npm - @startsimpli/auth - Versions diffs - 0.1.0 → 0.1.3 - Mend

@startsimpli/auth 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/dist/chunk-CDNZRZ7Q.mjs +767 -0
package/dist/chunk-CDNZRZ7Q.mjs.map +1 -0
package/dist/chunk-S6J5FYQY.mjs +134 -0
package/dist/chunk-S6J5FYQY.mjs.map +1 -0
package/dist/chunk-TA46ASDJ.mjs +37 -0
package/dist/chunk-TA46ASDJ.mjs.map +1 -0
package/dist/client/index.d.mts +175 -0
package/dist/client/index.d.ts +175 -0
package/dist/client/index.js +858 -0
package/dist/client/index.js.map +1 -0
package/dist/client/index.mjs +5 -0
package/dist/client/index.mjs.map +1 -0
package/dist/index.d.mts +68 -0
package/dist/index.d.ts +68 -0
package/dist/index.js +971 -0
package/dist/index.js.map +1 -0
package/dist/index.mjs +5 -0
package/dist/index.mjs.map +1 -0
package/dist/server/index.d.mts +83 -0
package/dist/server/index.d.ts +83 -0
package/dist/server/index.js +242 -0
package/dist/server/index.js.map +1 -0
package/dist/server/index.mjs +191 -0
package/dist/server/index.mjs.map +1 -0
package/dist/types/index.d.mts +209 -0
package/dist/types/index.d.ts +209 -0
package/dist/types/index.js +43 -0
package/dist/types/index.js.map +1 -0
package/dist/types/index.mjs +3 -0
package/dist/types/index.mjs.map +1 -0
package/package.json +50 -18
package/src/__tests__/auth-client.test.ts +125 -0
package/src/__tests__/auth-fetch.test.ts +128 -0
package/src/__tests__/token-storage.test.ts +61 -0
package/src/__tests__/validation.test.ts +60 -0
package/src/client/auth-client.ts +11 -1
package/src/client/functions.ts +83 -14
package/src/types/index.ts +100 -0
package/src/utils/validation.ts +190 -0

package/dist/types/index.mjs ADDED Viewed

@@ -0,0 +1,3 @@
+export { EmailErrorCode, PasswordErrorCode, ROLE_HIERARCHY, ValidationErrorCode, hasRolePermission } from '../chunk-TA46ASDJ.mjs';
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map

package/dist/types/index.mjs.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"sources":[],"names":[],"mappings":"","file":"index.mjs"}

package/package.json CHANGED Viewed

@@ -1,37 +1,65 @@
 {
   "name": "@startsimpli/auth",
-  "version": "0.1.0",
+  "version": "0.1.3",
   "description": "Shared authentication package for StartSimpli Next.js apps",
-  "main": "./src/index.ts",
-  "types": "./src/index.ts",
-  "files": ["src"],
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    },
+    "./client": {
+      "types": "./dist/client/index.d.ts",
+      "import": "./dist/client/index.mjs",
+      "require": "./dist/client/index.js"
+    },
+    "./server": {
+      "types": "./dist/server/index.d.ts",
+      "import": "./dist/server/index.mjs",
+      "require": "./dist/server/index.js"
+    },
+    "./types": {
+      "types": "./dist/types/index.d.ts",
+      "import": "./dist/types/index.mjs",
+      "require": "./dist/types/index.js"
+    },
+    "./email": {
+      "types": "./dist/email/index.d.ts",
+      "import": "./dist/email/index.mjs",
+      "require": "./dist/email/index.js"
+    }
+  },
+  "files": [
+    "src",
+    "README.md",
+    "dist"
+  ],
   "publishConfig": {
     "access": "public"
   },
-  "exports": {
-    ".": "./src/index.ts",
-    "./client": "./src/client/index.ts",
-    "./server": "./src/server/index.ts",
-    "./types": "./src/types/index.ts",
-    "./email": "./src/email/index.ts"
-  },
   "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "type-check": "tsc --noEmit",
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
-    "type-check": "tsc --noEmit"
+    "clean": "rm -rf dist"
   },
   "peerDependencies": {
     "react": "^18.0.0 || ^19.0.0",
-    "next": "^14.0.0 || ^15.0.0"
+    "next": "^14.0.0 || ^15.0.0 || ^16.0.0"
   },
   "devDependencies": {
-    "@types/react": "^18.3.18",
     "@types/node": "^20.17.14",
-    "typescript": "^5.7.3",
-    "vitest": "^3.0.0",
+    "@types/react": "^18.3.18",
     "@vitest/ui": "^3.0.0",
-    "happy-dom": "^15.11.7"
+    "happy-dom": "^15.11.7",
+    "tsup": "^8.5.1",
+    "typescript": "^5.7.3",
+    "vitest": "^3.0.0"
   },
   "keywords": [
     "authentication",
@@ -39,5 +67,9 @@
     "nextjs",
     "django",
     "startsimpli"
-  ]
+  ],
+  "dependencies": {
+    "zod": "^4.3.6"
+  },
+  "module": "./dist/index.mjs"
 }

