@startsimpli/auth 0.4.26 → 0.4.28

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@startsimpli/auth",
-  "version": "0.4.26",
+  "version": "0.4.28",
   "description": "Shared authentication package for StartSimpli Next.js apps",
   "main": "./src/index.ts",
   "types": "./src/index.ts",

package/src/__tests__/auth-client.test.ts

@@ -123,3 +123,55 @@ describe('AuthClient.login', () => {
     expect(session.accessToken).toBe(VALID_TOKEN);
   });
 });
+
+// Regression coverage for startsim-768w.2.3: a dead / wrong-audience refresh
+// cookie must end the session ONCE (clear + signal expiry, so the app bounces
+// to login) rather than spin in a refresh loop — while a transient backend
+// flake (5xx / network) must NOT log the user out. This session-dead-vs-transient
+// split in performTokenRefresh is the loop-prevention; pin it so a refactor
+// can't reintroduce either the auth loop or premature logout.
+describe('AuthClient.refreshToken — session-dead vs transient (768w.2.3)', () => {
+  beforeEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  function clientWithSession(onSessionExpired: () => void) {
+    const client = new AuthClient({ apiBaseUrl: 'http://localhost:8001', onSessionExpired });
+    (client as any).session = {
+      user: { id: 'u', email: 'e@x.com', firstName: '', lastName: '', isEmailVerified: false, createdAt: '', updatedAt: '' },
+      accessToken: VALID_TOKEN,
+      expiresAt: Date.now() + 3600000,
+    };
+    return client;
+  }
+
+  it('clears the session + signals expiry on a 401 refresh (dead/wrong-aud cookie → no loop)', async () => {
+    const onSessionExpired = vi.fn();
+    const client = clientWithSession(onSessionExpired);
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValueOnce({ status: 401, ok: false }));
+
+    await expect(client.refreshToken()).rejects.toThrow(/session expired/i);
+    expect(onSessionExpired).toHaveBeenCalledTimes(1);
+    expect((client as any).session).toBeFalsy();
+  });
+
+  it('does NOT clear the session on a 5xx refresh (transient backend flake → retry, no logout)', async () => {
+    const onSessionExpired = vi.fn();
+    const client = clientWithSession(onSessionExpired);
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValueOnce({ status: 503, ok: false }));
+
+    await expect(client.refreshToken()).rejects.toThrow(/transient/i);
+    expect(onSessionExpired).not.toHaveBeenCalled();
+    expect((client as any).session).toBeTruthy();
+  });
+
+  it('does NOT clear the session on a network error (unreachable backend)', async () => {
+    const onSessionExpired = vi.fn();
+    const client = clientWithSession(onSessionExpired);
+    vi.stubGlobal('fetch', vi.fn().mockRejectedValueOnce(new Error('ECONNREFUSED')));
+
+    await expect(client.refreshToken()).rejects.toThrow(/transient/i);
+    expect(onSessionExpired).not.toHaveBeenCalled();
+    expect((client as any).session).toBeTruthy();
+  });
+});

package/src/__tests__/login-app-hint.test.ts

@@ -0,0 +1,35 @@
+/**
+ * loginAppHint() reads the signin target (?app=<slug>) from the URL so the
+ * login token POST can carry it — central auth scopes the minted token's
+ * audience by it (startsim-qxv2.5).
+ */
+import { describe, it, expect, afterEach } from 'vitest';
+import { loginAppHint } from '../client/functions';
+
+function setUrl(search: string) {
+  window.history.pushState({}, '', `/signin${search}`);
+}
+
+describe('loginAppHint', () => {
+  afterEach(() => setUrl(''));
+
+  it('returns the app slug from ?app=', () => {
+    setUrl('?app=foundry&return_to=https%3A%2F%2Ffoundry.startsimpli.com%2F');
+    expect(loginAppHint()).toBe('foundry');
+  });
+
+  it('returns the tenant slug for a tenant-app signin', () => {
+    setUrl('?app=mcr');
+    expect(loginAppHint()).toBe('mcr');
+  });
+
+  it('returns undefined when no app param is present', () => {
+    setUrl('?return_to=https%3A%2F%2Fexample.com');
+    expect(loginAppHint()).toBeUndefined();
+  });
+
+  it('treats a blank app as absent', () => {
+    setUrl('?app=');
+    expect(loginAppHint()).toBeUndefined();
+  });
+});

package/src/client/auth-client.ts

@@ -11,7 +11,7 @@ import type {
   AuthUser,
 } from '../types';
 import { isTokenExpired, getTokenExpiresAt, shouldRefreshToken } from '../utils';
-import { extractApiError, setAccessToken as setModuleAccessToken } from './functions';
+import { extractApiError, loginAppHint, setAccessToken as setModuleAccessToken } from './functions';
 import { deleteCookie } from '../utils/cookies';
 import type { AuthBackend, RegisterPayload } from './backend';
 
@@ -45,7 +45,7 @@ function hasLoggedOutFlag(): boolean {
 export class AuthClient implements AuthBackend {
   private config: Required<AuthConfig>;
   private session: Session | null = null;
-  private refreshTimer: NodeJS.Timeout | null = null;
+  private refreshTimer: ReturnType<typeof setTimeout> | null = null;
   private isRefreshing = false;
   private refreshPromise: Promise<string> | null = null;
 
@@ -68,11 +68,12 @@ export class AuthClient implements AuthBackend {
    * Login with email and password
    */
   async login(email: string, password: string): Promise<Session> {
+    const app = loginAppHint(); // scope the token audience to the login target (qxv2.5)
     const response = await fetch(`${this.config.apiBaseUrl}/api/v1/auth/token/`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       credentials: 'include', // Include cookies for refresh token
-      body: JSON.stringify({ email, password }),
+      body: JSON.stringify({ email, password, ...(app ? { app } : {}) }),
     });
 
     if (!response.ok) {

package/src/client/functions.ts

@@ -59,6 +59,19 @@ export function notifySessionExpired(): void {
   _onSessionExpired();
 }
 
+/**
+ * The app/target the user is signing in FOR, read from the signin URL
+ * (?app=<slug>). Central auth uses it to scope the minted token's audience:
+ * a central/platform login (app=foundry) yields a first-party token; a tenant
+ * login (app=<tenant>) yields the tenant audience. Browser-only (undefined
+ * off-browser, e.g. SSR). (startsim-qxv2.5)
+ */
+export function loginAppHint(): string | undefined {
+  if (typeof window === 'undefined') return undefined;
+  const app = new URLSearchParams(window.location.search).get('app');
+  return app?.trim() || undefined;
+}
+
 // --- Endpoint paths (Django backend defaults) ---
 
 const API_BASE = '/api/v1';

package/src/client/token-auth-core.ts

@@ -20,6 +20,7 @@
 import type { AuthUser, Session } from '../types';
 import { getTokenExpiresAt } from '../utils/token';
 import { extractApiError } from '../utils/api-error';
+import { loginAppHint } from './functions';
 
 /** Persistence for the refresh token. Web uses cookies (and never needs this);
  *  native provides a SecureStore-backed implementation. */
@@ -89,10 +90,11 @@ export class TokenAuthClient {
   }
 
   async login(email: string, password: string): Promise<Session> {
+    const app = loginAppHint(); // scope the token audience to the login target (qxv2.5)
     const response = await this.fetchImpl(`${this.apiBaseUrl}/api/v1/auth/token/`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json', 'X-Auth-Mode': 'token' },
-      body: JSON.stringify({ email, password }),
+      body: JSON.stringify({ email, password, ...(app ? { app } : {}) }),
     });
 
     if (!response.ok) {