@tstdl/base 0.93.150 → 0.93.152

package/authentication/authentication.api.d.ts

@@ -30,6 +30,7 @@ export declare const authenticationApiDefinition: {
                 readonly tenantId: string | undefined;
                 readonly subject: string;
                 readonly secret: string;
+                readonly remember: boolean;
                 readonly data: undefined;
             }>;
             result: ObjectSchema<TokenPayload<import("type-fest").EmptyObject>>;
@@ -155,6 +156,7 @@ export declare function getAuthenticationApiDefinition<AdditionalTokenPayload ex
                 readonly tenantId: string | undefined;
                 readonly subject: string;
                 readonly secret: string;
+                readonly remember: boolean;
                 readonly data: AuthenticationData;
             }>;
             result: ObjectSchema<TokenPayload<AdditionalTokenPayload>>;
@@ -275,6 +277,7 @@ export declare function getAuthenticationApiEndpointsDefinition<AdditionalTokenP
             readonly tenantId: string | undefined;
             readonly subject: string;
             readonly secret: string;
+            readonly remember: boolean;
             readonly data: AuthenticationData;
         }>;
         result: ObjectSchema<TokenPayload<AdditionalTokenPayload>>;

package/authentication/authentication.api.js

@@ -1,5 +1,5 @@
 import { defineApi } from '../api/types.js';
-import { assign, emptyObjectSchema, explicitObject, literal, never, number, object, optional, string } from '../schema/index.js';
+import { assign, boolean, defaulted, emptyObjectSchema, explicitObject, literal, never, number, object, optional, string } from '../schema/index.js';
 import { SecretCheckResult } from './models/secret-check-result.model.js';
 import { TokenPayloadBase } from './models/token-payload-base.model.js';
 /**
@@ -51,6 +51,7 @@ export function getAuthenticationApiEndpointsDefinition(additionalTokenPayloadSc
                 tenantId: optional(string()),
                 subject: string(),
                 secret: string(),
+                remember: defaulted(boolean(), false),
                 data: authenticationDataSchema,
             }),
             result: tokenResultSchema,

package/authentication/client/authentication.service.d.ts

@@ -1,4 +1,3 @@
-import { type Observable } from 'rxjs';
 import type { AfterResolve } from '../../injector/index.js';
 import { afterResolve } from '../../injector/index.js';
 import type { Record } from '../../types/index.js';
@@ -36,7 +35,7 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
      * Observable for authentication errors.
      * Emits when a refresh fails.
      */
-    readonly error$: Observable<Error>;
+    readonly error$: import("rxjs").Observable<Error>;
     /** Current token */
     readonly token: import("../../signals/api.js").WritableSignal<TokenPayload<AdditionalTokenPayload> | undefined>;
     /** Current raw token */
@@ -58,23 +57,23 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     /** Whether the user is impersonated */
     readonly impersonated: import("../../signals/api.js").Signal<boolean>;
     /** Current token */
-    readonly token$: Observable<TokenPayload<AdditionalTokenPayload> | undefined>;
+    readonly token$: import("rxjs").Observable<TokenPayload<AdditionalTokenPayload> | undefined>;
     /** Emits when token is available (not undefined) */
-    readonly definedToken$: Observable<Exclude<TokenPayload<AdditionalTokenPayload>, void | undefined>>;
+    readonly definedToken$: import("rxjs").Observable<Exclude<TokenPayload<AdditionalTokenPayload>, void | undefined>>;
     /** Emits when a valid token is available (not undefined and not expired) */
-    readonly validToken$: Observable<Exclude<TokenPayload<AdditionalTokenPayload>, void | undefined>>;
+    readonly validToken$: import("rxjs").Observable<Exclude<TokenPayload<AdditionalTokenPayload>, void | undefined>>;
     /** Current subject */
-    readonly subjectId$: Observable<string | undefined>;
+    readonly subjectId$: import("rxjs").Observable<string | undefined>;
     /** Emits when subject is available */
-    readonly definedSubjectId$: Observable<string>;
+    readonly definedSubjectId$: import("rxjs").Observable<string>;
     /** Current session id */
-    readonly sessionId$: Observable<string | undefined>;
+    readonly sessionId$: import("rxjs").Observable<string | undefined>;
     /** Emits when session id is available */
-    readonly definedSessionId$: Observable<string>;
+    readonly definedSessionId$: import("rxjs").Observable<string>;
     /** Whether the user is logged in */
-    readonly isLoggedIn$: Observable<boolean>;
+    readonly isLoggedIn$: import("rxjs").Observable<boolean>;
     /** Emits when the user logs out */
-    readonly loggedOut$: Observable<void>;
+    readonly loggedOut$: import("rxjs").Observable<void>;
     private get authenticationData();
     private set authenticationData(value);
     private get impersonatorAuthenticationData();
@@ -128,8 +127,9 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
      * @param subjectInput The subject to login with
      * @param secret The secret to login with
      * @param data Additional authentication data
+     * @param remember Whether to remember the session
      */
-    login(subjectInput: SubjectInput, secret: string, data?: AuthenticationData): Promise<void>;
+    login(subjectInput: SubjectInput, secret: string, data?: AuthenticationData, remember?: boolean): Promise<void>;
     /**
      * Logout from the current session.
      * This will attempt to end the session on the server and then clear local credentials.

