@tstdl/base 0.93.151 → 0.93.153

package/authentication/authentication.api.d.ts

@@ -30,6 +30,7 @@ export declare const authenticationApiDefinition: {
                 readonly tenantId: string | undefined;
                 readonly subject: string;
                 readonly secret: string;
+                readonly remember: boolean;
                 readonly data: undefined;
             }>;
             result: ObjectSchema<TokenPayload<import("type-fest").EmptyObject>>;
@@ -155,6 +156,7 @@ export declare function getAuthenticationApiDefinition<AdditionalTokenPayload ex
                 readonly tenantId: string | undefined;
                 readonly subject: string;
                 readonly secret: string;
+                readonly remember: boolean;
                 readonly data: AuthenticationData;
             }>;
             result: ObjectSchema<TokenPayload<AdditionalTokenPayload>>;
@@ -275,6 +277,7 @@ export declare function getAuthenticationApiEndpointsDefinition<AdditionalTokenP
             readonly tenantId: string | undefined;
             readonly subject: string;
             readonly secret: string;
+            readonly remember: boolean;
             readonly data: AuthenticationData;
         }>;
         result: ObjectSchema<TokenPayload<AdditionalTokenPayload>>;

package/authentication/authentication.api.js

@@ -1,5 +1,5 @@
 import { defineApi } from '../api/types.js';
-import { assign, emptyObjectSchema, explicitObject, literal, never, number, object, optional, string } from '../schema/index.js';
+import { assign, boolean, defaulted, emptyObjectSchema, explicitObject, literal, never, number, object, optional, string } from '../schema/index.js';
 import { SecretCheckResult } from './models/secret-check-result.model.js';
 import { TokenPayloadBase } from './models/token-payload-base.model.js';
 /**
@@ -51,6 +51,7 @@ export function getAuthenticationApiEndpointsDefinition(additionalTokenPayloadSc
                 tenantId: optional(string()),
                 subject: string(),
                 secret: string(),
+                remember: defaulted(boolean(), false),
                 data: authenticationDataSchema,
             }),
             result: tokenResultSchema,

package/authentication/client/authentication.service.d.ts

@@ -127,8 +127,9 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
      * @param subjectInput The subject to login with
      * @param secret The secret to login with
      * @param data Additional authentication data
+     * @param remember Whether to remember the session
      */
-    login(subjectInput: SubjectInput, secret: string, data?: AuthenticationData): Promise<void>;
+    login(subjectInput: SubjectInput, secret: string, data?: AuthenticationData, remember?: boolean): Promise<void>;
     /**
      * Logout from the current session.
      * This will attempt to end the session on the server and then clear local credentials.

package/authentication/client/authentication.service.js

@@ -220,13 +220,14 @@ let AuthenticationClientService = class AuthenticationClientService {
      * @param subjectInput The subject to login with
      * @param secret The secret to login with
      * @param data Additional authentication data
+     * @param remember Whether to remember the session
      */
-    async login(subjectInput, secret, data) {
+    async login(subjectInput, secret, data, remember = false) {
         if (isDefined(data)) {
             this.setAdditionalData(data);
         }
         const [token] = await Promise.all([
-            this.client.login({ tenantId: subjectInput.tenantId, subject: subjectInput.subject, secret, data: this.authenticationData }),
+            this.client.login({ tenantId: subjectInput.tenantId, subject: subjectInput.subject, secret, remember, data: this.authenticationData }),
             this.syncClock(),
         ]);
         this.setNewToken(token);

package/authentication/models/token.model.d.ts

@@ -26,6 +26,8 @@ export type RefreshToken = JwtToken<{
     impersonator?: string;
     /** The id of the session. */
     session: string;
+    /** Whether to remember the session. */
+    remember: boolean;
     /** The secret to use for refreshing the token. */
     secret: string;
 }>;

package/authentication/server/authentication.api-controller.d.ts

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/nursery/noExcessiveClassesPerFile: <explanation> */
 import type { ApiController, ApiRequestContext, ApiServerResult } from '../../api/types.js';
 import { HttpServerResponse } from '../../http/server/index.js';
 import type { ObjectSchemaOrType, SchemaTestable } from '../../schema/index.js';
@@ -71,7 +72,7 @@ export declare class AuthenticationApiController<AdditionalTokenPayload extends
      * @returns The current server timestamp in seconds.
      */
     timestamp(): ApiServerResult<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>, 'timestamp'>;
-    protected getTokenResponse({ token, jsonToken, refreshToken, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }: TokenResult<AdditionalTokenPayload>): HttpServerResponse;
+    protected getTokenResponse({ token, jsonToken, refreshToken, remember, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }: TokenResult<AdditionalTokenPayload>): HttpServerResponse;
 }
 /**
  * Get an authentication API controller.

