@tstdl/base 0.92.158 → 0.92.159

package/authentication/client/authentication.service.d.ts

@@ -27,6 +27,7 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     private readonly lock;
     private readonly logger;
     private readonly disposeToken;
+    private clockOffset;
     /**
      * Observable for authentication errors.
      * Emits when a refresh fails.
@@ -113,53 +114,64 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
      */
     login(subject: string, secret: string, data?: AuthenticationData): Promise<void>;
     /**
-     * Logout
+     * Logout from the current session.
+     * This will attempt to end the session on the server and then clear local credentials.
      */
     logout(): Promise<void>;
     /**
-     * Force a refresh of the token
+     * Force an immediate refresh of the token.
      * @param data Additional authentication data
      */
     requestRefresh(data?: AuthenticationData): void;
     /**
-     * Refresh the token
+     * Refresh the token.
      * @param data Additional authentication data
      */
     refresh(data?: AuthenticationData): Promise<void>;
     /**
-     * Impersonate a subject
+     * Impersonate a subject.
      * @param subject The subject to impersonate
-     * @param data Additional authentication data
+     * @param data Additional authentication data for the impersonated session
      */
     impersonate(subject: string, data?: AuthenticationData): Promise<void>;
     /**
-     * Unimpersonate
+     * End impersonation and return to the original user session.
      * @param data Additional authentication data. If not provided, the data from before impersonation is used.
      */
     unimpersonate(data?: AuthenticationData): Promise<void>;
+    /**
+     * Change the secret for a subject.
+     * @param subject The subject to change the secret for
+     * @param currentSecret The current secret
+     * @param newSecret The new secret
+     */
     changeSecret(subject: string, currentSecret: string, newSecret: string): Promise<void>;
     /**
-     * Initialize a secret reset
+     * Initialize a secret reset.
      * @param subject The subject to reset the secret for
      * @param data Additional data for secret reset
      */
     initResetSecret(subject: string, data: AdditionalInitSecretResetData): Promise<void>;
     /**
-     * Reset a secret
+     * Reset a secret using a reset token.
      * @param token The secret reset token
      * @param newSecret The new secret
      */
     resetSecret(token: string, newSecret: string): Promise<void>;
     /**
-     * Check a secret for requirements
+     * Check a secret for requirements.
      * @param secret The secret to check
      * @returns The result of the check
      */
     checkSecret(secret: string): Promise<SecretCheckResult>;
-    private saveToken;
-    private loadToken;
     private setNewToken;
     private refreshLoop;
     private refreshLoopIteration;
     private handleRefreshError;
+    private estimatedServerTimestampSeconds;
+    private syncClock;
+    private saveToken;
+    private loadToken;
+    private readFromStorage;
+    private writeToStorage;
 }