package/authentication/client/authentication.service.js

@@ -7,7 +7,7 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-import { Subject, filter, firstValueFrom, from, map, race, skip, takeUntil, timer } from 'rxjs';
+import { Subject, filter, firstValueFrom, from, race, skip, takeUntil, timer } from 'rxjs';
 import { CancellationSignal } from '../../cancellation/token.js';
 import { BadRequestError } from '../../errors/bad-request.error.js';
 import { ForbiddenError } from '../../errors/forbidden.error.js';
@@ -220,13 +220,14 @@ let AuthenticationClientService = class AuthenticationClientService {
      * @param subjectInput The subject to login with
      * @param secret The secret to login with
      * @param data Additional authentication data
+     * @param remember Whether to remember the session
      */
-    async login(subjectInput, secret, data) {
+    async login(subjectInput, secret, data, remember = false) {
         if (isDefined(data)) {
             this.setAdditionalData(data);
         }
         const [token] = await Promise.all([
-            this.client.login({ tenantId: subjectInput.tenantId, subject: subjectInput.subject, secret, data: this.authenticationData }),
+            this.client.login({ tenantId: subjectInput.tenantId, subject: subjectInput.subject, secret, remember, data: this.authenticationData }),
             this.syncClock(),
         ]);
         this.setNewToken(token);
@@ -398,76 +399,60 @@ let AuthenticationClientService = class AuthenticationClientService {
         if (this.isLoggedIn()) {
             await this.syncClock();
         }
+        // Helper to sleep until the delay passes OR a vital state change occurs
+        const waitForNextAction = async (delayMs, referenceExp) => await firstValueFrom(race([
+            timer(Math.max(10, delayMs)),
+            from(this.disposeSignal),
+            this.token$.pipe(filter((t) => t?.exp !== referenceExp)),
+            this.forceRefreshRequested$.pipe(filter(Boolean), 
+            // Skip the current value if already true to prevent infinite tight loops
+            skip(this.forceRefreshRequested() ? 1 : 0)),
+        ]), { defaultValue: undefined });
         while (this.disposeSignal.isUnset) {
-            const iterationToken = this.token();
+            const token = this.token();
+            // 1. Wait for login/token if none is present
+            if (isUndefined(token)) {
+                await firstValueFrom(race([this.definedToken$, from(this.disposeSignal)]), { defaultValue: undefined });
+                continue;
+            }
             try {
-                const token = iterationToken;
-                if (isUndefined(token)) {
-                    // Wait for login or dispose.
-                    // We ignore forceRefreshToken here because we can't refresh without a token.
-                    await firstValueFrom(race([this.definedToken$, from(this.disposeSignal)]), { defaultValue: undefined });
-                    continue;
-                }
                 const now = this.estimatedServerTimestampSeconds();
-                const forceRefresh = this.forceRefreshRequested();
-                const refreshBufferSeconds = calculateRefreshBufferSeconds(token);
-                const needsRefresh = forceRefresh || (now >= (token.exp - refreshBufferSeconds));
+                const buffer = calculateRefreshBufferSeconds(token);
+                const needsRefresh = this.forceRefreshRequested() || (now >= token.exp - buffer);
+                // 2. Handle token refresh
                 if (needsRefresh) {
                     const lockResult = await this.lock.tryUse(undefined, async () => {
                         const currentToken = this.token();
+                        if (isUndefined(currentToken)) {
+                            return;
+                        }
+                        // Passive Sync: Verify if refresh is still needed once lock is acquired
                         const currentNow = this.estimatedServerTimestampSeconds();
-                        const currentRefreshBufferSeconds = isDefined(currentToken) ? calculateRefreshBufferSeconds(currentToken) : 0;
-                        // Passive Sync: Check if another tab refreshed the token while we were waiting for the lock (or trying to get it)
-                        const stillNeedsRefresh = isDefined(currentToken) && (this.forceRefreshRequested() || (currentNow >= (currentToken.exp - currentRefreshBufferSeconds)));
+                        const currentBuffer = calculateRefreshBufferSeconds(currentToken);
+                        const stillNeedsRefresh = this.forceRefreshRequested() || (currentNow >= currentToken.exp - currentBuffer);
                         if (stillNeedsRefresh) {
                             await this.refresh();
                         }
-                        if (this.forceRefreshRequested() && (this.token()?.jti != currentToken?.jti)) {
-                            this.forceRefreshRequested.set(false);
-                        }
+                        this.forceRefreshRequested.set(false);
                     });
+                    // If lock is held by another instance/tab, wait briefly for it to finish (passive sync)
                     if (!lockResult.success) {
-                        // Lock held by another instance, wait 5 seconds or until token changes (Passive Sync)
-                        const changeReason = await firstValueFrom(race([
-                            timer(5000).pipe(map(() => 'timer')),
-                            this.token$.pipe(filter((t) => t?.jti != token.jti), map(() => 'token')),
-                            from(this.disposeSignal),
-                        ]), { defaultValue: undefined });
-                        if (changeReason == 'token') {
+                        await waitForNextAction(5000, token.exp);
+                        // If another tab successfully refreshed, the expiration will have changed
+                        if (this.token()?.exp !== token.exp) {
                             this.forceRefreshRequested.set(false);
                         }
-                        continue;
                     }
+                    continue; // Re-evaluate the loop with the newly refreshed (or synced) token
                 }
-                const currentToken = this.token();
-                if (isUndefined(currentToken)) {
-                    continue;
-                }
-                const currentRefreshBufferSeconds = calculateRefreshBufferSeconds(currentToken);
-                const delay = clamp((currentToken.exp - this.estimatedServerTimestampSeconds() - currentRefreshBufferSeconds) * millisecondsPerSecond, minRefreshDelay, maxRefreshDelay);
-                const wakeUpSignals = [
-                    from(this.disposeSignal),
-                    this.token$.pipe(filter((t) => t?.jti != currentToken.jti)),
-                ];
-                if (!forceRefresh) {
-                    wakeUpSignals.push(this.forceRefreshRequested$.pipe(filter((requested) => requested)));
-                }
-                if (delay > 0) {
-                    await firstValueFrom(race([timer(delay), ...wakeUpSignals]), { defaultValue: undefined });
-                }
-                else {
-                    await firstValueFrom(race([timer(2500), ...wakeUpSignals]), { defaultValue: undefined });
-                }
+                // 3. Calculate delay and sleep until the next scheduled refresh window
+                const timeUntilRefreshMs = (token.exp - this.estimatedServerTimestampSeconds() - buffer) * millisecondsPerSecond;
+                const delay = clamp(timeUntilRefreshMs, minRefreshDelay, maxRefreshDelay);
+                await waitForNextAction(delay, token.exp);
             }
             catch (error) {
                 this.logger.error(error);
-                const currentToken = this.token();
-                await firstValueFrom(race([
-                    timer(2500),
-                    from(this.disposeSignal),
-                    this.token$.pipe(filter((t) => t?.jti != currentToken?.jti)),
-                    this.forceRefreshRequested$.pipe(filter((requested) => requested), skip(this.forceRefreshRequested() ? 1 : 0)),
-                ]), { defaultValue: undefined });
+                await waitForNextAction(2500, token.exp);
             }
         }
     }