package/authentication/server/authentication.api-controller.js

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/nursery/noExcessiveClassesPerFile: <explanation> */
 var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
     var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
     if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -8,7 +9,7 @@ import { apiController } from '../../api/server/index.js';
 import { HttpServerResponse } from '../../http/server/index.js';
 import { inject } from '../../injector/index.js';
 import { currentTimestampSeconds } from '../../utils/date-time.js';
-import { assertDefinedPass, isDefined } from '../../utils/type-guards.js';
+import { isDefined } from '../../utils/type-guards.js';
 import { authenticationApiDefinition, getAuthenticationApiDefinition } from '../authentication.api.js';
 import { AuthenticationService } from './authentication.service.js';
 import { tryGetAuthorizationTokenStringFromRequest } from './helper.js';
@@ -29,7 +30,7 @@ let AuthenticationApiController = class AuthenticationApiController {
      * @returns The token result.
      */
     async login({ parameters, getAuditor }) {
-        const result = await this.authenticationService.login({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.secret, parameters.data, await getAuditor());
+        const result = await this.authenticationService.login({ tenantId: parameters.tenantId, subject: parameters.subject }, parameters.secret, parameters.data, await getAuditor(), parameters.remember);
         return this.getTokenResponse(result);
     }
     /**
@@ -140,7 +141,7 @@ let AuthenticationApiController = class AuthenticationApiController {
     timestamp() {
         return currentTimestampSeconds();
     }
-    getTokenResponse({ token, jsonToken, refreshToken, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }) {
+    getTokenResponse({ token, jsonToken, refreshToken, remember, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }) {
         const result = jsonToken.payload;
         const options = {
             headers: {
@@ -151,12 +152,12 @@ let AuthenticationApiController = class AuthenticationApiController {
                 authorization: {
                     value: `Bearer ${token}`,
                     ...cookieBaseOptions,
-                    expires: jsonToken.payload.exp * 1000,
+                    expires: remember ? (jsonToken.payload.exp * 1000) : undefined,
                 },
                 refreshToken: {
                     value: `Bearer ${refreshToken}`,
                     ...cookieBaseOptions,
-                    expires: jsonToken.payload.refreshTokenExp * 1000,
+                    expires: remember ? (jsonToken.payload.refreshTokenExp * 1000) : undefined,
                 },
             },
             body: {
@@ -168,7 +169,7 @@ let AuthenticationApiController = class AuthenticationApiController {
             options.cookies['impersonatorRefreshToken'] = {
                 value: `Bearer ${impersonatorRefreshToken}`,
                 ...cookieBaseOptions,
-                expires: assertDefinedPass(impersonatorRefreshTokenExpiration) * 1000,
+                expires: (remember && isDefined(impersonatorRefreshTokenExpiration)) ? (impersonatorRefreshTokenExpiration * 1000) : undefined,
             };
         }
         if (omitImpersonatorRefreshToken == true) {

package/authentication/server/authentication.audit.d.ts

@@ -2,6 +2,7 @@ import type { SubjectInput } from '../types.js';
 export type AuthenticationAuditEvents = {
     'login-success': {
         sessionId: string;
+        remember: boolean;
     };
     'login-failure': {
         subjectInput: SubjectInput;
@@ -12,6 +13,7 @@ export type AuthenticationAuditEvents = {
     };
     'refresh-success': {
         sessionId: string;
+        remember: boolean;
     };
     'refresh-failure': {
         reason: string;