package/authentication/client/authentication.service.js

@@ -25,8 +25,10 @@ import { Logger } from '../../logger/index.js';
 import { MessageBus } from '../../message-bus/index.js';
 import { computed, signal, toObservable } from '../../signals/api.js';
 import { currentTimestampSeconds } from '../../utils/date-time.js';
+import { formatError } from '../../utils/format-error.js';
 import { timeout } from '../../utils/timing.js';
-import { assertDefinedPass, isDefined, isNullOrUndefined, isString, isUndefined } from '../../utils/type-guards.js';
+import { assertDefinedPass, isDefined, isNullOrUndefined, isUndefined } from '../../utils/type-guards.js';
+import { millisecondsPerSecond } from '../../utils/units.js';
 import { AUTHENTICATION_API_CLIENT, INITIAL_AUTHENTICATION_DATA } from './tokens.js';
 const tokenStorageKey = 'AuthenticationService:token';
 const authenticationDataStorageKey = 'AuthenticationService:authentication-data';
@@ -35,6 +37,17 @@ const tokenUpdateBusName = 'AuthenticationService:tokenUpdate';
 const loggedOutBusName = 'AuthenticationService:loggedOut';
 const refreshLockResource = 'AuthenticationService:refresh';
 const localStorage = globalThis.localStorage;
+const refreshBufferSeconds = 15;
+const lockTimeout = 10000;
+const logoutTimeout = 150;
+const unrecoverableErrors = [
+    InvalidTokenError,
+    NotFoundError,
+    BadRequestError,
+    ForbiddenError,
+    NotSupportedError,
+    UnauthorizedError,
+];
 /**
  * Handles authentication on client side.
  *
@@ -58,6 +71,7 @@ let AuthenticationClientService = class AuthenticationClientService {
     lock = inject(Lock, refreshLockResource);
     logger = inject(Logger, 'AuthenticationService');
     disposeToken = new CancellationToken();
+    clockOffset = 0;
     /**
      * Observable for authentication errors.
      * Emits when a refresh fails.
@@ -80,7 +94,7 @@ let AuthenticationClientService = class AuthenticationClientService {
     /** Emits when token is available (not undefined) */
     definedToken$ = this.token$.pipe(filter(isDefined));
     /** Emits when a valid token is available (not undefined and not expired) */
-    validToken$ = this.definedToken$.pipe(filter((token) => token.exp > currentTimestampSeconds()));
+    validToken$ = this.definedToken$.pipe(filter((token) => token.exp > this.estimatedServerTimestampSeconds()));
     /** Current subject */
     subject$ = toObservable(this.subject);
     /** Emits when subject is available */
@@ -94,30 +108,16 @@ let AuthenticationClientService = class AuthenticationClientService {
     /** Emits when the user logs out */
     loggedOut$ = this.loggedOutBus.allMessages$;
     get authenticationData() {
-        const data = localStorage?.getItem(authenticationDataStorageKey);
-        return isNullOrUndefined(data) ? undefined : JSON.parse(data);
+        return this.readFromStorage(authenticationDataStorageKey);
     }
     set authenticationData(data) {
-        if (isUndefined(data)) {
-            localStorage?.removeItem(authenticationDataStorageKey);
-        }
-        else {
-            const json = JSON.stringify(data);
-            localStorage?.setItem(authenticationDataStorageKey, json);
-        }
+        this.writeToStorage(authenticationDataStorageKey, data);
     }
     get impersonatorAuthenticationData() {
-        const data = localStorage?.getItem(impersonatorAuthenticationDataStorageKey);
-        return isNullOrUndefined(data) ? undefined : JSON.parse(data);
+        return this.readFromStorage(impersonatorAuthenticationDataStorageKey);
     }
     set impersonatorAuthenticationData(data) {
-        if (isUndefined(data)) {
-            localStorage?.removeItem(impersonatorAuthenticationDataStorageKey);
-        }
-        else {
-            const json = JSON.stringify(data);
-            localStorage?.setItem(impersonatorAuthenticationDataStorageKey, json);
-        }
+        this.writeToStorage(impersonatorAuthenticationDataStorageKey, data);
     }
     /**
      * Get current token or throw if not available
@@ -142,7 +142,7 @@ let AuthenticationClientService = class AuthenticationClientService {
     }
     /** Whether a valid token is available (not undefined and not expired) */
     get hasValidToken() {
-        return (this.token()?.exp ?? 0) > currentTimestampSeconds();
+        return (this.token()?.exp ?? 0) > this.estimatedServerTimestampSeconds();
     }
     constructor(initialAuthenticationData) {
         if (isUndefined(this.authenticationData)) {
@@ -195,26 +195,31 @@ let AuthenticationClientService = class AuthenticationClientService {
         if (isDefined(data)) {
             this.setAdditionalData(data);
         }
-        const token = await this.client.login({ subject, secret, data: this.authenticationData });
+        const [token] = await Promise.all([
+            this.client.login({ subject, secret, data: this.authenticationData }),
+            this.syncClock(),
+        ]);
         this.setNewToken(token);
     }
     /**
-     * Logout
+     * Logout from the current session.
+     * This will attempt to end the session on the server and then clear local credentials.
      */
     async logout() {
         try {
             await Promise.race([
                 this.client.endSession(),
-                timeout(150),
+                timeout(logoutTimeout),
             ]).catch((error) => this.logger.error(error));
         }
         finally {
+            // Always clear the local token, even if the server call fails.
             this.setNewToken(undefined);
             this.loggedOutBus.publishAndForget();
         }
     }
     /**
-     * Force a refresh of the token
+     * Force an immediate refresh of the token.
      * @param data Additional authentication data
      */
     requestRefresh(data) {
@@ -224,7 +229,7 @@ let AuthenticationClientService = class AuthenticationClientService {
         this.forceRefreshToken.set();
     }
     /**
-     * Refresh the token
+     * Refresh the token.
      * @param data Additional authentication data
      */
     async refresh(data) {
@@ -232,7 +237,10 @@ let AuthenticationClientService = class AuthenticationClientService {
             this.setAdditionalData(data);
         }
         try {
-            const token = await this.client.refresh({ data: this.authenticationData });
+            const [token] = await Promise.all([
+                this.client.refresh({ data: this.authenticationData }),
+                this.syncClock(),
+            ]);
             this.setNewToken(token);
         }
         catch (error) {
@@ -241,12 +249,15 @@ let AuthenticationClientService = class AuthenticationClientService {
         }
     }
     /**
-     * Impersonate a subject
+     * Impersonate a subject.
      * @param subject The subject to impersonate
-     * @param data Additional authentication data
+     * @param data Additional authentication data for the impersonated session
      */
     async impersonate(subject, data) {
-        await this.lock.use(10000, true, async () => {
+        if (this.impersonated()) {
+            throw new Error('Already impersonating. Please unimpersonate first.');
+        }
+        await this.lock.use(lockTimeout, true, async () => {
             this.impersonatorAuthenticationData = this.authenticationData;