package/src/__tests__/auth-client.test.ts ADDED Viewed

@@ -0,0 +1,125 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { AuthClient } from '../client/auth-client';
+// Helpers
+function makeToken(exp: number): string {
+  const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+  const body = btoa(JSON.stringify({ token_type: 'access', exp, iat: exp - 3600, jti: 'test', user_id: '123' }));
+  return `${header}.${body}.signature`;
+}
+const VALID_TOKEN = makeToken(Math.floor(Date.now() / 1000) + 3600);
+function makeConfig() {
+  return { apiBaseUrl: 'http://localhost:8001' };
+}
+describe('AuthClient.getCurrentUser', () => {
+  beforeEach(() => {
+    vi.restoreAllMocks();
+  });
+  it('unwraps {"user": {...}} envelope from Django /me/ response', async () => {
+    const client = new AuthClient(makeConfig());
+    // Set a session so getAuthHeaders works
+    (client as any).session = {
+      user: { id: '', email: '', firstName: '', lastName: '', isEmailVerified: false, createdAt: '', updatedAt: '' },
+      accessToken: VALID_TOKEN,
+      expiresAt: Date.now() + 3600000,
+    };
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValueOnce({
+      ok: true,
+      json: async () => ({
+        user: {
+          id: 'abc-123',
+          email: 'test@example.com',
+          first_name: 'Test',
+          last_name: 'User',
+          is_email_verified: true,
+          created_at: '2026-01-01T00:00:00Z',
+          updated_at: '2026-01-02T00:00:00Z',
+        },
+      }),
+    }));
+    const user = await client.getCurrentUser();
+    expect(user.id).toBe('abc-123');
+    expect(user.email).toBe('test@example.com');
+    expect(user.firstName).toBe('Test');
+    expect(user.lastName).toBe('User');
+    expect(user.isEmailVerified).toBe(true);
+    expect(user.createdAt).toBe('2026-01-01T00:00:00Z');
+  });
+  it('handles flat response (no wrapper) for forwards-compat', async () => {
+    const client = new AuthClient(makeConfig());
+    (client as any).session = {
+      user: { id: '', email: '', firstName: '', lastName: '', isEmailVerified: false, createdAt: '', updatedAt: '' },
+      accessToken: VALID_TOKEN,
+      expiresAt: Date.now() + 3600000,
+    };
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValueOnce({
+      ok: true,
+      json: async () => ({
+        id: 'xyz-456',
+        email: 'flat@example.com',
+        first_name: 'Flat',
+        last_name: 'Response',
+        is_email_verified: false,
+        created_at: '2026-01-01T00:00:00Z',
+        updated_at: '2026-01-01T00:00:00Z',
+      }),
+    }));
+    const user = await client.getCurrentUser();
+    expect(user.id).toBe('xyz-456');
+    expect(user.email).toBe('flat@example.com');
+    expect(user.firstName).toBe('Flat');
+  });
+});
+describe('AuthClient.login', () => {
+  beforeEach(() => {
+    vi.restoreAllMocks();
+  });
+  it('fetches /me/ when token response has no user and maps fields correctly', async () => {
+    const client = new AuthClient(makeConfig());
+    vi.stubGlobal('fetch', vi.fn()
+      // First call: token endpoint
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ access: VALID_TOKEN }),
+      })
+      // Second call: /me/ endpoint
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({
+          user: {
+            id: 'login-user-id',
+            email: 'login@example.com',
+            first_name: 'Login',
+            last_name: 'Test',
+            is_email_verified: false,
+            created_at: '2026-01-01T00:00:00Z',
+            updated_at: '2026-01-01T00:00:00Z',
+          },
+        }),
+      }),
+    );
+    const session = await client.login('login@example.com', 'password');
+    expect(session.user.email).toBe('login@example.com');
+    expect(session.user.firstName).toBe('Login');
+    expect(session.user.lastName).toBe('Test');
+    expect(session.accessToken).toBe(VALID_TOKEN);
+  });
+});

