@tstdl/base 0.93.188 → 0.93.190

package/ai/genkit/multi-region.plugin.js

@@ -15,8 +15,9 @@ export function vertexAiMultiLocation(options) {
     const tokenLimitThreshold = options.tokenLimitThreshold ?? defaultTokenLimitThreshold;
     const locationConfigs = options.locations.map((location) => {
         const circuitBreakerNamespace = `genkit:vertex-ai:location`;
+        const tokenLimitCircuitBreakerNamespace = `genkit:vertex-ai:location-token-limit`;
         const resource = location;
-        const tokenLimitResource = `${location}:token-limit`;
+        const tokenLimitResource = location;
         return {
             location,
             resource,
@@ -26,7 +27,7 @@ export function vertexAiMultiLocation(options) {
                 resetTimeout: 30 * millisecondsPerSecond,
                 ...options.circuitBreakerConfig,
             }),
-            tokenLimitCircuitBreaker: options.circuitBreakerProvider.provide(circuitBreakerNamespace, {
+            tokenLimitCircuitBreaker: options.circuitBreakerProvider.provide(tokenLimitCircuitBreakerNamespace, {
                 threshold: 1,
                 resetTimeout: 15 * millisecondsPerMinute,
                 ...options.tokenLimitCircuitBreakerConfig,

package/authentication/client/authentication.service.d.ts

@@ -27,6 +27,7 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     private readonly logger;
     private readonly disposeSignal;
     private readonly forceRefreshRequested;
+    private readonly totpStatusReloadNotifier;
     private readonly forceRefreshSubject;
     private clockOffset;
     private initialized;
@@ -193,6 +194,10 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
      * @param newPassword The new password
      */
     resetPassword(token: string, newPassword: string): Promise<void>;
+    /**
+     * Reload TOTP status.
+     */
+    reloadTotpStatus(): void;
     /**
      * Initiate TOTP enrollment.
      * @returns The secret and URI for enrollment.

