@techstuff-dev/foundation-api-utils 2.7.0 → 2.8.0

package/dist/cjs/chunks/{shared-BB1LJXHU.js → shared-l1zCzYJr.js}

@@ -1,7 +1,7 @@
 'use strict';
 
 var toolkit = require('@reduxjs/toolkit');
-var slice = require('./slice-BZ9cHcE8.js');
+var slice = require('./slice-Bu9L_cVR.js');
 var slice$1 = require('./slice-CkWobkWw.js');
 
 // This file exists just so TypeScript has a module at ./store for IDEs/build.
@@ -11,4 +11,4 @@ var slice$1 = require('./slice-CkWobkWw.js');
 const rootReducer = toolkit.combineSlices(slice.cartSlice, slice$1.authSlice, slice.authApi, slice.contentApi, slice.paymentApi, slice.productsApi, slice.ordersApi);
 
 exports.rootReducer = rootReducer;
-//# sourceMappingURL=shared-BB1LJXHU.js.map
+//# sourceMappingURL=shared-l1zCzYJr.js.map

package/dist/cjs/chunks/{shared-BB1LJXHU.js.map → shared-l1zCzYJr.js.map}

@@ -1 +1 @@
-{"version":3,"file":"shared-BB1LJXHU.js","sources":["../../../lib/store/shared.ts"],"sourcesContent":[null],"names":["combineSlices","cartSlice","authSlice","authApi","contentApi","paymentApi","productsApi","ordersApi"],"mappings":";;;;;;AAAA;AACA;AAUA;AAEA;MACa,WAAW,GAAGA,qBAAa,CACtCC,eAAS,EACTC,iBAAS,EACTC,aAAO,EACPC,gBAAU,EACVC,gBAAU,EACVC,iBAAW,EACXC,eAAS;;;;"}
+{"version":3,"file":"shared-l1zCzYJr.js","sources":["../../../lib/store/shared.ts"],"sourcesContent":[null],"names":["combineSlices","cartSlice","authSlice","authApi","contentApi","paymentApi","productsApi","ordersApi"],"mappings":";;;;;;AAAA;AACA;AAUA;AAEA;MACa,WAAW,GAAGA,qBAAa,CACtCC,eAAS,EACTC,iBAAS,EACTC,aAAO,EACPC,gBAAU,EACVC,gBAAU,EACVC,iBAAW,EACXC,eAAS;;;;"}

package/dist/cjs/chunks/{slice-BZ9cHcE8.js → slice-Bu9L_cVR.js}

@@ -5196,7 +5196,19 @@ const APP_ES_SCHEDULE_INDEX$1 = getEnvVar$1('NEXT_PUBLIC_APP_ES_SCHEDULE_INDEX')
 const APP_ES_CHALLENGES_INDEX$1 = getEnvVar$1('NEXT_PUBLIC_APP_ES_CHALLENGES_INDEX');
 const APP_ES_CHALLENGE_DAYS_INDEX$1 = getEnvVar$1('NEXT_PUBLIC_APP_ES_CHALLENGE_DAYS_INDEX');
 // Platform identifier
-const PLATFORM$1 = 'web';
+const PLATFORM$2 = 'web';
+/**
+ * Return the Cognito app client ID the web app is configured to use.
+ * Prefers the passwordless client when set (passwordless sessions present a
+ * refresh token minted by that client); falls back to the regular client.
+ * Used by the shared refresh-token flow so Cognito can match the refresh
+ * token's original app client.
+ */
+function getCognitoAppClientId$2() {
+    return (getEnvVar$1('NEXT_PUBLIC_AWS_COGNITO_PASSWORDLESS_CLIENT_ID') ||
+        getEnvVar$1('NEXT_PUBLIC_AWS_COGNITO_CLIENT_ID') ||
+        undefined);
+}
 
 var webConfig = /*#__PURE__*/Object.freeze({
   __proto__: null,
@@ -5219,7 +5231,8 @@ var webConfig = /*#__PURE__*/Object.freeze({
   APP_ES_SETTINGS_INDEX: APP_ES_SETTINGS_INDEX$1,
   APP_ES_VIDEOS_INDEX: APP_ES_VIDEOS_INDEX$1,
   APP_ES_WORKOUTS_INDEX: APP_ES_WORKOUTS_INDEX$1,
-  PLATFORM: PLATFORM$1
+  PLATFORM: PLATFORM$2,
+  getCognitoAppClientId: getCognitoAppClientId$2
 });
 