package/authentication/models/token.model.d.ts

@@ -26,6 +26,8 @@ export type RefreshToken = JwtToken<{
     impersonator?: string;
     /** The id of the session. */
     session: string;
+    /** Whether to remember the session. */
+    remember: boolean;
     /** The secret to use for refreshing the token. */
     secret: string;
 }>;

package/authentication/server/authentication.api-controller.d.ts

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/nursery/noExcessiveClassesPerFile: <explanation> */
 import type { ApiController, ApiRequestContext, ApiServerResult } from '../../api/types.js';
 import { HttpServerResponse } from '../../http/server/index.js';
 import type { ObjectSchemaOrType, SchemaTestable } from '../../schema/index.js';
@@ -71,7 +72,7 @@ export declare class AuthenticationApiController<AdditionalTokenPayload extends
      * @returns The current server timestamp in seconds.
      */
     timestamp(): ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'timestamp'>;
-    protected getTokenResponse({ token, jsonToken, refreshToken, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }: TokenResult<AdditionalTokenPayload>): HttpServerResponse;
+    protected getTokenResponse({ token, jsonToken, refreshToken, remember, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }: TokenResult<AdditionalTokenPayload>): HttpServerResponse;
 }
 /**
  * Get an authentication API controller.

package/authentication/server/authentication.api-controller.js

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/nursery/noExcessiveClassesPerFile: <explanation> */
 var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
     var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
     if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -8,7 +9,7 @@ import { apiController } from '../../api/server/index.js';
 import { HttpServerResponse } from '../../http/server/index.js';
 import { inject } from '../../injector/index.js';
 import { currentTimestampSeconds } from '../../utils/date-time.js';
-import { assertDefinedPass, isDefined } from '../../utils/type-guards.js';
+import { isDefined } from '../../utils/type-guards.js';
 import { authenticationApiDefinition, getAuthenticationApiDefinition } from '../authentication.api.js';
 import { AuthenticationService } from './authentication.service.js';
 import { tryGetAuthorizationTokenStringFromRequest } from './helper.js';
@@ -29,7 +30,7 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @returns The token result.
      */
     async login({ parameters, getAuditor }) {
-        const result = await this.authenticationService.login({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.secret, parameters.data, await getAuditor());
+        const result = await this.authenticationService.login({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.secret, parameters.data, await getAuditor(), parameters.remember);
         return this.getTokenResponse(result);
     }
     /**
@@ -140,7 +141,7 @@ let AuthenticationApiController = class AuthenticationApiController {
     timestamp() {
         return currentTimestampSeconds();
     }
-    getTokenResponse({ token, jsonToken, refreshToken, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }) {
+    getTokenResponse({ token, jsonToken, refreshToken, remember, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }) {
         const result = jsonToken.payload;
         const options = {
             headers: {
@@ -151,12 +152,12 @@ let AuthenticationApiController = class AuthenticationApiController {
                 authorization: {
                     value: `Bearer ${token}`,
                     ...cookieBaseOptions,
-                    expires: jsonToken.payload.exp * 1000,
+                    expires: remember ? (jsonToken.payload.exp * 1000) : undefined,
                 },
                 refreshToken: {
                     value: `Bearer ${refreshToken}`,
                     ...cookieBaseOptions,
-                    expires: jsonToken.payload.refreshTokenExp * 1000,
+                    expires: remember ? (jsonToken.payload.refreshTokenExp * 1000) : undefined,
                 },
             },
             body: {
@@ -168,7 +169,7 @@ let AuthenticationApiController = class AuthenticationApiController {
             options.cookies['impersonatorRefreshToken'] = {
                 value: `Bearer ${impersonatorRefreshToken}`,
                 ...cookieBaseOptions,
-                expires: assertDefinedPass(impersonatorRefreshTokenExpiration) * 1000,
+                expires: (remember && isDefined(impersonatorRefreshTokenExpiration)) ? (impersonatorRefreshTokenExpiration * 1000) : undefined,
             };
         }
         if (omitImpersonatorRefreshToken == true) {

