill="none"
+              stroke="currentColor"
+              stroke-width="2"
+              stroke-linecap="round"
+              stroke-linejoin="round"
+              aria-hidden="true">
+              <path d="M15 21v-8a1 1 0 0 0-1-1h-4a1 1 0 0 0-1 1v8" />
+              <path d="M3 10a2 2 0 0 1 .709-1.528l7-5.999a2 2 0 0 1 2.582 0l7 5.999A2 2 0 0 1 21 10v9a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2z" />
+            </svg>
+            Go to homepage
+          </button>
+        </div>
+      </CardContent>
+    </Card>
   `
                 }]
         }] });
@@ -10588,6 +10733,96 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.18", ngImpo
                 }]
         }], propDecorators: { cancel: [{ type: i0.Output, args: ["cancel"] }], success: [{ type: i0.Output, args: ["success"] }], userName: [{ type: i0.Input, args: [{ isSignal: true, alias: "userName", required: false }] }, { type: i0.Output, args: ["userNameChange"] }] } });
+/**
+ * Post-logout confirmation shown on the `/logout` route.
+ *
+ * Rendering this view (instead of the sign-in form) is essential for the external-auth modes
+ * (`sso` / `oauth` / `saml`): the sign-in form auto-initiates the handshake when
+ * `authMode` is external, so showing it on `/logout` would immediately re-authenticate the user
+ * (a spinner that loops back in). This view gives a clear "signed out" state and a single explicit
+ * action to sign in again.
+ */
+class SignedOutComponent {
+    router = inject(Router);
+    /**
+     * Navigate to the login screen, which then drives the normal sign-in handshake.
+     *
+     * A `returnUrl` is required: in the external-auth modes the sign-in screen only navigates away
+     * once the handshake completes IF a `returnUrl` is present (otherwise it stays on the loader).
+     * We send the user back to the app root after signing in again.
+     */
+    signInAgain() {
+        this.router.navigate([globalConfig.loginPath ?? "/login"], {
+            queryParams: { returnUrl: "/" }
+        });
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.18", ngImport: i0, type: SignedOutComponent, deps: [], target: i0.ɵɵFactoryTarget.Component });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "20.3.18", type: SignedOutComponent, isStandalone: true, selector: "signed-out, SignedOut, signedout", providers: [provideTranslocoScope("login")], ngImport: i0, template: `
+    <Card hover="no" class="bg-card rounded-xl shadow-sm">
+      <CardHeader class="flex flex-col items-center gap-3">
+        <img class="h-12 content-(--logo-large)" alt="logo" />
+        <h2 class="text-lg font-semibold">
+          {{ 'login.signedOutTitle' | transloco }}
+        </h2>
+        <p class="text-xs text-muted-foreground text-center">
+          {{ 'login.signedOutDescription' | transloco }}
+        </p>
+      </CardHeader>
+      <CardContent />
+      <CardFooter class="mt-4 flex justify-center">
+        <button
+          type="button"
+          class="w-full rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground hover:bg-primary/90"
+          (click)="signInAgain()"
+        >
+          {{ 'login.connect' | transloco }}
+        </button>
+      </CardFooter>
+    </Card>
+  `, isInline: true, dependencies: [{ kind: "directive", type: CardComponent, selector: ".card, card, Card", inputs: ["class", "variant", "hover"] }, { kind: "directive", type: CardHeaderComponent, selector: ".card-header, card-header, CardHeader, cardheader", inputs: ["class"] }, { kind: "directive", type: CardContentComponent, selector: ".card-content, card-content, CardContent, cardcontent", inputs: ["class"] }, { kind: "directive", type: CardFooterComponent, selector: ".card-footer, card-footer, CardFooter, cardfooter", inputs: ["class"] }, { kind: "pipe", type: TranslocoPipe, name: "transloco" }] });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.18", ngImport: i0, type: SignedOutComponent, decorators: [{
+            type: Component,
+            args: [{
+                    selector: "signed-out, SignedOut, signedout",
+                    imports: [
+                        TranslocoPipe,
+                        CardComponent,
+                        CardHeaderComponent,
+                        CardContentComponent,
+                        CardFooterComponent
+                    ],
+                    providers: [provideTranslocoScope("login")],
+                    template: `
+    <Card hover="no" class="bg-card rounded-xl shadow-sm">
+      <CardHeader class="flex flex-col items-center gap-3">
+        <img class="h-12 content-(--logo-large)" alt="logo" />
+        <h2 class="text-lg font-semibold">
+          {{ 'login.signedOutTitle' | transloco }}
+        </h2>
+        <p class="text-xs text-muted-foreground text-center">
+          {{ 'login.signedOutDescription' | transloco }}
+        </p>
+      </CardHeader>
+      <CardContent />
+      <CardFooter class="mt-4 flex justify-center">
+        <button
+          type="button"
+          class="w-full rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground hover:bg-primary/90"
+          (click)="signInAgain()"
+        >
+          {{ 'login.connect' | transloco }}
+        </button>
+      </CardFooter>
+    </Card>
+  `
+                }]
+        }] });
 /**
  * Represents the LoginComponent class, which is responsible for handling the login functionality.