package/src/__tests__/auth-fetch.test.ts ADDED Viewed

@@ -0,0 +1,128 @@
+/**
+ * Tests for authFetch refresh-singleton (uhxu fix).
+ * Concurrent 401 responses must share a single refreshAccessToken() call.
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+// We import the module functions directly so we can control mocks around them.
+// The mock must be set up before the module is imported.
+// Mock fetch globally before importing the module under test
+const mockFetch = vi.fn();
+vi.stubGlobal('fetch', mockFetch);
+// Mock sessionStorage (available in browser but not in vitest/node)
+const mockSessionStorage = (() => {
+  let store: Record<string, string> = {};
+  return {
+    getItem: (k: string) => store[k] ?? null,
+    setItem: (k: string, v: string) => { store[k] = v },
+    removeItem: (k: string) => { delete store[k] },
+    clear: () => { store = {} },
+  };
+})();
+vi.stubGlobal('sessionStorage', mockSessionStorage);
+// Import after globals are set up
+const {
+  authFetch,
+  setAccessToken,
+  getAccessToken,
+} = await import('../client/functions');
+function makeJwt(payload: object): string {
+  const encode = (obj: object) =>
+    btoa(JSON.stringify(obj)).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+  return `${encode({ alg: 'HS256' })}.${encode(payload)}.sig`;
+}
+const VALID_TOKEN = makeJwt({ exp: Math.floor(Date.now() / 1000) + 3600, user_id: '1' });
+const REFRESHED_TOKEN = makeJwt({ exp: Math.floor(Date.now() / 1000) + 7200, user_id: '1' });
+// Stub the CSRF token helper so refreshAccessToken() doesn't fail
+vi.mock('../utils/cookies', () => ({
+  getCsrfToken: () => 'test-csrf',
+  setCsrfToken: vi.fn(),
+}));
+// Stub fetchCsrfToken (called inside refreshAccessToken)
+vi.mock('../client/functions', async (importOriginal) => {
+  const original = await importOriginal<typeof import('../client/functions')>();
+  return {
+    ...original,
+    fetchCsrfToken: vi.fn().mockResolvedValue(undefined),
+  };
+});
+describe('authFetch — concurrent 401 refresh atomicity (uhxu)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockSessionStorage.clear();
+    setAccessToken(VALID_TOKEN);
+  });
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+  it('calls refreshAccessToken only once when two concurrent requests get 401', async () => {
+    let refreshCallCount = 0;
+    mockFetch.mockImplementation((url: string) => {
+      // Refresh endpoint
+      if (typeof url === 'string' && url.includes('token/refresh')) {
+        refreshCallCount++;
+        return Promise.resolve({
+          ok: true,
+          status: 200,
+          json: async () => ({ access: REFRESHED_TOKEN }),
+        });
+      }
+      // First call for any request: return 401; second (retry): return 200
+      return Promise.resolve({
+        ok: false,
+        status: 401,
+        json: async () => ({}),
+      });
+    });
+    // Simulate two concurrent requests that both receive 401
+    const [r1, r2] = await Promise.all([
+      authFetch('/api/v1/data/'),
+      authFetch('/api/v1/other/'),
+    ]);
+    // Both requests eventually fail (since the mock always returns 401 for non-refresh URLs)
+    // but the refresh endpoint was only called once
+    expect(refreshCallCount).toBe(1);
+    expect(r1.status).toBe(401);
+    expect(r2.status).toBe(401);
+  });
+  it('retries with the refreshed token on 401', async () => {
+    let callCount = 0;
+    mockFetch.mockImplementation((url: string) => {
+      if (typeof url === 'string' && url.includes('token/refresh')) {
+        return Promise.resolve({
+          ok: true,
+          status: 200,
+          json: async () => ({ access: REFRESHED_TOKEN }),
+        });
+      }
+      callCount++;
+      if (callCount === 1) {
+        // First call returns 401
+        return Promise.resolve({ ok: false, status: 401, json: async () => ({}) });
+      }
+      // Retry call returns 200
+      return Promise.resolve({ ok: true, status: 200, json: async () => ({ data: 'ok' }) });
+    });
+    const response = await authFetch('/api/v1/resource/');
+    expect(response.status).toBe(200);
+    // Retry was called with the refreshed token
+    const lastCall = mockFetch.mock.calls[mockFetch.mock.calls.length - 1];
+    const retryHeaders = lastCall[1]?.headers as Headers;
+    expect(retryHeaders.get('Authorization')).toBe(`Bearer ${REFRESHED_TOKEN}`);
+  });
+});

