@tstdl/base 0.93.87 → 0.93.90

package/authentication/client/authentication.service.js

@@ -8,7 +8,7 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 import { Subject, filter, firstValueFrom, race, timer } from 'rxjs';
-import { CancellationToken } from '../../cancellation/token.js';
+import { CancellationSignal, CancellationToken } from '../../cancellation/token.js';
 import { isNode } from '../../environment.js';
 import { BadRequestError } from '../../errors/bad-request.error.js';
 import { ForbiddenError } from '../../errors/forbidden.error.js';
@@ -28,6 +28,9 @@ import { assertDefinedPass, isDefined, isNullOrUndefined, isUndefined } from '..
 import { millisecondsPerSecond } from '../../utils/units.js';
 import { AUTHENTICATION_API_CLIENT, INITIAL_AUTHENTICATION_DATA } from './tokens.js';
 const tokenStorageKey = 'AuthenticationService:token';
+const rawTokenStorageKey = 'AuthenticationService:raw-token';
+const rawRefreshTokenStorageKey = 'AuthenticationService:raw-refresh-token';
+const rawImpersonatorRefreshTokenStorageKey = 'AuthenticationService:raw-impersonator-refresh-token';
 const authenticationDataStorageKey = 'AuthenticationService:authentication-data';
 const impersonatorAuthenticationDataStorageKey = 'AuthenticationService:impersonator-authentication-data';
 const tokenUpdateBusName = 'AuthenticationService:tokenUpdate';
@@ -67,8 +70,9 @@ let AuthenticationClientService = class AuthenticationClientService {
     forceRefreshToken = new CancellationToken();
     lock = inject(Lock, refreshLockResource);
     logger = inject(Logger, 'AuthenticationService');
-    disposeToken = new CancellationToken();
+    disposeToken = inject(CancellationSignal).createChild();
     clockOffset = 0;
+    refreshLoopPromise;
     /**
      * Observable for authentication errors.
      * Emits when a refresh fails.
@@ -76,6 +80,12 @@ let AuthenticationClientService = class AuthenticationClientService {
     error$ = this.errorSubject.asObservable();
     /** Current token */
     token = signal(undefined);
+    /** Current raw token */
+    rawToken = signal(undefined);
+    /** Current raw refresh token */
+    rawRefreshToken = signal(undefined);
+    /** Current raw impersonator refresh token */
+    rawImpersonatorRefreshToken = signal(undefined);
     /** Whether the user is logged in */
     isLoggedIn = computed(() => isDefined(this.token()));
     /** Current session id */
@@ -168,7 +178,7 @@ let AuthenticationClientService = class AuthenticationClientService {
     initialize() {
         this.loadToken();
         this.tokenUpdateBus.messages$.subscribe((token) => this.token.set(token));
-        void this.refreshLoop();
+        this.refreshLoopPromise = this.refreshLoop();
     }
     /** @internal */
     async [Symbol.asyncDispose]() {
@@ -180,6 +190,7 @@ let AuthenticationClientService = class AuthenticationClientService {
      */
     async dispose() {
         this.disposeToken.set();
+        await this.refreshLoopPromise;
         this.errorSubject.complete();
         await this.loggedOutBus.dispose();
         await this.tokenUpdateBus.dispose();
@@ -331,8 +342,33 @@ let AuthenticationClientService = class AuthenticationClientService {
     async checkSecret(secret) {
         return await this.client.checkSecret({ secret });
     }
+    /**
+     * Update raw tokens.
+     * @param token Raw token
+     * @param refreshToken Raw refresh token
+     * @param impersonatorRefreshToken Raw impersonator refresh token
+     */
+    updateRawTokens(token, refreshToken, impersonatorRefreshToken) {
+        if (isDefined(token)) {
+            this.rawToken.set(token);
+        }
+        if (isDefined(refreshToken)) {
+            this.rawRefreshToken.set(refreshToken);
+        }
+        if (isDefined(impersonatorRefreshToken)) {
+            this.rawImpersonatorRefreshToken.set(impersonatorRefreshToken);
+        }
+        if (isDefined(token) || isDefined(refreshToken) || isDefined(impersonatorRefreshToken)) {
+            this.saveToken(this.token(), this.rawToken(), this.rawRefreshToken(), this.rawImpersonatorRefreshToken());
+        }
+    }
     setNewToken(token) {
-        this.saveToken(token);
+        if (isUndefined(token)) {
+            this.rawToken.set(undefined);
+            this.rawRefreshToken.set(undefined);
+            this.rawImpersonatorRefreshToken.set(undefined);
+        }
+        this.saveToken(token, this.rawToken(), this.rawRefreshToken(), this.rawImpersonatorRefreshToken());
         this.token.set(token);
         this.tokenUpdateBus.publishAndForget(token);
     }
@@ -342,30 +378,44 @@ let AuthenticationClientService = class AuthenticationClientService {
         }
         while (this.disposeToken.isUnset) {