package/authentication/server/authentication.service.d.ts

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/nursery/noExcessiveClassesPerFile: <explanation> */
 import { Auditor } from '../../audit/index.js';
 import { afterResolve, type AfterResolve } from '../../injector/index.js';
 import type { BinaryData, Record } from '../../types/index.js';
@@ -56,9 +57,15 @@ export declare class AuthenticationServiceOptions {
     /**
      * How long a refresh token is valid in milliseconds. Implies session time to live.
      *
-     * @default 5 days
+     * @default 1 hour
      */
     refreshTokenTimeToLive?: number;
+    /**
+     * How long a refresh token is valid in milliseconds if "remember" is checked.
+     *
+     * @default 30 days
+     */
+    rememberRefreshTokenTimeToLive?: number;
     /**
      * How long a secret reset token is valid in milliseconds.
      *
@@ -97,6 +104,7 @@ export type TokenResult<AdditionalTokenPayload extends Record> = {
     token: string;
     jsonToken: Token<AdditionalTokenPayload>;
     refreshToken: string;
+    remember: boolean;
     omitImpersonatorRefreshToken?: boolean;
     impersonatorRefreshToken?: string;
     impersonatorRefreshTokenExpiration?: number;
@@ -161,6 +169,7 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
     private readonly tokenVersion;
     private readonly tokenTimeToLive;
     private readonly refreshTokenTimeToLive;
+    private readonly rememberRefreshTokenTimeToLive;
     private readonly secretResetTokenTimeToLive;
     private derivedTokenSigningSecret;
     private derivedRefreshTokenSigningSecret;
@@ -196,8 +205,9 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      * @param options Options for getting the token.
      * @returns The token result.
      */
-    getToken(subject: Subject, authenticationData: AuthenticationData, { impersonator }?: {
+    getToken(subject: Subject, authenticationData: AuthenticationData, { impersonator, remember }?: {
         impersonator?: string;
+        remember?: boolean;
     }): Promise<TokenResult<AdditionalTokenPayload>>;
     /**
      * Logs in a subject.
@@ -205,9 +215,10 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      * @param secret The secret to log in with.
      * @param data Additional authentication data.
      * @param auditor Auditor for auditing.
+     * @param remember Whether to remember the session.
      * @returns Token
      */
-    login(subjectInput: SubjectInput, secret: string, data: AuthenticationData, auditor: Auditor): Promise<TokenResult<AdditionalTokenPayload>>;
+    login(subjectInput: SubjectInput, secret: string, data: AuthenticationData, auditor: Auditor, remember?: boolean): Promise<TokenResult<AdditionalTokenPayload>>;
     /**
      * Ends a session.
      * @param sessionId The id of the session to end.
@@ -366,6 +377,7 @@ export declare class AuthenticationService<AdditionalTokenPayload extends Record
      */
     createRefreshToken(subject: Subject, sessionId: string, expirationTimestamp: number, options?: {
         impersonator?: string;
+        remember?: boolean;
     }): Promise<CreateRefreshTokenResult>;
     defaultResolveSubjects({ tenantId, subject }: {
         tenantId?: string;