  * This component is used to authenticate users and manage the user's authentication status.
@@ -10598,13 +10833,18 @@ class SignInComponent {
     config = globalConfig;
     /**
      * True when authentication is handled outside the credentials form — i.e. by the
-     * browser/proxy (`useSSO`) or by an auto-configured OAuth/SAML provider. In those
-     * modes this screen shows a loader instead of a login form and initiates the
-     * handshake automatically by calling `handleLogin()`.
-     */
-    externalAuth = !!(globalConfig.useSSO ||
-        globalConfig.autoOAuthProvider ||
-        globalConfig.autoSAMLProvider);
+     * browser/proxy (`sso`) or by an auto-configured OAuth/SAML provider. In those modes
+     * this screen shows a loader instead of a login form and initiates the handshake
+     * automatically by calling `handleLogin()`.
+     *
+     * Note: the ambiguous `unknown` mode is intentionally excluded — it is resolved upstream
+     * (in `login()`/`signIn()`) to either `sso` or `credentials` before this screen renders,
+     * so reaching here in `unknown` should still show the form, never a dead-end loader.
+     */
+    externalAuth = (() => {
+        const kind = globalConfig.authMode?.kind;
+        return kind === "sso" || kind === "oauth" || kind === "saml";
+    })();
     class = input(...(ngDevMode ? [undefined, { debugName: "class" }] : []));
     forgotPassword = output();
     username = model("", ...(ngDevMode ? [{ debugName: "username" }] : []));
@@ -10700,10 +10940,13 @@ class SignInComponent {
                 this.auditService.notifyLogin();
             }
             return result;
-        }).catch(error => {
-            warn("An error occurred while logging in", error);
+        }).catch((err) => {
+            warn("An error occurred while logging in", err);
             this.auditService.notify({ type: 'Login_Denied' });
-            this.router.navigate(["error"]);
+            // Surface the failure reason on the error page (e.g. "OAuth provider not found: identity-dev")
+            // so the user/admin knows what to fix, instead of a bare generic error screen.
+            const message = (err?.errorMessage ?? err?.message) || undefined;
+            this.router.navigate(["error"], { queryParams: { message } });
             return false;
         });
     }
@@ -10718,7 +10961,16 @@ class SignInComponent {
             }
             this.auditService.notifyLogin();
             const { createRoutes = false } = globalConfig;
-            await this.applicationService.initialize(createRoutes);
+            try {
+                await this.applicationService.initialize(createRoutes);
+            }
+            catch (initErr) {
+                // Authenticated, but the application failed to initialize (e.g. fetchApp failed). Surface the
+                // reason on the error page rather than leaving the user stuck on the login form.