 /**
@@ -5263,7 +5276,16 @@ const APP_ES_SCHEDULE_INDEX = getEnvVar('APP_ES_SCHEDULE_INDEX');
 const APP_ES_CHALLENGES_INDEX = getEnvVar('APP_ES_CHALLENGES_INDEX');
 const APP_ES_CHALLENGE_DAYS_INDEX = getEnvVar('APP_ES_CHALLENGE_DAYS_INDEX');
 // Platform identifier
-const PLATFORM = 'native';
+const PLATFORM$1 = 'native';
+/**
+ * Return the Cognito app client ID the app is configured to use.
+ * On native the env var is `AWS_COGNITO_CLIENT_ID` (react-native-config).
+ * Used by the shared refresh-token flow so Cognito can match the refresh
+ * token's original app client.
+ */
+function getCognitoAppClientId$1() {
+    return getEnvVar('AWS_COGNITO_CLIENT_ID') || undefined;
+}
 
 var nativeConfig = /*#__PURE__*/Object.freeze({
   __proto__: null,
@@ -5286,7 +5308,8 @@ var nativeConfig = /*#__PURE__*/Object.freeze({
   APP_ES_SETTINGS_INDEX: APP_ES_SETTINGS_INDEX,
   APP_ES_VIDEOS_INDEX: APP_ES_VIDEOS_INDEX,
   APP_ES_WORKOUTS_INDEX: APP_ES_WORKOUTS_INDEX,
-  PLATFORM: PLATFORM
+  PLATFORM: PLATFORM$1,
+  getCognitoAppClientId: getCognitoAppClientId$1
 });
 
 /**
@@ -5328,7 +5351,16 @@ apiConfig.APP_ES_WORKOUTS_INDEX;
 apiConfig.APP_ES_SCHEDULE_INDEX;
 apiConfig.APP_ES_CHALLENGES_INDEX;
 apiConfig.APP_ES_CHALLENGE_DAYS_INDEX;
-apiConfig.PLATFORM;
+const PLATFORM = apiConfig.PLATFORM;
+/**
+ * Platform-specific accessor for the currently-configured Cognito app client ID.
+ * Delegates to native or web config so the refresh-token flow can forward the
+ * clientId to the backend (Cognito refresh tokens are bound to their minting
+ * app client).
+ */
+function getCognitoAppClientId() {
+    return apiConfig.getCognitoAppClientId?.();
+}
 
 /**
  * Mutex to prevent multiple concurrent refresh attempts.
@@ -5384,11 +5416,21 @@ async function attemptTokenRefresh(api) {
         ? `${process.env.NEXT_PUBLIC_API_PREFIX}/auth/refresh-token`
         : `${API_AUTH_PREFIX || ''}/user/refreshtoken`;
     try {
+        // Cognito refresh tokens are bound to the app client that minted them.
+        // We read the client ID from the platform-specific env wrapper and pass it
+        // to the backend so Cognito InitiateAuth is invoked with the matching
+        // ClientId. Without this, pools with multiple app clients (e.g. separate
+        // "Mobile App Client" and "ms-auth server" clients) fail refresh with
+        // "Refresh Token has different Client".
+        const clientId = getCognitoAppClientId();
         const response = await fetch(refreshUrl, {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
             credentials: 'include',
-            body: JSON.stringify({ refreshtoken: refreshToken }),
+            body: JSON.stringify({
+                refreshtoken: refreshToken,
+                ...(clientId ? { clientId } : {}),
+            }),
         });
         if (!response.ok) {
             const errorBody = await response.text().catch(() => 'unable to read body');
@@ -5507,6 +5549,24 @@ function getAuthHeaders(getState) {
     return { accessToken, idToken };
 }
 