             try {
-                // Use a non-blocking lock to ensure only one tab/instance runs the refresh logic at a time.
-                await this.lock.tryUse(undefined, async () => await this.refreshLoopIteration());
-                // Calculate delay until the next refresh check.
-                // The buffer ensures we refresh *before* the token actually expires.
+                const token = this.token();
+                if (isUndefined(token)) {
+                    // Wait for login, dispose, or forced refresh
+                    await firstValueFrom(race([this.definedToken$, this.disposeToken, this.forceRefreshToken]));
+                    continue;
+                }
+                const now = this.estimatedServerTimestampSeconds();
+                const needsRefresh = this.forceRefreshToken.isSet || (now >= (token.exp - refreshBufferSeconds));
+                if (needsRefresh) {
+                    // Only take the lock when we actually intend to refresh.
+                    // Using tryUse(undefined, ...) ensures we try once and don't block if another instance is already refreshing.
+                    await this.lock.tryUse(undefined, async () => {
+                        // Re-check conditions inside the lock to avoid redundant refreshes if another instance just did it.
+                        const currentToken = this.token();
+                        const currentNow = this.estimatedServerTimestampSeconds();
+                        const stillNeedsRefresh = isDefined(currentToken) && (this.forceRefreshToken.isSet || (currentNow >= (currentToken.exp - refreshBufferSeconds)));
+                        if (stillNeedsRefresh) {
+                            this.forceRefreshToken.unset();
+                            await this.refresh();
+                        }
+                    });
+                }
                 const delay = ((this.token()?.exp ?? 0) - this.estimatedServerTimestampSeconds() - refreshBufferSeconds) * millisecondsPerSecond;
-                await firstValueFrom(race([timer(delay), this.disposeToken, this.forceRefreshToken]));
+                // Ensure delay is at least 0 to avoid tight loop, or wait longer if not logged in.
+                // If not logged in after refresh attempt (e.g. session invalidated), we wait for login.
+                if (isUndefined(this.token()) || (delay < 0)) {
+                    await firstValueFrom(race([this.definedToken$, this.disposeToken, this.forceRefreshToken, timer(5000)]));
+                }
+                else {
+                    await firstValueFrom(race([timer(delay), this.disposeToken, this.forceRefreshToken]));
+                }
             }
-            catch {
+            catch (error) {
+                this.logger.error(error);
                 await firstValueFrom(race([timer(5000), this.disposeToken, this.forceRefreshToken]));
             }
         }
     }
-    async refreshLoopIteration() {
-        // Wait for a token to be available or for the service to be disposed.
-        const token = await firstValueFrom(race([this.definedToken$, this.disposeToken]));
-        if (isUndefined(token)) {
-            return;
-        }
-        const needsRefresh = this.estimatedServerTimestampSeconds() >= (token.exp - refreshBufferSeconds);
-        if (this.forceRefreshToken.isSet || needsRefresh) {
-            this.forceRefreshToken.unset();
-            await this.refresh(); // Errors are caught by the outer loop
-        }
-    }
     async handleRefreshError(error) {
         this.logger.error(error);
         this.errorSubject.next(error);
@@ -386,12 +436,21 @@ let AuthenticationClientService = class AuthenticationClientService {
             this.clockOffset = 0;
         }
     }
-    saveToken(token) {
+    saveToken(token, rawToken, rawRefreshToken, rawImpersonatorRefreshToken) {
         this.writeToStorage(tokenStorageKey, token);
+        this.writeToStorage(rawTokenStorageKey, rawToken);
+        this.writeToStorage(rawRefreshTokenStorageKey, rawRefreshToken);
+        this.writeToStorage(rawImpersonatorRefreshTokenStorageKey, rawImpersonatorRefreshToken);
     }
     loadToken() {
         const token = this.readFromStorage(tokenStorageKey);
+        const rawToken = this.readFromStorage(rawTokenStorageKey);
+        const rawRefreshToken = this.readFromStorage(rawRefreshTokenStorageKey);
+        const rawImpersonatorRefreshToken = this.readFromStorage(rawImpersonatorRefreshTokenStorageKey);
         this.token.set(token);
+        this.rawToken.set(rawToken);
+        this.rawRefreshToken.set(rawRefreshToken);
+        this.rawImpersonatorRefreshToken.set(rawImpersonatorRefreshToken);
     }
     readFromStorage(key) {
         try {