+                const { errorMessage, message } = (initErr ?? {});
+                this.router.navigate(["/error"], { queryParams: { message: errorMessage ?? message } });
+                return;
+            }
             this.checkPasswordExpiresSoon();
             const url = this.route.snapshot.queryParams["returnUrl"] || "/";
             this.router.navigateByUrl(url);
@@ -10885,10 +11137,18 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.18", ngImpo
 class AuthPageComponent {
     mode = input(...(ngDevMode ? [undefined, { debugName: "mode" }] : []));
-    view = linkedSignal(() => this.mode() ?? "signin", ...(ngDevMode ? [{ debugName: "view" }] : []));
+    view = linkedSignal(() => this.mode() ?? this.routeView(), ...(ngDevMode ? [{ debugName: "view" }] : []));
     username = signal("", ...(ngDevMode ? [{ debugName: "username" }] : []));
     alert = signal(undefined, ...(ngDevMode ? [{ debugName: "alert" }] : []));
     route = inject(ActivatedRoute);
+    /**
+     * Default view derived from the route. The `/logout` route renders the "signed out" confirmation
+     * (NOT the sign-in form): in external-auth modes the form would auto-restart the handshake and
+     * re-authenticate the user, defeating the logout. Everything else defaults to the sign-in form.
+     */
+    routeView() {
+        return this.route.snapshot.routeConfig?.path === "logout" ? "signedout" : "signin";
+    }
     constructor() {
         const params = this.route.snapshot.queryParams;
         const u = params["username"] || "";
@@ -10915,6 +11175,8 @@ class AuthPageComponent {
           (cancel)="view.set('signin')"
           (success)="view.set('signin')"
         />
+      } @else if (view() === 'signedout') {
+        <signed-out />
       } @else {
         <sign-in
           (changePassword)="view.set('changepassword')"
@@ -10922,14 +11184,14 @@ class AuthPageComponent {
         />
       }
     </div>
-  `, isInline: true, dependencies: [{ kind: "component", type: SignInComponent, selector: "signIn, signin, sign-in", inputs: ["class", "username", "password"], outputs: ["forgotPassword", "usernameChange", "passwordChange"] }, { kind: "component", type: ChangePasswordComponent, selector: "change-password, ChangePassword, changepassword", inputs: ["username", "alert", "redirectAfterSuccess", "redirectAfterCancel", "currentPassword", "newPassword", "confirmPassword"], outputs: ["success", "cancel", "currentPasswordChange", "newPasswordChange", "confirmPasswordChange"] }, { kind: "component", type: ForgotPasswordComponent, selector: "forgot-password, ForgotPassword, forgotpassword", inputs: ["userName"], outputs: ["cancel", "success", "userNameChange"] }] });
+  `, isInline: true, dependencies: [{ kind: "component", type: SignInComponent, selector: "signIn, signin, sign-in", inputs: ["class", "username", "password"], outputs: ["forgotPassword", "usernameChange", "passwordChange"] }, { kind: "component", type: ChangePasswordComponent, selector: "change-password, ChangePassword, changepassword", inputs: ["username", "alert", "redirectAfterSuccess", "redirectAfterCancel", "currentPassword", "newPassword", "confirmPassword"], outputs: ["success", "cancel", "currentPasswordChange", "newPasswordChange", "confirmPasswordChange"] }, { kind: "component", type: ForgotPasswordComponent, selector: "forgot-password, ForgotPassword, forgotpassword", inputs: ["userName"], outputs: ["cancel", "success", "userNameChange"] }, { kind: "component", type: SignedOutComponent, selector: "signed-out, SignedOut, signedout" }] });
 }
 i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.18", ngImport: i0, type: AuthPageComponent, decorators: [{
             type: Component,
             args: [{
                     selector: "auth-page, AuthPage, authpage",
                     providers: [provideTranslocoScope("login")],
-                    imports: [SignInComponent, ChangePasswordComponent, ForgotPasswordComponent],
+                    imports: [SignInComponent, ChangePasswordComponent, ForgotPasswordComponent, SignedOutComponent],
                     host: { class: "min-h-screen grid place-items-center p-6 bg-background" },
                     template: `
     <div class="w-full max-w-md">
@@ -10944,6 +11206,8 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.18", ngImpo
           (cancel)="view.set('signin')"
           (success)="view.set('signin')"
         />
+      } @else if (view() === 'signedout') {
+        <signed-out />
       } @else {
         <sign-in