             this.authenticationData = data;
             try {
@@ -254,17 +265,20 @@ let AuthenticationClientService = class AuthenticationClientService {
                 this.setNewToken(token);
             }
             catch (error) {
+                // Rollback authentication data on failure
+                this.authenticationData = this.impersonatorAuthenticationData;
+                this.impersonatorAuthenticationData = undefined;
                 await this.handleRefreshError(error);
                 throw error;
             }
         });
     }
     /**
-     * Unimpersonate
+     * End impersonation and return to the original user session.
      * @param data Additional authentication data. If not provided, the data from before impersonation is used.
      */
     async unimpersonate(data) {
-        await this.lock.use(10000, true, async () => {
+        await this.lock.use(lockTimeout, true, async () => {
             const newData = data ?? this.impersonatorAuthenticationData;
             try {
                 const token = await this.client.unimpersonate({ data: newData });
@@ -278,11 +292,17 @@ let AuthenticationClientService = class AuthenticationClientService {
             }
         });
     }
+    /**
+     * Change the secret for a subject.
+     * @param subject The subject to change the secret for
+     * @param currentSecret The current secret
+     * @param newSecret The new secret
+     */
     async changeSecret(subject, currentSecret, newSecret) {
         await this.client.changeSecret({ subject, currentSecret, newSecret });
     }
     /**
-     * Initialize a secret reset
+     * Initialize a secret reset.
      * @param subject The subject to reset the secret for
      * @param data Additional data for secret reset
      */
@@ -290,7 +310,7 @@ let AuthenticationClientService = class AuthenticationClientService {
         await this.client.initSecretReset({ subject, data });
     }
     /**
-     * Reset a secret
+     * Reset a secret using a reset token.
      * @param token The secret reset token
      * @param newSecret The new secret
      */
@@ -298,39 +318,30 @@ let AuthenticationClientService = class AuthenticationClientService {
         await this.client.resetSecret({ token, newSecret });
     }
     /**
-     * Check a secret for requirements
+     * Check a secret for requirements.
      * @param secret The secret to check
      * @returns The result of the check
      */
     async checkSecret(secret) {
         return await this.client.checkSecret({ secret });
     }
-    saveToken(token) {
-        if (isNullOrUndefined(token)) {
-            localStorage?.removeItem(tokenStorageKey);
-        }
-        else {
-            const serialized = JSON.stringify(token);
-            localStorage?.setItem(tokenStorageKey, serialized);
-        }
-    }
-    loadToken() {
-        const existingSerializedToken = localStorage?.getItem(tokenStorageKey);
-        const token = isString(existingSerializedToken)
-            ? JSON.parse(existingSerializedToken)
-            : undefined;
-        this.token.set(token);
-    }
     setNewToken(token) {
         this.saveToken(token);
         this.token.set(token);
         this.tokenUpdateBus.publishAndForget(token);
     }
     async refreshLoop() {
+        if (this.isLoggedIn()) {
+            await this.syncClock();
+        }
         while (this.disposeToken.isUnset) {
             try {
+                // Use a non-blocking lock to ensure only one tab/instance runs the refresh logic at a time.
                 await this.lock.use(0, false, async () => await this.refreshLoopIteration());
-                await firstValueFrom(race([timer(2500), this.disposeToken, this.forceRefreshToken]));
+                // Calculate delay until the next refresh check.
+                // The buffer ensures we refresh *before* the token actually expires.
+                const delay = ((this.token()?.exp ?? 0) - this.estimatedServerTimestampSeconds() - refreshBufferSeconds) * millisecondsPerSecond;
+                await firstValueFrom(race([timer(delay), this.disposeToken, this.forceRefreshToken]));
             }
             catch {
                 await firstValueFrom(race([timer(5000), this.disposeToken, this.forceRefreshToken]));
@@ -338,22 +349,71 @@ let AuthenticationClientService = class AuthenticationClientService {
         }
     }
     async refreshLoopIteration() {
+        // Wait for a token to be available or for the service to be disposed.
         const token = await firstValueFrom(race([this.definedToken$, this.disposeToken]));
         if (isUndefined(token)) {
             return;
         }
-        if (this.forceRefreshToken.isSet || (currentTimestampSeconds() >= (token.exp - 60))) {
+        const needsRefresh = this.estimatedServerTimestampSeconds() >= (token.exp - refreshBufferSeconds);
+        if (this.forceRefreshToken.isSet || needsRefresh) {
             this.forceRefreshToken.unset();
-            await this.refresh();
+            await this.refresh(); // Errors are caught by the outer loop
         }
     }
     async handleRefreshError(error) {
         this.logger.error(error);
         this.errorSubject.next(error);
-        if ((error instanceof InvalidTokenError) || (error instanceof NotFoundError) || (error instanceof BadRequestError) || (error instanceof ForbiddenError) || (error instanceof NotSupportedError) || (error instanceof UnauthorizedError)) {
+        if (unrecoverableErrors.some((errorType) => error instanceof errorType)) {
             await this.logout();
         }
     }
+    estimatedServerTimestampSeconds() {
+        return currentTimestampSeconds() + this.clockOffset;
+    }
+    async syncClock() {
+        try {
+            const serverTimestamp = await this.client.timestamp();
+            this.clockOffset = serverTimestamp - currentTimestampSeconds();
+        }
+        catch (error) {
+            this.logger.warn(`Failed to synchronize clock with server: ${formatError(error)}`);
+            this.clockOffset = 0;
+        }
+    }
+    saveToken(token) {
+        this.writeToStorage(tokenStorageKey, token);
+    }
+    loadToken() {
+        const token = this.readFromStorage(tokenStorageKey);
+        this.token.set(token);
+    }
+    readFromStorage(key) {
+        try {
+            const serialized = localStorage?.getItem(key);
+            if (isNullOrUndefined(serialized)) {
+                return undefined;
+            }
+            return JSON.parse(serialized);
+        }
+        catch (error) {
+            this.logger.warn(`Failed to read and parse from localStorage key "${key}": ${formatError(error)}`);
+            return undefined;
+        }
+    }
+    writeToStorage(key, value) {
+        try {
+            if (isUndefined(value)) {
+                localStorage?.removeItem(key);
+            }
+            else {
+                const serialized = JSON.stringify(value);
+                localStorage?.setItem(key, serialized);
+            }
+        }
+        catch (error) {
+            this.logger.warn(`Failed to write to localStorage key "${key}": ${formatError(error)}`);
+        }
+    }
 };
 AuthenticationClientService = __decorate([
     Singleton(),