package/authentication/client/http-client.middleware.d.ts

@@ -7,3 +7,9 @@ import type { AuthenticationClientService } from './authentication.service.js';
  * @returns A http client middleware.
  */
 export declare function waitForAuthenticationCredentialsMiddleware(authenticationServiceOrProvider: ValueOrAsyncProvider<AuthenticationClientService>): HttpClientMiddleware;
+/**
+ * A http client middleware that adds authentication tokens to outgoing requests and extracts them from incoming responses.
+ * @param authenticationServiceOrProvider The authentication service or a provider for it.
+ * @returns A http client middleware.
+ */
+export declare function authenticationMiddleware(authenticationServiceOrProvider: ValueOrAsyncProvider<AuthenticationClientService>): HttpClientMiddleware;

package/authentication/client/http-client.middleware.js

@@ -1,4 +1,5 @@
 import { firstValueFrom, timeout } from 'rxjs';
+import { isDefined } from '../../utils/type-guards.js';
 import { cacheValueOrAsyncProvider } from '../../utils/value-or-provider.js';
 import { dontWaitForValidToken } from '../authentication.api.js';
 /**
@@ -20,3 +21,38 @@ export function waitForAuthenticationCredentialsMiddleware(authenticationService
     }
     return waitForAuthenticationCredentialsMiddleware;
 }
+/**
+ * A http client middleware that adds authentication tokens to outgoing requests and extracts them from incoming responses.
+ * @param authenticationServiceOrProvider The authentication service or a provider for it.
+ * @returns A http client middleware.
+ */
+export function authenticationMiddleware(authenticationServiceOrProvider) {
+    const getAuthenticationService = cacheValueOrAsyncProvider(authenticationServiceOrProvider);
+    async function authenticationMiddleware(context, next) {
+        const { request } = context;
+        const authenticationService = await getAuthenticationService();
+        const rawToken = authenticationService.rawToken();
+        const rawRefreshToken = authenticationService.rawRefreshToken();
+        const rawImpersonatorRefreshToken = authenticationService.rawImpersonatorRefreshToken();
+        if (isDefined(rawToken)) {
+            request.headers.setIfMissing('Authorization', rawToken);
+        }
+        if (isDefined(rawRefreshToken)) {
+            request.headers.setIfMissing('X-Refresh-Token', rawRefreshToken);
+        }
+        if (isDefined(rawImpersonatorRefreshToken)) {
+            request.headers.setIfMissing('X-Impersonator-Refresh-Token', rawImpersonatorRefreshToken);
+        }
+        await next();
+        if (isDefined(context.response)) {
+            const { response } = context;
+            const responseToken = response.headers.tryGetSingle('X-Authorization');
+            const responseRefreshToken = response.headers.tryGetSingle('X-Refresh-Token');
+            const responseImpersonatorRefreshToken = response.headers.tryGetSingle('X-Impersonator-Refresh-Token');
+            if (isDefined(responseToken) || isDefined(responseRefreshToken) || isDefined(responseImpersonatorRefreshToken)) {
+                authenticationService.updateRawTokens(responseToken, responseRefreshToken, responseImpersonatorRefreshToken);
+            }
+        }
+    }
+    return authenticationMiddleware;
+}

