npm - @tstdl/base - Versions diffs - 0.93.174 → 0.93.175 - Mend

@tstdl/base 0.93.174 → 0.93.175

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/authentication/client/authentication.service.js CHANGED Viewed

@@ -421,6 +421,7 @@ let AuthenticationClientService = class AuthenticationClientService {
                 // 2. Handle token refresh
                 if (needsRefresh) {
                     const lockResult = await this.lock.tryUse(undefined, async () => {
+                        this.loadToken();
                         const currentToken = this.token();
                         if (isUndefined(currentToken)) {
                             return;
@@ -442,6 +443,18 @@ let AuthenticationClientService = class AuthenticationClientService {
                             this.forceRefreshRequested.set(false);
                         }
                     }
+                    // Protection against tight loops (e.g. if server clock is ahead and sync failed)
+                    const newToken = this.token();
+                    if (isDefined(newToken)) {
+                        const newNow = this.estimatedServerTimestampSeconds();
+                        const newBuffer = calculateRefreshBufferSeconds(newToken);
+                        const stillNeedsRefresh = this.forceRefreshRequested() || (newNow >= newToken.exp - newBuffer);
+                        if (stillNeedsRefresh) {
+                            this.logger.warn('Token still needs refresh after attempt. Waiting for minRefreshDelay to avoid tight loop.');
+                            await waitForNextAction(minRefreshDelay, newToken.exp);
+                        }
+                    }
+                    await waitForNextAction(100, newToken?.exp);
                     continue; // Re-evaluate the loop with the newly refreshed (or synced) token
                 }
                 // 3. Calculate delay and sleep until the next scheduled refresh window

package/authentication/server/authentication.service.d.ts CHANGED Viewed

@@ -57,7 +57,7 @@ export declare class AuthenticationServiceOptions {
     /**
      * How long a refresh token is valid in milliseconds. Implies session time to live.
      *
-     * @default 1 hour
+     * @default 6 hours
      */
     refreshTokenTimeToLive?: number;
     /**

package/authentication/server/authentication.service.js CHANGED Viewed

@@ -55,7 +55,7 @@ export class AuthenticationServiceOptions {
     /**
      * How long a refresh token is valid in milliseconds. Implies session time to live.
      *
-     * @default 1 hour
+     * @default 6 hours
      */
     refreshTokenTimeToLive;
     /**
@@ -126,7 +126,7 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
     };
     tokenVersion = this.#options.version ?? 1;
     tokenTimeToLive = this.#options.tokenTimeToLive ?? (5 * millisecondsPerMinute);
-    refreshTokenTimeToLive = this.#options.refreshTokenTimeToLive ?? (1 * millisecondsPerHour);
+    refreshTokenTimeToLive = this.#options.refreshTokenTimeToLive ?? (6 * millisecondsPerHour);
     rememberRefreshTokenTimeToLive = this.#options.rememberRefreshTokenTimeToLive ?? (30 * millisecondsPerDay);
     secretResetTokenTimeToLive = this.#options.secretResetTokenTimeToLive ?? (10 * millisecondsPerMinute);
     derivedTokenSigningSecret;

package/authentication/tests/authentication.client-service-refresh.test.js CHANGED Viewed

@@ -130,4 +130,23 @@ describe('AuthenticationClientService Refresh Loop Reproduction', () => {
         await service.refresh();
         expect(mockApiClient.timestamp).toHaveBeenCalled();
     });
+    test('Cross-tab Sync: should not refresh if another tab already did (simulated via localStorage update)', async () => {
+        const now = Math.floor(Date.now() / 1000);
+        const initialToken = { iat: now - 3600, exp: now + 5, jti: 'initial' }; // Expiring soon
+        globalThis.localStorage.setItem('AuthenticationService:token', JSON.stringify(initialToken));
+        // 1. Mock lock behavior to simulate another tab refreshing while we wait for the lock
+        mockLock.tryUse.mockImplementation(async (_timeout, callback) => {
+            // Simulate another tab refreshing and updating localStorage
+            const newToken = { iat: now, exp: now + 3600, jti: 'refreshed-by-other-tab' };
+            globalThis.localStorage.setItem('AuthenticationService:token', JSON.stringify(newToken));
+            const result = await callback({ lost: false });
+            return { success: true, result };
+        });
+        service = injector.resolve(AuthenticationClientService);
+        // Wait for loop to run
+        await timeout(100);
+        // Should NOT have called refresh because loadToken() inside the lock updated the token
+        expect(mockApiClient.refresh).not.toHaveBeenCalled();
+        expect(service.token()?.jti).toBe('refreshed-by-other-tab');
+    });
 });

package/authentication/tests/authentication.refresh-busy-loop.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/authentication/tests/authentication.refresh-busy-loop.test.js ADDED Viewed