           (changePassword)="view.set('changepassword')"
@@ -11272,50 +11536,29 @@ class OverrideUserDialogComponent {
         }
     }
     handleOverrideUser(username, domain) {
-        const { useSSO, createRoutes, useCredentials } = globalConfig;
+        const { createRoutes } = globalConfig;
         if (username === undefined || domain === undefined) {
             setGlobalConfig({ userOverrideActive: false, userOverride: undefined });
         }
         else {
             setGlobalConfig({ userOverrideActive: true, userOverride: { username, domain } });
         }
-        // Login with the new user
-        if (useSSO && !useCredentials) {
-            this.appService
-                .initialize(createRoutes)
-                .then(() => {
-                const fullName = this.principalStore.fullName();
-                notify.success(`Welcome back ${fullName}!`, { duration: 2000 });
-            })
-                .catch((err) => {
-                error("An error occured while overriding (SSO - initialize)", err);
-                notify.error("An error occurred while overriding (SSO - initialize)", { duration: 2000 });
-                setGlobalConfig({ userOverrideActive: false, userOverride: undefined });
-            });
-        }
-        else {
-            login()
-                .then((value) => {
-                if (value) {
-                    this.appService
-                        .initialize(createRoutes)
-                        .then(() => {
-                        const fullName = this.principalStore.fullName();
-                        notify.success(`Welcome back ${fullName}!`, { duration: 2000 });
-                    })
-                        .catch((err) => {
-                        error("An error occured while overriding (initialize)", err);
-                        notify.error(err.message, { duration: 2000 });
-                        setGlobalConfig({ userOverrideActive: false, userOverride: undefined });
-                    });
-                }
-            })
-                .catch((err) => {
-                error("An error occured while overriding (login)", err);
-                notify.error("An error occured while overriding (login)", { duration: 2000 });
-                setGlobalConfig({ userOverrideActive: false, userOverride: undefined });
-            });
-        }
+        // Impersonation is header-driven: `createHeaders` adds `sinequa-override-user`/`-domain` to every
+        // request while `userOverrideActive`, on top of the current (admin) session. We therefore do NOT
+        // need to re-authenticate — re-initializing the stores refetches the principal/usersettings as the
+        // overridden user. This works in every auth mode, including `credentials` where `login()` (without
+        // credentials) is intentionally a no-op in atomic 2.0 and would otherwise skip initialization.
+        this.appService
+            .initialize(createRoutes)
+            .then(() => {
+            const fullName = this.principalStore.fullName();
+            notify.success(`Welcome back ${fullName}!`, { duration: 2000 });
+        })
+            .catch((err) => {
+            error("An error occurred while overriding (initialize)", err);
+            notify.error("An error occurred while overriding (initialize)", { duration: 2000 });
+            setGlobalConfig({ userOverrideActive: false, userOverride: undefined });
+        });
     }
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.18", ngImport: i0, type: OverrideUserDialogComponent, deps: [], target: i0.ɵɵFactoryTarget.Component });
     static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.2.0", version: "20.3.18", type: OverrideUserDialogComponent, isStandalone: true, selector: "override-user-dialog", inputs: { overrideUser: { classPropertyName: "overrideUser", publicName: "overrideUser", isSignal: true, isRequired: false, transformFunction: null } }, outputs: { overrideUser: "overrideUserChange" }, providers: [provideTranslocoScope("dialogs")], viewQueries: [{ propertyName: "dialog", first: true, predicate: DialogComponent, descendants: true, isSignal: true }], ngImport: i0, template: `
@@ -16006,8 +16249,18 @@ const bodyInterceptorFn = (request, next) => {
 };
 /**
- * Interceptor function that handles HTTP 401 errors by refreshing authentication
- * and retrying the original request. For 403 errors, logs out the user.
+ * Marks a request that has already been retried once after a re-authentication attempt.