package/authentication/client/authentication.service.js

@@ -7,7 +7,7 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-import { Subject, filter, firstValueFrom, from, race, takeUntil, tap, timer } from 'rxjs';
+import { Subject, filter, firstValueFrom, from, race, takeUntil, timer } from 'rxjs';
 import { CancellationSignal } from '../../cancellation/token.js';
 import { BadRequestError } from '../../errors/bad-request.error.js';
 import { ForbiddenError } from '../../errors/forbidden.error.js';
@@ -22,7 +22,7 @@ import { Lock } from '../../lock/index.js';
 import { Logger } from '../../logger/index.js';
 import { MessageBus } from '../../message-bus/index.js';
 import { computed, signal, toObservable } from '../../signals/api.js';
-import { deriveAsync } from '../../signals/index.js';
+import { createNotifier, deriveAsync } from '../../signals/index.js';
 import { currentTimestampSeconds } from '../../utils/date-time.js';
 import { clamp } from '../../utils/math.js';
 import { timeout } from '../../utils/timing.js';
@@ -74,6 +74,7 @@ let AuthenticationClientService = class AuthenticationClientService {
     logger = inject(Logger, 'AuthenticationService');
     disposeSignal = inject(CancellationSignal).fork();
     forceRefreshRequested = signal(false);
+    totpStatusReloadNotifier = createNotifier();
     forceRefreshSubject = new Subject();
     clockOffset = 0;
     initialized = false;
@@ -107,6 +108,7 @@ let AuthenticationClientService = class AuthenticationClientService {
     /** Whether the user is impersonated */
     impersonated = computed(() => isDefined(this.impersonator()));
     totpStatus = deriveAsync(async () => {
+        this.totpStatusReloadNotifier.listen();
         const token = this.token();
         if (isUndefined(token)) {
             return undefined;
@@ -403,6 +405,12 @@ let AuthenticationClientService = class AuthenticationClientService {
     async resetPassword(token, newPassword) {
         await this.client.resetPassword({ token, newPassword });
     }
+    /**
+     * Reload TOTP status.
+     */
+    reloadTotpStatus() {
+        this.totpStatusReloadNotifier.notify();
+    }
     /**
      * Initiate TOTP enrollment.
      * @returns The secret and URI for enrollment.
@@ -416,7 +424,9 @@ let AuthenticationClientService = class AuthenticationClientService {
      * @returns The recovery codes.
      */
     async completeEnrollTotp(token) {
-        return await this.client.completeEnrollTotp({ token });
+        const result = await this.client.completeEnrollTotp({ token });
+        this.reloadTotpStatus();
+        return result;
     }
     /**
      * Disable TOTP.
@@ -424,6 +434,7 @@ let AuthenticationClientService = class AuthenticationClientService {
      */
     async disableTotp(token) {
         await this.client.disableTotp({ token });
+        this.reloadTotpStatus();
     }
     /**
      * Disable TOTP using a recovery code.
@@ -431,6 +442,7 @@ let AuthenticationClientService = class AuthenticationClientService {
      */
     async disableTotpWithRecoveryCode(recoveryCode) {
         await this.client.disableTotpWithRecoveryCode({ recoveryCode });
+        this.reloadTotpStatus();
     }
     /**
      * Regenerate recovery codes.
@@ -439,7 +451,9 @@ let AuthenticationClientService = class AuthenticationClientService {
      * @returns The new recovery codes.
      */
     async regenerateRecoveryCodes(token, options) {
-        return await this.client.regenerateRecoveryCodes({ token, ...options });
+        const result = await this.client.regenerateRecoveryCodes({ token, ...options });
+        this.reloadTotpStatus();
+        return result;
     }
     /**
      * Get TOTP activation status.
@@ -500,29 +514,23 @@ let AuthenticationClientService = class AuthenticationClientService {
         this.tokenUpdateBus.publishAndForget(token);
     }
     async refreshLoop() {
-        this.logger.trace('[refreshLoop] Starting refresh loop...');
         if (this.isLoggedIn()) {
-            this.logger.trace('[refreshLoop] User is logged in, syncing clock...');
             await this.syncClock();
         }
         // Helper to sleep until the delay passes OR a vital state change occurs
-        const waitForNextAction = async (delayMs) => {
-            this.logger.trace(`[waitForNextAction] Waiting ${delayMs}ms for next action...`);
-            return await firstValueFrom(race([
-                timer(Math.max(10, delayMs)).pipe(tap(() => this.logger.trace('[waitForNextAction] Timer expired'))),
-                from(this.disposeSignal).pipe(tap(() => this.logger.trace('[waitForNextAction] Dispose signal received'))),
-                this.tokenUpdateBus.allMessages$.pipe(tap(() => this.logger.trace('[waitForNextAction] Token update message received'))),
-                this.forceRefreshSubject.pipe(tap(() => this.logger.trace('[waitForNextAction] Force refresh requested'))),
-            ]), { defaultValue: undefined });
-        };
+        const waitForNextAction = async (delayMs) => await firstValueFrom(race([
+            timer(Math.max(10, delayMs)),
+            from(this.disposeSignal),
+            this.tokenUpdateBus.allMessages$,
+            this.forceRefreshSubject,
+        ]), { defaultValue: undefined });
         while (this.disposeSignal.isUnset) {
             const token = this.token();
             // 1. Wait for login/token if none is present
             if (isUndefined(token)) {
-                this.logger.trace('[refreshLoop] No token found, waiting for login...');
                 await firstValueFrom(race([
-                    this.definedToken$.pipe(tap(() => this.logger.trace('[refreshLoop] Token became defined'))),
