npm - mesauth-angular - Versions diffs - 1.23.0 → 1.24.0 - Mend

mesauth-angular 1.23.0 → 1.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/fesm2022/mesauth-angular.mjs +79 -57
package/fesm2022/mesauth-angular.mjs.map +1 -1
package/package.json +1 -1
package/types/mesauth-angular.d.ts +13 -4

package/fesm2022/mesauth-angular.mjs CHANGED Viewed

@@ -1,16 +1,16 @@
 import * as i0 from '@angular/core';
 import { signal, Injectable, InjectionToken, makeEnvironmentProviders, provideAppInitializer, inject, NgModule, afterNextRender, input, booleanAttribute, computed, HostBinding, Component, output, Injector, ChangeDetectionStrategy, effect, HostListener, ElementRef, Pipe, viewChild, ViewChild, DestroyRef, Directive } from '@angular/core';
 import { toObservable, toSignal, takeUntilDestroyed, rxResource } from '@angular/core/rxjs-interop';
-import { catchError, of, Subject, EMPTY, timer, throwError, firstValueFrom, distinctUntilChanged, switchMap as switchMap$1, forkJoin } from 'rxjs';
+import { catchError, of, Subject, EMPTY, BehaviorSubject, throwError, timer, firstValueFrom, distinctUntilChanged, switchMap as switchMap$1, forkJoin } from 'rxjs';
 import { HttpClient, HttpResponse } from '@angular/common/http';
 import { HubConnectionBuilder, LogLevel } from '@microsoft/signalr';
-import { map, tap, catchError as catchError$1, switchMap } from 'rxjs/operators';
+import { map, tap, catchError as catchError$1, switchMap, filter, take } from 'rxjs/operators';
 import { Router } from '@angular/router';
 import { DomSanitizer } from '@angular/platform-browser';
 import { DatePipe, JsonPipe } from '@angular/common';
 /** Current installed package version — keep in sync with package.json. */
-const PACKAGE_VERSION = '1.23.0';
+const PACKAGE_VERSION = '1.24.0';
 /**
  * Provides server-driven UI configuration loaded from the hosted manifest.
  * Components read `labels()` and `features()` signals instead of hardcoded strings.
@@ -446,20 +446,32 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImpo
             type: Injectable
         }], ctorParameters: () => [] });
-// Track if we're currently redirecting to prevent loopback
+// Module-scope state — single instance shared across all requests because
+// HttpInterceptorFn is provided once per injector.
+// True while a 401-triggered refresh is in flight; concurrent 401 retries wait for it.
+const refreshing$ = new BehaviorSubject(false);
+// Last access token written to localStorage from an X-Refreshed-Token response header.
+// Used to collapse N duplicate writes (one per parallel response) into one notifySignedIn call.
+let lastWrittenAccessToken = null;
+// Track if we're currently redirecting to login to prevent loopback storms.
 let isRedirecting = false;
 /**
- * Functional HTTP interceptor for handling 401/403 auth errors.
- * Redirects to login page on 401, and to 403 page on 403.
- * Includes loopback prevention to avoid infinite redirects.
+ * Functional HTTP interceptor.
+ *
+ * Responsibilities:
+ *   1. Attach `Authorization: Bearer` + `X-Refresh-Token` from localStorage to requests
+ *      targeting the auth server / trusted hosts (so the server-side Authorizer middleware
+ *      can perform silent refresh and emit X-Refreshed-* response headers).
+ *   2. On every successful response, if `X-Refreshed-Token` is present, write it to
+ *      localStorage exactly once (dedup across parallel responses).
+ *   3. On 401, queue concurrent failures behind a single 1.5s wait so only ONE retry
+ *      fires per refresh window. Retries strip the stale auth headers so the interceptor
+ *      re-reads the freshly-stored tokens from localStorage.
+ *   4. On 403, redirect to /403.
  */
 const mesAuthInterceptor = (req, next) => {
     const authService = inject(MesAuthService);
     const router = inject(Router);
-    // Attach access + refresh tokens from localStorage to requests going to the auth server
-    // or any backend host running MesAuth.Authorizer (trustedHosts). This lets the authorizer
-    // middleware silently refresh tokens and emit X-Refreshed-Token response headers.
-    // Relative URLs are always considered trusted (same origin).
     const config = authService.getConfig();
     const apiBase = config?.apiBaseUrl ?? '';
     const trustedHosts = config?.trustedHosts ?? [];
@@ -473,9 +485,11 @@ const mesAuthInterceptor = (req, next) => {
             return true; // relative URL — same origin
         }
     }
-    let authReq = req;
-    if (typeof localStorage !== 'undefined' && isTrusted(req.url)) {
-        let headers = req.headers;
+    // ---- Build the outgoing request, attaching localStorage tokens for trusted hosts.
+    function attachAuthHeaders(r) {
+        if (typeof localStorage === 'undefined' || !isTrusted(r.url))
+            return r;
+        let headers = r.headers;
         if (!headers.has('Authorization')) {
             const accessToken = localStorage.getItem('mes_auth_token');
             if (accessToken)
@@ -486,39 +500,50 @@ const mesAuthInterceptor = (req, next) => {
             if (refreshToken)
                 headers = headers.set('X-Refresh-Token', refreshToken);
         }
-        if (headers !== req.headers)
-            authReq = req.clone({ headers });
+        return headers !== r.headers ? r.clone({ headers }) : r;
+    }
+    // Strip the headers we set so a retry forces re-read from localStorage (which by then
+    // contains the refreshed tokens written by the X-Refreshed-Token response handler).
+    function stripAuthHeaders(r) {
+        return r.clone({
+            headers: r.headers.delete('Authorization').delete('X-Refresh-Token')
+        });
     }
+    const authReq = attachAuthHeaders(req);
     return next(authReq).pipe(tap(event => {
         if (event instanceof HttpResponse) {
             const newAccessToken = event.headers.get('X-Refreshed-Token');