+ * Carried on the request's HttpContext (not sent to the server) so a second 401 on the retry
+ * propagates instead of triggering another sign-in — which would loop forever.
+ */
+const AUTH_RETRIED = new HttpContextToken(() => false);
+/**
+ * Interceptor function that handles HTTP 401 errors by refreshing authentication and retrying the
+ * original request once. For 403 errors, the error is propagated as a permanent auth failure.
+ *
+ * The retry happens ONLY when `signIn()` reports the user is authenticated, and AT MOST once per
+ * request. Without these two guards a persistent 401 (credentials required, or an endpoint that
+ * keeps rejecting even after a successful CSRF handshake) would retry endlessly.
  *
  * @param request - The HTTP request object.
  * @param next - The HTTP handler function.
@@ -16020,14 +16273,23 @@ const errorInterceptorFn = (request, next) => {
     }
     return next(request).pipe(catchError$1((err) => {
         if (err.status === 401) {
-            error("ErrorInterceptor: 401 error detected, attempting to refresh auth and retry");
-            // Handle 401 by refreshing auth and retrying the request
-            return runInInjectionContext(injector, () => from(signIn()).pipe(switchMap$1(() => {
-                error("Auth refreshed, retrying original request");
-                // Retry the original request with cloned copy
-                const headersObj = createHeaders();
-                const headers = new HttpHeaders(headersObj);
-                return next(request.clone({ headers }));
+            // Already retried once after a re-auth — give up to avoid an infinite loop.
+            if (request.context.get(AUTH_RETRIED)) {
+                error("ErrorInterceptor: 401 again after re-auth retry, giving up");
+                return throwError(() => err);
+            }
+            error("ErrorInterceptor: 401 detected, attempting to refresh auth");
+            return runInInjectionContext(injector, () => from(signIn()).pipe(switchMap$1((authenticated) => {
+                // signIn() could not authenticate (e.g. credentials required → redirected to login,
+                // or a provider redirect is in progress). Do NOT retry — propagate the 401 instead,
+                // otherwise every subsequent 401 re-triggers sign-in and loops.
+                if (!authenticated) {
+                    error("ErrorInterceptor: re-auth did not authenticate, not retrying");
+                    return throwError(() => err);
+                }
+                error("Auth refreshed, retrying original request once");
+                const headers = new HttpHeaders(createHeaders());
+                return next(request.clone({ headers, context: request.context.set(AUTH_RETRIED, true) }));
             }), catchError$1((signInErr) => {
                 error("Failed to refresh auth, redirecting to login", signInErr);
                 return throwError(() => signInErr);
@@ -16110,5 +16372,5 @@ const queryNameResolver = () => {
  * Generated bundle index. Do not edit.
  */
