@techstuff-dev/foundation-api-utils 2.7.1 → 2.8.0

package/dist/cjs/chunks/{shared-CNZnVs2B.js → shared-l1zCzYJr.js}

@@ -1,7 +1,7 @@
 'use strict';
 
 var toolkit = require('@reduxjs/toolkit');
-var slice = require('./slice-2_5ax6TZ.js');
+var slice = require('./slice-Bu9L_cVR.js');
 var slice$1 = require('./slice-CkWobkWw.js');
 
 // This file exists just so TypeScript has a module at ./store for IDEs/build.
@@ -11,4 +11,4 @@ var slice$1 = require('./slice-CkWobkWw.js');
 const rootReducer = toolkit.combineSlices(slice.cartSlice, slice$1.authSlice, slice.authApi, slice.contentApi, slice.paymentApi, slice.productsApi, slice.ordersApi);
 
 exports.rootReducer = rootReducer;
-//# sourceMappingURL=shared-CNZnVs2B.js.map
+//# sourceMappingURL=shared-l1zCzYJr.js.map

package/dist/cjs/chunks/{shared-CNZnVs2B.js.map → shared-l1zCzYJr.js.map}

@@ -1 +1 @@
-{"version":3,"file":"shared-CNZnVs2B.js","sources":["../../../lib/store/shared.ts"],"sourcesContent":[null],"names":["combineSlices","cartSlice","authSlice","authApi","contentApi","paymentApi","productsApi","ordersApi"],"mappings":";;;;;;AAAA;AACA;AAUA;AAEA;MACa,WAAW,GAAGA,qBAAa,CACtCC,eAAS,EACTC,iBAAS,EACTC,aAAO,EACPC,gBAAU,EACVC,gBAAU,EACVC,iBAAW,EACXC,eAAS;;;;"}
+{"version":3,"file":"shared-l1zCzYJr.js","sources":["../../../lib/store/shared.ts"],"sourcesContent":[null],"names":["combineSlices","cartSlice","authSlice","authApi","contentApi","paymentApi","productsApi","ordersApi"],"mappings":";;;;;;AAAA;AACA;AAUA;AAEA;MACa,WAAW,GAAGA,qBAAa,CACtCC,eAAS,EACTC,iBAAS,EACTC,aAAO,EACPC,gBAAU,EACVC,gBAAU,EACVC,iBAAW,EACXC,eAAS;;;;"}

package/dist/cjs/chunks/{slice-2_5ax6TZ.js → slice-Bu9L_cVR.js}

@@ -5197,6 +5197,18 @@ const APP_ES_CHALLENGES_INDEX$1 = getEnvVar$1('NEXT_PUBLIC_APP_ES_CHALLENGES_IND
 const APP_ES_CHALLENGE_DAYS_INDEX$1 = getEnvVar$1('NEXT_PUBLIC_APP_ES_CHALLENGE_DAYS_INDEX');
 // Platform identifier
 const PLATFORM$2 = 'web';
+/**
+ * Return the Cognito app client ID the web app is configured to use.
+ * Prefers the passwordless client when set (passwordless sessions present a
+ * refresh token minted by that client); falls back to the regular client.
+ * Used by the shared refresh-token flow so Cognito can match the refresh
+ * token's original app client.
+ */
+function getCognitoAppClientId$2() {
+    return (getEnvVar$1('NEXT_PUBLIC_AWS_COGNITO_PASSWORDLESS_CLIENT_ID') ||
+        getEnvVar$1('NEXT_PUBLIC_AWS_COGNITO_CLIENT_ID') ||
+        undefined);
+}
 
 var webConfig = /*#__PURE__*/Object.freeze({
   __proto__: null,
@@ -5219,7 +5231,8 @@ var webConfig = /*#__PURE__*/Object.freeze({
   APP_ES_SETTINGS_INDEX: APP_ES_SETTINGS_INDEX$1,
   APP_ES_VIDEOS_INDEX: APP_ES_VIDEOS_INDEX$1,
   APP_ES_WORKOUTS_INDEX: APP_ES_WORKOUTS_INDEX$1,
-  PLATFORM: PLATFORM$2
+  PLATFORM: PLATFORM$2,
+  getCognitoAppClientId: getCognitoAppClientId$2
 });
 