package/src/__tests__/token-storage.test.ts ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Tests for getAccessToken / setAccessToken using sessionStorage.
+ * Regression for fund-your-startup-fe28 (access token was in module-level global).
+ */
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { getAccessToken, setAccessToken } from '../client/functions';
+describe('Token storage (sessionStorage)', () => {
+  beforeEach(() => {
+    // Clear sessionStorage before each test
+    sessionStorage.clear();
+    // Reset to null so tests are independent
+    setAccessToken(null);
+  });
+  it('stores the token in sessionStorage, not a module-level global', () => {
+    setAccessToken('tok-abc123');
+    // Value is readable via the getter
+    expect(getAccessToken()).toBe('tok-abc123');
+    // Value is also in sessionStorage (not just a module variable)
+    expect(sessionStorage.getItem('auth_access_token')).toBe('tok-abc123');
+  });
+  it('returns null when no token has been stored', () => {
+    expect(getAccessToken()).toBeNull();
+  });
+  it('clearing the token removes it from sessionStorage', () => {
+    setAccessToken('some-token');
+    setAccessToken(null);
+    expect(getAccessToken()).toBeNull();
+    expect(sessionStorage.getItem('auth_access_token')).toBeNull();
+  });
+  it('overwrites an existing token', () => {
+    setAccessToken('first-token');
+    setAccessToken('second-token');
+    expect(getAccessToken()).toBe('second-token');
+    expect(sessionStorage.getItem('auth_access_token')).toBe('second-token');
+  });
+  it('reads fresh value from sessionStorage (survives module reload simulation)', () => {
+    // Simulate token set by a previous page load that wrote to sessionStorage
+    sessionStorage.setItem('auth_access_token', 'pre-existing-token');
+    // getAccessToken reads from sessionStorage, not just a cached module variable
+    expect(getAccessToken()).toBe('pre-existing-token');
+  });
+  it('isolated from other sessionStorage keys', () => {
+    sessionStorage.setItem('unrelated_key', 'should-not-matter');
+    setAccessToken('my-token');
+    expect(getAccessToken()).toBe('my-token');
+    expect(sessionStorage.getItem('unrelated_key')).toBe('should-not-matter');
+  });
+});