package/authentication/client/module.js

@@ -3,7 +3,7 @@ import { getCurrentInjector } from '../../injector/inject.js';
 import { Injector } from '../../injector/injector.js';
 import { isDefined } from '../../utils/type-guards.js';
 import { AuthenticationClientService } from './authentication.service.js';
-import { waitForAuthenticationCredentialsMiddleware } from './http-client.middleware.js';
+import { authenticationMiddleware, waitForAuthenticationCredentialsMiddleware } from './http-client.middleware.js';
 import { AUTHENTICATION_API_CLIENT, INITIAL_AUTHENTICATION_DATA } from './tokens.js';
 /**
  * Configures authentication client services.
@@ -17,12 +17,18 @@ export function configureAuthenticationClient(config, injector = getCurrentInjec
     if (isDefined(config.initialAuthenticationData)) {
         (injector ?? Injector).register(INITIAL_AUTHENTICATION_DATA, { useValue: config.initialAuthenticationData });
     }
-    if (isDefined(config.registerMiddleware)) {
+    if (config.registerMiddleware == true) {
         (injector ?? Injector).register(HTTP_CLIENT_MIDDLEWARE, {
             useFactory(_, context) {
                 const authenticationService = context.resolve(AuthenticationClientService, undefined, { forwardRef: true, forwardRefTypeHint: 'object' });
                 return waitForAuthenticationCredentialsMiddleware(authenticationService);
             },
         }, { multi: true });
+        (injector ?? Injector).register(HTTP_CLIENT_MIDDLEWARE, {
+            useFactory(_, context) {
+                const authenticationService = context.resolve(AuthenticationClientService, undefined, { forwardRef: true, forwardRefTypeHint: 'object' });
+                return authenticationMiddleware(authenticationService);
+            },
+        }, { multi: true });
     }
 }

package/authentication/models/service-account.model.d.ts

@@ -1,6 +1,6 @@
-import { TenantEntity } from '../../orm/entity.js';
 import { Subject } from './subject.model.js';
-export declare class ServiceAccount extends TenantEntity {
+export declare class ServiceAccount extends Subject {
+    displayName: string;
     description: string;
     /** Who owns this service account? If null, it is a tenant-wide service account. */
     parent: Subject | null;

package/authentication/models/service-account.model.js

@@ -7,15 +7,19 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-import { TenantEntity } from '../../orm/entity.js';
-import { Table, TenantReference, UuidProperty } from '../../orm/index.js';
+import { ChildEntity, Table, TenantReference, UuidProperty } from '../../orm/index.js';
 import { StringProperty } from '../../schema/index.js';
-import { Subject } from './subject.model.js';
-let ServiceAccount = class ServiceAccount extends TenantEntity {
+import { Subject, SubjectType } from './subject.model.js';
+let ServiceAccount = class ServiceAccount extends Subject {
+    displayName;
     description;
     /** Who owns this service account? If null, it is a tenant-wide service account. */
     parent;
 };
+__decorate([
+    StringProperty(),
+    __metadata("design:type", String)
+], ServiceAccount.prototype, "displayName", void 0);
 __decorate([
     StringProperty(),
     __metadata("design:type", String)
@@ -26,6 +30,7 @@ __decorate([
     __metadata("design:type", Object)
 ], ServiceAccount.prototype, "parent", void 0);
 ServiceAccount = __decorate([
-    Table('service_account', { schema: 'authentication' })
+    Table('service_account', { schema: 'authentication' }),
+    ChildEntity(SubjectType.ServiceAccount)
 ], ServiceAccount);
 export { ServiceAccount };

package/authentication/models/subject.model.d.ts

@@ -1,16 +1,31 @@
 import { type EnumType } from '../../enumeration/enumeration.js';
 import { TenantEntity } from '../../orm/entity.js';
-import { type Uuid } from '../../orm/index.js';
+import type { Timestamp } from '../../orm/types.js';
 export declare const SubjectType: {
     readonly System: "system";
     readonly User: "user";
     readonly ServiceAccount: "service-account";
 };
 export type SubjectType = EnumType<typeof SubjectType>;
+/**
+ * Status of a subject.
+ */
+export declare const SubjectStatus: {
+    /** Subject is active and can perform actions. */
+    readonly Active: "active";
+    /** Subject is inactive and cannot perform actions. Usually set by the user or a default state. */
+    readonly Inactive: "inactive";
+    /** Subject is suspended and cannot perform actions. Usually set by an administrator for security or policy reasons. */
+    readonly Suspended: "suspended";
+    /** Subject is pending approval from an administrator. */
+    readonly PendingApproval: "pending-approval";
+    /** Subject has been invited but has not yet accepted or completed setup. */
+    readonly Invited: "invited";
+};
+export type SubjectStatus = EnumType<typeof SubjectStatus>;
 export declare class Subject extends TenantEntity {
     type: SubjectType;
-    displayName: string;
-    systemAccountId: Uuid | null;
-    userId: Uuid | null;
-    serviceAccountId: Uuid | null;
+    status: SubjectStatus;
+    lastActivityTimestamp: Timestamp | null;
 }
+export declare function getSubjectDisplayName(subject: Subject): string;

