@sinequa/atomic-angular 1.6.0 → 1.6.2

package/fesm2022/sinequa-atomic-angular.mjs

@@ -4470,9 +4470,11 @@ class PreviewService {
     getEntityId(entity, value, index) {
         if (!this.previewData)
             return undefined;
-        // Combine filters for better performance
+        // Combine filters for better performance.
+        // NB: positionInCategories[entity] is a zero-based index, so the first occurrence is 0.
+        // Use a presence check (not truthiness) to avoid dropping that first occurrence.
         const entitySearched = this.previewData.highlightsPerLocation
-            .filter((item) => item.positionInCategories[entity] && item.values.some((v) => v === value))
+            .filter((item) => item.positionInCategories[entity] !== undefined && item.values.some((v) => v === value))
             .map((e) => ({ id: e.positionInCategories[entity] }));
         const id = entitySearched[index]?.id;
         return id;
@@ -10881,6 +10883,12 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.25", ngImpo
                 }]
         }] });
 
+/**
+ * Mirrors @sinequa/atomic's `AUTH_REDIRECT_ATTEMPT_KEY` (src/authentication/constants.ts): the
+ * sessionStorage flag set right before a provider full-page redirect (`window.location.href`).
+ * Reading it lets us tell "an IdP redirect is under way" from "no session", without a blind timer.
+ */
+const AUTH_REDIRECT_ATTEMPT_KEY = "sinequa-auth-redirect-attempt";
 /**
  * Represents the LoginComponent class, which is responsible for handling the login functionality.
  * This component is used to authenticate users and manage the user's authentication status.
@@ -10922,6 +10930,13 @@ class SignInComponent {
     authenticated = signal(isAuthenticated(), ...(ngDevMode ? [{ debugName: "authenticated" }] : []));
     user = signal(getState(this.principalStore), ...(ngDevMode ? [{ debugName: "user" }] : []));
     expiresSoonNotified = signal(false, ...(ngDevMode ? [{ debugName: "expiresSoonNotified" }] : []));
+    /**
+     * Forces the credentials form to show even while `externalAuth` is true. Set when a silent
+     * SSO/browser auth attempt fails and no OAuth/SAML provider is configured: in that case
+     * `useSSO` only meant "unknown — try SSO, then credentials", so we fall back to the form
+     * instead of routing to /error.
+     */
+    showCredentialsFallback = signal(false, ...(ngDevMode ? [{ debugName: "showCredentialsFallback" }] : []));
     constructor(destroyRef) {
         this.destroyRef = destroyRef;
         // If the user is already authenticated when landing here (e.g. page refresh on
@@ -10931,21 +10946,45 @@ class SignInComponent {
             const url = this.route.snapshot.queryParams["returnUrl"] || "/";
             this.router.navigateByUrl(url);
         }
-        // When authentication is delegated to the browser/proxy (SSO) or an OAuth/SAML
-        // provider, no credentials form is shown: this screen shows a loader and initiates
-        // the handshake automatically by calling `handleLogin()`. If the handshake never
-        // completes, fall back to /error after 5s; the fallback is cancelled as soon as
-        // the login succeeds (the `authenticated` event then drives navigation).
+        // When authentication is delegated to the browser/proxy (SSO) or an OAuth/SAML provider, no
+        // credentials form is shown: this screen shows a loader and starts the handshake automatically.
+        // Drive what happens next from the OUTCOME of `login()`, never a blind timer racing the network
+        // call (the old 5s timer fired while a slow but legitimate provider call — up to its own 10s
+        // network timeout — was still in flight, flashing /error just before the IdP redirect):
+        //   • rejected      → real failure (network timeout, 5xx, callback loop) → /error WITH the reason;
+        //   • resolved true  → authenticated → the `authenticated` event / returnUrl drives navigation;
+        //   • resolved false → either an OAuth/SAML full-page redirect is under way (the redirect flag was
+        //                      set just before `window.location.href`; the page is about to unload, so do
+        //                      nothing and let it leave for the IdP), or no provider is configured
+        //                      (ambiguous SSO → show the credentials form), or the provider returned no
+        //                      redirect at all (→ /error).
         if (this.externalAuth && !this.authenticated()) {
-            const timeout = setTimeout(() => {
+            login()
+                .then(result => {
+                if (result) {
+                    this.auditService.notifyLogin();
+                    return;
+                }
+                const hasAutoProvider = !!(globalConfig.autoOAuthProvider || globalConfig.autoSAMLProvider);
+                if (!hasAutoProvider) {
+                    this.showCredentialsFallback.set(true);
+                    return;
+                }
+                // A full-page redirect to the IdP was initiated → the page is about to unload. Routing to
+                // /error here is exactly what caused the transient "error" flash, so skip it.
+                if (sessionStorage.getItem(AUTH_REDIRECT_ATTEMPT_KEY))
+                    return;
+                // Provider configured but the server returned no redirectUrl and there is no session → error.
                 this.router.navigate(["/error"], {
                     queryParams: { returnUrl: this.route.snapshot.queryParams["returnUrl"] }
                 });
-            }, 5000);
-            destroyRef.onDestroy(() => clearTimeout(timeout));
-            this.handleLogin().then(result => {
-                if (result)
-                    clearTimeout(timeout);
+            })
+                .catch((err) => {
+                warn("An error occurred while logging in", err);
+                this.auditService.notify({ type: "Login_Denied" });
+                // Surface the failure reason on the error page (e.g. "OAuth provider not found: identity-dev").
+                const message = (err?.errorMessage ?? err?.message) || undefined;
+                this.router.navigate(["error"], { queryParams: { message } });
             });
         }
         effect(() => {
@@ -11057,7 +11096,7 @@ class SignInComponent {
     }
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.25", ngImport: i0, type: SignInComponent, deps: [{ token: i0.DestroyRef }], target: i0.ɵɵFactoryTarget.Component });
     static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.0.0", version: "20.3.25", type: SignInComponent, isStandalone: true, selector: "signIn, signin, sign-in", inputs: { class: { classPropertyName: "class", publicName: "class", isSignal: true, isRequired: false, transformFunction: null }, username: { classPropertyName: "username", publicName: "username", isSignal: true, isRequired: false, transformFunction: null }, password: { classPropertyName: "password", publicName: "password", isSignal: true, isRequired: false, transformFunction: null } }, outputs: { forgotPassword: "forgotPassword", username: "usernameChange", password: "passwordChange" }, host: { properties: { "class": "cn('grid h-dvh w-full place-content-center', class())" } }, providers: [provideTranslocoScope("login")], ngImport: i0, template: `
-    @if (!authenticated() && !externalAuth) {
+    @if (!authenticated() && (!externalAuth || showCredentialsFallback())) {
       <Card
         hover="no"
         cdkTrapFocus
@@ -11130,7 +11169,7 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.25", ngImpo
                         CardHeaderComponent,
                         CardContentComponent
                     ], providers: [provideTranslocoScope("login")], template: `
-    @if (!authenticated() && !externalAuth) {
+    @if (!authenticated() && (!externalAuth || showCredentialsFallback())) {
       <Card
         hover="no"
         cdkTrapFocus