package/authentication/server/authentication.audit.d.ts

@@ -2,6 +2,7 @@ import type { SubjectInput } from '../types.js';
 export type AuthenticationAuditEvents = {
     'login-success': {
         sessionId: string;
+        remember: boolean;
     };
     'login-failure': {
         subjectInput: SubjectInput;
@@ -12,6 +13,7 @@ export type AuthenticationAuditEvents = {
     };
     'refresh-success': {
         sessionId: string;
+        remember: boolean;
     };
     'refresh-failure': {
         reason: string;

package/authentication/server/authentication.service.d.ts

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/nursery/noExcessiveClassesPerFile: <explanation> */
 import { Auditor } from '../../audit/index.js';
 import { afterResolve, type AfterResolve } from '../../injector/index.js';
 import type { BinaryData, Record } from '../../types/index.js';
@@ -59,6 +60,12 @@ export declare class AuthenticationServiceOptions {
      * @default 5 days
      */
     refreshTokenTimeToLive?: number;
+    /**
+     * How long a refresh token is valid in milliseconds if "remember" is checked.
+     *
+     * @default 30 days
+     */
+    rememberRefreshTokenTimeToLive?: number;
     /**
      * How long a secret reset token is valid in milliseconds.
      *
@@ -97,6 +104,7 @@ export type TokenResult<AdditionalTokenPayload extends Record> = {
     token: string;
     jsonToken: Token<AdditionalTokenPayload>;
     refreshToken: string;
+    remember: boolean;
     omitImpersonatorRefreshToken?: boolean;
     impersonatorRefreshToken?: string;
     impersonatorRefreshTokenExpiration?: number;
@@ -161,6 +169,7 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
     private readonly tokenVersion;
     private readonly tokenTimeToLive;
     private readonly refreshTokenTimeToLive;
+    private readonly rememberRefreshTokenTimeToLive;
     private readonly secretResetTokenTimeToLive;
     private derivedTokenSigningSecret;
     private derivedRefreshTokenSigningSecret;
@@ -196,8 +205,9 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      * @param options Options for getting the token.
      * @returns The token result.
      */
-    getToken(subject: Subject, authenticationData: AuthenticationData, { impersonator }?: {
+    getToken(subject: Subject, authenticationData: AuthenticationData, { impersonator, remember }?: {
         impersonator?: string;
+        remember?: boolean;
     }): Promise<TokenResult<AdditionalTokenPayload>>;
     /**
      * Logs in a subject.
@@ -205,9 +215,10 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      * @param secret The secret to log in with.
      * @param data Additional authentication data.
      * @param auditor Auditor for auditing.
+     * @param remember Whether to remember the session.
      * @returns Token
      */
-    login(subjectInput: SubjectInput, secret: string, data: AuthenticationData, auditor: Auditor): Promise<TokenResult<AdditionalTokenPayload>>;
+    login(subjectInput: SubjectInput, secret: string, data: AuthenticationData, auditor: Auditor, remember?: boolean): Promise<TokenResult<AdditionalTokenPayload>>;
     /**
      * Ends a session.
      * @param sessionId The id of the session to end.
@@ -366,6 +377,7 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      */
     createRefreshToken(subject: Subject, sessionId: string, expirationTimestamp: number, options?: {
         impersonator?: string;
+        remember?: boolean;
     }): Promise<CreateRefreshTokenResult>;
     defaultResolveSubjects({ tenantId, subject }: {
         tenantId?: string;