package/authentication/models/subject.model.js

@@ -8,54 +8,59 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 import { defineEnum } from '../../enumeration/enumeration.js';
+import { formatPersonName } from '../../formats/formats.js';
 import { TenantEntity } from '../../orm/entity.js';
-import { Check, exclusiveNotNull, Table, TenantReference, Unique, UuidProperty } from '../../orm/index.js';
-import { Enumeration, StringProperty } from '../../schema/index.js';
-import { ServiceAccount } from './service-account.model.js';
-import { SystemAccount } from './system-account.model.js';
-import { User } from './user.model.js';
+import { Inheritance, Table, Unique } from '../../orm/index.js';
+import { TimestampProperty } from '../../orm/schemas/timestamp.js';
+import { Enumeration } from '../../schema/index.js';
+import { match } from 'ts-pattern';
 export const SubjectType = defineEnum('SubjectType', {
     System: 'system',
     User: 'user',
     ServiceAccount: 'service-account',
 });
+/**
+ * Status of a subject.
+ */
+export const SubjectStatus = defineEnum('SubjectStatus', {
+    /** Subject is active and can perform actions. */
+    Active: 'active',
+    /** Subject is inactive and cannot perform actions. Usually set by the user or a default state. */
+    Inactive: 'inactive',
+    /** Subject is suspended and cannot perform actions. Usually set by an administrator for security or policy reasons. */
+    Suspended: 'suspended',
+    /** Subject is pending approval from an administrator. */
+    PendingApproval: 'pending-approval',
+    /** Subject has been invited but has not yet accepted or completed setup. */
+    Invited: 'invited',
+});
 let Subject = class Subject extends TenantEntity {
     type;
-    displayName;
-    systemAccountId;
-    userId;
-    serviceAccountId;
+    status;
+    lastActivityTimestamp;
 };
 __decorate([
     Enumeration(SubjectType),
     __metadata("design:type", String)
 ], Subject.prototype, "type", void 0);
 __decorate([
-    StringProperty(),
+    Enumeration(SubjectStatus),
     __metadata("design:type", String)
-], Subject.prototype, "displayName", void 0);
-__decorate([
-    TenantReference(() => SystemAccount),
-    UuidProperty({ nullable: true }),
-    __metadata("design:type", Object)
-], Subject.prototype, "systemAccountId", void 0);
-__decorate([
-    TenantReference(() => User),
-    UuidProperty({ nullable: true }),
-    __metadata("design:type", Object)
-], Subject.prototype, "userId", void 0);
+], Subject.prototype, "status", void 0);
 __decorate([
-    TenantReference(() => ServiceAccount),
-    UuidProperty({ nullable: true }),
+    TimestampProperty({ nullable: true }),
     __metadata("design:type", Object)
-], Subject.prototype, "serviceAccountId", void 0);
+], Subject.prototype, "lastActivityTimestamp", void 0);
 Subject = __decorate([
     Table('subject', { schema: 'authentication' }),
+    Inheritance({ strategy: 'joined', discriminatorColumn: 'type' }),
     Unique(['id']) // for external systems that might not support composite identities
-    ,
-    Unique(['tenantId', 'systemAccountId']),
-    Unique(['tenantId', 'userId']),
-    Unique(['tenantId', 'serviceAccountId']),
-    Check('authentication_subject_reference_check', (table) => exclusiveNotNull(table.systemAccountId, table.userId, table.serviceAccountId))
 ], Subject);
 export { Subject };
+export function getSubjectDisplayName(subject) {
+    return match(subject.type)
+        .with(SubjectType.User, () => formatPersonName(subject))
+        .with(SubjectType.System, () => subject.displayName)
+        .with(SubjectType.ServiceAccount, () => subject.displayName)
+        .exhaustive();
+}

package/authentication/models/system-account.model.d.ts

@@ -1,5 +1,6 @@
-import { TenantEntity } from '../../orm/entity.js';
-export declare class SystemAccount extends TenantEntity {
+import { Subject } from './subject.model.js';
+export declare class SystemAccount extends Subject {
     /** Programmatic name: 'cleanup-task', 'ai-agent' */
     identifier: string;
+    displayName: string;
 }