-export { AGGREGATIONS_NAMES, AGGREGATIONS_NAMES_PRESET_DEFAULT, APP_FEATURES, AdvancedFiltersComponent, AdvancedSearch, AdvancedSearchComponent, AggregationComponent, AggregationDateComponent, AggregationDateRangeDialogComponent, AggregationListComponent, AggregationPanelComponent, AggregationTreeComponent, AggregationsService, AggregationsStore, Alert, AlertDialog, AlertsComponent, AppService, AppStore, ApplicationService, ApplicationStore, ArticleEntities, ArticleExtracts, ArticleLabels, ArticleSimilarDocuments, AsideFiltersComponent, AuditFeedbackType, AuditService, AuthGuard, AuthPageComponent, AutocompleteService, BOOKMARKS_CONFIG, BOOKMARKS_OPTIONS, BackdropComponent, BackdropService, BookmarkButtonComponent, BookmarksComponent, COLLECTIONS_CONFIG, COLLECTIONS_OPTIONS, COMPONENTS_FOR_DOCUMENT_TYPE, ChangePasswordComponent, ChildMarkerDirective, CollectionsComponent, CollectionsDialog, DRAWER_COMPONENT, DRAWER_STACK_MAX_COUNT, DateComponent, DeleteCollectionDialog, DidYouMeanComponent, DocumentLocatorComponent, DrawerAdvancedFiltersComponent, DrawerComponent, DrawerNavbarComponent, DrawerPreviewComponent, DrawerService, DrawerStackComponent, DrawerStackService, DropdownInputComponent, DropdownListComponent, ErrorComponent, ExportDialog, ExportService, FILTERS_BREAKPOINT, FILTER_DATE_ALLOW_CUSTOM_RANGE, FeedbackDialogComponent, FileSizePipe, FilterButtonComponent, FiltersBarComponent, HIGHLIGHTS, HighlightWordPipe, InfinityScrollDirective, InlineWorker, JsonMethodPluginService, KeyboardNavigatorDirective, LabelService, LabelsEditDialog, LoadingComponent, MetadataComponent, MissingTermsComponent, MoreButtonComponent, MoreComponent, MultiSelectLabelsComponent, MultiSelectionToolbarComponent, NON_SEARCHABLE_COLUMNS, NON_SEARCHABLE_DEFAULTS, NavbarTabsComponent, NavigationService, NoResultComponent, OpenArticleOnCtrlEnterDirective, OperatorPipe, OverflowItemDirective, OverflowManagerDirective, OverflowStopDirective, OverrideUserDialogComponent, PREVIEW_CONFIG, PagerComponent, PreviewNavigator, PreviewService, PrincipalService, PrincipalStore, QueryParamsStore, QueryService, RECENT_SEARCHES_CONFIG, RECENT_SEARCHES_OPTIONS, ROUTE_COMPONENTS, RecentSearchesComponent, ResetUserSettingsDialogComponent, SAVED_SEARCHES_CONFIG, SAVED_SEARCHES_OPTIONS, SavedSearchDialog, SavedSearchesComponent, SavedSearchesService, SearchFeedbackComponent, SearchInputFooter, SearchService, SelectArticleDirective, SelectArticleOnClickDirective, SelectionHistoryService, SelectionService, SelectionStore, ShowBookmarkDirective, SidebarNavComponent, SignInComponent, SortSelectorComponent, SourceComponent, SourceIconPipe, SponsoredResultsComponent, SyslangPipe, THEMES, TextChunkService, ThemeProviderDirective, ThemeSelectorComponent, ThemeStore, ThemeToggleComponent, TranslocoDateImpurePipe, UserProfileDialog, UserProfileFormComponent, UserProfileService, UserSettingsStore, applyThemeToNativeElement, auditInterceptorFn, authInterceptorFn, bodyInterceptorFn, buildQuery, debouncedSignal, errorInterceptorFn, getCurrentPath, getCurrentQueryName, getQueryNameFromRoute, injectRouteNavigation, processCssVars, queryNameResolver, signIn, themeColorNameToCssVariable, themeColorsToCssVariables, toastInterceptorFn, withAggregationsFeatures, withAlertsFeatures, withAppFeatures, withApplicationFeatures, withAssistantFeatures, withBasketsFeatures, withBookmarkFeatures, withBootstrapApp, withExtractsFeatures, withFetch, withMultiSelectionFeatures, withPrincipalFeatures, withQueryParamsFeatures, withRecentSearchesFeatures, withSavedSearchesFeatures, withSelectionFeatures, withThemeBodyHook, withThemes, withThemesFeatures, withUserSettingsFeatures };