package/authentication/server/authentication.service.js

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/nursery/noExcessiveClassesPerFile: <explanation> */
 var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
     var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
     if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -57,6 +58,12 @@ export class AuthenticationServiceOptions {
      * @default 5 days
      */
     refreshTokenTimeToLive;
+    /**
+     * How long a refresh token is valid in milliseconds if "remember" is checked.
+     *
+     * @default 30 days
+     */
+    rememberRefreshTokenTimeToLive;
     /**
      * How long a secret reset token is valid in milliseconds.
      *
@@ -120,6 +127,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
     tokenVersion = this.#options.version ?? 1;
     tokenTimeToLive = this.#options.tokenTimeToLive ?? (5 * millisecondsPerMinute);
     refreshTokenTimeToLive = this.#options.refreshTokenTimeToLive ?? (5 * millisecondsPerDay);
+    rememberRefreshTokenTimeToLive = this.#options.rememberRefreshTokenTimeToLive ?? (30 * millisecondsPerDay);
     secretResetTokenTimeToLive = this.#options.secretResetTokenTimeToLive ?? (10 * millisecondsPerMinute);
     derivedTokenSigningSecret;
     derivedRefreshTokenSigningSecret;
@@ -201,9 +209,10 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
      * @param options Options for getting the token.
      * @returns The token result.
      */
-    async getToken(subject, authenticationData, { impersonator } = {}) {
+    async getToken(subject, authenticationData, { impersonator, remember = false } = {}) {
         const now = currentTimestamp();
-        const end = now + this.refreshTokenTimeToLive;
+        const ttl = remember ? this.rememberRefreshTokenTimeToLive : this.refreshTokenTimeToLive;
+        const end = now + ttl;
         return await this.#sessionRepository.transaction(async (tx) => {
             const session = await this.#sessionRepository.withTransaction(tx).insert({
                 tenantId: subject.tenantId,
@@ -216,14 +225,14 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             });
             const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(subject, authenticationData, { action: GetTokenPayloadContextAction.GetToken });
             const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject, impersonator, sessionId: session.id, refreshTokenExpiration: end, timestamp: now });
-            const refreshToken = await this.createRefreshToken(subject, session.id, end, { impersonator });
+            const refreshToken = await this.createRefreshToken(subject, session.id, end, { impersonator, remember });
             await this.#sessionRepository.withTransaction(tx).update(session.id, {
                 end,
                 refreshTokenHashVersion: 1,
                 refreshTokenSalt: refreshToken.salt,
                 refreshTokenHash: refreshToken.hash,
             });
-            return { token, jsonToken, refreshToken: refreshToken.token };
+            return { token, jsonToken, refreshToken: refreshToken.token, remember };
         });
     }
     /**
@@ -232,9 +241,10 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
      * @param secret The secret to log in with.
      * @param data Additional authentication data.
      * @param auditor Auditor for auditing.
+     * @param remember Whether to remember the session.
      * @returns Token
      */
-    async login(subjectInput, secret, data, auditor) {
+    async login(subjectInput, secret, data, auditor, remember = false) {
         const authAuditor = auditor.fork(AuthenticationService_1.name);
         const authenticationResult = await this.authenticate(subjectInput, secret);
         if (!authenticationResult.success) {
@@ -249,7 +259,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             throw new InvalidCredentialsError();
         }
         await this.hooks.beforeLogin.trigger({ subject: authenticationResult.subject });
-        const token = await this.getToken(authenticationResult.subject, data);
+        const token = await this.getToken(authenticationResult.subject, data, { remember });
         await this.hooks.afterLogin.trigger({ subject: authenticationResult.subject });
         const sessionId = token.jsonToken.payload.session;
         await authAuditor.info('login-success', {
@@ -259,7 +269,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             targetId: authenticationResult.subject.id,
             targetType: 'User',
             network: { sessionId },
-            details: { sessionId },
+            details: { sessionId, remember },
         });
         return token;
     }
@@ -361,11 +371,13 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             }
             const now = currentTimestamp();
             const impersonator = (options.omitImpersonator == true) ? undefined : validatedRefreshToken.payload.impersonator;
-            const newEnd = now + this.refreshTokenTimeToLive;
+            const remember = validatedRefreshToken.payload.remember;
+            const ttl = remember ? this.rememberRefreshTokenTimeToLive : this.refreshTokenTimeToLive;
+            const newEnd = now + ttl;
             const subject = await this.#subjectRepository.loadByQuery({ tenantId: session.tenantId, id: session.subjectId });
             const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
             const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject, sessionId, refreshTokenExpiration: newEnd, impersonator, timestamp: now });
-            const newRefreshToken = await this.createRefreshToken(subject, sessionId, newEnd, { impersonator });
+            const newRefreshToken = await this.createRefreshToken(subject, sessionId, newEnd, { impersonator, remember });
             await this.#sessionRepository.update(sessionId, {
                 end: newEnd,
                 refreshTokenHashVersion: 1,
@@ -378,9 +390,9 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
                 actorType: ActorType.Subject,
                 targetId: session.subjectId,
                 targetType: 'User',
-                details: { sessionId },
+                details: { sessionId, remember },
             });
-            return { token, jsonToken, refreshToken: newRefreshToken.token, omitImpersonatorRefreshToken: options.omitImpersonator };
+            return { token, jsonToken, refreshToken: newRefreshToken.token, remember, omitImpersonatorRefreshToken: options.omitImpersonator };
         }
         catch (error) {
             await authAuditor.warn('refresh-failure', {
@@ -715,6 +727,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
                 tenant: subject.tenantId,
                 impersonator: options?.impersonator,
                 session: sessionId,
+                remember: options?.remember ?? false,
                 secret,
             },
         };

package/authentication/tests/remember.api.test.d.ts

@@ -0,0 +1 @@
+export {};