 /**
@@ -5264,6 +5277,15 @@ const APP_ES_CHALLENGES_INDEX = getEnvVar('APP_ES_CHALLENGES_INDEX');
 const APP_ES_CHALLENGE_DAYS_INDEX = getEnvVar('APP_ES_CHALLENGE_DAYS_INDEX');
 // Platform identifier
 const PLATFORM$1 = 'native';
+/**
+ * Return the Cognito app client ID the app is configured to use.
+ * On native the env var is `AWS_COGNITO_CLIENT_ID` (react-native-config).
+ * Used by the shared refresh-token flow so Cognito can match the refresh
+ * token's original app client.
+ */
+function getCognitoAppClientId$1() {
+    return getEnvVar('AWS_COGNITO_CLIENT_ID') || undefined;
+}
 
 var nativeConfig = /*#__PURE__*/Object.freeze({
   __proto__: null,
@@ -5286,7 +5308,8 @@ var nativeConfig = /*#__PURE__*/Object.freeze({
   APP_ES_SETTINGS_INDEX: APP_ES_SETTINGS_INDEX,
   APP_ES_VIDEOS_INDEX: APP_ES_VIDEOS_INDEX,
   APP_ES_WORKOUTS_INDEX: APP_ES_WORKOUTS_INDEX,
-  PLATFORM: PLATFORM$1
+  PLATFORM: PLATFORM$1,
+  getCognitoAppClientId: getCognitoAppClientId$1
 });
 
 /**
@@ -5329,6 +5352,15 @@ apiConfig.APP_ES_SCHEDULE_INDEX;
 apiConfig.APP_ES_CHALLENGES_INDEX;
 apiConfig.APP_ES_CHALLENGE_DAYS_INDEX;
 const PLATFORM = apiConfig.PLATFORM;
+/**
+ * Platform-specific accessor for the currently-configured Cognito app client ID.
+ * Delegates to native or web config so the refresh-token flow can forward the
+ * clientId to the backend (Cognito refresh tokens are bound to their minting
+ * app client).
+ */
+function getCognitoAppClientId() {
+    return apiConfig.getCognitoAppClientId?.();
+}
 
 /**
  * Mutex to prevent multiple concurrent refresh attempts.
@@ -5384,11 +5416,21 @@ async function attemptTokenRefresh(api) {
         ? `${process.env.NEXT_PUBLIC_API_PREFIX}/auth/refresh-token`
         : `${API_AUTH_PREFIX || ''}/user/refreshtoken`;
     try {
+        // Cognito refresh tokens are bound to the app client that minted them.
+        // We read the client ID from the platform-specific env wrapper and pass it
+        // to the backend so Cognito InitiateAuth is invoked with the matching
+        // ClientId. Without this, pools with multiple app clients (e.g. separate
+        // "Mobile App Client" and "ms-auth server" clients) fail refresh with
+        // "Refresh Token has different Client".
+        const clientId = getCognitoAppClientId();
         const response = await fetch(refreshUrl, {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
             credentials: 'include',
-            body: JSON.stringify({ refreshtoken: refreshToken }),
+            body: JSON.stringify({
+                refreshtoken: refreshToken,
+                ...(clientId ? { clientId } : {}),
+            }),
         });
         if (!response.ok) {
             const errorBody = await response.text().catch(() => 'unable to read body');
@@ -6292,4 +6334,4 @@ exports.useVerifyUserAttributesQuery = useVerifyUserAttributesQuery;
 exports.useVerifyUserQuery = useVerifyUserQuery;
 exports.useVerifyUserResendQuery = useVerifyUserResendQuery;
 exports.withReauth = withReauth;
-//# sourceMappingURL=slice-2_5ax6TZ.js.map
+//# sourceMappingURL=slice-Bu9L_cVR.js.map