package/authentication/server/authentication.api-controller.d.ts

@@ -69,7 +69,7 @@ export declare class AuthenticationApiController<AdditionalTokenPayload extends
     checkSecret({ parameters }: ApiRequestContext<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'checkSecret'>): Promise<ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'checkSecret'>>;
     /**
      * Get the current server timestamp.
-     * @returns The current server timestamp.
+     * @returns The current server timestamp in seconds.
      */
     timestamp(): ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'timestamp'>;
     protected getTokenResponse({ token, jsonToken, refreshToken, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }: TokenResult<AdditionalTokenPayload>): HttpServerResponse;

package/authentication/server/authentication.api-controller.js

@@ -9,7 +9,7 @@ var __metadata = (this && this.__metadata) || function (k, v) {
 };
 import { apiController } from '../../api/server/index.js';
 import { HttpServerResponse } from '../../http/server/index.js';
-import { currentTimestamp } from '../../utils/date-time.js';
+import { currentTimestampSeconds } from '../../utils/date-time.js';
 import { assertDefinedPass, isDefined } from '../../utils/type-guards.js';
 import { authenticationApiDefinition, getAuthenticationApiDefinition } from '../authentication.api.js';
 import { AuthenticationService } from './authentication.service.js';
@@ -138,10 +138,10 @@ let AuthenticationApiController = class AuthenticationApiController {
     }
     /**
      * Get the current server timestamp.
-     * @returns The current server timestamp.
+     * @returns The current server timestamp in seconds.
      */
     timestamp() {
-        return currentTimestamp();
+        return currentTimestampSeconds();
     }
     getTokenResponse({ token, jsonToken, refreshToken, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }) {
         const result = jsonToken.payload;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tstdl/base",
-  "version": "0.92.158",
+  "version": "0.92.159",
   "author": "Patrick Hein",
   "publishConfig": {
     "access": "public"