package/authentication/tests/remember.api.test.js

@@ -0,0 +1,109 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from 'vitest';
+import { Auditor } from '../../audit/index.js';
+import { HttpHeaders } from '../../http/index.js';
+import { HttpServerResponse } from '../../http/server/index.js';
+import { clearTenantData, setupIntegrationTest } from '../../testing/index.js';
+import { toArray } from '../../utils/array/array.js';
+import { AuthenticationApiController } from '../server/authentication.api-controller.js';
+import { AuthenticationService } from '../server/authentication.service.js';
+import { SubjectService } from '../server/subject.service.js';
+import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
+describe('AuthenticationApiController Remember Functionality', () => {
+    let injector;
+    let database;
+    let controller;
+    let authenticationService;
+    let subjectService;
+    let auditor;
+    const schema = 'authentication';
+    const tenantId = crypto.randomUUID();
+    beforeAll(async () => {
+        ({ injector, database } = await setupIntegrationTest({
+            modules: { authentication: true, audit: true, keyValueStore: true },
+            authenticationAncillaryService: DefaultAuthenticationAncillaryService,
+        }));
+        authenticationService = await injector.resolveAsync(AuthenticationService);
+        subjectService = await injector.resolveAsync(SubjectService);
+        auditor = injector.resolve(Auditor);
+        controller = injector.resolve(AuthenticationApiController);
+    });
+    afterAll(async () => {
+        await injector?.dispose();
+    });
+    beforeEach(async () => {
+        await clearTenantData(database, schema, ['credentials', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
+    });
+    test('login with remember: true should have Expires in cookies', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'api-rem@example.com', firstName: 'A', lastName: 'L' });
+        await authenticationService.setCredentials(user, 'Pass-R3m3mb3r-2026!');
+        const context = {
+            parameters: { tenantId, subject: user.id, secret: 'Pass-R3m3mb3r-2026!', remember: true, data: undefined },
+            getAuditor: async () => auditor,
+        };
+        const response = await controller.login(context);
+        expect(response).toBeInstanceOf(HttpServerResponse);
+        const setCookieHeaders = toArray(response.headers.tryGet('Set-Cookie') ?? []);
+        expect(setCookieHeaders).toHaveLength(2); // authorization and refreshToken
+        for (const cookie of setCookieHeaders) {
+            expect(cookie).toMatch(/Expires=/);
+        }
+    });
+    test('login with remember: false should NOT have Expires in cookies', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'api-no-rem@example.com', firstName: 'A', lastName: 'L' });
+        await authenticationService.setCredentials(user, 'Pass-R3m3mb3r-2026!');
+        const context = {
+            parameters: { tenantId, subject: user.id, secret: 'Pass-R3m3mb3r-2026!', remember: false, data: undefined },
+            getAuditor: async () => auditor,
+        };
+        const response = await controller.login(context);
+        const setCookieHeaders = toArray(response.headers.tryGet('Set-Cookie') ?? []);
+        for (const cookie of setCookieHeaders) {
+            expect(cookie).not.toMatch(/Expires=/);
+            expect(cookie).not.toMatch(/Max-Age=/);
+        }
+    });
+    test('refresh should propagate remember status to cookies', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'api-refresh-rem@example.com', firstName: 'A', lastName: 'L' });
+        await authenticationService.setCredentials(user, 'Pass-R3m3mb3r-2026!');
+        // 1. Login with remember: true
+        const loginResult = await authenticationService.login({ tenantId, subject: user.id }, 'Pass-R3m3mb3r-2026!', undefined, auditor, true);
+        // 2. Refresh
+        const context = {
+            request: {
+                headers: new HttpHeaders({
+                    'X-Refresh-Token': `Bearer ${loginResult.refreshToken}`
+                }),
+                cookies: {
+                    tryGet: () => undefined
+                }
+            },
+            parameters: { data: undefined },
+            getAuditor: async () => auditor,
+        };
+        const response = await controller.refresh(context);
+        const setCookieHeaders = toArray(response.headers.tryGet('Set-Cookie') ?? []);
+        for (const cookie of setCookieHeaders) {
+            expect(cookie).toMatch(/Expires=/);
+        }
+        // 3. Login with remember: false
+        const loginResultNoRem = await authenticationService.login({ tenantId, subject: user.id }, 'Pass-R3m3mb3r-2026!', undefined, auditor, false);
+        // 4. Refresh
+        const contextNoRem = {
+            request: {
+                headers: new HttpHeaders({
+                    'X-Refresh-Token': `Bearer ${loginResultNoRem.refreshToken}`
+                }),
+                cookies: {
+                    tryGet: () => undefined
+                }
+            },
+            parameters: { data: undefined },
+            getAuditor: async () => auditor,
+        };
+        const responseNoRem = await controller.refresh(contextNoRem);
+        const setCookieHeadersNoRem = toArray(responseNoRem.headers.tryGet('Set-Cookie') ?? []);
+        for (const cookie of setCookieHeadersNoRem) {
+            expect(cookie).not.toMatch(/Expires=/);
+        }
+    });
+});

package/authentication/tests/remember.service.test.d.ts

@@ -0,0 +1 @@
+export {};