@@ -0,0 +1,84 @@
+import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
+import { AuthenticationClientService } from '../../authentication/client/authentication.service.js';
+import { AUTHENTICATION_API_CLIENT } from '../../authentication/client/tokens.js';
+import { CancellationSignal, CancellationToken } from '../../cancellation/token.js';
+import { Injector } from '../../injector/index.js';
+import { Lock } from '../../lock/index.js';
+import { Logger } from '../../logger/index.js';
+import { MessageBus } from '../../message-bus/index.js';
+import { configureDefaultSignalsImplementation } from '../../signals/implementation/configure.js';
+import { timeout } from '../../utils/timing.js';
+import { Subject } from 'rxjs';
+describe('AuthenticationClientService Refresh Busy Loop Prevention', () => {
+    let injector;
+    let service;
+    let mockApiClient;
+    let mockLock;
+    let mockMessageBus;
+    let mockLogger;
+    let disposeToken;
+    beforeEach(() => {
+        const storage = new Map();
+        globalThis.localStorage = {
+            getItem: vi.fn((key) => storage.get(key) ?? null),
+            setItem: vi.fn((key, value) => storage.set(key, value)),
+            removeItem: vi.fn((key) => storage.delete(key)),
+            clear: vi.fn(() => storage.clear()),
+        };
+        configureDefaultSignalsImplementation();
+        injector = new Injector('Test');
+        mockApiClient = {
+            login: vi.fn(),
+            refresh: vi.fn(),
+            timestamp: vi.fn().mockResolvedValue(1000), // Fixed timestamp
+            endSession: vi.fn().mockResolvedValue(undefined),
+        };
+        mockLock = {
+            tryUse: vi.fn(async (_timeout, callback) => {
+                const result = await callback({ lost: false });
+                return { success: true, result };
+            }),
+            use: vi.fn(async (_timeout, callback) => {
+                return await callback({ lost: false });
+            }),
+        };
+        mockMessageBus = {
+            publishAndForget: vi.fn(),
+            messages$: new Subject(),
+            dispose: vi.fn(),
+        };
+        mockLogger = {
+            error: vi.fn(),
+            warn: vi.fn(),
+            info: vi.fn(),
+            debug: vi.fn(),
+        };
+        injector.register(AUTHENTICATION_API_CLIENT, { useValue: mockApiClient });
+        injector.register(Lock, { useValue: mockLock });
+        injector.register(MessageBus, { useValue: mockMessageBus });
+        injector.register(Logger, { useValue: mockLogger });
+        disposeToken = new CancellationToken();
+        injector.register(CancellationSignal, { useValue: disposeToken.signal });
+    });
+    afterEach(async () => {
+        disposeToken.set();
+        await injector.dispose();
+    });
+    test('should not busy loop when refresh fails to produce a valid token', async () => {
+        // 1. Mock a token that is ALWAYS expired
+        // Server time is 1000. Token expires at 500.
+        const expiredToken = { iat: 0, exp: 500, jti: 'expired', session: 's', tenant: 't', subject: 'sub' };
+        globalThis.localStorage.setItem('AuthenticationService:token', JSON.stringify(expiredToken));
+        // refresh() will return the SAME expired token
+        mockApiClient.refresh.mockResolvedValue(expiredToken);
+        // 2. Start service
+        service = injector.resolve(AuthenticationClientService);
+        // 3. Wait a bit
+        // With 100ms mandatory yield + minRefreshDelay (1 min) protection, it should only try once or twice in 500ms
+        // WITHOUT protection, it would try thousands of times.
+        await timeout(500);
+        // It should have tried to refresh
+        expect(mockApiClient.refresh.mock.calls.length).toBeLessThan(5);
+        expect(mockLogger.warn).toHaveBeenCalledWith(expect.stringContaining('Token still needs refresh after attempt'));
+    });
+});

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@tstdl/base",
-  "version": "0.93.174",
+  "version": "0.93.175",
   "author": "Patrick Hein",
   "publishConfig": {
     "access": "public"