-                    from(this.disposeSignal).pipe(tap(() => this.logger.trace('[refreshLoop] Dispose signal received'))),
+                    this.tokenUpdateBus.allMessages$.pipe(filter(isDefined)),
+                    from(this.disposeSignal),
                 ]), { defaultValue: undefined });
                 continue;
             }
@@ -530,16 +538,12 @@ let AuthenticationClientService = class AuthenticationClientService {
                 const now = this.estimatedServerTimestampSeconds();
                 const buffer = calculateRefreshBufferSeconds(token);
                 const needsRefresh = this.forceRefreshRequested() || (now >= token.exp - buffer);
-                this.logger.trace(`[refreshLoop] Checking token refresh status: now=${now}, exp=${token.exp}, buffer=${buffer}, needsRefresh=${needsRefresh}, force=${this.forceRefreshRequested()}`);
                 // 2. Handle token refresh
                 if (needsRefresh) {
-                    this.logger.trace('[refreshLoop] Attempting to acquire refresh lock...');
                     const lockResult = await this.lock.tryUse(undefined, async () => {
-                        this.logger.trace('[refreshLoop] Refresh lock acquired, evaluating if refresh is still needed...');
                         this.loadToken();
                         const currentToken = this.token();
                         if (isUndefined(currentToken)) {
-                            this.logger.trace('[refreshLoop] Token became undefined while waiting for lock, skipping refresh.');
                             return;
                         }
                         // Passive Sync: Verify if refresh is still needed once lock is acquired
@@ -547,24 +551,13 @@ let AuthenticationClientService = class AuthenticationClientService {
                         const currentBuffer = calculateRefreshBufferSeconds(currentToken);
                         const stillNeedsRefresh = this.forceRefreshRequested() || (currentNow >= currentToken.exp - currentBuffer);
                         if (stillNeedsRefresh) {
-                            this.logger.trace('[refreshLoop] Refresh is still needed, performing refresh...');
                             await this.refresh();
                             this.forceRefreshRequested.set(false);
-                            this.logger.trace('[refreshLoop] Refresh completed successfully.');
-                        }
-                        else {
-                            this.logger.trace('[refreshLoop] Token already refreshed by another instance, skipping.');
                         }
                     });
                     // If lock is held by another instance/tab, wait briefly for it to finish (passive sync)
                     if (!lockResult.success) {
-                        this.logger.trace('[refreshLoop] Refresh lock held by another instance, waiting 5000ms for passive sync...');
                         await waitForNextAction(5000);
-                        // If another tab successfully refreshed, the expiration will have changed
-                        if (this.token()?.exp !== token.exp) {
-                            this.logger.trace('[refreshLoop] Token refreshed by another instance (expiration changed), clearing force refresh flag.');
-                            this.forceRefreshRequested.set(false);
-                        }
                     }
                     // Protection against tight loops (e.g. if server clock is ahead and sync failed)
                     const newToken = this.token();
@@ -573,11 +566,10 @@ let AuthenticationClientService = class AuthenticationClientService {
                         const newBuffer = calculateRefreshBufferSeconds(newToken);
                         const stillNeedsRefresh = this.forceRefreshRequested() || (newNow >= newToken.exp - newBuffer);
                         if (stillNeedsRefresh) {
-                            this.logger.warn('[refreshLoop] Token still needs refresh after attempt. Waiting briefly to avoid tight loop.');
+                            this.logger.warn('Token still needs refresh after attempt. Waiting briefly to avoid tight loop.');
                             await waitForNextAction(refreshLoopTightLoopDelay);
                         }
                     }
-                    this.logger.trace('[refreshLoop] Completing refresh evaluation cycle, waiting 100ms...');
                     await waitForNextAction(100);
                     continue; // Re-evaluate the loop with the newly refreshed (or synced) token
                 }
@@ -585,19 +577,15 @@ let AuthenticationClientService = class AuthenticationClientService {
                 const timeUntilRefreshMs = (token.exp - this.estimatedServerTimestampSeconds() - buffer) * millisecondsPerSecond;
                 let delay = clamp(timeUntilRefreshMs, minRefreshDelay, maxRefreshDelay);
                 if (Number.isNaN(delay)) {
-                    this.logger.trace(`[refreshLoop] Calculated delay is NaN, using minRefreshDelay (${minRefreshDelay}ms)`);
                     delay = minRefreshDelay;
                 }
-                this.logger.trace(`[refreshLoop] Scheduling next refresh in ${delay}ms...`);
                 await waitForNextAction(delay);
             }
             catch (error) {
                 this.logger.error(error);
-                this.logger.trace(`[refreshLoop] Refresh loop encountered error, waiting ${refreshLoopTightLoopDelay}ms before retry...`);
                 await waitForNextAction(refreshLoopTightLoopDelay);
             }
         }
-        this.logger.trace('[refreshLoop] Refresh loop exited (dispose signal set).');
     }
     async handleRefreshError(error) {
         this.logger.error(error);