package/authentication/server/authentication.service.js

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/nursery/noExcessiveClassesPerFile: <explanation> */
 var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
     var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
     if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -27,7 +28,7 @@ import { createJwtTokenString } from '../../utils/jwt.js';
 import { isUuid } from '../../utils/patterns.js';
 import { getRandomBytes, getRandomString } from '../../utils/random.js';
 import { isBinaryData, isDefined, isString, isUndefined } from '../../utils/type-guards.js';
-import { millisecondsPerDay, millisecondsPerMinute } from '../../utils/units.js';
+import { millisecondsPerDay, millisecondsPerHour, millisecondsPerMinute } from '../../utils/units.js';
 import { AuthenticationCredentials, AuthenticationSession, Subject, User } from '../models/index.js';
 import { AuthenticationAncillaryService, GetTokenPayloadContextAction } from './authentication-ancillary.service.js';
 import { AuthenticationSecretRequirementsValidator } from './authentication-secret-requirements.validator.js';
@@ -54,9 +55,15 @@ export class AuthenticationServiceOptions {
     /**
      * How long a refresh token is valid in milliseconds. Implies session time to live.
      *
-     * @default 5 days
+     * @default 1 hour
      */
     refreshTokenTimeToLive;
+    /**
+     * How long a refresh token is valid in milliseconds if "remember" is checked.
+     *
+     * @default 30 days
+     */
+    rememberRefreshTokenTimeToLive;
     /**
      * How long a secret reset token is valid in milliseconds.
      *
@@ -119,7 +126,8 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
     };
     tokenVersion = this.#options.version ?? 1;
     tokenTimeToLive = this.#options.tokenTimeToLive ?? (5 * millisecondsPerMinute);
-    refreshTokenTimeToLive = this.#options.refreshTokenTimeToLive ?? (5 * millisecondsPerDay);
+    refreshTokenTimeToLive = this.#options.refreshTokenTimeToLive ?? (1 * millisecondsPerHour);
+    rememberRefreshTokenTimeToLive = this.#options.rememberRefreshTokenTimeToLive ?? (30 * millisecondsPerDay);
     secretResetTokenTimeToLive = this.#options.secretResetTokenTimeToLive ?? (10 * millisecondsPerMinute);
     derivedTokenSigningSecret;
     derivedRefreshTokenSigningSecret;
@@ -201,9 +209,10 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
      * @param options Options for getting the token.
      * @returns The token result.
      */
-    async getToken(subject, authenticationData, { impersonator } = {}) {
+    async getToken(subject, authenticationData, { impersonator, remember = false } = {}) {
         const now = currentTimestamp();
-        const end = now + this.refreshTokenTimeToLive;
+        const ttl = remember ? this.rememberRefreshTokenTimeToLive : this.refreshTokenTimeToLive;
+        const end = now + ttl;
         return await this.#sessionRepository.transaction(async (tx) => {
             const session = await this.#sessionRepository.withTransaction(tx).insert({
                 tenantId: subject.tenantId,
@@ -216,14 +225,14 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             });
             const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(subject, authenticationData, { action: GetTokenPayloadContextAction.GetToken });
             const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject, impersonator, sessionId: session.id, refreshTokenExpiration: end, timestamp: now });
-            const refreshToken = await this.createRefreshToken(subject, session.id, end, { impersonator });
+            const refreshToken = await this.createRefreshToken(subject, session.id, end, { impersonator, remember });
             await this.#sessionRepository.withTransaction(tx).update(session.id, {
                 end,
                 refreshTokenHashVersion: 1,
                 refreshTokenSalt: refreshToken.salt,
                 refreshTokenHash: refreshToken.hash,
             });
-            return { token, jsonToken, refreshToken: refreshToken.token };
+            return { token, jsonToken, refreshToken: refreshToken.token, remember };
         });
     }
     /**
@@ -232,9 +241,10 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
      * @param secret The secret to log in with.
      * @param data Additional authentication data.
      * @param auditor Auditor for auditing.
+     * @param remember Whether to remember the session.
      * @returns Token
      */
-    async login(subjectInput, secret, data, auditor) {
+    async login(subjectInput, secret, data, auditor, remember = false) {
         const authAuditor = auditor.fork(AuthenticationService_1.name);
         const authenticationResult = await this.authenticate(subjectInput, secret);
         if (!authenticationResult.success) {
@@ -249,7 +259,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             throw new InvalidCredentialsError();
         }
         await this.hooks.beforeLogin.trigger({ subject: authenticationResult.subject });
-        const token = await this.getToken(authenticationResult.subject, data);
+        const token = await this.getToken(authenticationResult.subject, data, { remember });
         await this.hooks.afterLogin.trigger({ subject: authenticationResult.subject });
         const sessionId = token.jsonToken.payload.session;
         await authAuditor.info('login-success', {
@@ -259,7 +269,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             targetId: authenticationResult.subject.id,
             targetType: 'User',
             network: { sessionId },
-            details: { sessionId },
+            details: { sessionId, remember },
         });
         return token;
     }
@@ -361,11 +371,13 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
             }
             const now = currentTimestamp();
             const impersonator = (options.omitImpersonator == true) ? undefined : validatedRefreshToken.payload.impersonator;
-            const newEnd = now + this.refreshTokenTimeToLive;
+            const remember = validatedRefreshToken.payload.remember;
+            const ttl = remember ? this.rememberRefreshTokenTimeToLive : this.refreshTokenTimeToLive;
+            const newEnd = now + ttl;
             const subject = await this.#subjectRepository.loadByQuery({ tenantId: session.tenantId, id: session.subjectId });
             const tokenPayload = await this.#authenticationAncillaryService?.getTokenPayload(subject, authenticationData, { action: GetTokenPayloadContextAction.Refresh });
             const { token, jsonToken } = await this.createToken({ additionalTokenPayload: tokenPayload, subject, sessionId, refreshTokenExpiration: newEnd, impersonator, timestamp: now });
-            const newRefreshToken = await this.createRefreshToken(subject, sessionId, newEnd, { impersonator });
+            const newRefreshToken = await this.createRefreshToken(subject, sessionId, newEnd, { impersonator, remember });
             await this.#sessionRepository.update(sessionId, {
                 end: newEnd,
                 refreshTokenHashVersion: 1,
@@ -378,9 +390,9 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
                 actorType: ActorType.Subject,
                 targetId: session.subjectId,
                 targetType: 'User',
-                details: { sessionId },
+                details: { sessionId, remember },
             });
-            return { token, jsonToken, refreshToken: newRefreshToken.token, omitImpersonatorRefreshToken: options.omitImpersonator };
+            return { token, jsonToken, refreshToken: newRefreshToken.token, remember, omitImpersonatorRefreshToken: options.omitImpersonator };
         }
         catch (error) {
             await authAuditor.warn('refresh-failure', {
@@ -715,6 +727,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
                 tenant: subject.tenantId,
                 impersonator: options?.impersonator,
                 session: sessionId,
+                remember: options?.remember ?? false,
                 secret,
             },
         };

