npm - @startsimpli/auth - Versions diffs - 0.4.7 → 0.4.8 - Mend

@startsimpli/auth 0.4.7 → 0.4.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/src/__tests__/auth-fetch.test.ts +0 -15
package/src/__tests__/auth-functions.test.ts +69 -7
package/src/client/functions.ts +26 -37

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@startsimpli/auth",
-  "version": "0.4.7",
+  "version": "0.4.8",
   "description": "Shared authentication package for StartSimpli Next.js apps",
   "main": "./src/index.ts",
   "types": "./src/index.ts",

package/src/__tests__/auth-fetch.test.ts CHANGED Viewed

@@ -39,21 +39,6 @@ function makeJwt(payload: object): string {
 const VALID_TOKEN = makeJwt({ exp: Math.floor(Date.now() / 1000) + 3600, userId: '1' });
 const REFRESHED_TOKEN = makeJwt({ exp: Math.floor(Date.now() / 1000) + 7200, userId: '1' });
-// Stub the CSRF token helper so refreshAccessToken() doesn't fail
-vi.mock('../utils/cookies', () => ({
-  getCsrfToken: () => 'test-csrf',
-  setCsrfToken: vi.fn(),
-}));
-// Stub fetchCsrfToken (called inside refreshAccessToken)
-vi.mock('../client/functions', async (importOriginal) => {
-  const original = await importOriginal<typeof import('../client/functions')>();
-  return {
-    ...original,
-    fetchCsrfToken: vi.fn().mockResolvedValue(undefined),
-  };
-});
 describe('authFetch — concurrent 401 refresh atomicity (uhxu)', () => {
   beforeEach(() => {
     vi.clearAllMocks();

package/src/__tests__/auth-functions.test.ts CHANGED Viewed

@@ -72,6 +72,7 @@ const {
   setAccessToken,
   getAccessToken,
   setOnSessionExpired,
+  notifySessionExpired,
   setRememberMe,
 } = await import('../client/functions');
@@ -212,6 +213,46 @@ describe('authFetch session expiration on unrecoverable 401', () => {
   });
 });
+describe('notifySessionExpired cooldown', () => {
+  beforeEach(() => {
+    setOnSessionExpired(null);
+  });
+  afterEach(() => {
+    setOnSessionExpired(null);
+  });
+  it('fires the registered callback at most once per cooldown window', () => {
+    const onExpired = vi.fn();
+    setOnSessionExpired(onExpired);
+    notifySessionExpired();
+    notifySessionExpired();
+    notifySessionExpired();
+    notifySessionExpired();
+    notifySessionExpired();
+    expect(onExpired).toHaveBeenCalledTimes(1);
+  });
+  it('no-ops when no callback is registered', () => {
+    expect(() => notifySessionExpired()).not.toThrow();
+  });
+  it('resets the cooldown when a new callback is registered', () => {
+    const first = vi.fn();
+    setOnSessionExpired(first);
+    notifySessionExpired();
+    expect(first).toHaveBeenCalledTimes(1);
+    // re-register: cooldown resets, so next notify should fire the new callback
+    const second = vi.fn();
+    setOnSessionExpired(second);
+    notifySessionExpired();
+    expect(second).toHaveBeenCalledTimes(1);
+  });
+});
 describe('signOut cookie cleanup', () => {
   beforeEach(() => {
     vi.clearAllMocks();
@@ -258,20 +299,41 @@ describe('refreshAccessToken clears session on failure', () => {
   });
   it('clears token when refresh endpoint returns non-ok', async () => {
-    mockFetch.mockImplementation((url: string) => {
-      if (typeof url === 'string' && url.includes('/csrf/')) {
-        return Promise.resolve({ ok: true });
-      }
-      return Promise.resolve({
+    mockFetch.mockImplementation(() =>
+      Promise.resolve({
         ok: false,
         status: 401,
         json: async () => ({ detail: 'Token expired' }),
-      });
-    });
+      })
+    );
     const result = await refreshAccessToken();
     expect(result).toBeNull();
     expect(getAccessToken()).toBeNull();
   });
+  it('does not fetch the CSRF endpoint or send X-CSRFToken', async () => {
+    mockFetch.mockImplementation(() =>
+      Promise.resolve({
+        ok: true,
+        status: 200,
+        json: async () => ({ access: VALID_TOKEN }),
+      })
+    );
+    await refreshAccessToken();
+    const csrfCall = mockFetch.mock.calls.find(
+      (c: unknown[]) => typeof c[0] === 'string' && (c[0] as string).includes('/csrf/')
+    );
+    expect(csrfCall).toBeUndefined();
+    const refreshCall = mockFetch.mock.calls.find(
+      (c: unknown[]) => typeof c[0] === 'string' && (c[0] as string).includes('/auth/token/refresh/')
+    );
+    expect(refreshCall).toBeDefined();
+    const headers = refreshCall![1]?.headers;
+    expect(headers['X-CSRFToken']).toBeUndefined();
+  });
 });