+export { AGGREGATIONS_NAMES, AGGREGATIONS_NAMES_PRESET_DEFAULT, APP_FEATURES, AdvancedFiltersComponent, AdvancedSearch, AdvancedSearchComponent, AggregationComponent, AggregationDateComponent, AggregationDateRangeDialogComponent, AggregationListComponent, AggregationPanelComponent, AggregationTreeComponent, AggregationsService, AggregationsStore, Alert, AlertDialog, AlertsComponent, AppService, AppStore, ApplicationService, ApplicationStore, ArticleEntities, ArticleExtracts, ArticleLabels, ArticleSimilarDocuments, AsideFiltersComponent, AuditFeedbackType, AuditService, AuthGuard, AuthPageComponent, AutocompleteService, BOOKMARKS_CONFIG, BOOKMARKS_OPTIONS, BackdropComponent, BackdropService, BookmarkButtonComponent, BookmarksComponent, COLLECTIONS_CONFIG, COLLECTIONS_OPTIONS, COMPONENTS_FOR_DOCUMENT_TYPE, ChangePasswordComponent, ChildMarkerDirective, CollectionsComponent, CollectionsDialog, DRAWER_COMPONENT, DRAWER_STACK_MAX_COUNT, DateComponent, DeleteCollectionDialog, DidYouMeanComponent, DocumentLocatorComponent, DrawerAdvancedFiltersComponent, DrawerComponent, DrawerNavbarComponent, DrawerPreviewComponent, DrawerService, DrawerStackComponent, DrawerStackService, DropdownInputComponent, DropdownListComponent, ErrorComponent, ExportDialog, ExportService, FILTERS_BREAKPOINT, FILTER_DATE_ALLOW_CUSTOM_RANGE, FeedbackDialogComponent, FileSizePipe, FilterButtonComponent, FiltersBarComponent, HIGHLIGHTS, HighlightWordPipe, InfinityScrollDirective, InlineWorker, JsonMethodPluginService, KeyboardNavigatorDirective, LabelService, LabelsEditDialog, LoadingComponent, MetadataComponent, MissingTermsComponent, MoreButtonComponent, MoreComponent, MultiSelectLabelsComponent, MultiSelectionToolbarComponent, NON_SEARCHABLE_COLUMNS, NON_SEARCHABLE_DEFAULTS, NavbarTabsComponent, NavigationService, NoResultComponent, OpenArticleOnCtrlEnterDirective, OperatorPipe, OverflowItemDirective, OverflowManagerDirective, OverflowStopDirective, OverrideUserDialogComponent, PREVIEW_CONFIG, PagerComponent, PreviewNavigator, PreviewService, PrincipalService, PrincipalStore, QueryParamsStore, QueryService, RECENT_SEARCHES_CONFIG, RECENT_SEARCHES_OPTIONS, ROUTE_COMPONENTS, RecentSearchesComponent, ResetUserSettingsDialogComponent, SAVED_SEARCHES_CONFIG, SAVED_SEARCHES_OPTIONS, SavedSearchDialog, SavedSearchesComponent, SavedSearchesService, SearchFeedbackComponent, SearchInputFooter, SearchService, SelectArticleDirective, SelectArticleOnClickDirective, SelectionHistoryService, SelectionService, SelectionStore, ShowBookmarkDirective, SidebarNavComponent, SignInComponent, SignedOutComponent, SortSelectorComponent, SourceComponent, SourceIconPipe, SponsoredResultsComponent, SyslangPipe, THEMES, TextChunkService, ThemeProviderDirective, ThemeSelectorComponent, ThemeStore, ThemeToggleComponent, TranslocoDateImpurePipe, UserProfileDialog, UserProfileFormComponent, UserProfileService, UserSettingsStore, applyThemeToNativeElement, auditInterceptorFn, authInterceptorFn, bodyInterceptorFn, bootstrapApp, buildQuery, debouncedSignal, errorInterceptorFn, getCurrentPath, getCurrentQueryName, getQueryNameFromRoute, injectRouteNavigation, processCssVars, queryNameResolver, signIn, themeColorNameToCssVariable, themeColorsToCssVariables, toastInterceptorFn, withAggregationsFeatures, withAlertsFeatures, withAppFeatures, withApplicationFeatures, withAssistantFeatures, withBasketsFeatures, withBookmarkFeatures, withBootstrapApp, withExtractsFeatures, withFetch, withMultiSelectionFeatures, withPrincipalFeatures, withQueryParamsFeatures, withRecentSearchesFeatures, withSavedSearchesFeatures, withSelectionFeatures, withThemeBodyHook, withThemes, withThemesFeatures, withUserSettingsFeatures };
 //# sourceMappingURL=sinequa-atomic-angular.mjs.map