package/authentication/tests/remember.api.test.d.ts

@@ -0,0 +1 @@
+export {};

package/authentication/tests/remember.api.test.js

@@ -0,0 +1,109 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from 'vitest';
+import { Auditor } from '../../audit/index.js';
+import { HttpHeaders } from '../../http/index.js';
+import { HttpServerResponse } from '../../http/server/index.js';
+import { clearTenantData, setupIntegrationTest } from '../../testing/index.js';
+import { toArray } from '../../utils/array/array.js';
+import { AuthenticationApiController } from '../server/authentication.api-controller.js';
+import { AuthenticationService } from '../server/authentication.service.js';
+import { SubjectService } from '../server/subject.service.js';
+import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
+describe('AuthenticationApiController Remember Functionality', () => {
+    let injector;
+    let database;
+    let controller;
+    let authenticationService;
+    let subjectService;
+    let auditor;
+    const schema = 'authentication';
+    const tenantId = crypto.randomUUID();
+    beforeAll(async () => {
+        ({ injector, database } = await setupIntegrationTest({
+            modules: { authentication: true, audit: true, keyValueStore: true },
+            authenticationAncillaryService: DefaultAuthenticationAncillaryService,
+        }));
+        authenticationService = await injector.resolveAsync(AuthenticationService);
+        subjectService = await injector.resolveAsync(SubjectService);
+        auditor = injector.resolve(Auditor);
+        controller = injector.resolve(AuthenticationApiController);
+    });
+    afterAll(async () => {
+        await injector?.dispose();
+    });
+    beforeEach(async () => {
+        await clearTenantData(database, schema, ['credentials', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
+    });
+    test('login with remember: true should have Expires in cookies', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'api-rem@example.com', firstName: 'A', lastName: 'L' });
+        await authenticationService.setCredentials(user, 'Pass-R3m3mb3r-2026!');
+        const context = {
+            parameters: { tenantId, subject: user.id, secret: 'Pass-R3m3mb3r-2026!', remember: true, data: undefined },
+            getAuditor: async () => auditor,
+        };
+        const response = await controller.login(context);
+        expect(response).toBeInstanceOf(HttpServerResponse);
+        const setCookieHeaders = toArray(response.headers.tryGet('Set-Cookie') ?? []);
+        expect(setCookieHeaders).toHaveLength(2); // authorization and refreshToken
+        for (const cookie of setCookieHeaders) {
+            expect(cookie).toMatch(/Expires=/);
+        }
+    });
+    test('login with remember: false should NOT have Expires in cookies', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'api-no-rem@example.com', firstName: 'A', lastName: 'L' });
+        await authenticationService.setCredentials(user, 'Pass-R3m3mb3r-2026!');
+        const context = {
+            parameters: { tenantId, subject: user.id, secret: 'Pass-R3m3mb3r-2026!', remember: false, data: undefined },
+            getAuditor: async () => auditor,
+        };
+        const response = await controller.login(context);
+        const setCookieHeaders = toArray(response.headers.tryGet('Set-Cookie') ?? []);
+        for (const cookie of setCookieHeaders) {
+            expect(cookie).not.toMatch(/Expires=/);
+            expect(cookie).not.toMatch(/Max-Age=/);
+        }
+    });
+    test('refresh should propagate remember status to cookies', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'api-refresh-rem@example.com', firstName: 'A', lastName: 'L' });
+        await authenticationService.setCredentials(user, 'Pass-R3m3mb3r-2026!');
+        // 1. Login with remember: true
+        const loginResult = await authenticationService.login({ tenantId, subject: user.id }, 'Pass-R3m3mb3r-2026!', undefined, auditor, true);
+        // 2. Refresh
+        const context = {
+            request: {
+                headers: new HttpHeaders({
+                    'X-Refresh-Token': `Bearer ${loginResult.refreshToken}`
+                }),
+                cookies: {
+                    tryGet: () => undefined
+                }
+            },
+            parameters: { data: undefined },
+            getAuditor: async () => auditor,
+        };
+        const response = await controller.refresh(context);
+        const setCookieHeaders = toArray(response.headers.tryGet('Set-Cookie') ?? []);
+        for (const cookie of setCookieHeaders) {
+            expect(cookie).toMatch(/Expires=/);
+        }
+        // 3. Login with remember: false
+        const loginResultNoRem = await authenticationService.login({ tenantId, subject: user.id }, 'Pass-R3m3mb3r-2026!', undefined, auditor, false);
+        // 4. Refresh
+        const contextNoRem = {
+            request: {
+                headers: new HttpHeaders({
+                    'X-Refresh-Token': `Bearer ${loginResultNoRem.refreshToken}`
+                }),
+                cookies: {
+                    tryGet: () => undefined
+                }
+            },
+            parameters: { data: undefined },
+            getAuditor: async () => auditor,
+        };
+        const responseNoRem = await controller.refresh(contextNoRem);
+        const setCookieHeadersNoRem = toArray(responseNoRem.headers.tryGet('Set-Cookie') ?? []);
+        for (const cookie of setCookieHeadersNoRem) {
+            expect(cookie).not.toMatch(/Expires=/);
+        }
+    });
+});