package/authentication/models/system-account.model.js

@@ -7,19 +7,25 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-import { TenantEntity } from '../../orm/entity.js';
-import { Table, Unique } from '../../orm/index.js';
+import { ChildEntity, Table, Unique } from '../../orm/index.js';
 import { StringProperty } from '../../schema/index.js';
-let SystemAccount = class SystemAccount extends TenantEntity {
+import { Subject, SubjectType } from './subject.model.js';
+let SystemAccount = class SystemAccount extends Subject {
     /** Programmatic name: 'cleanup-task', 'ai-agent' */
     identifier;
+    displayName;
 };
 __decorate([
-    Unique(),
     StringProperty(),
     __metadata("design:type", String)
 ], SystemAccount.prototype, "identifier", void 0);
+__decorate([
+    StringProperty(),
+    __metadata("design:type", String)
+], SystemAccount.prototype, "displayName", void 0);
 SystemAccount = __decorate([
-    Table('system_account', { schema: 'authentication' })
+    Table('system_account', { schema: 'authentication' }),
+    ChildEntity(SubjectType.System),
+    Unique(['tenantId', 'identifier'])
 ], SystemAccount);
 export { SystemAccount };

package/authentication/models/user.model.d.ts

@@ -1,14 +1,5 @@
-import { type EnumType } from '../../enumeration/enumeration.js';
-import { TenantEntity } from '../../orm/entity.js';
-export declare const UserStatus: {
-    readonly Active: "active";
-    readonly Suspended: "suspended";
-    readonly PendingApproval: "pending-approval";
-    readonly Invited: "invited";
-};
-export type UserStatus = EnumType<typeof UserStatus>;
-export declare class User extends TenantEntity {
-    status: UserStatus;
+import { Subject } from './subject.model.js';
+export declare class User extends Subject {
     email: string;
     firstName: string;
     lastName: string;

package/authentication/models/user.model.js

@@ -7,27 +7,15 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-import { defineEnum } from '../../enumeration/enumeration.js';
-import { TenantEntity } from '../../orm/entity.js';
-import { Table, Unique } from '../../orm/index.js';
-import { Enumeration, StringProperty } from '../../schema/index.js';
+import { ChildEntity, Table, Unique } from '../../orm/index.js';
+import { StringProperty } from '../../schema/index.js';
 import { mailPattern } from '../../utils/patterns.js';
-export const UserStatus = defineEnum('UserStatus', {
-    Active: 'active',
-    Suspended: 'suspended',
-    PendingApproval: 'pending-approval',
-    Invited: 'invited',
-});
-let User = class User extends TenantEntity {
-    status;
+import { Subject, SubjectType } from './subject.model.js';
+let User = class User extends Subject {
     email;
     firstName;
     lastName;
 };
-__decorate([
-    Enumeration(UserStatus),
-    __metadata("design:type", String)
-], User.prototype, "status", void 0);
 __decorate([
     StringProperty({ pattern: mailPattern }),
     __metadata("design:type", String)
@@ -42,6 +30,7 @@ __decorate([
 ], User.prototype, "lastName", void 0);
 User = __decorate([
     Table('user', { schema: 'authentication' }),
+    ChildEntity(SubjectType.User),
     Unique(['tenantId', 'email'])
 ], User);
 export { User };

package/authentication/server/authentication-api-request-token.provider.d.ts

@@ -1,11 +1,9 @@
 import type { ApiRequestData } from '../../api/index.js';
 import { ApiRequestTokenProvider } from '../../api/server/api-request-token.provider.js';
-import { AuthenticationService } from './authentication.service.js';
 /**
  * Provides the info for an API request from the authorization header.
  */
 export declare class AuthenticationApiRequestTokenProvider extends ApiRequestTokenProvider {
     private readonly authenticationService;
-    constructor(authenticationService: AuthenticationService);
     tryGetToken<T>(data: ApiRequestData): Promise<T | null>;
 }