package/authentication/tests/remember.service.test.js

@@ -0,0 +1,76 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from 'vitest';
+import { Auditor } from '../../audit/index.js';
+import { clearTenantData, setupIntegrationTest } from '../../testing/index.js';
+import { AuthenticationService } from '../server/authentication.service.js';
+import { getRefreshTokenFromString } from '../server/helper.js';
+import { SubjectService } from '../server/subject.service.js';
+import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
+describe('AuthenticationService Remember Functionality', () => {
+    let injector;
+    let database;
+    let authenticationService;
+    let subjectService;
+    let auditor;
+    const schema = 'authentication';
+    const tenantId = crypto.randomUUID();
+    beforeAll(async () => {
+        ({ injector, database } = await setupIntegrationTest({
+            modules: { authentication: true },
+            authenticationAncillaryService: DefaultAuthenticationAncillaryService,
+        }));
+        authenticationService = await injector.resolveAsync(AuthenticationService);
+        subjectService = await injector.resolveAsync(SubjectService);
+        auditor = injector.resolve(Auditor);
+    });
+    afterAll(async () => {
+        await injector?.dispose();
+    });
+    beforeEach(async () => {
+        await clearTenantData(database, schema, ['credentials', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
+    });
+    test('RefreshToken should contain remember flag', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'remember@example.com',
+            firstName: 'Rem',
+            lastName: 'Ember',
+        });
+        const tokenResult = await authenticationService.getToken(user, undefined, { remember: true });
+        const refreshToken = await getRefreshTokenFromString(tokenResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        expect(refreshToken.payload).toHaveProperty('remember', true);
+        expect(tokenResult.remember).toBe(true);
+    });
+    test('RefreshToken should respect remember flag for expiration', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'ttl@example.com', firstName: 'T', lastName: 'L' });
+        const normalResult = await authenticationService.getToken(user, undefined, { remember: false });
+        const rememberResult = await authenticationService.getToken(user, undefined, { remember: true });
+        const normalToken = await getRefreshTokenFromString(normalResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        const rememberToken = await getRefreshTokenFromString(rememberResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        expect(rememberToken.payload.exp).toBeGreaterThan(normalToken.payload.exp);
+    });
+    test('login should pass remember flag to getToken', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'login-rem@example.com', firstName: 'L', lastName: 'R' });
+        await authenticationService.setCredentials(user, 'Strong-Password-2026!');
+        const result = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor, true);
+        expect(result.remember).toBe(true);
+        const refreshToken = await getRefreshTokenFromString(result.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        expect(refreshToken.payload.remember).toBe(true);
+    });
+    test('refresh should propagate remember flag', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'refresh-rem@example.com', firstName: 'R', lastName: 'R' });
+        await authenticationService.setCredentials(user, 'Strong-Password-2026!');
+        const loginResult = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor, true);
+        expect(loginResult.remember).toBe(true);
+        const refreshResult = await authenticationService.refresh(loginResult.refreshToken, undefined, {}, auditor);
+        expect(refreshResult.remember).toBe(true);
+        const newRefreshToken = await getRefreshTokenFromString(refreshResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        expect(newRefreshToken.payload.remember).toBe(true);
+        // Verify it also works when not remembered
+        const loginResultNoRem = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor, false);
+        expect(loginResultNoRem.remember).toBe(false);
+        const refreshResultNoRem = await authenticationService.refresh(loginResultNoRem.refreshToken, undefined, {}, auditor);
+        expect(refreshResultNoRem.remember).toBe(false);
+        const newRefreshTokenNoRem = await getRefreshTokenFromString(refreshResultNoRem.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        expect(newRefreshTokenNoRem.payload.remember).toBe(false);
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tstdl/base",
-  "version": "0.93.150",
+  "version": "0.93.152",
   "author": "Patrick Hein",
   "publishConfig": {
     "access": "public"