package/authentication/tests/remember.service.test.d.ts

@@ -0,0 +1 @@
+export {};

package/authentication/tests/remember.service.test.js

@@ -0,0 +1,76 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from 'vitest';
+import { Auditor } from '../../audit/index.js';
+import { clearTenantData, setupIntegrationTest } from '../../testing/index.js';
+import { AuthenticationService } from '../server/authentication.service.js';
+import { getRefreshTokenFromString } from '../server/helper.js';
+import { SubjectService } from '../server/subject.service.js';
+import { DefaultAuthenticationAncillaryService } from './authentication.test-ancillary-service.js';
+describe('AuthenticationService Remember Functionality', () => {
+    let injector;
+    let database;
+    let authenticationService;
+    let subjectService;
+    let auditor;
+    const schema = 'authentication';
+    const tenantId = crypto.randomUUID();
+    beforeAll(async () => {
+        ({ injector, database } = await setupIntegrationTest({
+            modules: { authentication: true },
+            authenticationAncillaryService: DefaultAuthenticationAncillaryService,
+        }));
+        authenticationService = await injector.resolveAsync(AuthenticationService);
+        subjectService = await injector.resolveAsync(SubjectService);
+        auditor = injector.resolve(Auditor);
+    });
+    afterAll(async () => {
+        await injector?.dispose();
+    });
+    beforeEach(async () => {
+        await clearTenantData(database, schema, ['credentials', 'session', 'user', 'service_account', 'system_account', 'subject'], tenantId);
+    });
+    test('RefreshToken should contain remember flag', async () => {
+        const user = await subjectService.createUser({
+            tenantId,
+            email: 'remember@example.com',
+            firstName: 'Rem',
+            lastName: 'Ember',
+        });
+        const tokenResult = await authenticationService.getToken(user, undefined, { remember: true });
+        const refreshToken = await getRefreshTokenFromString(tokenResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        expect(refreshToken.payload).toHaveProperty('remember', true);
+        expect(tokenResult.remember).toBe(true);
+    });
+    test('RefreshToken should respect remember flag for expiration', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'ttl@example.com', firstName: 'T', lastName: 'L' });
+        const normalResult = await authenticationService.getToken(user, undefined, { remember: false });
+        const rememberResult = await authenticationService.getToken(user, undefined, { remember: true });
+        const normalToken = await getRefreshTokenFromString(normalResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        const rememberToken = await getRefreshTokenFromString(rememberResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        expect(rememberToken.payload.exp).toBeGreaterThan(normalToken.payload.exp);
+    });
+    test('login should pass remember flag to getToken', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'login-rem@example.com', firstName: 'L', lastName: 'R' });
+        await authenticationService.setCredentials(user, 'Strong-Password-2026!');
+        const result = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor, true);
+        expect(result.remember).toBe(true);
+        const refreshToken = await getRefreshTokenFromString(result.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        expect(refreshToken.payload.remember).toBe(true);
+    });
+    test('refresh should propagate remember flag', async () => {
+        const user = await subjectService.createUser({ tenantId, email: 'refresh-rem@example.com', firstName: 'R', lastName: 'R' });
+        await authenticationService.setCredentials(user, 'Strong-Password-2026!');
+        const loginResult = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor, true);
+        expect(loginResult.remember).toBe(true);
+        const refreshResult = await authenticationService.refresh(loginResult.refreshToken, undefined, {}, auditor);
+        expect(refreshResult.remember).toBe(true);
+        const newRefreshToken = await getRefreshTokenFromString(refreshResult.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        expect(newRefreshToken.payload.remember).toBe(true);
+        // Verify it also works when not remembered
+        const loginResultNoRem = await authenticationService.login({ tenantId, subject: user.id }, 'Strong-Password-2026!', undefined, auditor, false);
+        expect(loginResultNoRem.remember).toBe(false);
+        const refreshResultNoRem = await authenticationService.refresh(loginResultNoRem.refreshToken, undefined, {}, auditor);
+        expect(refreshResultNoRem.remember).toBe(false);
+        const newRefreshTokenNoRem = await getRefreshTokenFromString(refreshResultNoRem.refreshToken, authenticationService.derivedRefreshTokenSigningSecret);
+        expect(newRefreshTokenNoRem.payload.remember).toBe(false);
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tstdl/base",
-  "version": "0.93.151",
+  "version": "0.93.153",
   "author": "Patrick Hein",
   "publishConfig": {
     "access": "public"