package/authentication/client/http-client.middleware.js

@@ -1,7 +1,6 @@
 import { firstValueFrom, race, timeout as rxjsTimeout } from 'rxjs';
 import { HttpError } from '../../http/index.js';
 import { supportsCookies } from '../../supports.js';
-import { timeout } from '../../utils/timing.js';
 import { isDefined } from '../../utils/type-guards.js';
 import { cacheValueOrAsyncProvider } from '../../utils/value-or-provider.js';
 import { dontWaitForValidToken } from '../authentication.api.js';
@@ -19,15 +18,13 @@ export function waitForAuthenticationMiddleware(authenticationServiceOrProvider)
             while (!authenticationService.hasValidToken && authenticationService.isLoggedIn()) {
                 const race$ = race([
                     authenticationService.validToken$,
+                    authenticationService.loggedOut$,
                     request.cancellationSignal,
                 ]);
                 await firstValueFrom(race$.pipe(rxjsTimeout(30000))).catch(() => undefined);
-                if (request.cancellationSignal.isSet) {
+                if (request.cancellationSignal.isSet || !authenticationService.isLoggedIn()) {
                     break;
                 }
-                if (!authenticationService.hasValidToken && authenticationService.isLoggedIn()) {
-                    await timeout(100);
-                }
             }
         }
         await next();

package/authentication/models/totp-results.model.d.ts

@@ -8,4 +8,5 @@ export declare class TotpRecoveryCodesResult {
 }
 export declare class TotpStatusResult {
     active: boolean;
+    remainingRecoveryCodes: number | null;
 }

package/authentication/models/totp-results.model.js

@@ -8,7 +8,7 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-import { Array, BooleanProperty, StringProperty } from '../../schema/index.js';
+import { Array, BooleanProperty, NumberProperty, StringProperty } from '../../schema/index.js';
 export class TotpEnrollmentInitResult {
     secret;
     uri;
@@ -30,8 +30,13 @@ __decorate([
 ], TotpRecoveryCodesResult.prototype, "recoveryCodes", void 0);
 export class TotpStatusResult {
     active;
+    remainingRecoveryCodes;
 }
 __decorate([
     BooleanProperty(),
     __metadata("design:type", Boolean)
 ], TotpStatusResult.prototype, "active", void 0);
+__decorate([
+    NumberProperty({ nullable: true }),
+    __metadata("design:type", Object)
+], TotpStatusResult.prototype, "remainingRecoveryCodes", void 0);

package/authentication/server/authentication.service.js

@@ -864,8 +864,13 @@ let AuthenticationService = AuthenticationService_1 = class AuthenticationServic
     }
     async getTotpStatus(tenantId, subjectId) {
         const totp = await this.tryGetTotp(tenantId, subjectId);
+        const active = totp?.status == TotpStatus.Active;
+        const remainingRecoveryCodes = active
+            ? await this.#totpRecoveryCodeRepository.countByQuery({ tenantId, totpId: totp.id, usedTimestamp: null })
+            : null;
         return {
-            active: totp?.status == TotpStatus.Active,
+            active,
+            remainingRecoveryCodes,
         };
     }
     async initEnrollTotp(tenantId, subjectId, auditor) {