-            if (newAccessToken) {
+            if (newAccessToken && newAccessToken !== lastWrittenAccessToken) {
+                lastWrittenAccessToken = newAccessToken;
                 const newRefreshToken = event.headers.get('X-Refreshed-Refresh-Token') ?? undefined;
                 authService.notifySignedIn(newAccessToken, newRefreshToken);
             }
         }
     }), catchError$1((error) => {
         const status = error.status;
-        // Check if we should handle this error and prevent loopback
-        if ((status === 401 || status === 403) && !isRedirecting) {
-            const config = authService.getConfig();
-            const baseUrl = config?.userBaseUrl || '';
-            const currentUrl = router.url + (window.location.hash || '');
-            const returnUrl = encodeURIComponent(currentUrl);
-            // Avoid loops if already on auth/unauth pages
-            const isLoginPage = currentUrl.includes('/login');
-            const is403Page = currentUrl.includes('/403');
-            const isAuthPage = currentUrl.includes('/auth');
-            // Public pages that should never trigger a 401 redirect (e.g., register, password reset)
-            const isPublicPage = currentUrl.includes('/register')
-                || currentUrl.includes('/forgot-password')
-                || currentUrl.includes('/reset-password');
-            // Skip redirect for the initial /auth/me check (app startup when not logged in)
-            const isMeAuthPage = req.url.includes('/auth/me');
-            if (status === 401 && !isLoginPage && !isAuthPage && !isMeAuthPage && !isPublicPage) {
-                // Wait 1.5s for the concurrent refresh's Set-Cookie to be processed, then retry once.
-                // If retry also gets 401, redirect to login.
-                return timer(1500).pipe(switchMap(() => next(req)), catchError$1((retryError) => {
+        if (!(status === 401 || status === 403) || isRedirecting) {
+            return throwError(() => error);
+        }
+        const baseUrl = config?.userBaseUrl || '';
+        const currentUrl = router.url + (window.location.hash || '');
+        const returnUrl = encodeURIComponent(currentUrl);
+        const isLoginPage = currentUrl.includes('/login');
+        const is403Page = currentUrl.includes('/403');
+        const isAuthPage = currentUrl.includes('/auth');
+        const isPublicPage = currentUrl.includes('/register')
+            || currentUrl.includes('/forgot-password')
+            || currentUrl.includes('/reset-password');
+        const isMeAuthPage = req.url.includes('/auth/me');
+        if (status === 401 && !isLoginPage && !isAuthPage && !isMeAuthPage && !isPublicPage) {
+            // Single-flight: the first 401 opens a 1.5s window during which all other 401s
+            // wait for the refresh signal to flip back to false, then retry once.
+            if (!refreshing$.value) {
+                refreshing$.next(true);
+                return timer(1500).pipe(switchMap(() => next(stripAuthHeaders(req))), tap({
+                    next: () => refreshing$.next(false),
+                    error: () => refreshing$.next(false),
+                    complete: () => refreshing$.next(false)
+                }), catchError$1((retryError) => {
                     if (retryError.status === 401) {
                         isRedirecting = true;
                         setTimeout(() => { isRedirecting = false; }, 5000);
@@ -527,32 +552,29 @@ const mesAuthInterceptor = (req, next) => {
                     return throwError(() => retryError);
                 }));
             }
-            else if (status === 403 && !is403Page) {
-                isRedirecting = true;
-                setTimeout(() => { isRedirecting = false; }, 5000);
-                let redirectUrl = `${baseUrl}/403?returnUrl=${returnUrl}`;
-                if (error.error && error.error.required) {
-                    redirectUrl += `&required=${encodeURIComponent(error.error.required)}`;
+            // Refresh already in flight — wait for it to finish, then retry once with
+            // headers stripped so the interceptor re-reads the now-fresh tokens.
+            return refreshing$.pipe(filter(v => !v), take(1), switchMap(() => next(stripAuthHeaders(req))), catchError$1((retryError) => {
+                if (retryError.status === 401 && !isRedirecting) {
+                    isRedirecting = true;
+                    setTimeout(() => { isRedirecting = false; }, 5000);
+                    window.location.href = `${baseUrl}/login?returnUrl=${returnUrl}`;
                 }
-                window.location.href = redirectUrl;
+                return throwError(() => retryError);
+            }));
+        }
+        if (status === 403 && !is403Page) {
+            isRedirecting = true;
+            setTimeout(() => { isRedirecting = false; }, 5000);
+            let redirectUrl = `${baseUrl}/403?returnUrl=${returnUrl}`;
+            if (error.error && error.error.required) {
+                redirectUrl += `&required=${encodeURIComponent(error.error.required)}`;
             }
+            window.location.href = redirectUrl;
         }
         return throwError(() => error);
     }));
 };
-function appendPermissions(body, allowedActions) {
-    if (body === null || body === undefined) {
-        return { 'x-ma-perms': allowedActions };
-    }
-    if (Array.isArray(body)) {
-        return { data: body, 'x-ma-perms': allowedActions };
-    }
-    if (typeof body === 'object') {
-        return { ...body, 'x-ma-perms': allowedActions };
-    }
-    // Primitive (string, number, boolean)
-    return { data: body, 'x-ma-perms': allowedActions };
-}
 class MesAuthModule {
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: MesAuthModule, deps: [], target: i0.ɵɵFactoryTarget.NgModule });