package/authentication/server/authentication-api-request-token.provider.js

@@ -4,11 +4,8 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
     else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata = (this && this.__metadata) || function (k, v) {
-    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-};
 import { ApiRequestTokenProvider } from '../../api/server/api-request-token.provider.js';
-import { Singleton } from '../../injector/decorators.js';
+import { inject, Singleton } from '../../injector/index.js';
 import { isUndefined } from '../../utils/type-guards.js';
 import { AuthenticationService } from './authentication.service.js';
 import { tryGetAuthorizationTokenStringFromRequest } from './helper.js';
@@ -16,11 +13,7 @@ import { tryGetAuthorizationTokenStringFromRequest } from './helper.js';
  * Provides the info for an API request from the authorization header.
  */
 let AuthenticationApiRequestTokenProvider = class AuthenticationApiRequestTokenProvider extends ApiRequestTokenProvider {
-    authenticationService;
-    constructor(authenticationService) {
-        super();
-        this.authenticationService = authenticationService;
-    }
+    authenticationService = inject(AuthenticationService);
     async tryGetToken(data) {
         const tokenString = tryGetAuthorizationTokenStringFromRequest(data.request);
         if (isUndefined(tokenString)) {
@@ -30,7 +23,6 @@ let AuthenticationApiRequestTokenProvider = class AuthenticationApiRequestTokenP
     }
 };
 AuthenticationApiRequestTokenProvider = __decorate([
-    Singleton(),
-    __metadata("design:paramtypes", [AuthenticationService])
+    Singleton()
 ], AuthenticationApiRequestTokenProvider);
 export { AuthenticationApiRequestTokenProvider };

package/authentication/server/authentication.api-controller.d.ts

@@ -13,8 +13,7 @@ import { AuthenticationService } from './authentication.service.js';
  * @template AdditionalInitSecretResetData Type of additional secret reset data
  */
 export declare class AuthenticationApiController<AdditionalTokenPayload extends Record, AuthenticationData, AdditionalInitSecretResetData = void> implements ApiController<AuthenticationApiDefinition<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>> {
-    readonly authenticationService: AuthenticationService<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>;
-    constructor(authenticationService: AuthenticationService<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>);
+    protected readonly authenticationService: AuthenticationService<AdditionalTokenPayload, AuthenticationData, AdditionalInitSecretResetData>;
     /**
      * Get a token for a subject and secret.
      * @param parameters The parameters for the request.

package/authentication/server/authentication.api-controller.js

@@ -4,11 +4,9 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
     else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata = (this && this.__metadata) || function (k, v) {
-    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-};
 import { apiController } from '../../api/server/index.js';
 import { HttpServerResponse } from '../../http/server/index.js';
+import { inject } from '../../injector/index.js';
 import { currentTimestampSeconds } from '../../utils/date-time.js';
 import { assertDefinedPass, isDefined } from '../../utils/type-guards.js';
 import { authenticationApiDefinition, getAuthenticationApiDefinition } from '../authentication.api.js';
@@ -24,10 +22,7 @@ const deleteCookie = { value: '', ...cookieBaseOptions, maxAge: -1 };
  * @template AdditionalInitSecretResetData Type of additional secret reset data
  */
 let AuthenticationApiController = class AuthenticationApiController {
-    authenticationService;
-    constructor(authenticationService) {
-        this.authenticationService = authenticationService;
-    }
+    authenticationService = inject((AuthenticationService));
     /**
      * Get a token for a subject and secret.
      * @param parameters The parameters for the request.
@@ -146,6 +141,10 @@ let AuthenticationApiController = class AuthenticationApiController {
     getTokenResponse({ token, jsonToken, refreshToken, omitImpersonatorRefreshToken, impersonatorRefreshToken, impersonatorRefreshTokenExpiration }) {
         const result = jsonToken.payload;
         const options = {
+            headers: {
+                'X-Authorization': `Bearer ${token}`,
+                'X-Refresh-Token': `Bearer ${refreshToken}`,
+            },
             cookies: {
                 authorization: {
                     value: `Bearer ${token}`,
@@ -163,6 +162,7 @@ let AuthenticationApiController = class AuthenticationApiController {
             },
         };
         if (isDefined(impersonatorRefreshToken)) {
+            options.headers['X-Impersonator-Refresh-Token'] = `Bearer ${impersonatorRefreshToken}`;
             options.cookies['impersonatorRefreshToken'] = {
                 value: `Bearer ${impersonatorRefreshToken}`,
                 ...cookieBaseOptions,
@@ -176,8 +176,7 @@ let AuthenticationApiController = class AuthenticationApiController {
     }
 };
 AuthenticationApiController = __decorate([
-    apiController(authenticationApiDefinition),
-    __metadata("design:paramtypes", [AuthenticationService])
+    apiController(authenticationApiDefinition)
 ], AuthenticationApiController);
 export { AuthenticationApiController };
 /**