package/cryptography/totp.d.ts

@@ -75,10 +75,11 @@ export declare function generateTotpUri(encodedSecret: string, accountName: stri
 /**
  * Generates a set of random recovery codes.
  * @param count The number of codes to generate. Defaults to 10.
- * @param length The length of each code. Defaults to 8.
+ * @param length The length of each code. Defaults to 12.
  * @returns An array of generated recovery codes.
  */
 export declare function generateTotpRecoveryCodes(count?: number, length?: number): string[];
+export declare function generateTotpRecoveryCode(length?: number): string;
 /**
  * Hashes a recovery code.
  * @param code The recovery code to hash.

package/cryptography/totp.js

@@ -1,5 +1,6 @@
 /** biome-ignore-all lint/suspicious/noBitwiseOperators: ok */
 import { Alphabet } from '../utils/alphabet.js';
+import { createArray } from '../utils/array/array.js';
 import { encodeBase32 } from '../utils/base32.js';
 import { currentTimestampSeconds } from '../utils/date-time.js';
 import { encodeUtf8 } from '../utils/encoding.js';
@@ -88,15 +89,21 @@ export function generateTotpUri(encodedSecret, accountName, issuer, options) {
 /**
  * Generates a set of random recovery codes.
  * @param count The number of codes to generate. Defaults to 10.
- * @param length The length of each code. Defaults to 8.
+ * @param length The length of each code. Defaults to 12.
  * @returns An array of generated recovery codes.
  */
-export function generateTotpRecoveryCodes(count = 10, length = 8) {
-    const codes = [];
-    for (let i = 0; i < count; i++) {
-        codes.push(getRandomString(length, Alphabet.Base32));
+export function generateTotpRecoveryCodes(count = 10, length = 12) {
+    return createArray(count, () => generateTotpRecoveryCode(length));
+}
+export function generateTotpRecoveryCode(length = 12) {
+    const code = getRandomString(length, Alphabet.Base32);
+    if (length % 4 == 0) {
+        return code.match(/.{1,4}/g).join('-');
+    }
+    if (length % 6 == 0) {
+        return code.match(/.{1,6}/g).join('-');
     }
-    return codes;
+    return code;
 }
 /**
  * Hashes a recovery code.
@@ -106,7 +113,8 @@ export function generateTotpRecoveryCodes(count = 10, length = 8) {
  */
 export async function hashTotpRecoveryCode(code, options) {
     const { length, algorithm } = options;
-    const keyMaterial = encodeUtf8(code);
+    const normalizedCode = code.replace(/[-\s]/g, '').toUpperCase();
+    const keyMaterial = encodeUtf8(normalizedCode);
     const key = await importKey('raw-secret', keyMaterial, algorithm, false, ['deriveBits']);
     return await deriveBytes(algorithm, key, length);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tstdl/base",
-  "version": "0.93.188",
+  "version": "0.93.190",
   "author": "Patrick Hein",
   "publishConfig": {
     "access": "public"

package/signals/notifier.js

@@ -1,13 +1,16 @@
 import { computed, signal } from './api.js';
 export function createNotifier() {
     const sourceSignal = signal(0);
-    const notifier = {
+    return {
         listen: sourceSignal.asReadonly(),
-        notify: () => sourceSignal.update((v) => v + 1),
-        computed: (computation, options) => computed(() => {
-            notifier.listen();
-            return computation();
-        }, options)
+        notify() {
+            sourceSignal.update((v) => v + 1);
+        },
+        computed(computation, options) {
+            return computed(() => {
+                sourceSignal();
+                return computation();
+            }, options);
+        },
     };
-    return notifier;
 }