package/schema/converters/open-api-converter.js

@@ -1,7 +1,7 @@
 import { NotSupportedError } from '../../errors/not-supported.error.js';
 import { filterUndefinedObjectProperties, fromEntries, hasOwnProperty, objectEntries } from '../../utils/object/object.js';
 import { isDefined, isNotNull, isNumber, isString } from '../../utils/type-guards.js';
-import { ArraySchema, BooleanSchema, DateSchema, DefaultSchema, EnumerationSchema, LiteralSchema, nullable, NullableSchema, NumberSchema, ObjectSchema, OptionalSchema, StringSchema, TransformSchema, Uint8ArraySchema, UnionSchema } from '../schemas/index.js';
+import { AnySchema, ArraySchema, BooleanSchema, DateSchema, DefaultSchema, EnumerationSchema, LiteralSchema, NullableSchema, NumberSchema, ObjectSchema, OptionalSchema, StringSchema, TransformSchema, Uint8ArraySchema, UnionSchema, UnknownSchema } from '../schemas/index.js';
 import { schemaTestableToSchema } from '../testable.js';
 export function convertToOpenApiSchema(testable) {
     const schema = schemaTestableToSchema(testable);
@@ -17,7 +17,7 @@ export function convertToOpenApiSchema(testable) {
 function convertToOpenApiSchemaBase(schema) {
     if (schema instanceof ObjectSchema) {
         const entries = objectEntries(schema.properties);
-        const convertedEntries = entries.map(([property, propertySchema]) => [property, convertToOpenApiSchema(stripOptional(propertySchema))]);
+        const convertedEntries = entries.map(([property, propertySchema]) => [property, convertToOpenApiSchema(propertySchema)]);
         const required = entries
             .filter(([, propertySchema]) => !(propertySchema instanceof OptionalSchema) && !((propertySchema instanceof NullableSchema) && (propertySchema.schema instanceof OptionalSchema)))
             .map(([property]) => property);
@@ -29,13 +29,13 @@ function convertToOpenApiSchemaBase(schema) {
             maxProperties: isNumber(schema.maximumPropertiesCount) ? schema.maximumPropertiesCount : undefined,
         });
     }
-    if (schema instanceof DefaultSchema) { // You'd need to import DefaultedSchema
+    if (schema instanceof DefaultSchema) {
         return {
             ...convertToOpenApiSchema(schema.schema),
             default: schema.defaultValue,
         };
     }
-    if (schema instanceof TransformSchema) { // You'd need to import TransformSchema
+    if (schema instanceof TransformSchema) {
         return convertToOpenApiSchema(schema.schema);
     }
     if (schema instanceof StringSchema) {
@@ -114,19 +114,16 @@ function convertToOpenApiSchemaBase(schema) {
             nullable: true,
         };
     }
+    if (schema instanceof OptionalSchema) {
+        return convertToOpenApiSchema(schema.schema);
+    }
     if (schema instanceof UnionSchema) {
         return {
             anyOf: schema.schemas.map((innerSchema) => convertToOpenApiSchema(innerSchema)),
         };
     }
-    throw new NotSupportedError(`Schema "${schema.name}" not supported.`);
-}
-function stripOptional(schema) {
-    if ((schema instanceof OptionalSchema)) {
-        return schema.schema;
-    }
-    if ((schema instanceof NullableSchema) && (schema.schema instanceof OptionalSchema)) {
-        return nullable(schema.schema.schema);
+    if ((schema instanceof AnySchema) || (schema instanceof UnknownSchema)) {
+        return {};
     }
-    return schema;
+    throw new NotSupportedError(`Schema "${schema.name}" not supported.`);
 }

package/testing/README.md

@@ -80,37 +80,48 @@ The `setupIntegrationTest` utility (found in `source/testing/integration-setup.t
 4.  **Schema Isolation**: Automatically creates and uses PostgreSQL schemas for isolation.
 5.  **Modules**: Optional configuration for `taskQueue`, `authentication`, `objectStorage`, `notification`, etc.
 
-Integration tests typically require an injection context to resolve services and repositories. You can use the `testInInjector` (or `itInInjector`) helper to automatically wrap your test body.
+### Injection Context: `testInInjector`
+
+Integration tests may require an injection context to resolve services and repositories. You can use the `testInInjector` (or `itInInjector`) helper to automatically wrap your test body.
 
 > [!IMPORTANT]
-> `testInInjector` is designed for test files where a **single injector** is shared across all tests (typically initialized in `beforeAll`). It accepts a `ValueOrProvider<Injector>`, allowing you to pass a getter function (e.g., `() => injector`) if the injector variable is initialized late.
+> `testInInjector` is **only required** for code that uses `inject()` or `injectRepository()` outside of a class constructor/initializer (e.g. ad-hoc repository injection in a test body).
 >
-> If your tests require a fresh injector per test case (e.g. `setupIntegrationTest` in `beforeEach`), you can still use `testInInjector` by passing a provider.
+> If you resolve your services in `beforeAll` or `beforeEach`, calling their methods usually does **not** require `testInInjector`.
+
+> [!TIP]
+> **Performance & Reusability**: For most integration tests, resolve services once in `beforeAll` and reuse the variables in your tests.
 
 ```typescript
-import { beforeAll, describe, expect } from 'vitest';
+import { beforeAll, describe, expect, test } from 'vitest';
 import { setupIntegrationTest, testInInjector } from '#/testing/index.js';
 import { MyService } from '../my-service.js';
 
 describe('MyService Integration', () => {
-  let injector;
+  let injector: Injector;
+  let myService: MyService;
 
   beforeAll(async () => {
-    // Setup with database and specific modules
     ({ injector } = await setupIntegrationTest({
       modules: { taskQueue: true },
-      orm: { schema: 'test_my_service' },
     }));
+
+    // Resolve reused services once
+    myService = injector.resolve(MyService);
   });
 
-  testInInjector('should process data through the database', injector, async () => {
-    const service = injector.resolve(MyService);
-    const result = await service.process();
+  // Calling methods on resolved services does NOT require testInInjector
+  test('should process data', async () => {
+    const result = await myService.process();
     expect(result.success).toBe(true);
   });
 
-  // Using a provider function to defer resolution of the 'injector' variable when using `beforeEach` for injector setup
-  testInInjector('should process data through the database', () => injector, async () => { ... });
+  // testInInjector is ONLY needed if you use inject() directly in the test body
+  testInInjector('should work with ad-hoc injection', () => injector, async () => {
+      const repo = injectRepository(SomeEntity);
+      // ...
+    },
+  );
 });
 ```