package/serializer/handlers/error.d.ts

@@ -1,4 +1,6 @@
-type ErrorData = Pick<Error, 'name' | 'message' | 'stack'>;
+type ErrorData = Pick<Error, 'name' | 'message' | 'stack'> & {
+    cause?: ErrorData;
+};
 export declare function serializeError(error: Error): ErrorData;
 export declare function deserializeError(data: ErrorData): Error;
 export {};

package/serializer/handlers/error.js

@@ -1,9 +1,19 @@
+import { formatError } from '../../errors/format.js';
+import { isDefined, isError, isString } from '../../utils/type-guards.js';
 export function serializeError(error) {
-    return { name: error.name, message: error.message, stack: error.stack };
+    const cause = isError(error.cause)
+        ? serializeError(error.cause)
+        : isString(error.cause)
+            ? { name: 'Error', message: error.cause, stack: undefined }
+            : isDefined(error.cause)
+                ? { name: 'Error', message: formatError(error.cause), stack: undefined }
+                : undefined;
+    return { name: error.name, message: error.message, stack: error.stack, cause };
 }
 export function deserializeError(data) {
     const error = new Error(data.message);
     error.name = data.name;
     error.stack = data.stack;
+    error.cause = isDefined(data.cause) ? deserializeError(data.cause) : undefined;
     return error;
 }

package/task-queue/index.d.ts

@@ -2,4 +2,5 @@ export * from './enqueue-batch.js';
 export * from './provider.js';
 export * from './task-context.js';
 export * from './task-queue.js';
+export * from './task.error.js';
 export * from './types.js';

package/task-queue/index.js

@@ -2,4 +2,5 @@ export * from './enqueue-batch.js';
 export * from './provider.js';
 export * from './task-context.js';
 export * from './task-queue.js';
+export * from './task.error.js';
 export * from './types.js';

package/task-queue/postgres/task-queue.d.ts

@@ -103,7 +103,7 @@ export declare class PostgresTaskQueue<Definitions extends TaskDefinitionMap = T
         results?: TasksResults<Tasks>;
         transaction?: Transaction;
     }): Promise<void>;
-    fail(task: Task<Definitions>, error: unknown, options?: {
+    fail(task: Task<Definitions>, caughtError: unknown, options?: {
         fatal?: boolean;
         transaction?: Transaction;
     }): Promise<void>;

package/task-queue/postgres/task-queue.js

@@ -74,6 +74,7 @@ import { cancelableTimeout } from '../../utils/timing.js';
 import { isArray, isDefined, isNotNull, isNull, isNumber, isString, isUndefined } from '../../utils/type-guards.js';
 import { millisecondsPerMinute, millisecondsPerSecond } from '../../utils/units.js';
 import { defaultQueueConfig, queueableOrWaitableStatuses, queueableStatuses, TaskDependencyType, TaskQueue, TaskStatus, terminalStatuses } from '../task-queue.js';
+import { ensureTaskError } from '../task.error.js';
 import { PostgresTaskQueueModuleConfig } from './module.js';
 import { taskArchive as taskArchiveTable, taskDependency as taskDependencyTable, taskDependencyType, taskStatus, task as taskTable } from './schemas.js';
 import { PostgresTask, PostgresTaskArchive } from './task.model.js';
@@ -849,7 +850,8 @@ let PostgresTaskQueue = class PostgresTaskQueue extends TaskQueue {
             }
         });
     }
-    async fail(task, error, options) {
+    async fail(task, caughtError, options) {
+        const error = ensureTaskError(caughtError);
         const isRetryable = (options?.fatal != true) && (task.tries < this.maxTries);
         const nextStatus = isRetryable ? TaskStatus.Retrying : TaskStatus.Dead;
         const delay = isRetryable
@@ -883,7 +885,7 @@ let PostgresTaskQueue = class PostgresTaskQueue extends TaskQueue {
         }
         await this.#repository.useTransaction(options?.transaction, async (tx) => {
             const rows = tasks.map((task, index) => {
-                const error = errors[index];
+                const error = ensureTaskError(errors[index]);
                 const isRetryable = (task.tries < this.maxTries);
                 const nextStatus = isRetryable ? TaskStatus.Retrying : TaskStatus.Dead;
                 const delay = isRetryable