package/src/client/functions.ts CHANGED Viewed

@@ -2,11 +2,16 @@
  * Functional auth API for Django backend
  *
  * Stateless functions for authentication flows: sign in, register, OAuth, token refresh, etc.
- * Uses fetch (browser/Node) and getCsrfToken from shared utils.
- * No Next.js dependency.
+ * Uses fetch (browser/Node). No Next.js dependency.
+ *
+ * CSRF note: the Django auth endpoints (signin, register, token/refresh, logout,
+ * OAuth) are all @csrf_exempt or JWT-authenticated. The frontend does not send
+ * X-CSRFToken headers and does not fetch /auth/csrf/ — any CSRF plumbing here
+ * would be dead weight (and previously caused refresh to fail whenever the CSRF
+ * endpoint was flaky).
  */
-import { getCsrfToken, deleteCookie } from '../utils/cookies';
+import { deleteCookie } from '../utils/cookies';
 import { decodeToken } from '../utils/token';
 // --- Types ---
@@ -28,10 +33,27 @@ export interface AuthUser {
 export type OnSessionExpiredCallback = () => void;
 let _onSessionExpired: OnSessionExpiredCallback | null = null;
+let _sessionExpiredFiredAt = 0;
+const SESSION_EXPIRED_COOLDOWN_MS = 5000;
 /** Register a callback for unrecoverable 401s (typically set by AuthProvider). */
 export function setOnSessionExpired(cb: OnSessionExpiredCallback | null): void {
   _onSessionExpired = cb;
+  if (cb !== null) _sessionExpiredFiredAt = 0;
+}
+/**
+ * Fire the registered session-expired callback at most once per cooldown window.
+ * Exposed so non-authFetch callers (e.g. the @startsimpli/api FetchWrapper) can
+ * route 401-after-refresh through the same sink that authFetch uses, instead of
+ * each caller wiring up its own redirect.
+ */
+export function notifySessionExpired(): void {
+  if (!_onSessionExpired) return;
+  const now = Date.now();
+  if (now - _sessionExpiredFiredAt < SESSION_EXPIRED_COOLDOWN_MS) return;
+  _sessionExpiredFiredAt = now;
+  _onSessionExpired();
 }
 // --- Endpoint paths (Django backend defaults) ---
@@ -431,43 +453,12 @@ export async function completeGoogleOAuth(code: string, state: string) {
   return parsed;
 }
-async function fetchCsrfToken(): Promise<void> {
-  if (getCsrfToken()) return;
-  const maxAttempts = 3;
-  let lastError: unknown;
-  for (let attempt = 0; attempt < maxAttempts; attempt++) {
-    try {
-      await fetch(resolveAuthUrl(`${API_BASE}/auth/csrf/`), {
-        credentials: 'include',
-        cache: 'no-store',
-      });
-      if (getCsrfToken()) return;
-    } catch (err) {
-      lastError = err;
-    }
-    if (attempt < maxAttempts - 1) {
-      await new Promise(r => setTimeout(r, 500));
-    }
-  }
-  throw new Error(
-    `[auth] CSRF token fetch failed after ${maxAttempts} attempts: ${lastError instanceof Error ? lastError.message : String(lastError ?? 'no token set')}`
-  );
-}
 export async function refreshAccessToken(): Promise<string | null> {
-  await fetchCsrfToken();
-  const csrfToken = getCsrfToken();
-  if (!csrfToken) {
-    console.warn('[auth] No CSRF token available — cannot refresh. Clearing session.');
-    setAccessToken(null);
-    return null;
-  }
   const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.TOKEN_REFRESH), {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json',
-      'X-CSRFToken': csrfToken,
     },
     credentials: 'include',
   });
@@ -512,7 +503,6 @@ export async function getMe(): Promise<AuthUser | null> {
 }
 export async function signOut(): Promise<void> {
-  const csrfToken = getCsrfToken();
   const token = getAccessToken();
   try {
@@ -520,7 +510,6 @@ export async function signOut(): Promise<void> {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
-        ...(csrfToken ? { 'X-CSRFToken': csrfToken } : {}),
         ...(token ? { Authorization: `Bearer ${token}` } : {}),
       },
       credentials: 'include',
@@ -583,7 +572,7 @@ export async function authFetch(
     if (!refreshed || retryResponse.status === 401) {
       // Refresh failed or retried request still unauthorized — session is dead.
       setAccessToken(null);
-      _onSessionExpired?.();
+      notifySessionExpired();
     }
     return retryResponse;