package/src/__tests__/validation.test.ts ADDED Viewed

@@ -0,0 +1,60 @@
+import { describe, it, expect } from 'vitest';
+import { validatePassword, validateEmail } from '../validation';
+describe('validatePassword', () => {
+  it('rejects passwords shorter than 8 chars', () => {
+    const result = validatePassword('Ab1');
+    expect(result.isValid).toBe(false);
+    expect(result.error).toMatch(/8 characters/);
+  });
+  it('rejects passwords with no uppercase letter', () => {
+    const result = validatePassword('abcdefg1');
+    expect(result.isValid).toBe(false);
+    expect(result.error).toMatch(/uppercase/i);
+  });
+  it('rejects passwords with no lowercase letter', () => {
+    const result = validatePassword('ABCDEFG1');
+    expect(result.isValid).toBe(false);
+    expect(result.error).toMatch(/lowercase/i);
+  });
+  it('rejects passwords with no number', () => {
+    const result = validatePassword('Abcdefgh');
+    expect(result.isValid).toBe(false);
+    expect(result.error).toMatch(/number/i);
+  });
+  it('accepts a password with uppercase, lowercase, and number — no special char required', () => {
+    const result = validatePassword('Testpassword1');
+    expect(result.isValid).toBe(true);
+    expect(result.error).toBeUndefined();
+  });
+  it('accepts a password that also has a special character', () => {
+    const result = validatePassword('Testpassword1!');
+    expect(result.isValid).toBe(true);
+  });
+  it('accepts the canonical test credential', () => {
+    // Ensures test account Testpassword1! passes both frontend and backend rules
+    expect(validatePassword('Testpassword1!').isValid).toBe(true);
+    // Without special char — must also pass (no drift from backend)
+    expect(validatePassword('Testpassword1').isValid).toBe(true);
+  });
+});
+describe('validateEmail', () => {
+  it('accepts valid email', () => {
+    expect(validateEmail('user@example.com')).toBe(true);
+  });
+  it('rejects email without @', () => {
+    expect(validateEmail('notanemail')).toBe(false);
+  });
+  it('rejects email without domain', () => {
+    expect(validateEmail('user@')).toBe(false);
+  });
+});

package/src/client/auth-client.ts CHANGED Viewed

@@ -158,7 +158,17 @@ export class AuthClient {
       throw new Error('Failed to fetch user data');
     }
-    const user: AuthUser = await response.json();
+    const data = await response.json();
+    const raw = data.user || data;
+    const user: AuthUser = {
+      id: raw.id,
+      email: raw.email,
+      firstName: raw.first_name || raw.firstName || '',
+      lastName: raw.last_name || raw.lastName || '',
+      isEmailVerified: raw.is_email_verified ?? raw.isEmailVerified ?? false,
+      createdAt: raw.created_at || raw.createdAt || '',
+      updatedAt: raw.updated_at || raw.updatedAt || '',
+    };
     if (this.session) {
       this.session.user = user;