+/**
+ * Build a per-platform URL for user-scoped data endpoints.
+ *
+ * Native apps call the backend API Gateway directly and must use the canonical
+ * path shape: `/data/user/{sub}/{endpoint}`.
+ *
+ * Web apps route library requests through their own Next.js `/api/user/*`
+ * proxy layer, which then forwards to the same canonical backend path. That
+ * proxy expects the legacy `/user/{endpoint}?sub=X` shape.
+ */
+const userDataPath = (sub, endpoint, query) => {
+    if (PLATFORM === 'native') {
+        const suffix = query ? `?${query}` : '';
+        return `/data/user/${sub}/${endpoint}${suffix}`;
+    }
+    const suffix = query ? `&${query}` : '';
+    return `/user/${endpoint}?sub=${sub}${suffix}`;
+};
 // Create a dynamic baseQuery that resolves URL at request time and unwraps standard responses
 const createAuthBaseQuery = () => {
     const baseUrl = typeof process !== 'undefined' && process.env?.NEXT_PUBLIC_API_AUTH_PREFIX
@@ -5672,14 +5732,14 @@ const authApi = createApi({
         // Dashboard data endpoints
         getStreak: builder.query({
             query: (sub) => ({
-                url: `/user/streak?sub=${sub}`,
+                url: userDataPath(sub, 'streak'),
                 method: 'GET',
             }),
             providesTags: ['Streak'],
         }),
         getWeeklyProgress: builder.query({
             query: (sub) => ({
-                url: `/user/weekly-progress?sub=${sub}`,
+                url: userDataPath(sub, 'weekly-progress'),
                 method: 'GET',
             }),
             providesTags: ['WeeklyProgress'],
@@ -5694,35 +5754,35 @@ const authApi = createApi({
         }),
         getWatchProgress: builder.query({
             query: ({ sub, limit = 1 }) => ({
-                url: `/user/watch-progress?sub=${sub}&limit=${limit}`,
+                url: userDataPath(sub, 'watch-progress', `limit=${limit}`),
                 method: 'GET',
             }),
             providesTags: ['WatchProgress'],
         }),
         getRecommendations: builder.query({
             query: ({ sub, limit = 8 }) => ({
-                url: `/user/recommendations?sub=${sub}&limit=${limit}`,
+                url: userDataPath(sub, 'recommendations', `limit=${limit}`),
                 method: 'GET',
             }),
             providesTags: ['Recommendations'],
         }),
         getActivityStats: builder.query({
             query: ({ sub, period = 'this-month' }) => ({
-                url: `/user/activity-stats?sub=${sub}&period=${period}`,
+                url: userDataPath(sub, 'activity-stats', `period=${period}`),
                 method: 'GET',
             }),
             providesTags: ['ActivityStats'],
         }),
         getActiveChallenges: builder.query({
             query: (sub) => ({
-                url: `/user/active-challenges?sub=${sub}`,
+                url: userDataPath(sub, 'active-challenges'),
                 method: 'GET',
             }),
             providesTags: ['UserData'],
         }),
         getChallengeProgress: builder.query({
             query: ({ sub, challengeId }) => ({
-                url: `/user/challenge-progress/${challengeId}?sub=${sub}`,
+                url: userDataPath(sub, `challenge-progress/${challengeId}`),
                 method: 'GET',
             }),
             providesTags: ['UserData'],
@@ -5730,7 +5790,8 @@ const authApi = createApi({
         // Activity logging — invalidates dashboard caches
         logActivity: builder.mutation({
             query: (data) => ({
-                url: '/activity',
+                // Native hits the backend directly at /data/activity; web proxies via /activity → /data/activity
+                url: PLATFORM === 'native' ? '/data/activity' : '/activity',
                 method: 'POST',
                 body: data,
             }),
@@ -6273,4 +6334,4 @@ exports.useVerifyUserAttributesQuery = useVerifyUserAttributesQuery;
 exports.useVerifyUserQuery = useVerifyUserQuery;
 exports.useVerifyUserResendQuery = useVerifyUserResendQuery;
 exports.withReauth = withReauth;
-//# sourceMappingURL=slice-BZ9cHcE8.js.map
+//# sourceMappingURL=slice-Bu9L_cVR.js.map