package/task-queue/task.error.d.ts

@@ -0,0 +1,7 @@
+import { CustomError, type CustomErrorOptions } from '../errors/custom.error.js';
+import type { TypedOmit } from '../types/types.js';
+export declare class TaskError extends CustomError {
+    static readonly errorName = "TaskError";
+    constructor(message: string, options?: TypedOmit<CustomErrorOptions, 'message' | 'cause'>);
+}
+export declare function ensureTaskError(error: unknown): Error;

package/task-queue/task.error.js

@@ -0,0 +1,18 @@
+import { CustomError } from '../errors/custom.error.js';
+import { formatError } from '../errors/format.js';
+import { isString } from '../utils/type-guards.js';
+export class TaskError extends CustomError {
+    static errorName = 'TaskError';
+    constructor(message, options) {
+        super({ message, ...options });
+    }
+}
+export function ensureTaskError(error) {
+    if (error instanceof Error) {
+        return error;
+    }
+    if (isString(error)) {
+        return new TaskError(error, undefined);
+    }
+    return new TaskError(`A task error occurred: ${formatError(error)}`);
+}

package/testing/README.md

@@ -80,37 +80,48 @@ The `setupIntegrationTest` utility (found in `source/testing/integration-setup.t
 4.  **Schema Isolation**: Automatically creates and uses PostgreSQL schemas for isolation.
 5.  **Modules**: Optional configuration for `taskQueue`, `authentication`, `objectStorage`, `notification`, etc.
 
-Integration tests typically require an injection context to resolve services and repositories. You can use the `testInInjector` (or `itInInjector`) helper to automatically wrap your test body.
+### Injection Context: `testInInjector`
+
+Integration tests may require an injection context to resolve services and repositories. You can use the `testInInjector` (or `itInInjector`) helper to automatically wrap your test body.
 
 > [!IMPORTANT]
-> `testInInjector` is designed for test files where a **single injector** is shared across all tests (typically initialized in `beforeAll`). It accepts a `ValueOrProvider<Injector>`, allowing you to pass a getter function (e.g., `() => injector`) if the injector variable is initialized late.
+> `testInInjector` is **only required** for code that uses `inject()` or `injectRepository()` outside of a class constructor/initializer (e.g. ad-hoc repository injection in a test body).
 >
-> If your tests require a fresh injector per test case (e.g. `setupIntegrationTest` in `beforeEach`), you can still use `testInInjector` by passing a provider.
+> If you resolve your services in `beforeAll` or `beforeEach`, calling their methods usually does **not** require `testInInjector`.
+
+> [!TIP]
+> **Performance & Reusability**: For most integration tests, resolve services once in `beforeAll` and reuse the variables in your tests.
 
 ```typescript
-import { beforeAll, describe, expect } from 'vitest';
+import { beforeAll, describe, expect, test } from 'vitest';
 import { setupIntegrationTest, testInInjector } from '#/testing/index.js';
 import { MyService } from '../my-service.js';
 
 describe('MyService Integration', () => {
-  let injector;
+  let injector: Injector;
+  let myService: MyService;
 
   beforeAll(async () => {
-    // Setup with database and specific modules
     ({ injector } = await setupIntegrationTest({
       modules: { taskQueue: true },
-      orm: { schema: 'test_my_service' },
     }));
+
+    // Resolve reused services once
+    myService = injector.resolve(MyService);
   });
 
-  testInInjector('should process data through the database', injector, async () => {
-    const service = injector.resolve(MyService);
-    const result = await service.process();
+  // Calling methods on resolved services does NOT require testInInjector
+  test('should process data', async () => {
+    const result = await myService.process();
     expect(result.success).toBe(true);
   });
 
-  // Using a provider function to defer resolution of the 'injector' variable when using `beforeEach` for injector setup
-  testInInjector('should process data through the database', () => injector, async () => { ... });
+  // testInInjector is ONLY needed if you use inject() directly in the test body
+  testInInjector('should work with ad-hoc injection', () => injector, async () => {
+      const repo = injectRepository(SomeEntity);
+      // ...
+    },
+  );
 });
 ```