package/src/client/functions.ts CHANGED Viewed

@@ -69,20 +69,66 @@ export function resolveAuthUrl(path: string): string {
   return `${AUTH_BASE_URL}${normalized}`;
 }
-// --- In-memory token store ---
+// --- Token storage ---
+// Uses sessionStorage when available (browser) so the token is scoped to the
+// current tab and cleared automatically when the tab closes.  Falls back to a
+// module-level variable for SSR environments where sessionStorage is absent.
-let accessToken: string | null = null;
+const TOKEN_STORAGE_KEY = 'auth_access_token';
+let _memToken: string | null = null;
+function _sessionStorageAvailable(): boolean {
+  try {
+    return typeof window !== 'undefined' && !!window.sessionStorage;
+  } catch {
+    return false;
+  }
+}
 export function getAccessToken(): string | null {
-  return accessToken;
+  if (_sessionStorageAvailable()) {
+    return sessionStorage.getItem(TOKEN_STORAGE_KEY);
+  }
+  return _memToken;
 }
 export function setAccessToken(token: string | null): void {
-  accessToken = token;
+  if (_sessionStorageAvailable()) {
+    if (token === null) {
+      sessionStorage.removeItem(TOKEN_STORAGE_KEY);
+    } else {
+      sessionStorage.setItem(TOKEN_STORAGE_KEY, token);
+    }
+    return;
+  }
+  _memToken = token;
 }
 // --- Internal helpers ---
+const AUTH_TIMEOUT_MS = 15_000;
+/** Extract a human-readable message from a Django REST Framework error response body. */
+function extractApiError(d: Record<string, unknown>, fallback: string): string {
+  // Standard DRF: { detail: "..." }
+  if (typeof d.detail === 'string') return d.detail
+  // Field-level: { email: ["already exists"] } or { non_field_errors: ["..."] }
+  for (const val of Object.values(d)) {
+    if (typeof val === 'string') return val
+    if (Array.isArray(val) && val.length > 0 && typeof val[0] === 'string') return val[0]
+  }
+  return fallback
+}
+function fetchWithTimeout(url: string, options: RequestInit): Promise<Response> {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), AUTH_TIMEOUT_MS);
+  return fetch(url, { ...options, signal: controller.signal }).finally(() =>
+    clearTimeout(timer)
+  );
+}
 function normalizeUser(raw: unknown): AuthUser | null {
   if (!raw || typeof raw !== 'object') return null;
   const obj = raw as Record<string, unknown>;
@@ -121,7 +167,7 @@ function parseAuthResponse(data: unknown): { access?: string; user?: AuthUser }
 // --- Auth functions ---
 export async function signInWithCredentials(email: string, password: string) {
-  const response = await fetch(resolveAuthUrl(AUTH_PATHS.TOKEN), {
+  const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.TOKEN), {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     credentials: 'include',
@@ -159,7 +205,7 @@ export async function registerAccount(payload: {
   const [firstFromName, ...rest] = rawName ? rawName.split(/\s+/) : [];
   const lastFromName = rest.length ? rest.join(' ') : undefined;
-  const response = await fetch(resolveAuthUrl(AUTH_PATHS.REGISTER), {
+  const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.REGISTER), {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     credentials: 'include',
@@ -175,9 +221,7 @@ export async function registerAccount(payload: {
   const data = await response.json().catch(() => ({}));
   if (!response.ok) {
-    const d = data as Record<string, unknown>;
-    const message = (d?.detail || d?.error || 'Registration failed') as string;
-    throw new Error(message);
+    throw new Error(extractApiError(data as Record<string, unknown>, 'Registration failed'));
   }
   const parsed = parseAuthResponse(data);
@@ -209,7 +253,7 @@ export async function resetPassword(payload: {
   passwordConfirm: string;
   email?: string;
 }): Promise<void> {
-  const response = await fetch(resolveAuthUrl(AUTH_PATHS.RESET_PASSWORD), {
+  const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.RESET_PASSWORD), {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({
@@ -229,7 +273,7 @@ export async function resetPassword(payload: {
 }
 export async function verifyEmail(token: string): Promise<void> {
-  const response = await fetch(resolveAuthUrl(AUTH_PATHS.VERIFY_EMAIL), {
+  const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.VERIFY_EMAIL), {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({ token }),
@@ -282,7 +326,7 @@ export async function initiateGoogleOAuth(redirectUri: string): Promise<any> {
 }
 export async function completeGoogleOAuth(code: string, state: string) {
-  const response = await fetch(
+  const response = await fetchWithTimeout(
     resolveAuthUrl(
       `${AUTH_PATHS.OAUTH_GOOGLE_CALLBACK}?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state)}`
     ),
@@ -305,11 +349,24 @@ export async function completeGoogleOAuth(code: string, state: string) {
   return parsed;
 }
+async function fetchCsrfToken(): Promise<void> {
+  if (getCsrfToken()) return;
+  try {
+    await fetch(resolveAuthUrl(`${API_BASE}/auth/csrf/`), {
+      credentials: 'include',
+      cache: 'no-store',
+    });
+  } catch (err) {
+    console.warn('[auth] CSRF token fetch failed — token refresh will fail:', err)
+  }
+}
 export async function refreshAccessToken(): Promise<string | null> {
+  await fetchCsrfToken();
   const csrfToken = getCsrfToken();
   if (!csrfToken) return null;
-  const response = await fetch(resolveAuthUrl(AUTH_PATHS.TOKEN_REFRESH), {
+  const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.TOKEN_REFRESH), {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json',
@@ -375,6 +432,18 @@ export async function signOut(): Promise<void> {
   }
 }
+// Singleton refresh promise — ensures concurrent 401s share one refresh call
+let _refreshPromise: Promise<string | null> | null = null;
+function _refreshOnce(): Promise<string | null> {
+  if (!_refreshPromise) {
+    _refreshPromise = refreshAccessToken().finally(() => {
+      _refreshPromise = null;
+    });
+  }
+  return _refreshPromise;
+}
 export async function authFetch(
   input: RequestInfo | URL,
   init: RequestInit = {}
@@ -395,7 +464,7 @@ export async function authFetch(
   });
   if (response.status === 401) {
-    const refreshed = await refreshAccessToken();
+    const refreshed = await _refreshOnce();
     if (refreshed) {
       const retryHeaders = new Headers(init.headers || {});
       retryHeaders.set('Authorization', `Bearer ${refreshed}`);